Managing SNAT Rules

Last updated: 2024-08-01 14:17:28
    The SNAT rules available on a private NAT gateway depend on the type of instance it is associated with. This document describes the SNAT rules for each type of associated instance and how to create, modify, query, and delete them.

    Prerequisites

    Before creating an SNAT rule, ensure that the route table for the subnet points to the corresponding NAT gateway. For detailed operations, see Configuring a Route to Private NAT Gateway.

    Creating an SNAT Rule

    Direct Connect Gateway

    Private NAT gateways of the Direct Connect type handle address translation between a VPC and a Direct Connect IDC in the same region (for example, both in the Beijing region), enabling mutual access between the VPC and Direct Connect resources. To create an SNAT rule for this type of private NAT gateway, take the following steps.
    1. Log in to the NAT Gateway console and click the private NAT gateway instance for which you want to create an SNAT rule to open its details page.
    2. On the private NAT gateway instance details page, click the SNAT Rules tab > Create, and enter the mapping direction, mapping type, original IP, mapped IP, and remarks to create the SNAT rule. Each field is described below.
    Mapping direction:
    Local: translates the private IP addresses of the VPC.
    Peer: translates the private IP addresses of the network on the opposite end of the VPC. If the peer is an IDC network, the IP addresses of the IDC are translated.
    Mapping type:
    Layer-3: only translates the IP addresses.
    Layer-4: maps IP addresses and ports to random ports within a specified IP pool.
    Original IP: indicates the IP address to be translated. When the mapping direction is set to local, it is the IP address of the VPC; when the mapping direction is set to peer, it is the IP address of the machine within the IDC.
    Mapped IP/Mapped IP pool: configures the translated IP/IP pool. The original IP can provide services through this mapped IP/IP pool.
    3. After an SNAT rule is created, its ACL rules can be edited for local mapping, but not for peer mapping.
    After configuring the SNAT rule, you must bind the NAT gateway on the Direct Connect side. For the end-to-end procedure, see the best practice document Connecting a Local IDC to CVM by Using a VPC NAT Gateway and Direct Connect.
    Note:
    Duplicate SNAT rules are not allowed.
    Layer-4 mapping is not supported in the peer direction.
    Layer-3 rules take priority over Layer-4 rules.
    Among Layer-4 rules with the same ACL, the rule with the higher priority is matched first, and the remaining rules are not matched.
    The ACL rules under each SNAT rule can be shown or hidden and are displayed in pages.

    Cloud Connect Network (CCN)

    Private NAT gateways of the CCN type handle address translation between VPCs in different regions, and between a VPC and a Direct Connect IDC in another region (for example, from Beijing to Shanghai). They are used for cross-region access from VPCs to other public network resources through the CCN.
    Note:
    When a private NAT gateway instance is created, if you select CCN for the associated instance, 2 VPCs will be automatically generated after the instance is created, and are used for route configuration during address translation.
    The 2 VPCs cannot be deleted separately. Their lifecycle is the same as that of the NAT gateway instance. They are respectively named Local VPC and Peer VPC, and both belong to the NAT gateway.
    The CCN type private NAT gateways support FullNAT private network addresses. In multi-network scenarios connected through the CCN, please plan the local and peer networks before configuring the SNAT rules.
    Local network: supports Layer-3 SNAT, Layer-4 SNAPT, and Layer-4 DNAT rules for the private IPs of this network.
    Peer network: only supports Layer-3 SNAT for the private IPs of this network.
    Note:
    If the private IP addresses of both the VPC and the IDC need to be translated, treat the IDC as the peer network and the VPC as the local network, because the IDC side supports only Layer-3 SNAT.
    After planning the local and peer networks, you can take the following steps to create an SNAT rule:
    1. Log in to the NAT Gateway console and click Private NAT Gateway in the left sidebar.
    2. On the private NAT gateway instance list page, click the private NAT gateway instance for which you want to create an SNAT rule to open its details page.
    3. On the private NAT gateway instance details page, click the SNAT Rules tab > Create, enter the mapping direction, mapping type, original IP, mapped IP, and remarks, and then click OK to create the SNAT rule. Each field is described below:
    Mapping direction:
    Local: translates the private IP addresses of the VPC.
    Peer: translates the private IP addresses of the network on the opposite end of the VPC. If the peer is an IDC network, the IP addresses of the IDC are translated.
    Mapping type:
    Layer-3: only translates the IP addresses.
    Layer-4: maps IP addresses and ports to random ports within a specified IP pool.
    Original IP: indicates the IP address of the local subnet within the VPC, which needs to be translated.
    Mapped IP/Mapped IP pool: configures the translated IP/IP Pool. The original IP can provide services through this mapped IP/IP pool.
    4. After an SNAT rule is created, its ACL rules can be edited for local mapping, but not for peer mapping.
    After configuring the SNAT rule, you must also configure the routing policies of the NAT gateway's 2 transit VPCs so that the CCN type NAT gateway instance works correctly. The procedure is as follows:
    1. Configure the routing policies for the 2 transit VPCs for the NAT gateway.
    2. Create 2 custom route tables in the CCN, and respectively bind them to the 2 transit VPCs of the NAT gateway. After association, the routes of the transit VPCs will be published to the custom route tables in the CCN.
    3. Add the border network 1 to the CCN and bind it to the CCN route table 1. Then add the border network 2 to the CCN and bind it to the CCN route table 2.
    After configuration, the data flow is border network 1 > CCN > NAT local transit VPC > NAT peer transit VPC endpoint > CCN > border network 2.

    Virtual Private Cloud (VPC)

    Private NAT gateways of the VPC type handle address translation for a specified subnet within a VPC. They translate the private IPs of that subnet to new IPs for communication with other networks. To create an SNAT rule for this type of private NAT gateway, take the following steps.
    1. Log in to the NAT Gateway console and click the NAT gateway instance for which you want to create an SNAT rule.
    2. On the SNAT Rules tab, click Create and enter the mapping type, original IP, mapped IP, and remarks to create the SNAT rule. Each field is described below.
    Mapping type:
    Layer-3: only translates the IP addresses.
    Layer-4: maps IP addresses and ports to random ports within a specified IP pool.
    Original IP: the original IP to be translated, such as the IP of your local subnet. A specific original IP is required for Layer-3 rules; for Layer-4 rules it is optional and defaults to all IPs of the NAT gateway's local subnet.
    Mapped IP/Mapped IP pool: the translated IP or IP range. For Layer-3 (IP-only) translation, enter an IP address; for Layer-4 (IP and port) translation, enter an IP range or IP address.
    3. After an SNAT rule is created, its ACL rules can be edited.
    Each SNAT rule has an ACL rule under it, which matches all traffic by default. If only certain data flows should match the NAT rule, restrict them in the ACL rule; if all packets should match the NAT rule, no action is needed.
    The ACL rules under each SNAT rule can be shown or hidden and are displayed in pages.
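    The rule-selection behaviour described above (Layer-3 rules take priority over Layer-4, the highest-priority Layer-4 rule under a matching ACL wins, the default ACL matches all traffic, and duplicate rules are rejected) as a small Python model. This is an added example, not Tencent Cloud code; the numeric priority field, the ACL fields, and the random port range are assumptions, and the flows are constructed.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Acl:
    """ACL under a rule: restricts which flows the rule applies to; default matches all."""
    dst_cidr: str = "0.0.0.0/0"
    protocol: Optional[str] = None   # e.g. "tcp"; None = any protocol (assumed field)
    dst_port: Optional[int] = None   # None = any destination port (assumed field)

    def matches(self, flow: dict) -> bool:
        return (ipaddress.ip_address(flow["dst_ip"]) in ipaddress.ip_network(self.dst_cidr)
                and self.protocol in (None, flow["protocol"])
                and self.dst_port in (None, flow["dst_port"]))

@dataclass
class SnatRule:
    layer: int            # 3 = translate IP only; 4 = translate IP and port (SNAPT)
    original: str         # original IP or CIDR to be translated
    mapped: str           # mapped IP (Layer-3) or mapped IP pool as CIDR (Layer-4)
    priority: int = 100   # assumed: lower number = higher priority among Layer-4 rules
    acl: Acl = field(default_factory=Acl)

def add_rule(rules: list, rule: SnatRule) -> None:
    """Add a rule, rejecting a duplicate (same layer, original IP and mapped IP/pool)."""
    key = (rule.layer, rule.original, rule.mapped)
    if any((r.layer, r.original, r.mapped) == key for r in rules):
        raise ValueError(f"duplicate SNAT rule: {key}")
    rules.append(rule)

def translate(rules: list, flow: dict, rng=random) -> Optional[tuple]:
    """Return (rule, mapped_ip, mapped_port) for the rule that handles flow, or None."""
    src = ipaddress.ip_address(flow["src_ip"])
    hits = [r for r in rules if src in ipaddress.ip_network(r.original) and r.acl.matches(flow)]
    layer3 = [r for r in hits if r.layer == 3]
    if layer3:                                   # Layer-3 rules beat Layer-4 rules
        return layer3[0], layer3[0].mapped, flow["src_port"]   # port is left unchanged
    layer4 = sorted((r for r in hits if r.layer == 4), key=lambda r: r.priority)
    if not layer4:
        return None                              # no matching rule: flow is not translated
    rule = layer4[0]                             # highest priority wins; later rules are skipped
    pool = list(ipaddress.ip_network(rule.mapped).hosts())
    return rule, str(rng.choice(pool)), rng.randint(1024, 65535)  # assumed port range
```

Running a few constructed flows through the model shows which rule a given packet would hit before the rule is committed in the console, which is useful when several overlapping rules share a subnet.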

    Modifying an SNAT Rule

    1. Log in to the NAT Gateway console and click the private NAT gateway instance whose SNAT rules you want to edit.
    2. On the private NAT gateway instance details page, click the SNAT Rules tab. On the right side of the SNAT rule entry, click Modify to open the edit dialog box.
    3. Modify the original IP address, mapped IP/IP pool, or description of the SNAT rule, and then click OK.

    Querying SNAT Rules

    1. Log in to the NAT Gateway console and click the private NAT gateway instance whose SNAT rules you want to query.
    2. On the private NAT gateway instance details page, click the SNAT Rules tab > SNAT List. In the search box at the top right, click to select the filter criteria. Filtering by original IP and mapped IP is supported.
    3. Click the search icon to run a quick search.

    Deleting SNAT Rules

    Single Deletion

    1. Log in to the NAT Gateway console and click the private NAT gateway instance whose SNAT rules you want to edit.
    2. On the private NAT gateway instance details page, click the SNAT Rules tab, and then click Delete on the right side of the SNAT rule entry.
    3. Click Confirm to delete the selected SNAT rule.

    Batch Deletion

    1. Log in to the NAT Gateway console and click the private NAT gateway instance whose SNAT rules you want to edit.
    2. On the private NAT gateway instance details page, click the SNAT Rules tab, select multiple SNAT rules, and click Delete at the top.
    3. In the pop-up window, click Delete to delete the selected rules in a batch.