NAT Gateway Resources

NAT Gateway is a fully managed service. Once created, it handles translation, routing, and availability automatically.

What It Does

  • Outbound translation (SNAT): Replaces the private source IP of outbound packets with one of the gateway's Elastic IPv4 addresses, then restores the original destination on the reply.

  • Inbound forwarding (DNAT): Rewrites the destination of packets arriving on a public EIP:port to a configured private IP:port inside the VPC.

Both modes are defined through SNAT and DNAT entries on the gateway. A single gateway can run both.

Gateway Attributes

The gateway detail page in the console surfaces the following attributes:

| Attribute | Description |
| --- | --- |
| State | Current lifecycle state (see below). |
| Region | The region the gateway was created in. |
| Attached global VPC | The VPC the gateway belongs to. |
| Attached subnets | Subnets whose default route points to the gateway. The gateway serves subnets in the same region as itself — either all of them or a specific selection. It cannot serve subnets in other regions of the same VPC. |
| Attached border gateway | Border Gateway in the same VPC, if the gateway also serves traffic sourced from that Border Gateway. |
| Bound elastic IPv4 addresses | EIPs bound to the gateway. Each row shows the IP, bandwidth cap, network billing method, and the number of NAT rules that reference it. |
| ICMP echo reply | When enabled, the gateway replies to ICMP echo requests (ping) directed at its EIPs. |
| Deployed security group | Security group applied to the gateway. |
| Resource group | Resource group the gateway belongs to for access and billing grouping. |
| Pricing model | Pay-as-you-go by hour — billed in Capacity Units (CU) based on peak concurrent connections and CPS. |

Gateway Lifecycle

| State | Meaning |
| --- | --- |
| Creating | Being provisioned. Usually under a minute. |
| Active | Ready. You can create and manage SNAT and DNAT entries. |
| Updating | A configuration change is being applied. Traffic continues uninterrupted. |
| Deleting | Being removed. Gateway routes and related bindings are being withdrawn. |
| Error | Provisioning or a change failed. Check the event log; if it does not recover, contact support. |

Subnet Scope

Subnet scope controls which sources get a default route to the NAT Gateway. SNAT entries then decide which source subnets or CIDRs are translated to which EIPs.

  • All subnets — Every subnet in the VPC uses the gateway for outbound traffic. Subnets added later are automatically included.

  • Selected subnets — Only the subnets you specify are covered. New subnets are not included unless you update the selection.

Limits

| Resource | Limit |
| --- | --- |
| NAT Gateways per Global VPC | 5 |
| DNAT entries per gateway | 100 |
| SNAT entries per gateway | 10 |
| EIPs per gateway | 20 |

Relationship to Elastic IPs

A NAT Gateway does not own EIPs — SNAT and DNAT entries reference EIPs you have already allocated.

  • Allocate EIPs before creating entries that reference them.

  • Releasing an EIP that is still referenced by an active entry will cause that entry to stop working. Remove the entry first.

  • The same EIP can appear in both a SNAT entry (shared outbound) and DNAT entries (specific port forwards) on the same gateway.
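The EIP rules above and the per-gateway limits can be checked before an EIP is released. The following is an added example, not code from this product: the `GATEWAY` structure, its field names and the addresses are constructed for illustration and do not reflect a real API schema, and it assumes a released EIP no longer appears in the gateway's bound list.

```python
# Limits taken from the Limits table on this page.
LIMITS = {"snat": 10, "dnat": 100, "bound_eips": 20}

# Constructed sample export. Field names are hypothetical, not a real API schema.
GATEWAY = {
    "bound_eips": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "snat": [{"source": "10.0.1.0/24", "eip": "203.0.113.10"}],
    "dnat": [
        {"eip": "203.0.113.10", "port": 443, "target": "10.0.1.5:8443"},
        {"eip": "203.0.113.13", "port": 8080, "target": "10.0.1.9:8080"},
    ],
}


def eip_references(gw):
    """Map every EIP to the (kind, index) of each entry that references it."""
    refs = {eip: [] for eip in gw["bound_eips"]}
    for kind in ("snat", "dnat"):
        for index, entry in enumerate(gw[kind]):
            refs.setdefault(entry["eip"], []).append((kind, index))
    return refs


def blockers_for_release(gw, eip):
    """Entries to remove before releasing this EIP; empty means safe to release."""
    return eip_references(gw).get(eip, [])


def audit(gw):
    refs = eip_references(gw)
    bound = set(gw["bound_eips"])
    return {
        # Referenced by an entry but not bound (assumed released): that entry has stopped working.
        "dangling": sorted(eip for eip in refs if eip not in bound),
        # Bound but unused: can be released without breaking an entry.
        "unreferenced": sorted(eip for eip in bound if not refs[eip]),
        # Collections that exceed the per-gateway limits.
        "over_limit": sorted(k for k, cap in LIMITS.items() if len(gw[k]) > cap),
    }


if __name__ == "__main__":
    print(audit(GATEWAY))
    print(blockers_for_release(GATEWAY, "203.0.113.10"))
```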


Billing

Public NAT Gateway is billed pay-as-you-go by hour. Each gateway instance costs $27.27/month (billed hourly), plus a variable charge calculated in Capacity Units (CU). Data transfer on bound EIPs is billed separately through each EIP's network billing method.

Note: Pricing shown is for illustration — check the console for current rates.

What a CU measures

A CU (Capacity Unit) is the smallest unit used to measure the traffic-handling work done by the gateway in an hour. The gateway tracks two dimensions, both visible on the gateway's Performance tab:

| Metric | Meaning |
| --- | --- |
| Concurrent Connections (counts/min) | The number of connections being handled simultaneously, sampled per minute. |
| CPS — Connections Per Second (counts/s) | The number of new connections established per second. |

Each dimension is converted to CUs using a fixed coefficient:

| Metric | CU Coefficient |
| --- | --- |
| Concurrent Connections | 10,000 |
| CPS | 1,000 |

The CU count for the hour is the maximum of the two — whichever dimension dominates the workload drives the bill.

CU Fee Formula

Both dimensions use the peak value observed within the hour — short bursts at the top of the hour set the CU count for that hour.

Example

A pay-as-you-go public NAT Gateway is created and released one hour later. During that hour:

| Metric | Peak value | CU calculation |
| --- | --- | --- |
| Concurrent Connections | 50,000 | 50,000 / 10,000 = 5.0 CU |
| CPS | 2,000 | 2,000 / 1,000 = 2.0 CU |

CUs per hour = max(5.0, 2.0) = 5.0 CU

At a CU unit price of $0.04/CU/h:

Note: Pricing shown is for illustration — check the console for current rates.

What CU does not cover

  • Data transfer — Outbound and inbound bytes on each bound EIP are billed through that EIP's own network billing method (e.g., by bandwidth cap or by data transfer). CU charges cover only the gateway's connection-handling work.

  • Elastic IP holding fee — Each EIP has its own charges; CU does not include them.

Monitoring CU usage

Use the gateway's Performance tab to see the trend lines that drive CU. The two charts used for billing are:

  • Concurrent Connections (counts/min)

  • CPS (counts/s)

The Bandwidth and Packet Transmission charts on the same page are useful for operational monitoring but are not used to calculate CU.
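The peak-per-hour rule can be applied to exported metric samples to see which dimension drives each hour's CU and which hours are set by a short burst rather than steady load. This is an added example, not code from this product: the per-minute `(minute, concurrent_connections, cps)` sample format, the constructed data and the `factor` threshold are assumptions, and no fee is computed.

```python
from collections import defaultdict
from statistics import median

CONN_PER_CU = 10_000  # Concurrent Connections coefficient from this page
CPS_PER_CU = 1_000    # CPS coefficient from this page


def build_samples():
    """Constructed data: three hours of steady load with two one-minute bursts."""
    samples = [(minute, 20_000, 500) for minute in range(180)]
    samples[17] = (17, 50_000, 2_000)    # hour 0: matches the worked example above
    samples[125] = (125, 21_000, 9_000)  # hour 2: burst of new connections
    return samples


def hourly_cu(samples):
    """Return {hour: {"cu", "driver", "typical_cu"}} from per-minute samples."""
    by_hour = defaultdict(list)
    for minute, conns, cps in samples:
        by_hour[minute // 60].append((conns, cps))
    report = {}
    for hour, rows in sorted(by_hour.items()):
        # Billing uses the peak of each dimension within the hour.
        conn_cu = max(c for c, _ in rows) / CONN_PER_CU
        cps_cu = max(s for _, s in rows) / CPS_PER_CU
        # What the hour would cost in CU if the median minute were the peak.
        typical = max(median(c for c, _ in rows) / CONN_PER_CU,
                      median(s for _, s in rows) / CPS_PER_CU)
        report[hour] = {
            "cu": max(conn_cu, cps_cu),
            "driver": "concurrent" if conn_cu >= cps_cu else "cps",
            "typical_cu": typical,
        }
    return report


def burst_hours(report, factor=2.0):
    """Hours whose billed CU is at least `factor` times the typical CU."""
    return [h for h, r in report.items() if r["cu"] >= factor * r["typical_cu"]]


if __name__ == "__main__":
    result = hourly_cu(build_samples())
    for hour, row in result.items():
        print(hour, row)
    print("burst-driven hours:", burst_hours(result))
```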
