NAT Gateway
User Guide
Issue 05
Date 2018-06-08
Contents
1 Overview
  1.1 What Is NAT Gateway?
  1.2 NAT Gateway Type and Performance
  1.3 Application Scenarios
  1.4 Highlights
  1.5 Constraints
2 Quick Start
  2.1 Process
  2.2 Buying a NAT Gateway
  2.3 Adding an SNAT Rule
  2.4 Adding a DNAT Rule
3 Management
  3.1 Deleting an SNAT Rule
  3.2 Deleting a DNAT Rule
  3.3 Modifying a NAT Gateway
  3.4 Deleting a NAT Gateway
4 Monitoring
  4.1 Supported Metrics
  4.2 Creating Alarm Rules
  4.3 Querying Metrics
5 FAQs
  5.1 Why Is SNAT Used?
  5.2 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?
  5.3 How Does NAT Gateway Offer High Availability?
  5.4 Do the NAT Gateway and SNAT Rule Support the Update Operation?
  5.5 Which Ports Cannot Be Accessed?
A Change History
NAT Gateway User Guide: Contents
Issue 05 (2018-06-08) ii
1 Overview
1.1 What Is NAT Gateway?

The NAT Gateway service offers the network address translation (NAT) function for Elastic Cloud Servers (ECSs) in a Virtual Private Cloud (VPC). It allows these ECSs to access the Internet through shared elastic IP addresses (EIPs) using source NAT (SNAT), or to provide services to external networks using destination NAT (DNAT).
Figure 1-1 System architecture
1.2 NAT Gateway Type and Performance

The NAT Gateway service provides different types for different application scenarios.

- SNAT
  The NAT gateway type determines two elements of the Source Network Address Translation (SNAT) function: the maximum number of connections and the number of new connections per second. Data throughput is determined by the bandwidth of the EIPs, not by the gateway type.
Table 1-1 NAT Gateway type and performance

Type         Maximum Number of SNAT Connections   New SNAT Connections per Second
Small        10,000                               1,000
Medium       50,000                               5,000
Large        200,000                              10,000
Extra-large  1,000,000                            30,000
- DNAT
  DNAT supports port mappings. After DNAT rules are configured, packets are forwarded based on the rules.
  Port mapping: a DNAT rule maps a public IP address and port (the outside port) for a specified protocol (TCP or UDP) to a private IP address and port (the inside port). Traffic from the Internet to that EIP and outside port is forwarded to the configured private IP address and inside port.
  A maximum of 1,000 DNAT rules can be configured for each EIP.
1.3 Application Scenarios

- The NAT Gateway service supports ECSs and Bare Metal Servers (BMSs).
- The NAT Gateway service is used to construct a public network egress for a VPC. Tenants in the VPC can use shared EIPs to access the Internet. Multiple types of NAT gateways are available.
- Access to the public network is implemented by the SNAT function of the NAT Gateway service. SNAT allows resources in a VPC that have no EIP of their own to access the public network, and it supports a large number of concurrent connections. The NAT Gateway service is therefore suited to scenarios with a large number of requests and connections.
- The DNAT function enables multiple ECSs in a VPC to share the same EIP and bandwidth to provide services to the Internet, which gives users finer control over bandwidth resources.
1.4 Highlights

The NAT Gateway service has the following highlights:

- Flexible deployment
  The NAT Gateway service can be deployed flexibly across subnets and across availability zones (AZs). A fault in a single AZ does not affect the service continuity of NAT Gateway. The type and public IP address of a NAT gateway can be adjusted at any time.
- Diversified and easy to use
  Multiple types of NAT gateways are available and can be used after simple configuration. NAT gateways support easy operation and maintenance (O&M) and quick provisioning, and they run stably and reliably.
- Cost-effective
  Multiple ECSs share one elastic IP address. When an ECS sends data from its private IP address, or provides services to the Internet through a NAT gateway, the NAT Gateway service translates the private IP address to the public IP address. Users do not need to purchase additional EIPs and bandwidth for each ECS to access the Internet, which reduces costs.
1.5 Constraints

Observe the following constraints when using the NAT Gateway service:

- Multiple rules for one NAT gateway can reuse the same EIP, but the rules of different NAT gateways must use different EIPs.
- Each VPC can have only one NAT gateway.
- Users cannot manually add the default route in a VPC; the NAT Gateway service manages the VPC default route itself.
- Only one SNAT rule can be added to a subnet in a VPC.
- SNAT and DNAT rules cannot share the same EIP.
- DNAT rules do not support the mapping between an EIP and a virtual IP address.
- If an ECS has its own EIP bound and is also covered by a NAT gateway rule, the ECS's own EIP takes precedence: its outbound traffic is forwarded through that EIP, not through the NAT gateway.
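To check a planned configuration against these constraints before you create anything in the console, here is an added example in Python. It is not part of this guide and does not use a Huawei API; the NatGateway, SnatRule and DnatRule classes, the sample plan and the duplicate-mapping check are this example's own assumptions, while the limits it enforces are the ones stated in sections 1.2 and 1.5 and in Table 2-3.

```python
# Added example, not from the Huawei NAT Gateway guide or its API.
# Checks a planned NAT configuration against the constraints in sections
# 1.2 (max 1,000 DNAT rules per EIP), 1.5, and Table 2-3 (ports, protocol).
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import List

MAX_DNAT_RULES_PER_EIP = 1000     # section 1.2
VALID_PROTOCOLS = {"TCP", "UDP"}  # Table 2-3

@dataclass(frozen=True)
class SnatRule:            # assumed model: one subnet -> one EIP
    subnet: str
    eip: str

@dataclass(frozen=True)
class DnatRule:            # assumed model: EIP:outside_port -> private_ip:inside_port
    eip: str
    private_ip: str
    outside_port: int
    inside_port: int
    protocol: str

@dataclass
class NatGateway:
    name: str
    vpc: str
    snat_rules: List[SnatRule] = field(default_factory=list)
    dnat_rules: List[DnatRule] = field(default_factory=list)

def validate_plan(gateways):
    """Return a list of constraint violations; an empty list means the plan is OK."""
    problems = []
    # 1.5: each VPC can have only one NAT gateway.
    for vpc, n in Counter(gw.vpc for gw in gateways).items():
        if n > 1:
            problems.append(f"VPC {vpc} has {n} NAT gateways; only one is allowed")
    # 1.5: rules of different NAT gateways must use different EIPs.
    eip_owners = defaultdict(set)
    for gw in gateways:
        for eip in {r.eip for r in gw.snat_rules} | {r.eip for r in gw.dnat_rules}:
            eip_owners[eip].add(gw.name)
    for eip, owners in eip_owners.items():
        if len(owners) > 1:
            problems.append(f"EIP {eip} is used by several gateways: {sorted(owners)}")
    for gw in gateways:
        # 1.5: only one SNAT rule per subnet.
        for subnet, n in Counter(r.subnet for r in gw.snat_rules).items():
            if n > 1:
                problems.append(f"{gw.name}: subnet {subnet} has {n} SNAT rules")
        # 1.5: SNAT and DNAT rules cannot share the same EIP.
        shared = {r.eip for r in gw.snat_rules} & {r.eip for r in gw.dnat_rules}
        for eip in sorted(shared):
            problems.append(f"{gw.name}: EIP {eip} is used by both SNAT and DNAT rules")
        # 1.2: at most 1,000 DNAT rules per EIP.
        for eip, n in Counter(r.eip for r in gw.dnat_rules).items():
            if n > MAX_DNAT_RULES_PER_EIP:
                problems.append(f"{gw.name}: EIP {eip} has {n} DNAT rules (max {MAX_DNAT_RULES_PER_EIP})")
        # Table 2-3: ports 1-65535, protocol TCP or UDP. The duplicate check is this
        # example's assumption: two rules for the same EIP, protocol and outside
        # port cannot both take effect, since one outside port has one target.
        seen = set()
        for r in gw.dnat_rules:
            if r.protocol not in VALID_PROTOCOLS:
                problems.append(f"{gw.name}: DNAT protocol {r.protocol!r} is not TCP or UDP")
            for label, port in (("outside", r.outside_port), ("inside", r.inside_port)):
                if not 1 <= port <= 65535:
                    problems.append(f"{gw.name}: DNAT {label} port {port} is outside 1-65535")
            key = (r.eip, r.protocol, r.outside_port)
            if key in seen:
                problems.append(f"{gw.name}: duplicate DNAT mapping {r.protocol} {r.eip}:{r.outside_port}")
            seen.add(key)
    return problems

def sample_plan():
    """Constructed sample: 'nat-prod' is valid; 'nat-test' breaks three constraints."""
    good = NatGateway("nat-prod", "vpc-a",
                      snat_rules=[SnatRule("subnet-app", "203.0.113.10")],
                      dnat_rules=[DnatRule("203.0.113.11", "10.0.1.5", 443, 8443, "TCP")])
    bad = NatGateway("nat-test", "vpc-a",                                  # second gateway in vpc-a
                     snat_rules=[SnatRule("subnet-db", "203.0.113.12"),
                                 SnatRule("subnet-db", "203.0.113.13")],   # two SNAT rules, one subnet
                     dnat_rules=[DnatRule("203.0.113.12", "10.0.2.9", 22, 22, "TCP")])  # EIP shared with SNAT
    return [good, bad]

if __name__ == "__main__":
    for problem in validate_plan(sample_plan()):
        print("VIOLATION:", problem)
```

Run the script to see the three violations in the constructed plan; feed it your own gateway objects to check a real plan before clicking Buy NAT Gateway.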
2 Quick Start
2.1 Process

The operation process of the NAT Gateway service is as follows.
Figure 2-1 Operation procedure
2.2 Buying a NAT Gateway
Scenarios

To access the Internet using a NAT gateway, or to provide external services through ECSs in a VPC, you need to buy a NAT gateway.
Prerequisites

- When buying a NAT gateway, you must specify its VPC, subnet, and type.
- The VPC must not already have a default route.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click Buy NAT Gateway. The page for configuring the NAT gateway shown in Figure 2-2 is displayed.
Figure 2-2 Setting parameters
5. Configure basic NAT gateway information as prompted. For details, see Table 2-1.
Table 2-1 Parameters for creating a NAT gateway

Region
  Description: Specifies the region where the NAT gateway is located.
  Remarks: N/A

Billing Mode
  Description: Specifies the billing mode for the NAT gateway. The NAT Gateway service supports on-demand billing.
  Remarks: Default value.

Name
  Description: Specifies the name of the NAT gateway.
  Remarks: The value is a string of 1 to 64 characters consisting of digits, letters, underscores (_), and hyphens (-).

VPC
  Description: Specifies the VPC to which the NAT gateway belongs.
  Remarks: You can select only a VPC that is not used by another NAT gateway and has no default route.

Subnet
  Description: Specifies the subnet name. The subnet must have at least one available IP address.
  Remarks: Only one subnet can be bound.

Type
  Description: Specifies the type of the NAT gateway. The value can be Small, Medium, Large, or Extra-large (see Table 1-1). You can click Learn more on the page to view details about each type.
  Remarks: The throughput is determined by the EIP bandwidth.

Description
  Description: Provides supplementary information about the NAT gateway.
  Remarks: The maximum number of characters is 255.
After the preceding parameters are set, the NAT gateway price is displayed. You can click Price Details on the page to view price details.

6. Click Buy Now. On the Confirm Order page, check the NAT gateway information.
  - After confirmation, read and select Huawei VPC Service Announcement and click Submit Order to start creating the NAT gateway.
  - If you need to modify the specifications, click Back.
7. In the NAT Gateway list, check the NAT gateway status. The NAT gateway has been created successfully when its status is Running.
2.3 Adding an SNAT Rule
Scenarios
This section describes how to add SNAT rules. After you configure an EIP and a subnet in an SNAT rule, the ECSs in that subnet can access the Internet using the EIP.
Prerequisites
A NAT gateway has been created.
Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network.
The NAT gateway page is displayed.
4. Click the target NAT gateway. In the SNAT rule list, click Add SNAT Rule. The Add SNAT Rule dialog box shown in Figure 2-3 is displayed.
Figure 2-3 Add SNAT Rule
5. Specify Subnet and EIP. For details, see Table 2-2.
Table 2-2 Parameters for adding an SNAT rule

Subnet
  Specifies the subnet that uses the SNAT function.

EIP
  - Select the public IP address to be used for accessing the Internet.
  - The EIPs displayed in the list are those that are not bound to any ECS and have not been added to the SNAT rules of other NAT gateways.

NOTE
Multiple SNAT rules can be added to a NAT gateway, one per subnet.
6. Click OK.
2.4 Adding a DNAT Rule
Scenarios

This section describes how to add a DNAT rule to map an outside port to an inside port. After you create a NAT gateway, your applications can provide services to external networks using DNAT rules.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the DNAT rule list, click Add DNAT Rule. The Add DNAT Rule dialog box shown in Figure 2-4 is displayed.
Figure 2-4 Add DNAT Rule
5. Set parameters as prompted. For details, see Table 2-3.
Table 2-3 Parameters for adding a DNAT rule

Elastic IP Address
  Specifies the EIP to be mapped. The list shows EIPs that are not bound to any instance or that are already used by DNAT rules in the current VPC (several DNAT rules can share one EIP, with different outside ports).

Private IP Addresses
  Specifies the private IP address of the ECS (or BMS) in the current VPC that receives the forwarded traffic.

Outside Port
  The port on the EIP that external clients connect to. Enter a value from 1 to 65535.

Inside Port
  The port on the private IP address that the traffic is forwarded to. Enter a value from 1 to 65535.

Protocol
  The options are as follows:
  - TCP
  - UDP

6. After the configuration is complete, click OK. Once the rule is created, its status changes to Running.
3 Management
3.1 Deleting an SNAT Rule
Scenarios

If the SNAT rule that you added is incorrectly set, or an SNAT rule is no longer required, this section describes how to delete it.

Prerequisites

An SNAT rule has been added for the NAT gateway.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the SNAT rule list, click Delete in the Operation column. The Delete SNAT Rule dialog box shown in Figure 3-1 is displayed.
Figure 3-1 Delete SNAT Rule
5. Click OK to delete the SNAT rule.
3.2 Deleting a DNAT Rule
Scenarios
If the DNAT rule that you added is incorrectly set, or a DNAT rule is no longer required, this section describes how to delete it.
Prerequisites
A DNAT rule has been added for the NAT gateway.
Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the DNAT rule list, click Delete in the Operation column. The Delete DNAT Rule dialog box shown in Figure 3-2 is displayed.
Figure 3-2 Delete DNAT Rule
5. Click OK to delete the DNAT rule.
3.3 Modifying a NAT Gateway
Scenarios
This section describes how to modify a NAT gateway when its specification no longer meets your requirements, or when you need to change its name or description.
Prerequisites
A NAT gateway has been created.
Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Locate the NAT gateway to be modified and click Modify in the Operation column. The Modify NAT Gateway dialog box shown in Figure 3-3 is displayed.
Figure 3-3 Modify NAT Gateway
5. Modify Name, Type, or Description. For details, see Table 2-1. Changing the type changes the SNAT connection limits listed in Table 1-1.
6. Click OK.
3.4 Deleting a NAT Gateway
Scenarios
This section describes how to delete a NAT gateway when you need to release resources and save costs.
Prerequisites
All SNAT and DNAT rules on the NAT gateway have been deleted.
Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Locate the NAT gateway to be deleted and click Delete in the Operation column. The Delete NAT Gateway dialog box shown in Figure 3-4 is displayed.
Figure 3-4 Delete NAT Gateway
5. Click OK to delete the NAT gateway.
4 Monitoring
After NAT Gateway is connected to Cloud Eye, Cloud Eye monitors the number of SNAT connections so that you can observe the running status of your NAT gateways. You can also create alarm rules to detect problems early, for example SNAT connections approaching the limit of the gateway type in Table 1-1.

4.1 Supported Metrics

Table 4-1 lists the NAT Gateway metrics that can be monitored.
Table 4-1 Metrics

Metric             Description                                                  Value Range    Monitored Object
SNAT Connections   Specifies the number of SNAT connections initiated by the    ≥ 0 count/s    Active node of NAT Gateway
                   current user.
4.2 Creating Alarm Rules
Scenarios
You can set NAT gateway alarm rules to customize the monitored objects and notificationpolicies. Then, you can learn NAT gateway running status in a timely manner.
Procedure

1. Log in to the management console.
2. Under Management & Deployment, click Cloud Eye.
3. In the left navigation pane, choose Alarm Management > Alarm Rules.
4. On the Alarm Rules page, click Create Alarm Rule and specify the required parameters.
5. After the parameters are set, click Finish.
NOTE
For more information about how to set alarm rules, see Cloud Eye User Guide.
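The guide does not say what threshold to set. A practical choice is to alarm when SNAT connections approach the limit of the gateway type in Table 1-1, because once that limit is reached new outbound connections cannot be established even though the gateway still reports as running. Here is an added example in Python (not part of this guide, and not Cloud Eye's own logic): it derives the threshold from the type, evaluates a series of metric samples the way an "N consecutive periods over threshold" alarm rule would, and reports whether a larger type is needed. The 80 % ratio, the three-period policy, the next_larger_type helper and the sample series are this example's assumptions; the samples are constructed, not real Cloud Eye data.

```python
# Added example, not from the Huawei guide or Cloud Eye. Derives an alarm
# threshold for the "SNAT Connections" metric from the type limits in Table 1-1
# and evaluates it over constructed samples.
MAX_SNAT_CONNECTIONS = {   # Table 1-1, maximum number of SNAT connections
    "Small": 10_000,
    "Medium": 50_000,
    "Large": 200_000,
    "Extra-large": 1_000_000,
}
TYPE_ORDER = ["Small", "Medium", "Large", "Extra-large"]

def snat_alarm_threshold(gw_type, ratio=0.8):
    """Alarm at `ratio` of the type's connection limit (80 % is this example's choice)."""
    return int(MAX_SNAT_CONNECTIONS[gw_type] * ratio)

def evaluate_alarm(samples, threshold, consecutive=3):
    """Return the index of the sample at which the alarm would fire, or None.

    Mirrors the usual alarm-rule shape: the value must exceed the threshold
    for `consecutive` periods in a row, so a single spike does not page anyone.
    """
    run = 0
    for i, value in enumerate(samples):
        run = run + 1 if value > threshold else 0
        if run >= consecutive:
            return i
    return None

def next_larger_type(gw_type):
    """Next type up in Table 1-1, or None for Extra-large (assumed upgrade path)."""
    i = TYPE_ORDER.index(gw_type)
    return TYPE_ORDER[i + 1] if i + 1 < len(TYPE_ORDER) else None

def headroom_report(gw_type, samples, ratio=0.8):
    """Peak usage against the type limit and whether a larger type is needed
    (the Modify NAT Gateway operation in section 3.3 changes the type)."""
    limit = MAX_SNAT_CONNECTIONS[gw_type]
    peak = max(samples)
    return {
        "type": gw_type,
        "limit": limit,
        "peak": peak,
        "peak_pct": round(100 * peak / limit, 1),
        "recommend_type": next_larger_type(gw_type) if peak > ratio * limit else None,
    }

# Constructed sample: one value per monitoring period for a Medium gateway.
SAMPLES = [30_000, 41_000, 42_000, 45_000, 47_000, 39_000]

if __name__ == "__main__":
    threshold = snat_alarm_threshold("Medium")
    print("threshold:", threshold, "fires at sample index:", evaluate_alarm(SAMPLES, threshold))
    print(headroom_report("Medium", SAMPLES))
```

With the constructed series the alarm fires at the fourth sample (index 3), after three consecutive periods above 40,000, and the report recommends moving from Medium to Large because the peak is 94 % of the limit.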
4.3 Querying Metrics
Prerequisites

- The NAT gateway is running properly and SNAT rules have been created.
- It can take some time to collect and transfer monitoring data, so wait a while before checking the data.

Scenarios

This section describes how to view NAT Gateway metrics.

Procedure

1. Log in to the management console.
2. Under Management & Deployment, click Cloud Eye.
3. In the navigation pane on the left, choose Cloud Service Monitoring > NAT Gateway.
4. Locate the row that contains the target metric and click View Graph in the Operation column to check detailed information. You can view data for the last one, three, or twelve hours.
5 FAQs
5.1 Why Is SNAT Used?

Besides using services provided within the system, some ECSs also need to access the Internet to obtain information or download software. Assigning a public IP address to each ECS, however, consumes already-limited IPv4 addresses, incurs additional costs, and increases the attack surface of the virtual environment, because every such ECS becomes directly reachable from the Internet. Letting multiple ECSs share one public IP address is therefore the preferable and more practical approach, and SNAT is how this is done.
5.2 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?

- A VPC is a secure, isolated, logical network environment.
- The NAT gateway enables ECSs in the VPC to access the Internet.
- EIP is a service that provides valid static IP addresses on the Internet. The Internet throughput of a VPC through the NAT gateway is determined by the EIP bandwidth.
- An ECS is a running instance in the VPC that uses the NAT gateway to access the Internet.
5.3 How Does NAT Gateway Offer High Availability?

The NAT gateway supports automatic disaster recovery through hot standby, and it provides Cloud Eye monitoring and alarm reporting for users, reducing risk and improving availability.
5.4 Do the NAT Gateway and SNAT Rule Support the Update Operation?

NAT gateways can be updated (name, type, and description; see section 3.3). SNAT and DNAT rules cannot be updated: to change the subnet, EIP, port, or protocol of a rule, delete the rule (see sections 3.1 and 3.2) and add a new one.
5.5 Which Ports Cannot Be Accessed?

Some carriers block the following ports for security reasons. It is recommended that you do not use them, for example as the outside port of a DNAT rule, because traffic to them may be dropped before it reaches the NAT gateway.

Protocol   Ports Not Supported
TCP        42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 9996
UDP        1026, 1027, 1434, 1068, 5554, 9996, 1028, 1433, 135 ~ 139
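To keep those ports out of your DNAT rules automatically, here is an added example in Python (not part of this guide): it parses the table above, including the "a ~ b" range notation, into per-protocol sets and flags DNAT rules whose outside port is on the list. The port lists are the table's; the parser, the rule tuple layout and the sample rules are this example's own assumptions, and the sample addresses are constructed.

```python
# Added example, not from the Huawei guide. Builds a lookup from the
# "Ports Not Supported" table in FAQ 5.5 and flags DNAT rules that use them.
BLOCKED_PORTS_TABLE = {   # copied from the table; ranges use the table's "a ~ b" form
    "TCP": "42 135 137 138 139 445 593 1025 1434 1068 3127 3128 3129 3130 4444 5554 9996",
    "UDP": "1026 1027 1434 1068 5554 9996 1028 1433 135 ~ 139",
}

def parse_port_list(text):
    """'42 135 ~ 139' -> {42, 135, 136, 137, 138, 139}. Rejects values outside 1-65535."""
    ports = set()
    tokens = text.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "~":
            lo, hi = int(tokens[i]), int(tokens[i + 2])
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {lo} ~ {hi}")
            ports.update(range(lo, hi + 1))
            i += 3
        else:
            port = int(tokens[i])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {port}")
            ports.add(port)
            i += 1
    return ports

BLOCKED_PORTS = {proto: parse_port_list(text) for proto, text in BLOCKED_PORTS_TABLE.items()}

def is_blocked(protocol, port):
    """True if a carrier may drop traffic to this protocol/port (per FAQ 5.5)."""
    return port in BLOCKED_PORTS.get(protocol.upper(), set())

def flag_dnat_rules(rules):
    """rules: iterable of (eip, protocol, outside_port, private_ip, inside_port) tuples,
    an assumed layout mirroring Table 2-3. Returns the rules whose outside port is blocked."""
    return [r for r in rules if is_blocked(r[1], r[2])]

# Constructed sample rules with documentation addresses, not real ones.
SAMPLE_RULES = [
    ("203.0.113.20", "TCP", 443, "10.0.1.5", 8443),   # not on the list
    ("203.0.113.20", "TCP", 445, "10.0.1.6", 445),    # blocked for TCP
    ("203.0.113.21", "UDP", 137, "10.0.1.7", 137),    # inside the UDP 135 ~ 139 range
    ("203.0.113.21", "UDP", 1433, "10.0.1.8", 1433),  # blocked for UDP only
    ("203.0.113.21", "TCP", 1433, "10.0.1.8", 1433),  # TCP 1433 is not on the list
]

if __name__ == "__main__":
    for rule in flag_dnat_rules(SAMPLE_RULES):
        print("avoid outside port:", rule)
```

Note that the list is per protocol: UDP 1433 is blocked while TCP 1433 is not, so the check must use the rule's protocol and not just the port number.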
A Change History

Released On   Description
2018-06-08    This issue is the fifth official release (Issue 05), which incorporates the following changes:
              - Added section "Monitoring".
              - Added an FAQ "Which Ports Cannot Be Accessed?"
2018-04-30    This issue is the fourth official release, which incorporates the following change:
              - Added DNAT description.
2018-03-30    This issue is the third official release, which incorporates the following change:
              - Added a case to troubleshoot Internet connection failure.
2018-01-30    This issue is the second official release, which incorporates the following changes:
              - Modified the description of NAT Gateway deployment advantages.
              - Added restrictions on the naming rules and description for creating a NAT gateway.
2017-12-18    This issue is the first official release.