Public NAT gateways and private NAT gateways are used in different scenarios to provide network address translation (NAT).
Public NAT Gateways
Public NAT gateways provide NAT with 20 Gbit/s of bandwidth for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a Virtual Private Cloud (VPC), or servers in on-premises data centers that connect to a VPC through Direct Connect or Virtual Private Network (VPN), allowing these servers to share elastic IP addresses (EIPs) to access the Internet or to provide services accessible from the Internet.
Public NAT gateways support source NAT (SNAT) and destination NAT (DNAT).
SNAT translates private IP addresses into EIPs, allowing servers in a VPC to share an EIP to access the Internet in a secure and efficient way.
DNAT enables servers in a VPC to share an EIP to provide services accessible from the Internet through IP address mapping or port mapping.
Figure 2 shows the DNAT architecture.
Private NAT Gateways
Private NAT gateways provide private address translation services for Elastic Cloud Servers (ECSs) and Bare Metal Servers (BMSs) in a VPC. You can configure SNAT and DNAT rules to translate the source and destination IP addresses into transit IP addresses, so that servers in the VPC can communicate with other VPCs or on-premises data centers.
Specifically:
SNAT enables multiple servers across AZs in a VPC to share a transit IP address to access on-premises data centers or other VPCs.
DNAT enables servers that share the same transit IP address in a VPC to provide services accessible from on-premises data centers or other VPCs.
Transit Subnet
A transit subnet functions as a transit network. You can configure a transit IP address for the transit subnet so that servers in a local VPC can share the transit IP address to access on-premises data centers or other VPCs.
Transit VPC
The transit VPC is the VPC that the transit subnet is a part of.

The preceding figure shows two ways a private NAT gateway can be deployed.
Communications between two VPCs with an overlapping CIDR block
Under normal conditions, VPCs with an overlapping CIDR block cannot access each other. But with private NAT gateways, you can configure SNAT and DNAT rules to translate the private IP addresses of the VPCs to transit IP addresses. In this way, servers in the two VPCs can communicate with each other.
Using a specific IP address to access a remote private network
A private NAT gateway lets you use a specific IP address to access an on-premises data center or a VPC on a remote private network. The on-premises data center is connected to the transit VPC through Direct Connect or VPN. The VPC is connected to the transit VPC through a VPC Peering connection. In the figure, VPC 1 uses a private NAT gateway to access the remote private network, shown on the left. To do this, SNAT rules need to be configured to translate the private IP address in VPC 1 into specific IP addresses that can communicate with the private network.
NOTE: Private NAT gateways are available for OBT in the following regions: CN North-Beijing4, CN North-Ulanqab1, CN East-Shanghai1, CN South-Guangzhou, CN Southwest-Guiyang1, CN-Hong Kong, AP-Bangkok, AP-Singapore, and LA-Sao Paulo1.
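The overlapping-CIDR case described above can be traced with a small model. This is an added example, not code from the NAT Gateway service or its API: the CIDRs, transit IP addresses, ports, and all function names are constructed for illustration, and each VPC is assumed to have one private NAT gateway with one transit IP address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not from the page): both VPCs use
# the same CIDR, and each private NAT gateway owns one transit IP address.
VPC_CIDR = {"vpc-a": "192.168.0.0/24", "vpc-b": "192.168.0.0/24"}
TRANSIT_IP = {"vpc-a": "10.1.0.11", "vpc-b": "10.2.0.22"}
# vpc-b publishes one service: transit port 8443 -> 192.168.0.10:443
B_RULES = {8443: ("192.168.0.10", 443)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def cidrs_overlap(a, b):
    """True when two CIDR blocks share addresses, so direct routing is ambiguous."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def snat(pkt, vpc):
    """Outbound: rewrite a source inside the VPC CIDR to that VPC's transit IP."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(VPC_CIDR[vpc]):
        raise ValueError("source is outside the SNAT rule's CIDR")
    return Packet(TRANSIT_IP[vpc], pkt.dst, pkt.dport)

def dnat(pkt, vpc, rules):
    """Inbound: map (transit IP, port) to (private IP, port); no rule, no delivery."""
    if pkt.dst != TRANSIT_IP[vpc] or pkt.dport not in rules:
        return None
    private_ip, private_port = rules[pkt.dport]
    return Packet(pkt.src, private_ip, private_port)

def send_a_to_b(src_ip, dport, b_dnat_rules):
    """A server in vpc-a reaches vpc-b by addressing vpc-b's transit IP."""
    out = snat(Packet(src_ip, TRANSIT_IP["vpc-b"], dport), "vpc-a")
    return dnat(out, "vpc-b", b_dnat_rules)

if __name__ == "__main__":
    print(cidrs_overlap(VPC_CIDR["vpc-a"], VPC_CIDR["vpc-b"]))
    # Sender and receiver both hold 192.168.0.10; only transit IPs cross the link.
    print(send_a_to_b("192.168.0.10", 8443, B_RULES))
    # Port 22 has no DNAT rule in this model, so nothing in vpc-b receives it.
    print(send_a_to_b("192.168.0.10", 22, B_RULES))
```

In this model the receiving server sees only the sender's transit IP address, and a port without a DNAT rule is not reachable from the other VPC, which is worth checking when reviewing which services a DNAT rule set publishes.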
How Do I Access the NAT Gateway Service?
Management console
You can use the console to perform operations on NAT gateways. Log in to the management console and choose NAT Gateway from the service list.
APIs
Use APIs if you need to integrate NAT Gateway into a third-party system for secondary development. For details, see NAT Gateway API Reference.


