# NAT Gateway Best Practices

The recommendations below are grouped by concern: **capacity & cost**, the **SNAT** (egress) path, and the **DNAT** (ingress) path. A troubleshooting checklist follows.

## Capacity & Cost

CU billing is driven by the **higher** of *peak concurrent connections* and *peak CPS* (new connections per second) in each hour (see [Billing](/welcome/elastic-compute/networking/01-overview-3/02-nat-gateway.md#billing)). The same two metrics also bound real performance, since each EIP has a finite ephemeral-port range to hand out. Optimize for both at once.

* **Size the EIP pool to your peak concurrency.** Each EIP supports a bounded number of concurrent connections. Estimate peak concurrency, divide by the per-EIP limit, and bind that many EIPs (with a buffer). Spreading traffic across EIPs expands the available port range proportionally.
* **Watch CPS, not just concurrency.** Short-lived connection workloads — batch jobs, scrapers, polling, per-request HTTP clients — usually hit the CPS ceiling first. If CPS is consistently the higher-CU dimension, add EIPs, distribute across multiple gateways, or reduce the rate at the source by reusing connections (client-side connection pooling or HTTP keep-alive).
* **Track which dimension drives the bill.** Open the gateway's **Performance** tab and compare the *Concurrent Connections* and *CPS* charts. The dominant one is what you'll pay for and what will tip you into a performance limit.
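
The sizing arithmetic and the "which dimension drives it" check from the three items above, as an added example (not Zenlayer's code or a published tool). The per-EIP ceilings, the headroom factor and the hourly readings are constructed placeholders: substitute the real limits from the product documentation and the numbers from your own **Performance** tab.

```python
import math

# Hypothetical per-EIP ceilings and headroom (placeholders, not values from the page;
# substitute the limits from the NAT Gateway product documentation).
CONN_PER_EIP = 50_000   # concurrent connections one EIP's port range can hold
CPS_PER_EIP = 2_000     # new connections per second one EIP can absorb
HEADROOM = 0.25         # 25 % buffer above the measured peak

# Constructed hourly readings of the kind the Performance tab charts:
# (hour, peak concurrent connections, peak CPS)
SAMPLES = [
    ("08:00", 120_000,   900),
    ("09:00", 140_000, 1_500),
    ("10:00",  60_000, 9_000),   # batch window: CPS spike with modest concurrency
    ("11:00",  30_000, 7_500),
]


def eips_for(conc, cps, headroom=HEADROOM):
    """EIPs needed so neither dimension exceeds its per-EIP ceiling after headroom.

    Returns (eip_count, driver) where driver names the dimension that set the count.
    """
    by_conc = math.ceil(conc * (1 + headroom) / CONN_PER_EIP)
    by_cps = math.ceil(cps * (1 + headroom) / CPS_PER_EIP)
    if by_cps > by_conc:
        return by_cps, "cps"
    return by_conc, "concurrency"


def size_eip_pool(samples):
    """Size the pool to the worst hour and count how often each dimension drove it.

    Returns (eips_to_bind, {"concurrency": hours, "cps": hours}).
    """
    need = 0
    driver_hours = {"concurrency": 0, "cps": 0}
    for _hour, conc, cps in samples:
        n, driver = eips_for(conc, cps)
        need = max(need, n)
        driver_hours[driver] += 1
    return need, driver_hours


if __name__ == "__main__":
    eips, drivers = size_eip_pool(SAMPLES)
    print(f"bind {eips} EIPs; hours driven by: {drivers}")
    if drivers["cps"] >= drivers["concurrency"]:
        print("CPS dominates: try connection reuse / keep-alive before adding EIPs")
```

With the constructed samples the pool is sized by the 10:00 batch window, not by the morning concurrency peak: that is the situation where adding EIPs works, but reusing connections is cheaper. Because the CU bill follows the same "higher of the two" rule, the dimension that dominates here is also the one to watch on the invoice.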

## SNAT

* **Route only the subnets that need egress.** Database tiers, internal queues, and compliance-scoped subnets shouldn't have a default route to the gateway at all. Use the gateway's subnet selection (instead of *all subnets*) and keep SNAT entries scoped to matching CIDRs.
* **Verify routes after every change.** After creating a gateway or changing its subnet association, open [VPC → Route Tables](https://console.zenlayer.com/zec/route-table), filter by type **NAT Gateway**, and confirm each covered subnet has a default route to the gateway *before* shifting live traffic.
* **Avoid overlapping SNAT entries.** Source scopes that overlap are rejected. Prefer one well-scoped entry per source range over multiple narrower entries that interleave.
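
A pre-flight check for the three SNAT practices above, as an added example (not Zenlayer's code, and it does not call the console API; it audits an inventory you export or type in). The subnet list, the "no egress" list and the SNAT entries are constructed; the finding codes are this example's own naming.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (not from the page): what the console would show for one gateway.
ASSOCIATED_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]   # subnets bound to the gateway
NO_EGRESS_SUBNETS = ["10.0.2.0/24"]                   # e.g. database tier: must never default-route to NAT
SNAT_ENTRIES = [
    # (entry name, source CIDR, EIPs bound to the entry)
    ("app",     "10.0.1.0/24",   ["203.0.113.10"]),
    ("app-dup", "10.0.1.128/25", ["203.0.113.10"]),   # interleaves with "app": the console rejects this
    ("orphan",  "10.0.9.0/24",   []),                 # matches no associated subnet and has no EIP
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(entries):
    """Return (name_a, name_b) for every pair of SNAT entries whose source scopes overlap."""
    nets = [(name, _net(cidr)) for name, cidr, _eips in entries]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def snat_preflight(associated, no_egress, entries):
    """Audit a proposed SNAT configuration before applying it.

    Returns a list of findings as tuples: (code, detail...).
    """
    findings = []
    assoc = [_net(c) for c in associated]

    # 1. Subnets that should never have egress must not be associated with the gateway.
    for cidr in no_egress:
        if any(_net(cidr).overlaps(n) for n in assoc):
            findings.append(("NO_EGRESS_SUBNET_ROUTED", cidr))

    # 2. Overlapping source scopes are rejected by the console; catch them first.
    for a, b in find_overlaps(entries):
        findings.append(("OVERLAP", a, b))

    # 3. Each entry must land inside an associated subnet and reference at least one EIP,
    #    otherwise instances in that scope silently lose internet access.
    for name, cidr, eips in entries:
        if not any(_net(cidr).subnet_of(n) for n in assoc):
            findings.append(("SCOPE_NOT_ASSOCIATED", name))
        if not eips:
            findings.append(("NO_EIP", name))
    return findings


if __name__ == "__main__":
    for finding in snat_preflight(ASSOCIATED_SUBNETS, NO_EGRESS_SUBNETS, SNAT_ENTRIES):
        print(*finding)
```

Run it before every subnet or SNAT change; an empty finding list is the signal to go and verify the route table, a non-empty one is a configuration to fix first. Check 1 is the security-relevant one: a database subnet that appears in the association list has a default route to the internet whether or not anyone intended it.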

## DNAT

* **Use non-standard public ports for management access.** Map e.g. `2222 → 22` for SSH, `33890 → 3389` for RDP. Automated scanners focus on default ports; moving the public-facing port cuts unsolicited connection attempts with no instance-side change. This reduces noise, not exposure: anyone who port-scans the EIP still finds the service, so treat it as a complement to the source-IP filter, never a substitute.
* **Pair every DNAT entry with a source-IP filter.** DNAT picks *which port reaches which private IP* but doesn't restrict who can connect. For sensitive endpoints, add a security group rule on the target instance that allows only known source CIDRs. The instance sees traffic after translation, so the rule must reference the internal port (`22`, not `2222`), while the source address is the client's real public IP.
* **Match the protocol explicitly.** Use `tcp` or `udp` for port-mapped entries. Reserve `any` for entries that intentionally forward all protocols to a private IP without a port — don't use it as a "just in case" default for management ports.
* **Delete DNAT entries for decommissioned services.** Unused entries keep accepting inbound connection attempts. Audit the DNAT list periodically and remove anything that's no longer in use or has moved behind a load balancer.
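
The four DNAT practices above as one audit pass over a DNAT table and the security groups of its targets, an added example that is not Zenlayer's code and does not talk to the console. The DNAT entries, the security-group rules and the finding codes are all constructed; the management-port set (`22`, `3389`) is the one this page mentions.

```python
import ipaddress

# Ports whose default numbers scanners hit first; a DNAT entry that exposes one of them
# on the same public port gets flagged.
STANDARD_MGMT_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed DNAT table (not from the page):
# (entry name, protocol, public port, private IP, private port); None = no port (whole-IP forward)
DNAT_ENTRIES = [
    ("ssh-bastion", "tcp", 2222, "10.0.1.10", 22),     # clean: remapped port, filtered SG
    ("rdp-jump",    "tcp", 3389, "10.0.1.20", 3389),   # default port and SG open to the world
    ("legacy-ssh",  "any", 2222, "10.0.1.40", 22),     # 'any' used as a catch-all on a port mapping
    ("old-api",     "tcp", 8443, "10.0.1.99", 8443),   # target instance no longer exists
    ("dns-forward", "any", None, "10.0.1.30", None),   # intentional all-protocol forward
]

# Constructed security-group inbound rules per target: private IP -> [(protocol, port, source CIDR)]
# Instances absent from this map are treated as decommissioned.
SG_RULES = {
    "10.0.1.10": [("tcp", 22, "198.51.100.0/24")],
    "10.0.1.20": [("tcp", 3389, "0.0.0.0/0")],
    "10.0.1.40": [("any", None, "198.51.100.0/24")],
    "10.0.1.30": [("any", None, "0.0.0.0/0")],
}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. no source restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers(rule, proto, port):
    """True if one SG rule admits everything the DNAT entry forwards.

    A DNAT protocol of 'any' forwards every protocol, so only an 'any' rule covers it;
    a port-less rule covers every port. The port compared is the internal one, because
    the instance sees traffic after translation.
    """
    r_proto, r_port, _src = rule
    return r_proto in ("any", proto) and r_port in (None, port)


def dnat_audit(entries, sg_rules):
    """Audit DNAT entries against the practices above; returns [(code, entry name)]."""
    findings = []
    for name, proto, pub_port, private_ip, priv_port in entries:
        # 'any' is for whole-IP forwards, not a default for port mappings.
        if proto == "any" and (pub_port is not None or priv_port is not None):
            findings.append(("ANY_WITH_PORT", name))
        # Management service exposed on its default public port.
        if priv_port in STANDARD_MGMT_PORTS and pub_port == priv_port:
            findings.append(("STANDARD_MGMT_PORT", name))
        # Decommissioned target: the entry still accepts connection attempts.
        rules = sg_rules.get(private_ip)
        if rules is None:
            findings.append(("TARGET_UNKNOWN", name))
            continue
        # Source-IP filter: some rule must cover the forwarded traffic, and for
        # management ports none of the covering rules may be open to the world.
        covering = [r for r in rules if _rule_covers(r, proto, priv_port)]
        if not covering:
            findings.append(("NO_SG_RULE", name))
        elif priv_port in STANDARD_MGMT_PORTS and any(_is_world(r[2]) for r in covering):
            findings.append(("MGMT_OPEN_TO_WORLD", name))
    return findings


if __name__ == "__main__":
    for code, entry in dnat_audit(DNAT_ENTRIES, SG_RULES):
        print(f"{code:20s} {entry}")
```

`NO_SG_RULE` is the "external clients connect, but the backend never receives the traffic" case from the troubleshooting table below: the gateway forwards, the instance drops. `MGMT_OPEN_TO_WORLD` is the one that matters for exposure, and it fires whether or not the public port was remapped.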

***

## Troubleshooting

| Symptom                                                                  | What to check                                                                                                                                                                                                                                  |
| ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Instances can't reach the internet** after creating a SNAT entry       | (1) The instance's subnet is associated with the NAT Gateway. (2) The VPC route table shows a NAT Gateway default route for that subnet. (3) A SNAT entry matches the subnet or CIDR and references at least one usable EIP.                   |
| **SNAT entry creation fails with an overlap error**                      | Another SNAT entry already covers the same source scope. Narrow the new entry or update the existing one — don't create a second overlapping entry.                                                                                            |
| **External clients connect, but the backend never receives the traffic** | (1) DNAT entry's internal IP and port are correct and the service is listening. (2) Target instance security group allows inbound on the internal port from the expected sources. (3) Protocol in the DNAT entry matches what the client uses. |
| **Connections succeed but latency is high or throughput is low**         | Open the **Performance** tab and compare *Concurrent Connections* and *CPS*. If CPS is the higher-CU dimension, add EIPs or split the workload across multiple gateways to relieve per-EIP port pressure.                                      |
| **Gateway stuck in `Error` state**                                       | Check the event log. Most common causes: an EIP referenced by an active entry was released, or a resource conflict at creation time. If recreation doesn't recover it, contact [support](mailto:support@zenlayer.com).                         |
