# DNAT — Inbound Forwarding

DNAT (Destination NAT) lets external traffic reach a specific private instance without giving that instance a public IP address. You define a mapping — an EIP and port on the gateway's public side, and a private IP and port on the inside — and the gateway rewrites the destination before forwarding each matching packet.

## Typical Use Cases

**Remote management access.** Map a public port (e.g., `2222`) to SSH on a private instance (`22`). Administrators connect to the EIP on the public port, and the gateway forwards the session to the instance. The instance never needs a public IP.

**Exposing a single service endpoint.** A backend API, internal dashboard, or single-tenant service that needs to be reachable from specific external clients. Rather than assigning an EIP to the instance, you create one DNAT entry that routes that specific port to it.

**Reducing public IP usage.** A single EIP with multiple DNAT entries can serve multiple private instances — each on a different port. For example, `EIP:2221` → `instance-A:22` and `EIP:2222` → `instance-B:22` share one public address while keeping the instances fully separate.

**Testing and staging environments.** Expose a development server or staging endpoint temporarily without restructuring your network. Create the DNAT entry when needed, delete it when done.

## How It Works

When an external client connects to the gateway's EIP on a configured port:

1. The packet arrives at the NAT Gateway. It matches a DNAT entry by `EIP + port + protocol`.
2. The gateway rewrites the destination IP and port to the configured private IP and port.
3. The packet is delivered to the private instance inside the VPC.
4. When the instance replies, the gateway rewrites the source back to the EIP and external port before forwarding the response to the client.

![DNAT Flow](/files/TQqOA25EsHUA8SV53XJF)

## DNAT Entries

Each entry maps one public `EIP:port` to one private `IP:port`. The console's **NAT Rules** tab lists each entry with the following fields:

| Field                    | Description                                                                                       |
| ------------------------ | ------------------------------------------------------------------------------------------------- |
| **DNAT entry ID**        | System-assigned identifier for the entry.                                                         |
| **Elastic IPv4 address** | The EIP that receives the inbound traffic. One EIP per entry.                                     |
| **Public port**          | The port on the EIP that external clients connect to (e.g., `2222`, or a range like `9000-9009`). |
| **Private IP address**   | The private IP of the destination instance or service.                                            |
| **Private port**         | The port on the destination instance. Must match the width of the public port range.              |
| **Protocol**             | `tcp`, `udp`, or `any`. When `any` is selected, public and private ports must be empty.           |

Multiple entries can reference the same EIP, provided each uses a distinct public-port + protocol combination.

## Port Ranges

Public and private ports can be individual ports or equal-width ranges. Each public port maps to the private port at the same offset.

| Public port | Private port | Result                                             |
| ----------- | ------------ | -------------------------------------------------- |
| `8080`      | `80`         | Port 8080 inbound → instance port 80               |
| `2222`      | `22`         | Port 2222 inbound → instance port 22               |
| `9000-9009` | `3000-3009`  | Ports 9000–9009 each map to 3000–3009 respectively |

## Choosing a Protocol

Use `tcp` or `udp` for port forwarding. Use `any` only when you want to forward all protocols without specifying ports.

Avoid `any` for management ports such as SSH or RDP. Those services use TCP and should be mapped with explicit ports.
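The entry rules described above (equal-width ranges, empty ports with `any`, a distinct public-port + protocol combination per EIP) can be checked offline before entries are created. This is an added example, not Zenlayer code; the dict field names, the sample entries and the treatment of overlapping public ranges as duplicates are assumptions.

```python
# Added example (not Zenlayer code); field names and sample entries are constructed.
MGMT_PORTS = {22, 3389}  # SSH and RDP, the management ports named above

def parse_ports(spec):
    """'2222' -> (2222, 2222); '9000-9009' -> (9000, 9009); '' -> None."""
    if not spec:
        return None
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi

def translate(entry, port):
    """Private port a public port maps to (same offset), or None if unmatched."""
    pub, priv = parse_ports(entry["public_port"]), parse_ports(entry["private_port"])
    return priv[0] + port - pub[0] if pub and priv and pub[0] <= port <= pub[1] else None

def lint(entries):
    """Return (entry_index, finding) tuples for rule violations and risky mappings."""
    findings, seen = [], []
    for i, e in enumerate(entries):
        pub, priv = parse_ports(e["public_port"]), parse_ports(e["private_port"])
        if e["protocol"] == "any":
            if pub or priv:
                findings.append((i, "protocol any requires empty ports"))
            findings.append((i, "any forwards all protocols; confirm this is intended"))
        elif pub is None or priv is None:
            findings.append((i, "tcp/udp entry needs both ports"))
        elif pub[1] - pub[0] != priv[1] - priv[0]:
            findings.append((i, "public and private ranges differ in width"))
        elif any(priv[0] <= p <= priv[1] for p in MGMT_PORTS):
            findings.append((i, "management port reachable through the EIP"))
        # Assumption: overlapping public ranges on one EIP + protocol are duplicates.
        for j, eip, proto, rng in seen:
            clash = rng == pub or (rng and pub and pub[0] <= rng[1] and rng[0] <= pub[1])
            if (eip, proto) == (e["eip"], e["protocol"]) and clash:
                findings.append((i, f"conflicts with entry {j}"))
        seen.append((i, e["eip"], e["protocol"], pub))
    return findings

SAMPLE = [  # constructed entries; 203.0.113.10 is a documentation address
    {"eip": "203.0.113.10", "protocol": "tcp", "public_port": "2222", "private_port": "22"},
    {"eip": "203.0.113.10", "protocol": "tcp", "public_port": "9000-9009", "private_port": "3000-3009"},
    {"eip": "203.0.113.10", "protocol": "tcp", "public_port": "9005-9020", "private_port": "80-90"},
    {"eip": "203.0.113.10", "protocol": "any", "public_port": "", "private_port": ""},
]

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The management-port finding is informational: it marks entries whose reachability from the internet should be a deliberate decision.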


