# NAT Gateway Resources

NAT Gateway is a fully managed service. Once created, it handles translation, routing, and availability automatically.

## What It Does

* **Outbound translation (SNAT):** Replaces the private source IP of outbound packets with one of the gateway's Elastic IPv4 addresses, then rewrites the destination of each reply back to the original private IP.
* **Inbound forwarding (DNAT):** Rewrites the destination of packets arriving on a public `EIP:port` to a configured private `IP:port` inside the VPC.

Both modes are defined through SNAT and DNAT entries on the gateway. A single gateway can run both.

## Gateway Attributes

The gateway detail page in the console surfaces the following attributes:

| Attribute                        | Description                                                                                                                                                                                                            |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **State**                        | Current lifecycle state (see below).                                                                                                                                                                                   |
| **Region**                       | The region the gateway was created in.                                                                                                                                                                                 |
| **Attached global VPC**          | The VPC the gateway belongs to.                                                                                                                                                                                        |
| **Attached subnets**             | Subnets whose default route points to the gateway. The gateway serves subnets in the **same region** as itself — either all of them or a specific selection. It cannot serve subnets in other regions of the same VPC. |
| **Attached border gateway**      | Border Gateway in the same VPC, if the gateway also serves traffic sourced from that Border Gateway.                                                                                                                   |
| **Bound elastic IPv4 addresses** | EIPs bound to the gateway. Each row shows the IP, bandwidth cap, network billing method, and the number of NAT rules that reference it.                                                                                |
| **ICMP echo reply**              | When enabled, the gateway replies to ICMP echo requests (ping) directed at its EIPs.                                                                                                                                   |
| **Deployed security group**      | Security group applied to the gateway.                                                                                                                                                                                 |
| **Resource group**               | Resource group the gateway belongs to for access and billing grouping.                                                                                                                                                 |
| **Pricing model**                | [Pay-as-you-go by hour](#billing) — billed in Capacity Units (CU) based on peak concurrent connections and CPS.                                                                                                        |

## Gateway Lifecycle

| State        | Meaning                                                                                                                       |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------- |
| **Creating** | Being provisioned. Usually under a minute.                                                                                    |
| **Active**   | Ready. You can create and manage SNAT and DNAT entries.                                                                       |
| **Updating** | A configuration change is being applied. Traffic continues uninterrupted.                                                     |
| **Deleting** | Being removed. Gateway routes and related bindings are being withdrawn.                                                       |
| **Error**    | Provisioning or a change failed. Check the event log; if it does not recover, contact [support](mailto:support@zenlayer.com). |

## Subnet Scope

Subnet scope controls which sources get a default route to the NAT Gateway. SNAT entries then decide which source subnets or CIDRs are translated to which EIPs.

* **All subnets** — Every subnet in the VPC uses the gateway for outbound traffic. Subnets added later are automatically included.
* **Selected subnets** — Only the subnets you specify are covered. New subnets are not included unless you update the selection.

## Limits

| Resource                    | Limit |
| --------------------------- | ----- |
| NAT Gateways per Global VPC | 5     |
| DNAT entries per gateway    | 100   |
| SNAT entries per gateway    | 10    |
| EIPs per gateway            | 20    |

## Relationship to Elastic IPs

A NAT Gateway does not own EIPs — SNAT and DNAT entries reference EIPs you have already allocated.

* Allocate EIPs before creating entries that reference them.
* Releasing an EIP that is still referenced by an active entry will cause that entry to stop working. Remove the entry first.
* The same EIP can appear in both a SNAT entry (shared outbound) and DNAT entries (specific port forwards) on the same gateway.
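
The checks implied by the limits and EIP rules above can be run against a planned configuration before it is applied. This is an added example, not Zenlayer code: the dictionary layout, entry names, and addresses are hypothetical and constructed; only the limits come from this page.

```python
# Added example. The dict layout is hypothetical (not a Zenlayer API schema);
# the limits come from this page's Limits table.
LIMITS = {"snat": 10, "dnat": 100, "eips": 20}

def lint_gateway(gw, allocated_eips):
    """Return findings for one gateway definition before it is applied."""
    findings = []
    if len(set(gw["eips"])) > LIMITS["eips"]:
        findings.append(f"eips: {len(set(gw['eips']))} bound, limit {LIMITS['eips']}")
    for kind in ("snat", "dnat"):
        if len(gw[kind]) > LIMITS[kind]:
            findings.append(f"{kind}: {len(gw[kind])} entries, limit {LIMITS[kind]}")
        for entry in gw[kind]:
            # An entry that references a released EIP stops working.
            if entry["eip"] not in allocated_eips:
                findings.append(f"{kind} {entry['name']}: EIP {entry['eip']} is not allocated")
    return findings

def entries_blocking_release(gw, eip):
    """Entries to remove first so that releasing `eip` breaks nothing."""
    return [f"{kind}:{e['name']}" for kind in ("snat", "dnat")
            for e in gw[kind] if e["eip"] == eip]

def shared_eips(gw):
    """EIPs used for shared outbound SNAT that also carry inbound DNAT forwards."""
    snat = {e["eip"] for e in gw["snat"]}
    return sorted(snat & {e["eip"] for e in gw["dnat"]})

# Constructed sample: documentation-range addresses, invented entry names.
ALLOCATED = {"203.0.113.10", "203.0.113.11"}
GATEWAY = {
    "eips": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "snat": [{"name": "egress-app", "eip": "203.0.113.10"}],
    "dnat": [
        {"name": "web-443", "eip": "203.0.113.10"},
        {"name": "ssh-bastion", "eip": "203.0.113.12"},  # EIP already released
    ],
}

if __name__ == "__main__":
    for finding in lint_gateway(GATEWAY, ALLOCATED):
        print("FINDING", finding)
    print("remove before releasing .10:", entries_blocking_release(GATEWAY, "203.0.113.10"))
    print("SNAT+DNAT on same EIP:", shared_eips(GATEWAY))
```

The `shared_eips` output is an inventory rather than an error: the page allows one EIP to serve both roles, but it is worth knowing which egress addresses also accept inbound forwards.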

***

## Billing

Public NAT Gateway is billed **pay-as-you-go by hour**. Each gateway instance costs **$27.27/month** (billed hourly), plus a variable charge calculated in Capacity Units (CU). Data transfer on bound EIPs is billed separately through each EIP's network billing method.

> **Note:** Pricing shown is for illustration — check the console for current rates.

### What a CU measures

A **CU (Capacity Unit)** is the smallest unit used to measure the traffic-handling work done by the gateway in an hour. The gateway tracks two dimensions, both visible on the gateway's **Performance** tab:

| Metric                                      | Meaning                                                                     |
| ------------------------------------------- | --------------------------------------------------------------------------- |
| **Concurrent Connections** (counts/min)     | The number of connections being handled simultaneously, sampled per minute. |
| **CPS — Connections Per Second** (counts/s) | The number of *new* connections established per second.                     |

Each dimension is converted to CUs by dividing its peak value by a fixed coefficient:

| Metric                 | CU Coefficient |
| ---------------------- | -------------- |
| Concurrent Connections | 10,000         |
| CPS                    | 1,000          |

The CU count for the hour is the **maximum** of the two — whichever dimension dominates the workload drives the bill.

### CU Fee Formula

```
CU fee = CU unit price (USD/CU/h) × CUs per hour × Hours

CUs per hour           = max(CUs for concurrent connections, CUs for CPS)
CUs for concurrent     = Peak concurrent connections in the hour / 10,000
CUs for CPS            = Peak CPS in the hour / 1,000
```

Both dimensions use the **peak** value observed within the hour, so a short burst that sets the hour's peak determines the CU count for that hour.

### Example

A pay-as-you-go public NAT Gateway is created and released one hour later. During that hour:

| Metric                 | Peak value | CU calculation               |
| ---------------------- | ---------- | ---------------------------- |
| Concurrent Connections | 50,000     | 50,000 / 10,000 = **5.0 CU** |
| CPS                    | 2,000      | 2,000 / 1,000 = **2.0 CU**   |

CUs per hour = max(5.0, 2.0) = **5.0 CU**

At a CU unit price of $0.04/CU/h:

```
CU fee = $0.04/CU/h × 5.0 CU × 1 h = $0.20
```

> **Note:** Pricing shown is for illustration — check the console for current rates.
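
The same formula applied to a series of samples spanning several hours, reporting which dimension set each hour's CU count so that an hour billed on a single connection burst stands out. This is an added example, not Zenlayer code: the sample tuples are constructed, combining both metrics in one tuple is a simplification, and billing fractional CUs without rounding is an assumption the page does not state.

```python
from collections import defaultdict

CONC_PER_CU = 10_000  # concurrent connections per CU (coefficient from this page)
CPS_PER_CU = 1_000    # new connections per second per CU (coefficient from this page)

def hourly_cu(samples):
    """samples: iterable of (epoch_seconds, concurrent, cps).

    Returns {hour_index: (cu, driver)}, where each dimension contributes its
    peak within the hour and driver names the dimension that set the CU count.
    """
    peaks = defaultdict(lambda: [0, 0])
    for ts, conc, cps in samples:
        peak = peaks[ts // 3600]
        peak[0] = max(peak[0], conc)
        peak[1] = max(peak[1], cps)
    result = {}
    for hour, (conc, cps) in sorted(peaks.items()):
        cu_conc, cu_cps = conc / CONC_PER_CU, cps / CPS_PER_CU
        driver = "concurrent" if cu_conc >= cu_cps else "cps"
        result[hour] = (max(cu_conc, cu_cps), driver)
    return result

def cu_fee(samples, unit_price):
    """Total CU fee in USD; fractional CUs are not rounded (assumption)."""
    return sum(cu for cu, _ in hourly_cu(samples).values()) * unit_price

# Constructed samples. Hour 0 repeats the page's example values; hour 1 is a
# quiet baseline with one burst sample of 9,000 new connections per second.
SAMPLES = (
    [(t, 50_000, 2_000) for t in range(0, 3600, 60)]
    + [(t, 20_000, 500) for t in range(3600, 7200, 60)]
    + [(5000, 20_000, 9_000)]
)

if __name__ == "__main__":
    for hour, (cu, driver) in hourly_cu(SAMPLES).items():
        print(f"hour {hour}: {cu:.1f} CU (driven by {driver})")
    print(f"CU fee at $0.04/CU/h: ${cu_fee(SAMPLES, 0.04):.2f}")
```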

### What CU does not cover

* **Data transfer** — Outbound and inbound bytes on each bound EIP are billed through that EIP's own network billing method (e.g., by bandwidth cap or by data transfer). CU charges cover only the gateway's connection-handling work.
* **Elastic IP holding fee** — Each EIP has its own charges; CU does not include them.

### Monitoring CU usage

Use the gateway's **Performance** tab to see the trend lines that drive CU. The two charts used for billing are:

* **Concurrent Connections (counts/min)**
* **CPS (counts/s)**

The **Bandwidth** and **Packet Transmission** charts on the same page are useful for operational monitoring but are **not** used to calculate CU.


