Advanced SNAT use of NAT Gateway (2): building an ECS-level SNAT egress mode

Abstract: The NAT gateway is the entrance and exit through which VPC ECS instances on the cloud access the Internet. By default, the Alibaba Cloud NAT Gateway console only supports vSwitch granularity when creating SNAT entries. This article shows how to set SNAT rules at ECS granularity.

Background

The NAT gateway is the entrance and exit through which VPC ECS instances on the cloud access the Internet. By default, the Alibaba Cloud NAT Gateway console only supports vSwitch granularity when creating SNAT entries: once an SNAT entry is created, all VPC ECS instances attached to the specified vSwitch can only use that one SNAT rule to actively access the Internet.

But here comes the problem. Suppose the business is suddenly adjusted and several VPC ECS instances that are not behind the same vSwitch need to use the same public IP, or the same public IP pool, to access the Internet, without affecting other services. The following two figures show a schematic diagram of this change in the business scenario.

[Figure: business scenario before the change]

[Figure: business scenario after the change]

How to deal with it? Very simply: the SNAT SourceCIDR/32 function provided by the Alibaba Cloud NAT Gateway API handles this scenario cleanly.

SNAT SourceCIDR /32 API interface

Interface introduction

Call the Alibaba Cloud NAT Gateway API interface CreateSnatEntry. The following figure shows the request parameters of CreateSnatEntry.

[Figure: request parameters of CreateSnatEntry]

When using SNAT SourceCIDR/32 to create an ECS-granularity SNAT entry, the request parameter SourceCIDR is required and is filled with the private IP address of the VPC ECS instance as a single-host network segment, such as xx.xx.xx.xx/32. The request parameter SourceVSwitchId must not be specified at the same time.

Note: setting ECS-granularity SNAT rules through SourceCIDR is not enabled by default. Please apply for it through a work order before using it.

Operation verification

Before setting the SNAT rule at ECS granularity, the console shows the vSwitch-granularity SNAT entry that was set for the original service.

[Figure: console before the change, showing the vSwitch-granularity SNAT entry]

Call the CreateSnatEntry interface with SourceCIDR=172.16.1.193/32 (ECS3) to map it to a different SNAT IP, 114.55.xx.200, and again with SourceCIDR=172.31.2.227/32 (ECS4) to map it to the same SNAT IP, 114.55.xx.200.

At this point, the newly created ECS-granularity SNAT entries can be seen on the console.

[Figure: console after the change, showing the new ECS-granularity SNAT entries]

Then we log in to the five VPC ECS instances to check whether the SNAT entries take effect: ECS1, ECS2 and ECS5 should access the Internet with SNAT IP=118.31.xx.210, and ECS3 and ECS4 with SNAT IP=114.55.xx.200.

[Figures: outbound source IP check results for ECS1 to ECS5]

As can be seen, the source IP addresses of all five VPC ECS instances when accessing the Internet have been translated according to the configured SNAT rules. ECS3 and ECS4 use the ECS-granularity SNAT implemented through SourceCIDR/32.
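The following Python example is added here to illustrate both the parameter rules of the CreateSnatEntry call above (SourceCIDR as a /32 with no SourceVSwitchId) and the five-ECS verification just described. It is not the article's code and not Alibaba Cloud's SDK: it only builds and validates the request parameters and models which SNAT IP each instance would be translated to. The names RegionId, SnatTableId and SnatIp come from the public CreateSnatEntry API reference, not from this page; the vSwitch CIDRs, the private IPs of ECS1, ECS2 and ECS5, the SNAT table ID and the two documentation-range public IPs standing in for the masked 118.31.xx.210 and 114.55.xx.200 are constructed. The rule that a /32 entry takes precedence over the broader vSwitch entry is an assumption modelled on the verification results above, not on documented gateway internals.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not taken from the article. The two public IPs are
# documentation-range stand-ins for the masked 118.31.xx.210 and 114.55.xx.200;
# the vSwitch CIDRs and the ECS1/ECS2/ECS5 private IPs are assumed.
ORIGINAL_SNAT_IP = "203.0.113.210"   # stands in for 118.31.xx.210
NEW_SNAT_IP = "198.51.100.200"       # stands in for 114.55.xx.200
VSWITCH_A_CIDR = "172.16.1.0/24"     # assumed vSwitch holding ECS1, ECS2, ECS3
VSWITCH_B_CIDR = "172.31.2.0/24"     # assumed vSwitch holding ECS4, ECS5
ECS_PRIVATE_IPS = {
    "ECS1": "172.16.1.11",    # assumed
    "ECS2": "172.16.1.12",    # assumed
    "ECS3": "172.16.1.193",   # from the article
    "ECS4": "172.31.2.227",   # from the article
    "ECS5": "172.31.2.15",    # assumed
}


def build_create_snat_entry_params(
    region_id: str,
    snat_table_id: str,
    snat_ip: str,
    source_cidr: Optional[str] = None,
    source_vswitch_id: Optional[str] = None,
) -> Dict[str, str]:
    """Return the query parameters of one CreateSnatEntry request.

    Enforces the constraints the article states for ECS-granularity entries:
    SourceCIDR must be a single host (/32) and SourceVSwitchId must not be
    given at the same time; exactly one of the two selectors is required.
    RegionId, SnatTableId and SnatIp are the other required parameters of the
    public CreateSnatEntry API; sending the request is left to the SDK or CLI.
    """
    if (source_cidr is None) == (source_vswitch_id is None):
        raise ValueError("specify exactly one of SourceCIDR or SourceVSwitchId")
    params = {
        "Action": "CreateSnatEntry",
        "RegionId": region_id,
        "SnatTableId": snat_table_id,
        "SnatIp": snat_ip,
    }
    if source_vswitch_id is not None:
        params["SourceVSwitchId"] = source_vswitch_id
        return params
    # strict=True also rejects "172.16.1.193/24" (host bits set) with ValueError.
    net = ipaddress.ip_network(source_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"ECS-granularity SourceCIDR must be an IPv4 /32, got {source_cidr}")
    params["SourceCIDR"] = str(net)
    return params


def resolve_snat_ip(private_ip: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Pick the SNAT IP an ECS instance would be translated to.

    `entries` holds (source CIDR, SNAT IP) pairs; a vSwitch entry is modelled by
    the vSwitch CIDR. Assumption, modelled on the article's verification results
    rather than on documented gateway internals: the most specific matching
    entry wins, so a /32 entry overrides the broader vSwitch entry for that host.
    """
    addr = ipaddress.ip_address(private_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, snat_ip in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, snat_ip)
    return best[1] if best else None


def expected_translation() -> Dict[str, Optional[str]]:
    """Reproduce the article's check: which SNAT IP each of the five ECS gets."""
    entries = [
        (VSWITCH_A_CIDR, ORIGINAL_SNAT_IP),   # original vSwitch-granularity entries
        (VSWITCH_B_CIDR, ORIGINAL_SNAT_IP),
        ("172.16.1.193/32", NEW_SNAT_IP),     # ECS3 via SourceCIDR/32
        ("172.31.2.227/32", NEW_SNAT_IP),     # ECS4 via SourceCIDR/32
    ]
    return {name: resolve_snat_ip(ip, entries) for name, ip in ECS_PRIVATE_IPS.items()}


if __name__ == "__main__":
    result = expected_translation()
    for name, ip in ECS_PRIVATE_IPS.items():
        print(name, ip, "->", result[name])
    # "stb-PLACEHOLDER" stands in for a real SNAT table ID.
    print(build_create_snat_entry_params(
        "cn-hangzhou", "stb-PLACEHOLDER", NEW_SNAT_IP, source_cidr="172.16.1.193/32"))
```

Running the block prints ECS1, ECS2 and ECS5 mapped to the original SNAT IP and ECS3 and ECS4 to the new one, matching the verification above; the parameter builder refuses a /24 SourceCIDR or a request that names both SourceCIDR and SourceVSwitchId, which are the two mistakes the article's parameter rules rule out.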

Notes

Both EIPs and the public IPs in the old NAT bandwidth package can be used with the API's SNAT SourceCIDR/32 to set ECS-granularity SNAT entries. This feature will be available in the console later, so stay tuned.

Before using this function, you must apply for activation through a work order.

ECS-granularity SNAT entries can be used together with the SNAT Pool function to easily build a more flexible and reliable way of accessing the Internet.
