# Configure DNAT Rules

Configure DNAT (Destination Network Address Translation) rules on a public NAT gateway to associate public IP addresses with instances via port or IP mapping, enabling the instances to provide services over the Internet.

## Procedures

1. Go to **NAT Rules** > **Create DNAT Entry** on details page

   <div align="left"><figure><img src="/files/C2KhQrrWGbyYtrW2D2y6" alt="" width="563"><figcaption></figcaption></figure></div>
2. Set a public ingress IP\
   Select the elastic IPv4 address that receives incoming traffic.
   * Only elastic IPs already bound to the current NAT Gateway are listed.
   * If no suitable elastic IP is available, click **New Elastic IPv4** to create and bind one.
3. Select a private IP

   Choose the private endpoint to which traffic will be forwarded. Two options are available:

   * **By vNIC/By Instance**\
     Select a private IP associated with a vNIC or an instance.
   * **By Custom Private IP**\
     Manually enter a private IP address.\
     If the private IP is not associated with an instance, the route will not take effect.
4. Configure protocol and port\
   Define the protocol and ports used for the DNAT mapping.
   * **Any Port**\
     Forwards all traffic from the public IP to the private IP without specifying ports (IP mapping).
   * **Custom Port**\
     Specify the **public port**, **private port**, and **protocol** (TCP and UDP) for fine-grained control (Port mapping).
5. Click **Confirm** to save and apply the DNAT entry.

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

<mark style="color:blue;">When SNAT is also configured, the DNAT-mapped elastic IP takes priority for outbound access. Ensure port mappings and IP selections do not conflict.</mark>
{% endhint %}

## Results

In the DNAT rule list page, you can edit and delete existing DNAT entries.

{% hint style="info" %} <mark style="color:blue;">**Note**</mark>

* <mark style="color:blue;">Editing NAT rules may cause service disruption. Proceed with caution.</mark>
* <mark style="color:blue;">Deleting resources may affect ongoing services. The related resources will be unbound. Proceed with caution.</mark>
  {% endhint %}

## Example

**Map TCP Port 8080 to Port 80 on a Private Instance**

To allow external HTTP access to a web service hosted on a private instance, you can configure a DNAT rule with custom protocol and port mapping.

**Configuration Example:**

* **Elastic IP (Public IP)**: `203.0.113.5`
* **Protocol**: `TCP`
* **Public Port**: `8080`
* **Private IP**: `192.168.1.100`
* **Private Port**: `80`

**Effect:**

Any TCP traffic sent to `203.0.113.5:8080` will be forwarded by the NAT gateway to `192.168.1.100:80` in your global VPC.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.console.zenlayer.com/welcome/elastic-compute/get-started/manage-networking/create-a-public-nat-gateway/configure-dnat-rules.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.