NAT gateway
Alibaba Cloud NAT Gateway (NAT for short) provides two functions: public network NAT and private network NAT. The public network NAT gateway uses custom SNAT and DNAT rules to give cloud servers both externally facing public network services and outbound access to public networks. The private network NAT gateway (also known as VPC NAT gateway) uses private network address translation to let ECS instances in a VPC communicate with other VPCs and with offline IDCs.

Product advantages

High performance
Single instance provides 10 gigabit throughput and millions of connections to meet the cloud requirements of super large businesses
High reliability
The NAT gateway supports disaster recovery across machine rooms, providing a stable public network gateway service
Low cost
Support shared bandwidth. Multiple VPC ECS share public bandwidth, greatly reducing the cost of public bandwidth
Easy operation and maintenance
Graphical console flexibly defines various NAT rules, and 22+monitoring indicators make operation and maintenance easier

Product Functions

Public address translation: Flexible SNAT/DNAT management, simple and fast construction of VPC public network access and service capabilities.
Source Address Translation (SNAT): Multiple ECSs in the VPC can use the same public network address to access the public network through the SNAT function, so as to avoid security risks caused by ECS being directly exposed to the public network.
Destination address translation (DNAT): The server in the VPC can be accessed by public network users through the designated service port opened by DNAT, and can use the same public network address to open services for multiple servers.
Multiple elastic public network addresses: A single NAT gateway supports the binding of multiple elastic public network IPs to quickly realize the horizontal expansion of public network addresses.
Private network address translation: Flexible SNAT/DNAT management, using the designated address for private network mutual access, effectively solves the problem of private network mutual access address conflicts, and realizes secure and isolated private network mutual access.
Source Address Translation (SNAT): Multiple ECSs in the VPC can use the same private network address to access the docking private network through the SNAT function, mask the actual source address of the ECS, avoid address conflicts, and reduce the risk of direct attacks on the server.
Destination address translation (DNAT): The server in the VPC can be accessed by the docking network through the designated service port opened by DNAT, and the service can be opened using the designated private network address.
Custom translation address: The private network addresses for mutual access can be flexibly managed to meet the business requirements for mutual access of designated addresses.
High performance and high elasticity
Automatic elasticity: The pay per use (CU) instance supports automatic capacity expansion based on user usage, and can be elastically expanded to 15G throughput at most.
Super performance: The exclusive NAT instance can support up to 100 gigabytes of throughput and tens of millions of concurrent connections, effectively responding to massive public network access needs.
Visual management
Multidimensional monitoring indicators: Graphically display traffic indicators in multiple dimensions, and support setting alarms based on each indicator to quickly and timely locate and solve problems.
TOP ECS: Support traffic monitoring display based on ECS dimension, quickly analyze business usage, and accurately find abnormal service traffic servers.

Application scenarios

SNAT security access to the public network
Multi application DNAT service bandwidth sharing
Isolated from services in VPC
Unified public network outlet IP
Cloud compliance supervision of financial industry
Enterprise networking addresses overlap
Scenario description
When cloud services access the Internet, one EIP is usually configured on an ECS instance. When the ECS load surges, one EIP cannot support a huge amount of access. Multiple EIPs are then required to meet the demand, and SNAT is also required for security. In this scenario, the NAT gateway can be used to add multiple EIPs to a SNAT address pool. When an ECS instance initiates an outbound connection, it accesses the Internet through an EIP chosen at random from the SNAT address pool.
Our functional advantages
Maximum number of super SNAT connections
The default number of connections is up to 2 million, and the expansion supports a maximum number of connections of 10 million
Number of super high SNAT new connections
By default, it provides up to 100000 new connections, and supports up to 1 million new connections for expansion to meet the needs of super large businesses
Scenario description
When an enterprise expands, more than one ECS usually provides services to the outside world. For example, for two ECS instances, each ECS deploys an application service and needs to provide services for the Internet. Since the bandwidth requirements of two ECSs are different in different periods of time, it is easy to waste resources if you purchase bandwidth alone. At this time, you can use the NAT gateway and shared bandwidth to share a share of public network bandwidth among multiple applications to save public network costs.
Our functional advantages
Super throughput
5 Gbps throughput is provided by default, and the maximum throughput is 100 Gbps, which can meet various large-scale Internet services
Flexible billing mode
Shared bandwidth supports multiple flexible billing methods, and 95 billing is more economical
Scenario description
When services are gradually expanded, multiple services with VPC should be securely isolated and easy to manage on the public network. At this time, multiple enhanced NAT gateways can be created in the same VPC. Traffic to different destination addresses can be forwarded through different NAT gateways, and different security protections can be provided for different NAT gateways to achieve more refined deployment of public network access.
Our functional advantages
Flexible and fine flow control
Support flow control based on switch/ECS granularity, and provide rich flow monitoring indicators
A single VPC supports multiple NAT gateways
By default, 5 NAT gateways are supported, and work orders can be submitted to apply for more quota
Scenario description
Through the SNAT function, the NAT gateway provides proxy services for ECS without a public IP address in the VPC to access the Internet. If some ECS instances in the VPC have been assigned fixed public IP addresses, these ECS instances will first access the Internet through the fixed public IP addresses, while other ECS instances in the VPC access the Internet through the SNAT function proxy of the NAT gateway, resulting in inconsistent public network outlet IP addresses of ECS instances in the VPC, which is not conducive to unified management of services.
Our functional advantages
Simple and easy to operate
The NAT gateway provides complete unified public network IP operation guidance, and can complete unified public network management in a few simple steps.
Support multiple scenarios
The NAT gateway can unify the public network outlet for ECS instances that have EIPs bound, or for ECS instances that have DNAT IP mapping set.
Scenario description
With the development of business, the financial industry has gradually put its business on the cloud, and interconnected with the regulatory agency IDC through the way of private line access. The VPC NAT private network gateway becomes the entrance and exit of leased line traffic to meet the needs of enterprise compliance supervision. It uses the specified IP address to provide services through conversion rules. At the same time, it has the traceability ability before and after NAT address conversion to meet the needs of regular compliance audit.
Our functional advantages
Two way access
It supports SNAT and DNAT functions, and can be used by VPC networks to actively access offline IDC, or offline IDC to actively access the cloud private network.
Security Compliance
Use the specified new IP identity and IDC peer to peer access to meet the regulatory needs of specific IP address compliance
High reliability
VPC NAT gateway adopts cluster design to avoid single point of link failure and meet the interconnection requirements of high reliability.
Scenario description
After the merger and acquisition of enterprises, multiple branches were connected to the grid, and the address conflicts of cloud network and offline IDC network occurred frequently. It is not only necessary to solve the need for efficient management of IP address conflicts, but also to realize the interconnection between VPC and offline IDC and VPC.
Our functional advantages
Avoid IP address conflicts
Each enterprise allocates a private network address segment to realize interconnection of transit addresses through NAT conversion
Comprehensive conversion rules
Each enterprise network can SNAT to its own private network address segment, or expose its own external services through DNAT
Good compatibility
It supports both VPC network interconnection and interworking on the whole cloud and hybrid cloud network architecture

New Feature Release Dynamics

2016-11-29 New Region/Availability Zone
Financial Cloud Region Online NAT Gateway
2016-11-30 New Features
NAT gateway expansion Xlarge. 1 specification
2017-01-15 New Features
SNAT supports multiple public IP address pools
2017-01-20 New Features
North China 2 region supports static bandwidth
2017-01-20 New Features
DNAT supports forwarding to other cloud products
2017-02-17 New Region/Availability Zone
NAT gateway opens for overseas multi region sales
2017-05-26 New Features
NAT gateway launches billing by traffic (work order application)
2017-08-07 New Features
The NAT gateway connection number monitoring and bandwidth packet cloud monitoring functions are online
2017-11-03 New Features
NAT gateway SNAT rule automatic configuration function
2018-08-30 New version/new specification
NAT gateway (monthly package) goes online in China
2018-08-31 New Features
Alibaba Cloud NAT gateway OpenAPI white list supports users to customize the CIDR segment of the VPC to create SNAT
2018-08-31 New Features
Alibaba Cloud NAT gateway OpenAPI supports SNAT rules of ECS granularity
2018-08-31 New Features
NAT gateway (monthly package) instance support filing
2018-08-31 New Features
NAT gateway binding EIP product form OpenAPI supports SNAT public network address pool function
2018-10-15 Experience optimization
The elastic defense capability of DDoS protection package supports automatic recovery
2018-10-15 New Features
Sales of NAT gateway and EIP combination
2019-01-11 New Features
The NAT gateway console of China Station supports the creation of SNAT rules with ECS granularity
2019-01-24 Price adjustment
NAT bandwidth package Sydney traffic unit price reduced
2019-01-29 Experience optimization
SNAT/DNAT rule list page - create SNAT entries, refresh, customize location adjustment, and add search boxes
2019-06-20 New Features
Alibaba Cloud NAT gateway console supports switch granularity SNAT IP address pool function
2020-05-11 New version/new specification
Alibaba Cloud network products - enhanced nat gateway
2020-09-30 New Features
Gateway traffic monitoring release
2020-09-30 New Features
SNAT and DNAT are released using the same EIP function
2021-07-01 New Features
Support VPC based SNAT rule configuration
2021-07-01 New Features
Support SNAT rule configuration based on custom CIDR
2021-08-18 New version/new specification
VPC NAT gateway product release
2021-10-19 New version/new specification
NAT gateway prepaid resource package publishing
2021-11-17 New Features
DNAT rules support port segments

More products and services

EIP
An elastic public network IP (EIP) can be bound to Alibaba Cloud VPC-type ECS instances, NAT gateways, ENI network cards and private SLB instances, and can be dynamically unbound, decoupling the public IP from the corresponding resources to meet the requirements of flexible management
SLB
SLB load balancing features out of the box, super performance, elastic scalability, security and reliability, pay on demand, cloud native orientation, etc., including 7-tier application oriented load balancing (ALB) and 4-tier traditional load balancing (CLB)
Cloud Enterprise Network CEN
The cloud enterprise network will provide a global network that can quickly build hybrid cloud and distributed business systems, helping users build an enterprise scale and communication capable cloud network
Private Link
Private network connection helps you secure and stable access to services deployed in other VPCs through private networks in Alibaba Cloud VPCs, greatly simplifying network architecture and avoiding public network security risks

Documentation and Tools