- User Guide
- Service Overview
- Basic Concepts
- Shared SNAT
Shared SNAT¶
The VPC service provides free SNAT function, which allows ECSs to use a limited number of public IP addresses to gain one-way access to the Internet for operations, such as updating software. However, Internet users cannot directly access the ECSs.
Figure 1 shows how shared SNAT works. The SNAT device forwards traffic from ECSs to the Internet and the response traffic from the Internet to the ECSs. When forwarding ECS traffic to the Internet, the SNAT device converts the source IP addresses (ECS private IP addresses) in the data packets into the public IP addresses set on the SNAT device. When processing the response packets from the Internet to the ECSs, the SNAT device changes the public IP addresses in the response data packets to the private IP addresses of the ECSs.
To enable shared SNAT using the API, refer to Updating a Router and set enable_snat to true.
To enable shared SNAT on the management console:
Log in to the management console.
On the console homepage, under , click Virtual Private Cloud.
On the Virtual Private Cloud page, locate the VPC for which shared SNAT is to be enabled, and click Modify.
In the displayed dialog box, enable Shared SNAT.
Click OK.
After being configured for a VPC, shared SNAT takes effect for the whole VPC. If EIPs are bound to ECSs in a VPC for which shared SNAT is configured, Internet traffic is preferentially forwarded using the EIPs. If you want to prevent an ECS from connecting to the Internet, you can configure an outbound rule for the security group associated with the ECS.
For example:
To prevent an ECS from connecting to the Internet but allow the ECS to access 192.168.10.0/24, configure the following rule for the security group associated with the ECS:
Delete the default outbound rule that allows all outgoing data packets from the security group.
After this rule is deleted, ECSs associated with this security group are not allowed to access any network, including the internal networks in the VPC of the ECSs.
Add the required outbound rule.
The following shows the added outbound rule that allows the ECS to access the 192.168.10.0/24 CIDR block.
The differences between shared SNAT and custom routes are as follows:
Shared SNAT provides the SNAT function for a specified VPC through an API or the management console and enables all ECSs in the VPC to gain one-way access to the Internet.
A custom route enables ECSs to access the Internet through an SNAT server that has an EIP bound. The ECSs' access requests are routed to the SNAT server based on the route table.
Shared SNAT takes effect for the whole VPC by default, while a custom route takes effect for the VPC or subnet for which routes have been configured.
A custom route has a higher priority than a shared SNAT.