          NAT Gateway

The Baidu AI Cloud NAT gateway lets BCC, DCC and BBC instances in a private subnet of a VPC reach the Internet or other Baidu AI Cloud services without holding public IPs of their own.

The NAT gateway provides two functions, SNAT and DNAT:

• SNAT: source network address translation rewrites the source address of outbound packets, so that cloud servers in the VPC that have no public IP can reach the Internet through the gateway's public IPs. Because inbound connections to private addresses are only possible through explicit DNAT entries, SNAT also works as a simple firewall that keeps the private network from being exposed directly to the public network. It is not a replacement for security groups or network ACLs, which still decide which traffic an instance may send or receive.
• DNAT: destination network address translation maps a public IP bound to the NAT gateway to a BCC instance, so that the instance can serve Internet clients. DNAT supports two kinds of mapping. An IP mapping covers all ports and is equivalent to binding an EIP to the target instance: every request to the public IP, on any port, is forwarded to that instance. A port mapping covers one port: the gateway forwards requests that reach the public IP with the specified protocol and port to the specified port on the target instance.

NAT gateways come in three sizes. Several public IPs can be bound to one gateway, but only when they come from a shared bandwidth package:

• Small: up to 5 public IPs, about 10,000 concurrent connections, 1 Gbps forwarding capacity.
• Medium: up to 10 public IPs, about 50,000 concurrent connections, 2 Gbps forwarding capacity.
• Large: up to 15 public IPs, about 200,000 concurrent connections, 5 Gbps forwarding capacity.

Applicable scenarios:

• Single EIP: cloud servers reach the Internet through the NAT gateway, which translates their private IPs to one public IP.
• Shared bandwidth: combined with a shared bandwidth package, the NAT gateway translates private IPs to several public IPs.

Before configuring, you need to know:

• A subnet that reaches the Internet through the NAT gateway originally had to be a NAT-exclusive subnet; general-purpose subnets now support the NAT gateway, and NAT-exclusive subnets can no longer be created (see the note under route table configuration below).
• Each VPC supports at most 3 NAT gateways.
• SNAT or DNAT can be bound either to one ordinary EIP or to several IPs from a shared bandwidth package; mixing an ordinary EIP with shared-bandwidth IPs is not supported.
• The total number of public IPs used by SNAT and DNAT cannot exceed the number of IPs the gateway size allows.
• SNAT and DNAT can draw on the same shared bandwidth package, but their public IPs must not overlap: one public IP cannot be used for SNAT and DNAT at the same time.
• Up to 40 entries can be added to one SNAT table.
• Up to 64 public IPs can be associated with one SNAT entry.
• Up to 100 port forwarding entries can be added to one DNAT table.
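The limits above are easy to violate when entries are assembled by hand or generated from a template, and the console only reports them one at a time. The following is an added example, not Baidu AI Cloud code and not the console's own validation: a local pre-flight check that applies the size limits, entry caps, port ranges, the "no public IP in both SNAT and DNAT" rule and the "IP mapping consumes all ports" rule to a configuration before it is submitted. The entry field names, the gateway size labels and the 203.0.113.0/24 sample addresses are assumptions chosen for this example.

```python
# Added example (not Baidu AI Cloud code): pre-flight validation of a NAT
# gateway configuration against the limits listed on this page. Field names
# and size labels are assumptions of this example.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Limits stated on this page: public IPs per gateway size and entry caps.
MAX_PUBLIC_IPS = {"small": 5, "medium": 10, "large": 15}
MAX_SNAT_ENTRIES = 40
MAX_IPS_PER_SNAT_ENTRY = 64
MAX_DNAT_ENTRIES = 100
PROTOCOLS = {"all", "tcp", "udp"}

@dataclass
class SnatEntry:
    name: str
    source_cidr: str        # instances in this segment egress via public_ips
    public_ips: List[str]

@dataclass
class DnatEntry:
    name: str
    public_ip: str
    private_ip: str
    protocol: str = "all"
    source_port: Optional[int] = None   # both ports None = IP mapping (all ports)
    target_port: Optional[int] = None

@dataclass
class NatConfig:
    size: str
    nat_subnet_cidr: str    # subnet whose 0.0.0.0/0 route points at the gateway
    snat: List[SnatEntry] = field(default_factory=list)
    dnat: List[DnatEntry] = field(default_factory=list)

def _valid_port(p: Optional[int]) -> bool:
    return isinstance(p, int) and 1 <= p <= 65535

def _port_taken(keys: Set[Tuple[str, str, int]], ip: str, proto: str, port: int) -> bool:
    # A port mapping clashes with another on the same IP and port when the
    # protocols are equal or either one is "all".
    return any(k[0] == ip and k[2] == port and (k[1] == proto or "all" in (k[1], proto))
               for k in keys)

def validate(cfg: NatConfig) -> List[str]:
    """Return human-readable problems with the configuration; empty means OK."""
    errors: List[str] = []
    if cfg.size not in MAX_PUBLIC_IPS:
        errors.append(f"unknown gateway size {cfg.size!r}")
    try:
        nat_subnet = ipaddress.ip_network(cfg.nat_subnet_cidr, strict=False)
    except ValueError:
        errors.append(f"bad NAT subnet {cfg.nat_subnet_cidr!r}")
        nat_subnet = None

    snat_ips: Set[str] = set()
    if len(cfg.snat) > MAX_SNAT_ENTRIES:
        errors.append(f"{len(cfg.snat)} SNAT entries exceed the limit of {MAX_SNAT_ENTRIES}")
    for e in cfg.snat:
        try:
            ipaddress.ip_network(e.source_cidr, strict=False)
        except ValueError:
            errors.append(f"SNAT {e.name}: bad source segment {e.source_cidr!r}")
        if len(e.public_ips) > MAX_IPS_PER_SNAT_ENTRY:
            errors.append(f"SNAT {e.name}: more than {MAX_IPS_PER_SNAT_ENTRY} public IPs")
        snat_ips.update(e.public_ips)

    dnat_ips: Set[str] = set()
    ip_mapped: Set[str] = set()                    # public IPs forwarding all ports
    port_keys: Set[Tuple[str, str, int]] = set()   # (public_ip, protocol, source_port)
    if len(cfg.dnat) > MAX_DNAT_ENTRIES:
        errors.append(f"{len(cfg.dnat)} DNAT entries exceed the limit of {MAX_DNAT_ENTRIES}")
    for d in cfg.dnat:
        dnat_ips.add(d.public_ip)
        if d.protocol not in PROTOCOLS:
            errors.append(f"DNAT {d.name}: protocol must be one of {sorted(PROTOCOLS)}")
        try:
            if nat_subnet and ipaddress.ip_address(d.private_ip) not in nat_subnet:
                errors.append(f"DNAT {d.name}: {d.private_ip} is outside {cfg.nat_subnet_cidr}")
        except ValueError:
            errors.append(f"DNAT {d.name}: bad private IP {d.private_ip!r}")
        if d.source_port is None and d.target_port is None:     # IP mapping
            if d.public_ip in ip_mapped or any(k[0] == d.public_ip for k in port_keys):
                errors.append(f"DNAT {d.name}: {d.public_ip} is already mapped")
            ip_mapped.add(d.public_ip)
            continue
        if not (_valid_port(d.source_port) and _valid_port(d.target_port)):
            errors.append(f"DNAT {d.name}: ports must be integers in 1-65535")
            continue
        if d.public_ip in ip_mapped or _port_taken(port_keys, d.public_ip, d.protocol, d.source_port):
            errors.append(f"DNAT {d.name}: {d.public_ip} {d.protocol}/{d.source_port} is already mapped")
        port_keys.add((d.public_ip, d.protocol, d.source_port))

    for ip in sorted(snat_ips & dnat_ips):        # one IP cannot serve both
        errors.append(f"public IP {ip} is used for both SNAT and DNAT")
    used, limit = len(snat_ips | dnat_ips), MAX_PUBLIC_IPS.get(cfg.size, 0)
    if used > limit:
        errors.append(f"{used} public IPs exceed the {cfg.size} gateway limit of {limit}")
    return errors
```

Run `validate()` on the configuration before creating the entries; an empty list means every rule on this page is satisfied. The two "already mapped" checks are the ones worth keeping even if the console accepts the entries, because a port mapping that is shadowed by an IP mapping on the same public IP silently exposes every port of the IP-mapped instance.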

Create NAT Gateway

1. On the VPC instance list page, click the VPC you created to open its details page. To create a NAT gateway in a non-default VPC, first create a subnet in that VPC.

2. Select "NAT Gateway" in the navigation bar and click the "Create NAT Gateway" button.

3. Fill in the following configuration information:

• Payment method: select "Prepay" or "Postpay".
• Current region: Beijing, Baoding, Guangzhou, Suzhou, Wuhan and Hong Kong are supported; switch regions at the top left corner.
• Name: a custom name for the NAT gateway.
• Type: the gateway size; small, medium and large are supported.
• SNAT public IP: the public network connection type for SNAT, either Elastic IP or shared bandwidth.
• DNAT public IP: the public network connection type for DNAT, either Elastic IP or shared bandwidth.
• Description: an optional description of the NAT gateway.

4. Click "Create" to create the NAT gateway.

Configure a Route Table Associated with the Subnet

1. Select "Route Table" in the navigation bar.

2. Click "Add a Route" in the route table list.

3. Add a route to the route table associated with the subnet that needs Internet access:

• Source network segment: the subnet that should reach the Internet through the NAT gateway (originally this had to be a NAT-exclusive subnet; see the note below).
• Destination network segment: 0.0.0.0/0, which matches every destination not covered by a more specific route.
• Route type: select "NAT Gateway".
• Next hop instance: select the ID of the NAT gateway you created. All Internet-bound traffic from the subnet is then sent to that NAT gateway instance.

Note:

• General-purpose subnets now support the NAT gateway, so NAT-exclusive subnets can no longer be added.
• If an instance in the subnet has its own EIP and the EIP route conflicts with the NAT route added here, the EIP route is preferred: that instance keeps using its EIP.
• All subnets in a VPC interconnect by default, so BCC instances in the NAT subnet and in ordinary subnets can still communicate with each other.

4. Click "Confirm" to complete the route configuration. When a BCC in a subnet associated with this route table accesses the Internet, its traffic is directed to the NAT gateway.

Configure SNAT Table

1. Click the NAT instance name, or click "Set SNAT" in the operation column, to open the SNAT table page.
2. Click "Add SNAT Entry" at the top of the SNAT list; the "Add SNAT Entry" dialog appears.
3. Fill in the following configuration information:

• Entry name: a custom entry name.
• Source network segment: required. BCC instances in this segment access the public network through this entry.
• Public IP address: required. Select, from the SNAT public IPs, the public IP(s) this segment uses for Internet access.

4. Click "OK" to add the SNAT entry.

Note:

• Before configuring an SNAT entry, make sure the NAT route has been added in the VPC where the NAT gateway is located.
• If no SNAT entry is configured, outbound connections are spread across all SNAT public IPs in turn; if entries are configured, matching traffic uses only the public IPs listed in its entry. A remote service that allowlists your source address must therefore allow every public IP the traffic can use, or you pin the relevant segment to a single public IP with an SNAT entry.

Configure DNAT Table

1. Click the NAT instance name, or click "Set DNAT" in the operation column, to open the DNAT table page.

2. Click "Add DNAT Entry" at the top of the DNAT list; the "Add DNAT Entry" dialog appears.

3. Fill in the following configuration information:

• Entry name: a custom entry name.
• Public IP address: required; select one of the DNAT public IPs.
• Intranet IP address: required; the private IP of the target instance, which must be in the NAT subnet of the VPC (originally a NAT-exclusive subnet; see the note under route table configuration).
• Protocol: required; the protocol of the forwarded port. "All protocols" by default; the options are All protocols, TCP and UDP.
• Source port: required; the public-facing port of the port forwarding, an integer from 1 to 65535.
• Target port: required; the port on the target instance, an integer from 1 to 65535.

4. Click "Confirm" to add the DNAT entry.

Note:

• Before configuring a DNAT entry, make sure the NAT route has been added in the VPC where the NAT gateway is located.
• Before unbinding an EIP, make sure it is not used by any DNAT entry.
• A DNAT entry exposes the target port to the whole Internet. Restrict the allowed client addresses with the target instance's security group, and prefer port mappings over an IP mapping unless every port on the instance is meant to be reachable.
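To see how the SNAT and DNAT rules above, together with the "EIP route wins over NAT route" note in the route table section, decide what each side of a connection sees, here is an added example that is not Baidu AI Cloud code and does not call any Baidu API: a small model of the gateway's address selection. It assumes that the first SNAT entry whose segment contains the source address is used, that traffic matching no entry falls back to the whole SNAT pool, and that both pools are polled in round-robin order; the sample addresses come from the RFC 5737 documentation ranges and are constructed for this example.

```python
# Added example (not Baidu AI Cloud code): a model of the address
# translation rules described on this page. First-match SNAT entries,
# fallback to the full SNAT pool and round-robin polling are assumptions.
import ipaddress
from itertools import cycle
from typing import Dict, List, Optional, Tuple


class NatModel:
    def __init__(self, snat_public_ips: List[str],
                 snat_entries: List[Tuple[str, List[str]]],
                 dnat_entries: List[Dict]):
        # With no matching SNAT entry, every SNAT public IP is used in turn.
        self.default_pool = cycle(snat_public_ips)
        # (source segment, round-robin iterator over that entry's public IPs)
        self.snat = [(ipaddress.ip_network(cidr, strict=False), cycle(ips))
                     for cidr, ips in snat_entries]
        # dicts with public_ip, protocol, private_ip, source_port, target_port;
        # source_port None means IP mapping (all ports), otherwise port mapping
        self.dnat = dnat_entries

    def egress_source(self, private_ip: str, instance_eip: Optional[str] = None) -> str:
        """Public source address the Internet sees for an outbound flow."""
        if instance_eip:            # the EIP route is preferred over the NAT route
            return instance_eip
        addr = ipaddress.ip_address(private_ip)
        for segment, pool in self.snat:
            if addr in segment:
                return next(pool)
        return next(self.default_pool)

    def ingress_target(self, public_ip: str, protocol: str,
                       port: int) -> Optional[Tuple[str, int]]:
        """(private IP, port) an inbound request reaches, or None if nothing exposes it."""
        for d in self.dnat:
            if d["public_ip"] != public_ip:
                continue
            if d["source_port"] is None:        # IP mapping: every port is forwarded
                return d["private_ip"], port
            if d["source_port"] == port and d["protocol"] in ("all", protocol):
                return d["private_ip"], d["target_port"]
        return None                             # not exposed by any DNAT entry


def build_example() -> NatModel:
    # Constructed sample configuration using RFC 5737 documentation addresses.
    return NatModel(
        snat_public_ips=["203.0.113.10", "203.0.113.11"],
        snat_entries=[("192.168.10.0/24", ["203.0.113.10"])],   # pin one segment to one IP
        dnat_entries=[
            {"public_ip": "203.0.113.20", "protocol": "tcp", "private_ip": "192.168.10.5",
             "source_port": 8443, "target_port": 443},
            {"public_ip": "203.0.113.21", "protocol": "all", "private_ip": "192.168.10.6",
             "source_port": None, "target_port": None},
        ])


if __name__ == "__main__":
    m = build_example()
    print(m.egress_source("192.168.10.7"))                 # pinned segment
    print(m.egress_source("192.168.20.7"))                 # falls back to the pool
    print(m.egress_source("192.168.20.8", "198.51.100.4"))  # instance EIP wins
    print(m.ingress_target("203.0.113.20", "tcp", 8443))   # port mapping
    print(m.ingress_target("203.0.113.20", "tcp", 22))     # not exposed
    print(m.ingress_target("203.0.113.21", "udp", 53))     # IP mapping, any port
```

The model makes two operational points concrete: a segment without its own SNAT entry alternates between every public IP in the pool, so a peer allowlist must contain all of them, and an IP-mapped public IP forwards ports you never listed, which is why the note above prefers port mappings.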

View the List of EIPs Bound to the NAT

Log in to the console and open "Product Service > Elastic IP" to view the EIP instances bound to the NAT. For 7 days after an EIP expires it stays bound to the NAT; after that it is automatically unbound and released. Renew before then: once the address is released, any DNAT entries or remote allowlists that reference it stop working.

View Monitoring

1. Log in to the console, select "Product Service > Virtual Private Cloud (VPC)", then select NAT Gateway in the left navigation bar to open the list of NAT gateway instances.
2. Click "Monitor" next to an instance; a monitoring panel appears on the right side of the page.
3. Click "View More" to open the monitoring details page of the instance.
4. View the NAT gateway monitoring information and the back-end server monitoring information.
5. Click "Alarm Details" on the monitoring page to open the alarm policy configuration page and manage the NAT gateway's alarm policies. See the BCM alarm administration documentation for detailed steps.

Note:

• When there are fewer than 10 back-end servers, monitoring information for all of them is shown by default. When there are more than 10, the first 10 are shown; you can choose which back-end servers to display, up to 10 at a time.