DNAT — Inbound Forwarding
DNAT (Destination NAT) lets external traffic reach a specific private instance without giving that instance a public IP address. You define a mapping — an EIP and port on the gateway's public side, and a private IP and port on the inside — and the gateway rewrites the destination before forwarding each matching packet.
Typical Use Cases
Remote management access. Map a public port (e.g., 2222) to SSH on a private instance (22). Administrators connect to the EIP on the public port, and the gateway forwards the session to the instance. The instance never needs a public IP.
Exposing a single service endpoint. A backend API, internal dashboard, or single-tenant service that needs to be reachable from specific external clients. Rather than assigning an EIP to the instance, you create one DNAT entry that routes that specific port to it.
Reducing public IP usage. A single EIP with multiple DNAT entries can serve multiple private instances — each on a different port. For example, EIP:2221 → instance-A:22 and EIP:2222 → instance-B:22 share one public address while keeping the instances fully separate.
Testing and staging environments. Expose a development server or staging endpoint temporarily without restructuring your network. Create the DNAT entry when needed, delete it when done.
How It Works
When an external client connects to the gateway's EIP on a configured port:
1. The packet arrives at the NAT Gateway and matches a DNAT entry by EIP + port + protocol.
2. The gateway rewrites the destination IP and port to the configured private IP and port.
3. The packet is delivered to the private instance inside the VPC.
4. When the instance replies, the gateway rewrites the source back to the EIP and external port before forwarding the response to the client.
DNAT Entries
Each entry maps one public EIP:port to one private IP:port. The console's NAT Rules tab lists each entry with the following fields:
DNAT entry ID: System-assigned identifier for the entry.
Elastic IPv4 address: The EIP that receives the inbound traffic. One EIP per entry.
Public port: The port on the EIP that external clients connect to (e.g., 2222, or a range like 9000-9009).
Private IP address: The private IP of the destination instance or service.
Private port: The port on the destination instance. Must match the width of the public port range.
Protocol: tcp, udp, or any. When any is selected, public and private ports must be empty.
Multiple entries can reference the same EIP, provided each uses a distinct public-port + protocol combination.
Port Ranges
Public and private ports can be individual ports or equal-width ranges. Each public port maps to the private port at the same offset.
Public port | Private port | Result
8080 | 80 | Port 8080 inbound → instance port 80
2222 | 22 | Port 2222 inbound → instance port 22
9000-9009 | 3000-3009 | Ports 9000-9009 each map to 3000-3009 respectively
Choosing a Protocol
Use tcp or udp for port forwarding. Use any only when you want to forward all protocols without specifying ports.
Avoid any for management ports such as SSH or RDP. Those services use TCP and should be mapped with explicit ports.
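As an added example (not part of this documentation or the gateway's own code), the following Python models the entry constraints from the DNAT Entries, Port Ranges and Choosing a Protocol sections: it validates a rule set the way an operator would before applying it (equal-width ranges, empty ports for any, no reuse of an EIP + public port + protocol) and resolves an inbound EIP:port to the private destination at the same offset. The EIP, the private addresses and the first-match precedence in resolve are assumptions.

```python
from typing import NamedTuple
class DnatEntry(NamedTuple):
    eip: str            # Elastic IPv4 address on the gateway's public side
    public_ports: str   # "2222" or "9000-9009"; "" when protocol is "any"
    private_ip: str     # destination instance inside the VPC
    private_ports: str  # same width as public_ports; "" when protocol is "any"
    protocol: str       # "tcp", "udp" or "any"

def parse_ports(spec):
    """'80' -> (80, 80); '9000-9009' -> (9000, 9009); '' -> None."""
    if not spec:
        return None
    low, high = map(int, spec.split("-")) if "-" in spec else (int(spec),) * 2
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port spec {spec!r}")
    return low, high

def validate(entries):
    problems = []  # first problem found for each entry that the gateway would reject
    for i, e in enumerate(entries):
        pub, priv = parse_ports(e.public_ports), parse_ports(e.private_ports)
        if e.protocol == "any":  # forwards every protocol and port, so ports must be empty
            if pub or priv:
                problems.append(f"{e.eip}: protocol any requires empty ports")
        elif e.protocol not in ("tcp", "udp") or not (pub and priv):
            problems.append(f"{e.eip}: tcp/udp entries need explicit public and private ports")
        elif pub[1] - pub[0] != priv[1] - priv[0]:
            problems.append(f"{e.eip}:{e.public_ports}: private range width differs")
        else:  # the same EIP + protocol may not reuse (overlap) a public port
            for s in entries[:i]:
                rng = parse_ports(s.public_ports) if (s.eip, s.protocol) == (e.eip, e.protocol) else None
                if rng and rng[0] <= pub[1] and pub[0] <= rng[1]:
                    problems.append(f"{e.eip}:{e.public_ports}/{e.protocol} overlaps {s.public_ports}")
    return problems

def resolve(entries, eip, port, protocol):
    """Private (ip, port) the gateway rewrites inbound eip:port/protocol to, or None."""
    for e in entries:  # first match wins (assumption; the page defines no precedence)
        if e.eip == eip and e.protocol == "any":
            return e.private_ip, port  # every protocol forwarded, port unchanged
        if e.eip == eip and e.protocol == protocol:
            lo, hi = parse_ports(e.public_ports)
            if lo <= port <= hi:  # each public port maps to the private port at the same offset
                return e.private_ip, parse_ports(e.private_ports)[0] + (port - lo)
    return None

# Constructed sample rule set from the page's examples; the EIP and private IPs are placeholders.
RULES = [DnatEntry("203.0.113.10", "2221", "10.0.1.10", "22", "tcp"),  # EIP:2221 -> instance-A:22
         DnatEntry("203.0.113.10", "2222", "10.0.1.11", "22", "tcp"),  # EIP:2222 -> instance-B:22
         DnatEntry("203.0.113.10", "9000-9009", "10.0.1.12", "3000-3009", "tcp")]  # same-offset range
```

Running validate over RULES returns an empty list; adding a second tcp entry on public port 2222 for the same EIP reports the overlap, while the same port on udp is accepted because the protocol differs.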