NAT Gateway User Guide Date 2019-03-19

User Guide - docs.otc.t-systems.com

Contents

1 Overview
    1.1 What Is NAT Gateway?
    1.2 Product Specifications
    1.3 Application Scenarios
    1.4 Product Advantages
    1.5 Constraints
    1.6 Basic Concepts
        1.6.1 EIP
        1.6.2 SNAT Connection
2 Getting Started
    2.1 Using SNAT to Access the Internet
        2.1.1 Overview
        2.1.2 Assigning an EIP
        2.1.3 Creating a NAT Gateway
        2.1.4 Adding an SNAT Rule
    2.2 Inter-Cloud High-Speed Internet Access
        2.2.1 Overview
        2.2.2 Creating a Direct Connect Connection
        2.2.3 Assigning an EIP
        2.2.4 Creating a NAT Gateway
        2.2.5 Adding an SNAT Rule
3 Managing NAT Gateways
    3.1 Creating a NAT Gateway
    3.2 Viewing a NAT Gateway
    3.3 Modifying a NAT Gateway
    3.4 Deleting a NAT Gateway
4 Managing SNAT Rules
    4.1 Viewing an SNAT Rule
    4.2 Adding an SNAT Rule
    4.3 Deleting an SNAT Rule
5 FAQs
    5.1 What Are SNAT Connections?
    5.2 Why SNAT Is Used?
    5.3 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?
    5.4 How Does NAT Gateway Offer High Availability?
    5.5 Do the NAT Gateway and SNAT Rule Support the Update Operation?
A Change History
B Glossary

1 Overview

1.1 What Is NAT Gateway?

The NAT Gateway service provides the network address translation (NAT) function for servers, such as Elastic Cloud Servers (ECSs), Bare Metal Servers (BMSs), and Workspace desktops, in a Virtual Private Cloud (VPC) or servers that connect to a VPC through Direct Connect or Virtual Private Network (VPN) in local data centers, allowing these servers to access the Internet using elastic IP addresses (EIPs).

The SNAT function translates private IP addresses to a public IP address by binding EIPs to servers in a VPC, providing secure and efficient access to the Internet.

Figure 1-1 shows the SNAT architecture.

Figure 1-1 SNAT architecture

1.2 Product Specifications

The specification refers to the maximum number of SNAT connections and the number of new connections per second supported by a NAT gateway. The throughput of a NAT gateway is determined by the EIP bandwidth.

When purchasing a NAT gateway, select the proper type based on your requirements. Table 1-1 lists the NAT gateway specifications.

Table 1-1 NAT Gateway type and performance

| Type | Maximum Number of SNAT Connections |
|---|---|
| Small | 10000 |
| Medium | 50000 |
| Large | 200000 |
| Extra-large | 1000000 |

1.3 Application Scenarios

Using SNAT to Access the Internet

If your servers in the VPC issue a large number of public network access requests, you can use the SNAT function to let the servers share one or more EIPs to access the external network without exposing their IP addresses. In a VPC, one subnet corresponds to one SNAT rule, and one SNAT rule is configured with one EIP. NAT Gateway provides different types of NAT gateways. You can create multiple SNAT rules to meet your service requirements.

Figure 1-2 shows how servers in a VPC access the Internet using SNAT.

Figure 1-2 Using SNAT to access the Internet

Inter-Cloud High-Speed Internet Access

If a large number of servers that are in a private cloud or connect to a VPC through a Direct Connect or VPN connection need to securely access the Internet at high speed, SNAT can be used. Similar scenarios include Internet, games, e-commerce, and finance.

Figure 1-3 shows the inter-cloud high-speed Internet access.

Figure 1-3 Inter-cloud high-speed Internet access

1.4 Product Advantages

The NAT Gateway service has the following highlights:

- Flexible deployment
  The NAT Gateway service can be deployed flexibly across subnets and AZs. Any fault in a single AZ does not affect the service continuity of NAT Gateway. The type and public IP address of a NAT gateway can be adjusted at any time.

- Diversified and easy-to-use
  Multiple types of NAT gateways are available. You can use them after simple configuration. NAT Gateway supports easy operation and maintenance (O&M) and quick provisioning. NAT gateways run stably and reliably.

- Cost-effective
  Multiple servers can share an EIP. When your servers send packets from their private IP addresses through NAT Gateway or your applications provide external services, NAT Gateway translates the IP addresses. NAT Gateway frees you from worrying about insufficient IP address resources and helps you reduce costs.

1.5 Constraints

Observe the following constraints when using the NAT Gateway service:

- Multiple rules for one NAT gateway can reuse the same EIP, but the rules for different NAT gateways must use different EIPs.
- Each VPC can have only one NAT gateway.
- Users cannot manually add the default route in a VPC.
- Only one SNAT rule can be added to a subnet in a VPC.
- When both the EIP and NAT Gateway services are configured for a server, data will be forwarded through the EIP.
- The user-defined CIDR block must be a subset of the VPC subnet CIDR blocks.
- The user-defined CIDR block must be a CIDR block of Direct Connect and cannot conflict with the VPC's existing subnet CIDR blocks.
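The constraints above can be checked against a planned layout before any rule is created in the console. The following Python sketch is an added example, not part of the original guide and not a call to any service API; the data model (`SnatRule`, `validate`) and every name and address in the sample plan are constructed, and "subset of the VPC subnet CIDR blocks" is read here as "contained in one of the VPC's subnets".

```python
"""Pre-flight check of a planned SNAT layout against the constraints in section 1.5.
All structures and names are hypothetical; nothing here talks to a cloud API."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class SnatRule:
    gateway: str                   # NAT gateway the rule belongs to
    scenario: str                  # "VPC" or "Direct Connect" (the Scenario parameter)
    eip: str                       # EIP the rule translates to
    subnet: Optional[str] = None   # VPC subnet CIDR when Type is Subnet
    cidr: Optional[str] = None     # user-defined CIDR (Type Custom, or Direct Connect)


def validate(gateways, vpc_subnets, rules):
    """gateways: {gateway name: VPC name}; vpc_subnets: {VPC name: [subnet CIDRs]}.
    Returns a list of constraint violations; an empty list means the plan passes."""
    problems = []

    # Each VPC can have only one NAT gateway.
    by_vpc = {}
    for gw, vpc in gateways.items():
        by_vpc.setdefault(vpc, []).append(gw)
    for vpc, gws in by_vpc.items():
        if len(gws) > 1:
            problems.append(f"VPC {vpc} has more than one NAT gateway: {sorted(gws)}")

    # Rules of one gateway may reuse an EIP; rules of different gateways may not.
    eip_owner = {}
    for r in rules:
        owner = eip_owner.setdefault(r.eip, r.gateway)
        if owner != r.gateway:
            problems.append(f"EIP {r.eip} is used by gateways {owner} and {r.gateway}")

    seen_subnets = set()
    for r in rules:
        vpc = gateways[r.gateway]
        subnets = [ip_network(s) for s in vpc_subnets[vpc]]
        if r.scenario == "VPC" and r.subnet is not None:
            # Only one SNAT rule can be added to a subnet in a VPC.
            key = (vpc, ip_network(r.subnet))
            if key in seen_subnets:
                problems.append(f"subnet {r.subnet} already has an SNAT rule")
            seen_subnets.add(key)
        elif r.scenario == "VPC":
            # Custom type: the block must sit inside a VPC subnet (assumed reading).
            block = ip_network(r.cidr)
            if not any(block.subnet_of(s) for s in subnets):
                problems.append(f"custom CIDR {r.cidr} is not inside any VPC subnet")
        else:
            # Direct Connect: the block must not conflict with existing VPC subnets.
            block = ip_network(r.cidr)
            if any(block.overlaps(s) for s in subnets):
                problems.append(f"Direct Connect CIDR {r.cidr} conflicts with a VPC subnet")
    return problems


# Constructed sample plan (documentation address ranges, made-up names).
GATEWAYS = {"nat-a": "vpc-1", "nat-b": "vpc-1", "nat-c": "vpc-2"}
VPC_SUBNETS = {"vpc-1": ["192.168.0.0/24", "192.168.1.0/24"], "vpc-2": ["10.0.0.0/24"]}
RULES = [
    SnatRule("nat-a", "VPC", "203.0.113.10", subnet="192.168.0.0/24"),
    SnatRule("nat-a", "VPC", "203.0.113.10", subnet="192.168.0.0/24"),   # second rule, same subnet
    SnatRule("nat-a", "VPC", "203.0.113.10", cidr="192.168.1.128/25"),   # valid custom block
    SnatRule("nat-a", "VPC", "203.0.113.10", cidr="192.168.2.0/25"),     # outside every subnet
    SnatRule("nat-c", "VPC", "203.0.113.10", subnet="10.0.0.0/24"),      # EIP of another gateway
    SnatRule("nat-c", "Direct Connect", "203.0.113.20", cidr="10.0.0.0/16"),    # overlaps VPC subnet
    SnatRule("nat-c", "Direct Connect", "203.0.113.20", cidr="172.16.0.0/16"),  # valid
]

if __name__ == "__main__":
    for line in validate(GATEWAYS, VPC_SUBNETS, RULES):
        print("VIOLATION:", line)
```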

1.6 Basic Concepts

1.6.1 EIP

An EIP is an IP address that can be directly accessed over the Internet. A private IP address is an IP address on a local area network (LAN) in the public cloud system and cannot be routed through the Internet.

An EIP is a static, public IP address. You can bind an EIP to an ECS in your subnet to enable the ECS in your VPC to communicate with the Internet through a fixed public IP address. Each EIP can be used by only one ECS at a time.

1.6.2 SNAT Connection

An SNAT connection consists of the source IP address, source port, destination IP address, destination port, and transport-layer protocol. The source IP address and source port are the EIP and port translated by SNAT to access the destination IP address and port of a public network. With these five elements, a connection can be distinguished as a unique session.
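The five-element definition above, combined with the per-type limits in Table 1-1, can be modelled as a small connection table. This is an added example, not the service's implementation: the class `SnatTable`, the sequential port allocation starting at 1024, and all sample addresses are assumptions made for illustration.

```python
"""Toy model of SNAT connection tracking (section 1.6.2) against the Table 1-1 limits.
The port-allocation strategy is an assumption, not the NAT Gateway service's own."""

# Maximum number of SNAT connections per gateway type, from Table 1-1.
MAX_SNAT_CONNECTIONS = {
    "Small": 10000,
    "Medium": 50000,
    "Large": 200000,
    "Extra-large": 1000000,
}


class SnatTable:
    def __init__(self, eip, gateway_type):
        self.eip = eip
        self.limit = MAX_SNAT_CONNECTIONS[gateway_type]
        self.by_inside = {}   # inside flow (private 5-tuple) -> SNAT connection
        self.in_use = set()   # SNAT connections currently allocated

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto):
        """Return the SNAT connection (EIP, translated port, dst IP, dst port, proto)
        for an inside flow, or None when the gateway type's limit is reached."""
        inside = (src_ip, src_port, dst_ip, dst_port, proto)
        if inside in self.by_inside:
            # Packets of an existing session reuse its mapping.
            return self.by_inside[inside]
        if len(self.in_use) >= self.limit:
            return None
        # Pick the first source port that keeps the translated 5-tuple unique.
        for port in range(1024, 65536):
            conn = (self.eip, port, dst_ip, dst_port, proto)
            if conn not in self.in_use:
                self.in_use.add(conn)
                self.by_inside[inside] = conn
                return conn
        return None  # every source port toward this destination is taken

    def release(self, src_ip, src_port, dst_ip, dst_port, proto):
        """Drop the mapping of a finished session and free its SNAT connection."""
        conn = self.by_inside.pop((src_ip, src_port, dst_ip, dst_port, proto), None)
        if conn:
            self.in_use.discard(conn)


def smallest_type(concurrent_connections):
    """Smallest gateway type in Table 1-1 that can hold the given number of
    concurrent SNAT connections, or None if even Extra-large is too small."""
    for name, limit in MAX_SNAT_CONNECTIONS.items():
        if concurrent_connections <= limit:
            return name
    return None


def demo():
    """Two private hosts using the same source port toward one destination
    must end up as two distinct SNAT connections on the shared EIP."""
    table = SnatTable("203.0.113.10", "Small")          # constructed EIP
    first = table.translate("192.168.0.10", 40000, "198.51.100.7", 443, "tcp")
    second = table.translate("192.168.0.11", 40000, "198.51.100.7", 443, "tcp")
    # A different destination is already a different 5-tuple, so the port can repeat.
    third = table.translate("192.168.0.10", 40001, "198.51.100.8", 443, "tcp")
    return first, second, third


if __name__ == "__main__":
    for conn in demo():
        print(conn)
    print("type needed for 10001 concurrent connections:", smallest_type(10001))
```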

2 Getting Started

2.1 Using SNAT to Access the Internet

2.1.1 Overview

If your servers (ECSs, BMSs, and desktops) without EIPs assigned need to access the Internet, the servers can share one or more EIPs to access the Internet through a NAT gateway without exposing their IP addresses. Figure 2-1 shows how to enable ECSs without EIPs assigned to access the Internet.

Figure 2-1 Flowchart

2.1.2 Assigning an EIP

Scenarios

Assign an EIP and enable your servers in a VPC to access the Internet through a NAT gateway by sharing the EIP.

Procedure

For details, see the Virtual Private Cloud User Guide. After you assign an EIP, you do not need to bind it to a server.

2.1.3 Creating a NAT Gateway

Scenarios

This section guides you on how to create a NAT gateway to enable your servers to access the Internet or to provide services for external networks.

Prerequisites

- When creating a NAT gateway, you must specify its VPC, subnet, and type.
- Ensure that the VPC does not have a default route.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click Create NAT Gateway.

Figure 2-2 Create NAT Gateway

5. Set the parameters as prompted. For details, see Table 2-1.

Table 2-1 Parameter description

| Parameter | Description |
|---|---|
| Region | Specifies the region where the NAT gateway is located. |
| Name | Specifies the name of the NAT gateway. The value is a string of 1 to 64 characters consisting of digits, letters, underscores (_), and hyphens (-). |
| VPC | Specifies the VPC to which the NAT gateway belongs. You can select the VPC which is not used by other NAT gateways and has no default route. |
| Subnet | Specifies the VPC subnet to which the NAT gateway belongs. The subnet has at least one available IP address. |
| Type | Specifies the type of the NAT gateway. The value can be Small, Medium, Large, or Extra-large. You can click Learn more on the page to view details about each type. |
| Description | Provides supplementary information about the NAT gateway. The maximum number of characters is 255. |

6. Click Create Now. The page for you to confirm the NAT gateway specifications is displayed.

7. If you do not need to modify the information, click Submit.

   It takes 1 to 5 minutes to create a NAT gateway.

8. On the NAT Gateway homepage, check the NAT gateway status.

   If the status is Running, the NAT gateway is created successfully.

2.1.4 Adding an SNAT Rule

Scenarios

After the NAT gateway is created, you need to add SNAT rules. With an SNAT rule, your servers in a specified subnet can access the Internet by sharing the same EIP.

An SNAT rule is configured for one subnet or CIDR block. If there are multiple subnets or CIDR blocks in a VPC, you can create several SNAT rules to make multiple servers share more EIPs.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the NAT gateway for which you want to add the SNAT rule.

5. On the SNAT Rules tab, click Add SNAT Rule.

Figure 2-3 Add SNAT Rule

6. Set the parameters as prompted. Table 2-2 describes the parameters.

Table 2-2 Parameter description

| Parameter | Condition | Description |
|---|---|---|
| Scenario | N/A | Select VPC when your servers use the SNAT rule to access the Internet. This scenario involves servers in a VPC. |
| Type | Set this parameter only when you select VPC for Scenario. | Specifies the method used by servers to access the public network. Select Subnet when all servers in a subnet in a VPC need to access the Internet through the SNAT rule. Select Custom when specified servers in a subnet in a VPC need to access the Internet through the SNAT rule. |
| Subnet | Set this parameter when you select VPC for Scenario, and Subnet for Type. | Specifies the subnet in which servers can access the Internet through the SNAT rule. |
| CIDR Block | Set this parameter when you select VPC for Scenario, and Custom for Type. | Specifies a VPC subnet CIDR block. Servers whose IP addresses are in this CIDR block can access the Internet through the SNAT rule. |
| EIP | Set this parameter when you select VPC for Scenario. | Specifies the public IP address used for accessing the Internet. Only EIPs that have not been bound to servers or other NAT gateways are available for selection. |

7. Click OK.

   You can add multiple SNAT rules for a NAT gateway to suit your service requirements.

2.2 Inter-Cloud High-Speed Internet Access

2.2.1 Overview

If servers in your data center need to access the Internet or to provide external services, NAT Gateway provides you with high-quality network services. You can buy NAT gateways and configure SNAT rules to obtain the required services. Figure 2-4 shows how users in a local data center access the Internet.

Figure 2-4 Users in a local data center accessing the Internet

2.2.2 Creating a Direct Connect Connection

Scenarios

You need to create a Direct Connect connection for connecting a VPC to your data center before enabling your servers in the data center to access the Internet or to provide external services through NAT gateways.

Procedure

For details on how to enable Direct Connect, see Enabling Direct Connect in the Direct Connect User Guide. If you enable Direct Connect in self-service mode, you are advised to set VPC CIDR to 0.0.0.0/0.

2.2.3 Assigning an EIP

Scenarios

Assign an EIP and enable your servers that are connected to a VPC using direct connections or VPNs to access the Internet or to provide external services through a NAT gateway.

Procedure

For details, see the Virtual Private Cloud User Guide. After you assign an EIP, you do not need to bind it to a server.

2.2.4 Creating a NAT Gateway

Scenarios

This section guides you on how to create a NAT gateway to enable your servers to access the Internet or to provide services for external networks.

Prerequisites

- When creating a NAT gateway, you must specify its VPC, subnet, and type.
- Ensure that the VPC does not have a default route.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click Create NAT Gateway.

Figure 2-5 Create NAT Gateway

5. Set the parameters as prompted. For details, see Table 2-3.

Table 2-3 Parameter description

| Parameter | Description |
|---|---|
| Region | Specifies the region where the NAT gateway is located. |
| Name | Specifies the name of the NAT gateway. The value is a string of 1 to 64 characters consisting of digits, letters, underscores (_), and hyphens (-). |
| VPC | Specifies the VPC to which the NAT gateway belongs. You can select the VPC which is not used by other NAT gateways and has no default route. |
| Subnet | Specifies the VPC subnet to which the NAT gateway belongs. The subnet has at least one available IP address. |
| Type | Specifies the type of the NAT gateway. The value can be Small, Medium, Large, or Extra-large. You can click Learn more on the page to view details about each type. |
| Description | Provides supplementary information about the NAT gateway. The maximum number of characters is 255. |

6. Click Create Now. The page for you to confirm the NAT gateway specifications is displayed.

7. If you do not need to modify the information, click Submit.

   It takes 1 to 5 minutes to create a NAT gateway.

8. On the NAT Gateway homepage, check the NAT gateway status.

   If the status is Running, the NAT gateway is created successfully.

2.2.5 Adding an SNAT Rule

Scenarios

After a NAT gateway is created, you can add SNAT rules for it. With SNAT rules, servers that are connected to a VPC through a direct connection can access the Internet by sharing an EIP.

An SNAT rule is configured for one CIDR block. If there are multiple CIDR blocks in Direct Connect, you can create several SNAT rules to make multiple servers share more EIPs.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the NAT gateway for which you want to add the SNAT rule.

5. On the SNAT Rules tab, click Add SNAT Rule.

Figure 2-6 Add SNAT Rule

6. Specify the parameters as prompted. For details, see Table 2-4.

Table 2-4 Parameter description

| Parameter | Description |
|---|---|
| Scenario | Select Direct Connect when servers in your data center need to access the Internet. The servers in your data center that are connected to a VPC through Direct Connect or VPN can provide services for the Internet through the SNAT rule. |
| CIDR Block | Specifies a CIDR block. Local servers whose IP addresses are in this CIDR block can access the Internet through the SNAT rule. |
| EIP | Specifies the public IP address used for accessing the Internet. Only EIPs that have not been bound to servers or other NAT gateways are available for selection. |

7. Click OK.

   You can add multiple SNAT rules for a NAT gateway to suit your service requirements.

3 Managing NAT Gateways

3.1 Creating a NAT Gateway

Scenarios

This section guides you on how to create a NAT gateway to enable your servers to access the Internet or to provide services for external networks.

Prerequisites

- When creating a NAT gateway, you must specify its VPC, subnet, and type.
- Ensure that the VPC does not have a default route.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click Create NAT Gateway.

Figure 3-1 Create NAT Gateway

5. Set the parameters as prompted. For details, see Table 3-1.

Table 3-1 Parameter description

| Parameter | Description |
|---|---|
| Region | Specifies the region where the NAT gateway is located. |
| Name | Specifies the name of the NAT gateway. The value is a string of 1 to 64 characters consisting of digits, letters, underscores (_), and hyphens (-). |
| VPC | Specifies the VPC to which the NAT gateway belongs. You can select the VPC which is not used by other NAT gateways and has no default route. |
| Subnet | Specifies the VPC subnet to which the NAT gateway belongs. The subnet has at least one available IP address. |
| Type | Specifies the type of the NAT gateway. The value can be Small, Medium, Large, or Extra-large. You can click Learn more on the page to view details about each type. |
| Description | Provides supplementary information about the NAT gateway. The maximum number of characters is 255. |

6. Click Create Now. The page for you to confirm the NAT gateway specifications is displayed.

7. If you do not need to modify the information, click Submit.

   It takes 1 to 5 minutes to create a NAT gateway.

8. On the NAT Gateway homepage, check the NAT gateway status.

   If the status is Running, the NAT gateway is created successfully.

3.2 Viewing a NAT Gateway

Scenarios

After a NAT gateway is created, you can view details about the NAT gateway.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the target NAT gateway.

5. View the NAT gateway details on the displayed page.

3.3 Modifying a NAT Gateway

Scenarios

This section guides you on how to modify the name, type, or description of a NAT gateway.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, locate the target NAT gateway and click Modify in the Operation column.

5. Modify the name, type, or description of the NAT gateway as prompted.

Figure 3-2 Modify NAT Gateway

6. Click OK.

3.4 Deleting a NAT Gateway

Scenarios

You can delete NAT gateways to release resources or save costs.

Prerequisites

All SNAT rules on the NAT gateway have been deleted.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, locate the target NAT gateway and click Delete in the Operation column.

5. In the displayed dialog box, click Yes.

4 Managing SNAT Rules

4.1 Viewing an SNAT Rule

Scenarios

After you add an SNAT rule to a NAT gateway, you can view the details about the SNAT rule.

Prerequisites

An SNAT rule has been added.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the target NAT gateway.

5. In the SNAT rule list, view the details about the SNAT rule.

4.2 Adding an SNAT Rule

Scenarios

After the NAT gateway is created, you need to add SNAT rules. With the SNAT rule, servers in the subnet in a VPC or servers that are connected to a VPC through Direct Connect or VPN can access the Internet by sharing an EIP.

An SNAT rule is configured for one subnet. If there are multiple subnets in a VPC, you can create several SNAT rules to share one or more EIPs.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. Click in the upper left to select a region and a project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the NAT gateway for which you want to add the SNAT rule.

5. On the SNAT Rules tab, click Add SNAT Rule.

6. Specify the parameters as prompted. For details, see Table 4-1.

Table 4-1 Parameter description

| Parameter | Condition | Description |
|---|---|---|
| Scenario | N/A | Specifies the scenarios in which the SNAT rule is used. Select VPC when your servers in a VPC need to access the Internet. Select Direct Connect when the servers that are connected to a VPC through Direct Connect or VPN in your data center need to access the Internet. |
| Type | Set this parameter only when you select VPC for Scenario. | Specifies the method used by servers to access the public network. Select Subnet when all servers in a subnet in a VPC need to access the Internet through the SNAT rule. Select Custom when specified servers in a subnet in a VPC need to access the Internet through the SNAT rule. |
| Subnet | Set this parameter when you select VPC for Scenario, and Subnet for Type. | Specifies the subnet in which servers can access the Internet through the SNAT rule. |
| EIP | Set this parameter when you select VPC for Scenario. Set this parameter when you select Direct Connect for Scenario. | Specifies the public IP address used for accessing the Internet. Only EIPs that have not been bound to servers or other NAT gateways are available for selection. |
| CIDR Block | Set this parameter when you select VPC for Scenario, and Custom for Type. Set this parameter when you select Direct Connect for Scenario. | In the VPC scenario, specify a VPC subnet CIDR block to enable the servers whose IP addresses are in that CIDR block to access the Internet through the SNAT rule. In the Direct Connect scenario, specify a CIDR block of your data center to enable your servers to access the Internet through the SNAT rule. |

7. Click OK.

You can add multiple SNAT rules for a NAT gateway to suit your service requirements.

4.3 Deleting an SNAT Rule

Scenarios

Delete the SNAT rules that you no longer need.

Prerequisites

An SNAT rule has been added for the NAT gateway.

Procedure

1. Log in to the management console.

2. Click in the upper left corner and select the desired region and project.

3. Under Network, click NAT Gateway.

4. On the displayed page, click the name of the target NAT gateway.

5. In the SNAT rule list, locate the target SNAT rule and click Delete in the Operation column.

6. In the displayed dialog box, click Yes.

5 FAQs

5.1 What Are SNAT Connections?

An SNAT connection consists of the source IP address, source port, destination IP address, destination port, and transport-layer protocol. These five elements identify a connection as a unique session. The source IP address and source port are the EIP and the port translated by SNAT to access the destination IP address and port on a public network.

SNAT supports three protocols: TCP, UDP, and ICMP. NAT Gateway supports a maximum of 55000 concurrent connections for each destination IP address and port. If any of the destination IP address, port number, and protocol (TCP/UDP/ICMP) changes, you can create another 55000 connections. The number of connections you query on an ECS may be different from the actual number of SNAT connections. (You can run the netstat command to query the number of connections.) Assume that an ECS creates 100 connections to a fixed destination every second. 55000 ports will be used up in about 10 minutes without considering the dropped idle connections. As a result, new connections cannot be created.

If no data packet passes through an SNAT connection for a long time, the connection times out.
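The per-destination limit described in section 5.1 can be monitored by aggregating netstat output from every ECS that shares the EIP. The following is an added example, not part of the original guide or of the NAT Gateway product; the host names, the VPC range 192.168.0.0/16, the 80% warning threshold, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

SNAT_LIMIT = 55000  # concurrent connections per destination IP, port and protocol (from the guide)
VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")  # assumed VPC range; traffic inside it bypasses SNAT

# Constructed netstat-style lines from two ECSs that share one EIP.
SAMPLE = {
    "ecs-a": """\
tcp   0   0 192.168.1.10:40001   203.0.113.5:443    ESTABLISHED
tcp   0   0 192.168.1.10:40002   203.0.113.5:443    ESTABLISHED
tcp   0   0 192.168.1.10:40003   192.168.2.20:3306  ESTABLISHED
tcp   0   0 0.0.0.0:22           0.0.0.0:*          LISTEN
""",
    "ecs-b": """\
tcp   0   0 192.168.1.11:51000   203.0.113.5:443    ESTABLISHED
udp   0   0 192.168.1.11:53211   203.0.113.9:53     ESTABLISHED
""",
}

def destinations(netstat_text):
    """Yield (protocol, dst_ip, dst_port) for each socket that leaves the VPC."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # headers, blank lines, IPv6 and UNIX sockets
        ip, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue  # listening sockets show "*" as the remote port
        if ipaddress.ip_address(ip) in VPC_CIDR:
            continue  # stays inside the VPC, never reaches the NAT gateway
        yield fields[0], ip, int(port)

def snat_usage(per_host):
    """Sum connections per destination tuple across all hosts behind the EIP."""
    usage = Counter()
    for text in per_host.values():
        usage.update(destinations(text))
    return usage

def near_limit(usage, threshold=0.8, limit=SNAT_LIMIT):
    """Return the destination tuples at or above threshold * limit."""
    return {dest: n for dest, n in usage.items() if n >= threshold * limit}

def seconds_to_exhaustion(rate_per_s, limit=SNAT_LIMIT):
    """Time until the limit is hit if no connection is ever released."""
    return limit / rate_per_s

if __name__ == "__main__":
    for dest, count in snat_usage(SAMPLE).most_common():
        print(dest, count)
    print("100 conn/s exhausts one destination in", seconds_to_exhaustion(100), "s")
```

Host-side counts only approximate the gateway's view, as section 5.1 notes, so treat the result as an early warning rather than an exact measurement.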

5.2 Why SNAT Is Used?

Besides requiring services provided by the system, some ECSs also need to access the Internet to obtain information or download software. However, assigning a public IP address to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface for a virtual environment. Therefore, enabling multiple ECSs to share one public IP address is a preferable and more feasible method. This can be done using SNAT.

5.3 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?

A VPC is a secure, isolated, logical network environment.

The NAT gateway enables ECSs in the VPC to access the Internet.

EIP is a service that provides valid static IP addresses on the Internet. The throughput of a VPC is determined by the EIP bandwidth.

An ECS is a running instance in the VPC and uses the NAT gateway to access the Internet.

5.4 How Does NAT Gateway Offer High Availability?

NAT Gateway supports automatic disaster recovery through hot standby, thereby reducing risks and improving availability.

5.5 Do the NAT Gateway and SNAT Rule Support the Update Operation?

NAT gateways can be updated. SNAT rules cannot be updated.

A Change History

| Released On | Description |
|---|---|
| 2019-03-19 | This release incorporates the following changes: Accepted in OTC-4.0/Agile. |
| 2019-03-18 | This release incorporates the following changes: Deleted redundant content from sections 1.2 Product Specifications, 5.1 What Are SNAT Connections?, and 5.4 How Does NAT Gateway Offer High Availability?. |
| 2019-03-13 | This release incorporates the following changes: Optimized the flowchart in section 2.2.1 Overview. Updated 2.2.2 Creating a Direct Connect Connection. |
| 2019-01-31 | This release incorporates the following changes: Updated 2.1.4 Adding an SNAT Rule. Updated 2.2.5 Adding an SNAT Rule. Updated 4.2 Adding an SNAT Rule. Updated 4.3 Deleting an SNAT Rule. |
| 2019-01-15 | This release incorporates the following changes: Added 2.2 Inter-Cloud High-Speed Internet Access. Supported custom CIDR block for SNAT rules. |
| 2018-02-16 | Accepted in OTC 3.0. |
| 2018-02-08 | This release incorporates the following changes: Added operation scenarios and prerequisites in chapter 2 Getting Started. |
| 2018-02-04 | This release incorporates the following changes: Added titles to the figures. Added operation scenarios and prerequisites in section 3.3 Modifying a NAT Gateway. |
| 2018-01-23 | This release incorporates the following changes: Added the NAT Gateway architecture diagram in section 1.1 What Is NAT Gateway?. Modified the description of NAT Gateway deployment advantages in section 1.4 Product Advantages. Updated the operation flowchart. Added restrictions on the naming rules and description for creating a NAT gateway in section 2.1.3 Creating a NAT Gateway. Added section 3.3 Modifying a NAT Gateway. |
| 2018-01-15 | This issue is the first official release. |

B Glossary

For details about the terms involved in this document, see Glossary.