# Configure DNAT Rules

Configure DNAT (Destination Network Address Translation) rules on a public NAT gateway to associate public IP addresses with instances via port or IP mapping, enabling the instances to provide services over the Internet.

## Procedures

1. Go to **NAT Rules** > **Create DNAT Entry** on details page

   <div align="left"><figure><img src="https://3201622183-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9X3FDdkCL2HzhbPpPMFt%2Fuploads%2FdhQ8r4exLbb7xpaXyxKp%2Fimage.png?alt=media&#x26;token=b66602da-e8b9-4868-8625-e07a7781b0d7" alt="" width="563"><figcaption></figcaption></figure></div>
2. Set a public ingress IP\
   Select the elastic IPv4 address that receives incoming traffic.
   * Only elastic IPs already bound to the current NAT Gateway are listed.
   * If no suitable elastic IP is available, click **New Elastic IPv4** to create and bind one.
3. Select a private IP

   Choose the private endpoint to which traffic will be forwarded. Two options are available:

   * **By vNIC/By Instance**\
     Select a private IP associated with a vNIC or an instance.
   * **By Custom Private IP**\
     Manually enter a private IP address. \
     If the private IP is not associated with an instance, the route will not take effect.
4. Configure protocol and port\
   Define the protocol and ports used for the DNAT mapping.
   * **Any Port**\
     Forwards all traffic from the public IP to the private IP without specifying ports (IP mapping).
   * **Custom Port**\
     Specify the **public port**, **private port**, and **protocol** (TCP and UDP) for fine-grained control (Port mapping).
5. Click **Confirm** to save and apply the DNAT entry.

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

<mark style="color:blue;">When SNAT is also configured, the DNAT-mapped elastic IP takes priority for outbound access. Ensure port mappings and IP selections do not conflict.</mark>
{% endhint %}

## Results

In the DNAT rule list page, you can edit and delete existing DNAT entries.

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

* <mark style="color:blue;">Editing NAT rules may cause service disruption. Proceed with caution.</mark>
* <mark style="color:blue;">Deleting resources may affect ongoing services. The related resources will be unbound. Proceed with caution.</mark>
  {% endhint %}

## Example

**Map TCP Port 8080 to Port 80 on a Private Instance**

To allow external HTTP access to a web service hosted on a private instance, you can configure a DNAT rule with custom protocol and port mapping.

**Configuration Example:**

* **Elastic IP (Public IP)**: `203.0.113.5`
* **Protocol**: `TCP`
* **Public Port**: `8080`
* **Private IP**: `192.168.1.100`
* **Private Port**: `80`

**Effect:**

Any TCP traffic sent to `203.0.113.5:8080` will be forwarded by the NAT gateway to `192.168.1.100:80` in your global VPC.