NAT Gateway

User Guide

Issue 05

Date 2018-06-08

Contents

1 Overview
  1.1 What Is NAT Gateway?
  1.2 NAT Gateway Type and Performance
  1.3 Application Scenarios
  1.4 Highlights
  1.5 Constraints
2 Quick Start
  2.1 Process
  2.2 Buying a NAT Gateway
  2.3 Adding an SNAT Rule
  2.4 Adding a DNAT Rule
3 Management
  3.1 Deleting an SNAT Rule
  3.2 Deleting a DNAT Rule
  3.3 Modifying a NAT Gateway
  3.4 Deleting a NAT Gateway
4 Monitoring
  4.1 Supported Metrics
  4.2 Creating Alarm Rules
  4.3 Querying Metrics
5 FAQs
  5.1 Why Is SNAT Used?
  5.2 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?
  5.3 How Does NAT Gateway Offer High Availability?
  5.4 Do the NAT Gateway and SNAT Rule Support the Update Operation?
  5.5 Which Ports Cannot Be Accessed?
A Change History


1 Overview

1.1 What Is NAT Gateway?

The NAT Gateway service offers the network address translation (NAT) function for Elastic Cloud Servers (ECSs) in a Virtual Private Cloud (VPC), allowing these ECSs to access the Internet using elastic IP addresses (EIPs) or to provide services, for example, destination NAT (DNAT), for external networks.

Figure 1-1 System architecture

1.2 NAT Gateway Type and Performance

The NAT Gateway service provides different types for different application scenarios.

- SNAT

  The NAT gateway type determines two elements of the Source Network Address Translation (SNAT) function: the maximum number of connections and the number of new connections per second. The data throughput is determined by the bandwidth of the EIPs.


Table 1-1 NAT Gateway type and performance

| Type        | Maximum Number of SNAT Connections | Number of New SNAT Connections per Second |
|-------------|------------------------------------|-------------------------------------------|
| Small       | 10,000                             | 1,000                                     |
| Medium      | 50,000                             | 5,000                                     |
| Large       | 200,000                            | 10,000                                    |
| Extra-large | 1,000,000                          | 30,000                                    |

- DNAT

  DNAT supports port mappings. After DNAT rules are configured, packets are forwarded based on the rules.

  Port mapping: DNAT maps a public IP address (outside port) with a specified protocol to a private IP address (inside port). In this way, data from the Internet toward the public IP address will be forwarded to the configured private IP address.

  A maximum of 1,000 DNAT rules can be configured for each EIP.
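The following is an added example and not code from the Huawei guide: a small Python model of the DNAT port-mapping behaviour described above. A rule is keyed by (EIP, protocol, outside port) and forwards matching inbound traffic to (private IP, inside port); traffic that matches no rule is dropped. The 1,000-rules-per-EIP limit from this section and the 1 to 65535 port range and TCP/UDP protocol choice from Table 2-3 are enforced. The class and function names and all addresses and ports (203.0.113.x, 10.0.x.x) are constructed for the example.

```python
"""Added example (not code from the Huawei guide): a model of a DNAT rule
table.  A rule maps (EIP, protocol, outside port) to (private IP, inside
port).  Inbound packets that match a rule are forwarded to the inside
address; packets that match no rule are dropped.  All addresses and ports
are constructed sample values."""

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

MAX_DNAT_RULES_PER_EIP = 1000      # section 1.2 of the guide
PORT_RANGE = range(1, 65536)       # Table 2-3: 1 to 65535
PROTOCOLS = ("TCP", "UDP")         # Table 2-3


@dataclass(frozen=True)
class DnatRule:
    eip: str            # public address the Internet talks to
    protocol: str       # "TCP" or "UDP"
    outside_port: int   # port on the EIP
    private_ip: str     # ECS address inside the VPC
    inside_port: int    # port on the ECS


class DnatTable:
    """Rule table keyed by (EIP, protocol, outside port)."""

    def __init__(self) -> None:
        self._rules: dict = {}
        self._per_eip: Counter = Counter()   # rules configured per EIP

    def add(self, rule: DnatRule) -> None:
        if rule.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {rule.protocol!r}")
        for port in (rule.outside_port, rule.inside_port):
            if port not in PORT_RANGE:
                raise ValueError(f"port {port} is outside 1-65535")
        ip_address(rule.eip)          # raises ValueError on malformed addresses
        ip_address(rule.private_ip)
        key = (rule.eip, rule.protocol, rule.outside_port)
        if key in self._rules:
            # The same outside port on one EIP can only lead to one ECS.
            raise ValueError(f"{rule.protocol}/{rule.outside_port} on {rule.eip} is already mapped")
        if self._per_eip[rule.eip] >= MAX_DNAT_RULES_PER_EIP:
            raise ValueError(f"EIP {rule.eip} already has {MAX_DNAT_RULES_PER_EIP} DNAT rules")
        self._rules[key] = rule
        self._per_eip[rule.eip] += 1

    def rules_for_eip(self, eip: str) -> int:
        return self._per_eip[eip]

    def translate(self, dst_ip: str, protocol: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Forward an inbound packet: (private IP, inside port), or None if dropped."""
        rule = self._rules.get((dst_ip, protocol, dst_port))
        if rule is None:
            return None
        return (rule.private_ip, rule.inside_port)


def demo() -> dict:
    """Two constructed rules on one EIP, then four sample inbound packets."""
    table = DnatTable()
    table.add(DnatRule("203.0.113.10", "TCP", 8443, "10.0.1.20", 443))
    table.add(DnatRule("203.0.113.10", "UDP", 53, "10.0.1.30", 5353))
    return {
        "https": table.translate("203.0.113.10", "TCP", 8443),        # ("10.0.1.20", 443)
        "dns": table.translate("203.0.113.10", "UDP", 53),            # ("10.0.1.30", 5353)
        "wrong_proto": table.translate("203.0.113.10", "UDP", 8443),  # protocol is part of the key
        "unmapped": table.translate("203.0.113.10", "TCP", 22),       # no rule: dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

Because the protocol is part of the key, a TCP mapping on an outside port says nothing about UDP on the same port; the `wrong_proto` packet is dropped even though port 8443 is mapped for TCP. The model checks only address syntax, not whether the EIP is actually bound in the VPC.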

1.3 Application Scenarios

- The NAT Gateway service supports ECSs and Bare Metal Servers (BMSs).
- The NAT Gateway service is used to construct a public network egress for a VPC. Tenants in the VPC can use shared EIPs to access the Internet. Multiple types of NAT gateways are available.
- Access to the public network is implemented by the SNAT function of the NAT Gateway service. SNAT allows resources that are not assigned EIPs in a VPC to access the public network directly and supports a huge number of concurrent connections. Therefore, the NAT Gateway service can be used in scenarios with a large number of requests and connections.
- The DNAT function enables multiple ECSs in a VPC to share the same EIP and bandwidth to provide services for the Internet. Users can control bandwidth resources more precisely.

1.4 Highlights

The NAT Gateway service has the following highlights:

- Flexible deployment

  The NAT Gateway service can be deployed flexibly across subnets and across AZs. Any fault in a single AZ does not affect the service continuity of NAT Gateway. The type and public IP address of a NAT gateway can be adjusted at any time.

- Diversified and easy to use

  Multiple types of NAT gateways are available. Users can use them after simply configuring them. NAT gateways support easy operation and maintenance (O&M) and quick provisioning. They run stably and reliably.

- Cost-effective

  Multiple ECSs share an elastic IP address. When you send data through a private IP address or provide services for the Internet using a NAT gateway, the NAT Gateway service translates the private IP address to a public IP address. Users do not need to purchase additional EIPs and bandwidth resources for their ECSs to access the Internet. This service helps users reduce costs.

1.5 Constraints

Observe the following constraints when using the NAT Gateway service:

- Multiple rules for one NAT gateway can reuse the same EIP, but the rules for different NAT gateways must use different EIPs.
- Each VPC can have only one NAT gateway.
- Users cannot manually add the default route in a VPC.
- Only one SNAT rule can be added to a subnet in a VPC.
- SNAT and DNAT rules cannot share the same EIP.
- DNAT rules do not support the mapping between an EIP and a virtual IP address.
- When both the EIP and NAT Gateway services are configured on an ECS, data is forwarded through the EIP.


2 Quick Start

2.1 Process

The operation process of the NAT Gateway service is as follows.

Figure 2-1 Operation procedure

2.2 Buying a NAT Gateway

Scenarios

To access the Internet using a NAT gateway or to provide external services through ECSs in a VPC, you need to buy a NAT gateway.

Prerequisites

- When buying a NAT gateway, you must specify its VPC, subnet, and type.
- A VPC cannot have the default route.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click Buy NAT Gateway. The page for configuring the NAT gateway shown in Figure 2-2 is displayed.

Figure 2-2 Setting parameters

5. Configure basic NAT gateway information as prompted. For details, see Table 2-1.

Table 2-1 Parameters for creating a NAT gateway

| Parameter    | Description | Remarks |
|--------------|-------------|---------|
| Region       | Specifies the region where the NAT gateway is located. | N/A |
| Billing Mode | Specifies the billing mode for the NAT gateway. The NAT Gateway service supports on-demand billing. | Default value |
| Name         | Specifies the name of the NAT gateway. | The value is a string of 1 to 64 characters consisting of digits, letters, underscores (_), and hyphens (-). |
| VPC          | Specifies the VPC to which the NAT gateway belongs. | Users can select a VPC that is not used by other NAT gateways and has no default route. |
| Subnet       | Specifies the subnet name. The subnet has at least one available IP address. | Only one subnet can be bound. |
| Type         | Specifies the type of the NAT gateway. The value can be Small, Medium, Large, or Extra-large. You can click Learn more on the page to view details about each type. | The throughput is determined by the EIP bandwidth. |
| Description  | Provides supplementary information about the NAT gateway. | The maximum number of characters is 255. |

After the preceding parameters are set, the NAT gateway price will be displayed. You can click Price Details on the page to view price details.

6. Click Buy Now. On the Confirm Order page, you can check the NAT gateway information.
   - After confirmation, read and select Huawei VPC Service Announcement and click Submit Order to start creating the NAT gateway.
   - If you need to modify the specifications, click Back.
7. In the NAT Gateway list, check the NAT gateway status. The NAT gateway has been created successfully if its status is Running.


2.3 Adding an SNAT Rule

Scenarios

This section guides you on how to add SNAT rules. After you configure an EIP and a subnetin an SNAT rule, the ECSs in the subnet can access the Internet using the EIP.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.

2. In the upper left corner, select the target region.

3. On the console homepage, click NAT Gateway under Network.

The NAT gateway page is displayed.

4. Click the target NAT gateway. In the SNAT rule list, click Add SNAT Rule. The Add SNAT Rule dialog box shown in Figure 2-3 is displayed.

Figure 2-3 Add SNAT Rule

5. Specify Subnet and EIP. For details, see Table 2-2.

Table 2-2 Parameters for adding an SNAT rule

| Parameter | Description |
|-----------|-------------|
| Subnet    | Specifies the subnet that uses the SNAT function. |
| EIP       | Select a public IP address used for accessing the Internet. The EIPs displayed in the list are not bound to any ECSs and have not been added to the SNAT rules of other NAT gateways. |

NOTE

Multiple SNAT rules can be added to a NAT gateway.

6. Click OK.

2.4 Adding a DNAT Rule

Scenarios

This section describes how to add a DNAT rule to map an outside port to an inside port. After you create a NAT gateway, your applications can provide services for external networks using the DNAT rule.

Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the DNAT rule list, click Add DNAT Rule. The Add DNAT Rule dialog box shown in Figure 2-4 is displayed.


Figure 2-4 Add DNAT Rule

5. Set parameters as prompted. For details, see Table 2-3.

Table 2-3 Parameters for adding a DNAT rule

| Parameter            | Description |
|----------------------|-------------|
| Elastic IP Address   | Specifies EIPs that have not been bound or have been added to the DNAT rules in the current VPC. |
| Private IP Addresses | Specifies the available EIPs in the current VPC. |
| Outside Port         | Enter a value from 1 to 65535. |
| Inside Port          | Enter a value from 1 to 65535. |
| Protocol             | The options are TCP and UDP. |

6. After the configuration is complete, click OK. Once the rule is created, its status changes to Running.


3 Management

3.1 Deleting an SNAT Rule

Scenarios

If the SNAT rule that you added is incorrectly set or an SNAT rule is no longer required, this section guides you on how to delete an SNAT rule.

Prerequisites

An SNAT rule has been added for the NAT gateway.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the SNAT rule list, click Delete in the Operation column. The Delete SNAT Rule dialog box shown in Figure 3-1 is displayed.

Figure 3-1 Delete SNAT Rule


5. Click OK to delete the SNAT rule.

3.2 Deleting a DNAT Rule

Scenarios

If the DNAT rule that you added is incorrectly set or a DNAT rule is no longer required, this section guides you on how to delete a DNAT rule.

Prerequisites

A DNAT rule has been added for the NAT gateway.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Click the target NAT gateway. In the NAT gateway configuration and DNAT rule list, click Delete in the Operation column. The Delete DNAT Rule dialog box shown in Figure 3-2 is displayed.

Figure 3-2 Delete DNAT Rule

5. Click OK to delete the DNAT rule.

3.3 Modifying a NAT Gateway

Scenarios

This section guides you on how to modify a NAT gateway when the NAT gateway specification cannot meet your requirements or you need to modify its name or description.


Prerequisites

A NAT gateway has been created.

Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Locate the NAT gateway to be modified and click Modify in the Operation column. The Modify NAT Gateway dialog box shown in Figure 3-3 is displayed.

Figure 3-3 Modify NAT Gateway

5. Modify Name, Type, or Description. For details, see Table 2-1.
6. Click OK.

3.4 Deleting a NAT Gateway

Scenarios

This section guides you on how to delete a NAT gateway when you need to release resources and save costs.

Prerequisites

All SNAT and DNAT rules on the NAT gateway have been deleted.


Procedure

1. Log in to the management console.
2. In the upper left corner, select the target region.
3. On the console homepage, click NAT Gateway under Network. The NAT gateway page is displayed.
4. Locate the NAT gateway to be deleted and click Delete in the Operation column. The Delete NAT Gateway dialog box shown in Figure 3-4 is displayed.

Figure 3-4 Delete NAT Gateway

5. Click OK to delete the NAT gateway.


4 Monitoring

After NAT Gateway is connected to Cloud Eye, Cloud Eye monitors the number of SNAT connections to enable you to obtain the running status of NAT gateways. In addition, you can create alarm rules to prevent potential risks.

4.1 Supported Metrics

Table 4-1 lists NAT Gateway metrics that can be monitored.

Table 4-1 Metrics

| Metric           | Description | Value Range | Monitored Object |
|------------------|-------------|-------------|------------------|
| SNAT Connections | Specifies the number of SNAT connections initiated by the current user. | ≥ 0 count/s | Active node of NAT Gateway |

4.2 Creating Alarm Rules

Scenarios

You can set NAT gateway alarm rules to customize the monitored objects and notification policies. Then, you can learn the NAT gateway running status in a timely manner.

Procedure

1. Log in to the management console.
2. Under Management & Deployment, click Cloud Eye.
3. In the left navigation pane, choose Alarm Management > Alarm Rules.
4. On the Alarm Rules page, click Create Alarm Rule and specify the required parameters.
5. After the parameters are set, click Finish.

NOTE

For more information about how to set alarm rules, see the Cloud Eye User Guide.

4.3 Querying Metrics

Prerequisites

- The NAT gateway is running properly and SNAT rules have been created.
- It can take a period of time to obtain and transfer the monitoring data. Therefore, wait for a while and then check the data.

Scenarios

This section describes how to view NAT Gateway metrics.

Procedure

1. Log in to the management console.
2. Under Management & Deployment, click Cloud Eye.
3. In the navigation pane on the left, choose Cloud Service Monitoring > NAT Gateway.
4. Locate the row that contains the target metric and click View Graph in the Operation column to check detailed information. You can view data for the last one, three, or twelve hours.


5 FAQs

5.1 Why Is SNAT Used?

Besides requiring services provided by the system, some ECSs also need to access the Internet to obtain information or download software. However, assigning a public IP address to each ECS consumes already-limited IPv4 addresses, incurs additional costs, and may increase the attack surface of a virtual environment. Therefore, enabling multiple ECSs to share one public IP address is a preferable and more feasible method. This can be done using SNAT.

5.2 What Is the Relationship Between a VPC and a NAT Gateway, EIP Bandwidth, and ECS?

- A VPC is a secure, isolated, logical network environment.
- The NAT gateway enables ECSs in the VPC to access the Internet.
- EIP is a service that provides valid static IP addresses on the Internet. The throughput of a VPC is determined by the EIP bandwidth.
- An ECS is a running instance in the VPC and uses the NAT gateway to access the Internet.

5.3 How Does NAT Gateway Offer High Availability?

The NAT gateway supports automatic disaster recovery through hot standby and provides the Cloud Eye service and alarm reporting for users, thereby reducing risks and improving availability.

5.4 Do the NAT Gateway and SNAT Rule Support the Update Operation?

NAT gateways can be updated. SNAT and DNAT rules cannot be updated.


5.5 Which Ports Cannot Be Accessed?

Some carriers block the following ports for security reasons. It is recommended that you do not use them.

| Protocol | Ports Not Supported |
|----------|---------------------|
| TCP      | 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 9996 |
| UDP      | 1026, 1027, 1434, 1068, 5554, 9996, 1028, 1433, 135 to 139 |
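The following is an added example, not code from the Huawei guide: a Python checker that applies the constraints of section 1.5 (one NAT gateway per VPC, one SNAT rule per subnet, no EIP shared between SNAT and DNAT rules, no EIP shared between different gateways), the parameter limits of Table 2-3 (port range 1 to 65535, protocol TCP or UDP), and the carrier-blocked port lists above to a planned configuration before it is entered in the console. Constraint violations are reported as ERROR; a carrier-blocked outside port, which the guide only recommends against, is reported as WARN. The class and function names, gateway names, VPC ids, subnets and addresses are constructed for the example.

```python
"""Added example (not code from the Huawei guide): pre-flight checks for a
planned NAT gateway configuration against section 1.5, Table 2-3 and the
blocked-port list of section 5.5.  Names, ids and addresses are constructed."""

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import List

PORT_RANGE = range(1, 65536)                      # Table 2-3: 1 to 65535
# Section 5.5: ports some carriers block.
BLOCKED_TCP = {42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068,
               3127, 3128, 3129, 3130, 4444, 5554, 9996}
BLOCKED_UDP = {1026, 1027, 1434, 1068, 5554, 9996, 1028, 1433} | set(range(135, 140))


@dataclass
class SnatRule:
    subnet: str
    eip: str


@dataclass
class DnatRule:
    eip: str
    protocol: str
    outside_port: int
    private_ip: str
    inside_port: int


@dataclass
class NatGateway:
    name: str
    vpc: str
    snat: List[SnatRule] = field(default_factory=list)
    dnat: List[DnatRule] = field(default_factory=list)


def validate(gateways: List[NatGateway]) -> List[str]:
    """Return a list of 'ERROR: ...' and 'WARN: ...' findings; empty means clean."""
    findings: List[str] = []

    # Section 1.5: each VPC can have only one NAT gateway.
    per_vpc = defaultdict(list)
    for gw in gateways:
        per_vpc[gw.vpc].append(gw.name)
    for vpc, names in per_vpc.items():
        if len(names) > 1:
            findings.append(f"ERROR: VPC {vpc} has {len(names)} NAT gateways ({', '.join(names)}); only one is allowed")

    # Section 1.5: rules of different NAT gateways must use different EIPs.
    eip_owners = defaultdict(set)
    for gw in gateways:
        for eip in [r.eip for r in gw.snat] + [r.eip for r in gw.dnat]:
            eip_owners[eip].add(gw.name)
    for eip, names in sorted(eip_owners.items()):
        if len(names) > 1:
            findings.append(f"ERROR: EIP {eip} is used by more than one NAT gateway ({', '.join(sorted(names))})")

    for gw in gateways:
        # Section 1.5: only one SNAT rule per subnet.
        for subnet, n in Counter(r.subnet for r in gw.snat).items():
            if n > 1:
                findings.append(f"ERROR: {gw.name}: subnet {subnet} has {n} SNAT rules; only one is allowed")
        # Section 1.5: SNAT and DNAT rules cannot share the same EIP.
        for eip in sorted({r.eip for r in gw.snat} & {r.eip for r in gw.dnat}):
            findings.append(f"ERROR: {gw.name}: EIP {eip} is used by both SNAT and DNAT rules")
        for r in gw.dnat:
            # Table 2-3: protocol TCP or UDP, ports 1 to 65535.
            if r.protocol not in ("TCP", "UDP"):
                findings.append(f"ERROR: {gw.name}: unsupported protocol {r.protocol!r}")
                continue
            for label, port in (("outside", r.outside_port), ("inside", r.inside_port)):
                if port not in PORT_RANGE:
                    findings.append(f"ERROR: {gw.name}: {label} port {port} is outside 1-65535")
            # Section 5.5: the outside port is what the carrier sees, so only it is checked.
            blocked = BLOCKED_TCP if r.protocol == "TCP" else BLOCKED_UDP
            if r.outside_port in blocked:
                findings.append(f"WARN: {gw.name}: {r.protocol} outside port {r.outside_port} is blocked by some carriers")
    return findings


def demo() -> List[str]:
    """Constructed plan that breaks several rules at once (six findings)."""
    nat_a = NatGateway("nat-a", "vpc-1",
                       snat=[SnatRule("subnet-1", "203.0.113.10"),
                             SnatRule("subnet-1", "203.0.113.11")],      # two SNAT rules, one subnet
                       dnat=[DnatRule("203.0.113.10", "TCP", 8080, "10.0.1.5", 80),  # EIP shared with SNAT
                             DnatRule("203.0.113.12", "TCP", 445, "10.0.1.6", 445)])  # carrier-blocked
    nat_b = NatGateway("nat-b", "vpc-1",                                  # second gateway in vpc-1
                       dnat=[DnatRule("203.0.113.12", "UDP", 137, "10.0.2.5", 137)])  # EIP reused, blocked
    return validate([nat_a, nat_b])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two gateways in the sample plan produce four ERROR lines (second gateway in the VPC, EIP reused across gateways, two SNAT rules on one subnet, EIP shared between SNAT and DNAT) and two WARN lines (TCP 445 and UDP 137 as outside ports). Inside ports are not checked against the carrier list, since they are only seen inside the VPC.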


A Change History

| Released On | Description |
|-------------|-------------|
| 2018-06-08  | This issue is the third official release, which incorporates the following changes: added section "Monitoring"; added an FAQ "Which Ports Cannot Be Accessed?" |
| 2018-04-30  | This issue is the fourth official release, which incorporates the following change: added DNAT description. |
| 2018-03-30  | This issue is the third official release, which incorporates the following change: added a case to troubleshoot Internet connection failure. |
| 2018-01-30  | This issue is the second official release, which incorporates the following changes: modified the description of NAT Gateway deployment advantages; added restrictions on the naming rules and description for creating a NAT gateway. |
| 2017-12-18  | This issue is the first official release. |