Provide Services to the Internet through DNAT

<p>This article describes how ECS instances in the VPC provide external services to the Internet through the DNAT function of the NAT gateway.</p> <p><strong><span style="font-size:18px">Prerequisites</span></strong></p> <p>&bull;&nbsp;You have successfully purchased a VPC, and created a DMZ network domain and subnet. For more information, see <a href="https://yun.pingan.com/ssr/help/network/vpc/quick_start.cvcti" target="_blank">Quick Start</a> of VPC.</p> <p>&bull;&nbsp;You have already purchased an ECS instance in the subnet of the DMZ network domain of the VPC.</p> <p><strong><span style="font-size:18px">Limitations</span></strong></p> <p>&bull;&nbsp;You can apply for a maximum of five public IP addresses for one bandwidth package.</p> <p>&bull;&nbsp;The maximum bandwidth is 200 Mbps. If you want to purchase a bandwidth package with a size of more than 200 Mbps, submit a ticket to apply for it.</p> <p><strong><span style="font-size:18px">Step 1: Create a NAT Gateway</span></strong></p> <p>1.&nbsp;Log in to the <a href="https://www.pinganyun.com/console/vpc/overview" target="_blank">VPC Console</a>.</p> <p>2.&nbsp;Click <strong>NAT Gateway</strong> in the left navigation pane to enter the <strong>NAT Gateway</strong> page.</p> <p>3.&nbsp;Click <strong>Create</strong> in the upper-right corner to enter the <strong>Create NAT Gateway</strong> page.</p> <p>4.&nbsp;Create a NAT gateway based on the following information.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142055-1d8fde8b938f.png" style="height:361px; width:830px" /></p> <p><strong>Configuration Service</strong></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td style="background-color:#ededed; width:173px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:610px"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:173px"> <p>Region</p> </td> <td 
style="vertical-align:top; width:610px"> <p>Select the region of the VPC in which the NAT gateway will be created.</p> </td> </tr> <tr> <td style="width:173px"> <p>VPC</p> </td> <td style="vertical-align:top; width:610px"> <p>Select the VPC that the NAT gateway belongs to.</p> </td> </tr> <tr> <td style="width:173px"> <p>Specification</p> </td> <td style="vertical-align:top; width:610px"> <p>Select the specification for the NAT gateway. Currently, the NAT gateway is available in small and medium specifications, which are priced differently. For more information, see <a href="https://yun.pingan.com/ssr/help/network/NAT_Gateway/Product_Profile.spec" target="_blank">Specifications</a> and <a href="https://yun.pingan.com/ssr/help/network/NAT_Gateway/buy.Price" target="_blank">Billing Overview</a>.</p> </td> </tr> <tr> <td style="width:173px"> <p>Billing method</p> </td> <td style="vertical-align:top; width:610px"> <p>Currently, the NAT gateway is charged by hour.</p> </td> </tr> <tr> <td style="width:173px"> <p>Description</p> </td> <td style="vertical-align:top; width:610px"> <p>Enter a custom description for the NAT gateway.</p> </td> </tr> </tbody> </table> <p>5.&nbsp;Click <strong>Purchase</strong> to enter the <strong>Order Confirmation</strong> page.</p> <p>6.&nbsp;Click <strong>CONFIRM OPEN</strong> to enter the <strong>Payment Result</strong> page.</p> <p>7.&nbsp;Click <strong>MANAGE CONSOLE</strong> to return to the <strong>NAT Gateway</strong> page.</p> <p><strong><span style="font-size:18px">Step 2: Create a Bandwidth Package</span></strong></p> <p>1.&nbsp;Click the name of the NAT gateway created in Step 1 to enter the <strong>NAT Detail</strong> page.</p> <p>2.&nbsp;Click the <strong>Bandwidth </strong>tab.</p> <p>3.&nbsp;On the <strong>Bandwidth </strong>tab, click <strong>Create</strong> in the upper-right corner to enter the <strong>Create Broadband</strong> page.</p> <p>4.&nbsp;Create a bandwidth package based on the following information.</p> <p><img 
src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142311-15c89d5690d3.png" style="height:382px; width:719px" /></p> <p><strong>Basic Information</strong></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td style="background-color:#ededed; width:182px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:601px"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:182px"> <p>ISP</p> </td> <td style="vertical-align:top; width:601px"> <p>Select the Internet service provider.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" />: The BGP carrier link went online on April 29th, 2020. Its launch does not affect existing users who have already purchased MAN, including their current use and new purchases. Users who have not purchased a MAN carrier bandwidth package for the NAT gateway can purchase only the BGP carrier link.</p> </td> </tr> <tr> <td style="width:182px"> <p>Total bandwidth</p> </td> <td style="vertical-align:top; width:601px"> <p>Select the bandwidth in the range of 1 to 200. 
The bandwidth package is billed based on the size.</p> </td> </tr> <tr> <td style="width:182px"> <p>Billing method</p> </td> <td style="vertical-align:top; width:601px"> <p>Currently, the bandwidth package is charged by hour.</p> </td> </tr> <tr> <td style="width:182px"> <p>Internet IP amount</p> </td> <td style="vertical-align:top; width:601px"> <p>Select the number of public IP addresses in the range of one to five.</p> </td> </tr> </tbody> </table> <p>5.&nbsp;Click <strong>Purchase</strong> to enter the <strong>Order Confirmation</strong> page.</p> <p>6.&nbsp;Click <strong>CONFIRM OPEN</strong> to enter the <strong>Payment Result</strong> page.</p> <p>7.&nbsp;Click <strong>MANAGE CONSOLE</strong> to return to the <strong>NAT Gateway</strong> page.</p> <p><strong><span style="font-size:18px">Step 3: Create a DNAT Rule</span></strong></p> <p>1.&nbsp;Click the instance name of the NAT gateway created in Step 1 to enter the <strong>NAT Detail</strong> page.</p> <p>2.&nbsp;Click the <strong>DNAT Rule </strong>tab.</p> <p>3.&nbsp;On the <strong>DNAT Rule </strong>tab, click <strong>Create</strong> in the upper-right corner to enter the <strong>Create DNAT Rule</strong> page.</p> <p>4.&nbsp;Create a DNAT rule based on the following information.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142346-1d14e7e2904d.png" style="height:556px; width:663px" /></p> <p><strong>Basic Information</strong></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td style="background-color:#ededed; width:186px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:597px"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:186px"> <p>Mapping type</p> </td> <td style="vertical-align:top; width:597px"> <p><strong>IP Mapping</strong> and <strong>Port Mapping</strong> can be selected.</p> <p><img 
src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" /><strong>:</strong></p> <p>&bull;&nbsp;When a service uses only a few fixed ports, use port mapping to make the most of a single public IP.</p> <p>&bull;&nbsp;When a service needs a variable or large number of ports, use IP mapping, so that one ECS instance occupies only one public IP.</p> </td> </tr> <tr> <td style="width:186px"> <p>Internet IP</p> </td> <td style="vertical-align:top; width:597px"> <p>Select one or multiple public IP addresses. If the type of DNAT rule is port mapping, you need to enter the port number.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" /><strong>:</strong> The public IP selected here is the public IP applied for in Step 2.</p> </td> </tr> <tr> <td style="width:186px"> <p>Private IP</p> </td> <td style="vertical-align:top; width:597px"> <p>You can select the ECS instance in the VPC which provides external services to the Internet in one of the following two ways:</p> <p>&bull;&nbsp;Click <strong>Select Instance</strong>, and perform the following operations:</p> <p>1.&nbsp;Click <strong>Add Instance</strong>, and the <strong>Add Instance</strong> dialog box will open.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" /><strong>:</strong> The ECS instances listed in the dialog box are in the DMZ network domain of the VPC to which the NAT gateway belongs.</p> <p>2.&nbsp;Select the ECS instance that needs to provide external services to the Internet, and click <strong>Confirm</strong>.</p> <p>3.&nbsp;If the type of the DNAT rule is port mapping, you need to enter the port number.</p> <p>&bull;&nbsp;Click <strong>Custom IP 
address</strong>, and perform the following operations:</p> <p>1.&nbsp;Fill in the IP address of the ECS instance that provides external services.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" />: Please confirm that the IP address is in the subnet of the DMZ network domain of the VPC that the NAT gateway belongs to.</p> <p>2.&nbsp;If the type of the DNAT rule is port mapping, enter the port number.</p> </td> </tr> <tr> <td style="width:186px"> <p>Protocol type</p> </td> <td style="vertical-align:top; width:597px"> <p>If the type of the DNAT rule is port mapping, you need to select the protocol type. Two protocol types are available: TCP and UDP. You can select one or both of them.</p> </td> </tr> <tr> <td style="width:186px"> <p>Description</p> </td> <td style="vertical-align:top; width:597px"> <p>Customize the description of the DNAT rule.</p> </td> </tr> </tbody> </table> <p>5.&nbsp;Click <strong>Create</strong> to return to the <strong>DNAT Rule </strong>tab, where you can view the newly created DNAT rule.</p> <p><strong><span style="font-size:18px">Step 4: Configure the Security Group</span></strong></p> <p>1.&nbsp;Log in to the <a href="https://yun.pingan.com/console/ecs/overview" target="_blank">ECS Console</a>.</p> <p>2.&nbsp;Click <strong>Networks</strong> &gt; <strong>Security Group</strong> in the left navigation pane to enter the <strong>Security Group</strong> page.</p> <p>3.&nbsp;Click <strong>Create</strong> in the upper-right corner, and the <strong>Create Security Group</strong> dialog box will open.</p> <p>4.&nbsp;Select the VPC and the DMZ network domain to which the NAT gateway belongs, and click <strong>Confirm</strong> to create a security group.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142450-134f09b9905c.png" style="height:309px; width:767px" /></p> <p>5.&nbsp;Click the name of the security 
group created to enter the <strong>Security Group Information</strong> page.</p> <p>6.&nbsp;On the <strong>ECS</strong> <strong>Instance</strong> tab, click <strong>Add</strong> in the upper-right corner, and the <strong>Binding </strong>dialog box will open.</p> <p>7.&nbsp;Select the ECS instances that need to provide external services, and click <strong>Confirm</strong> to add the ECS instances to the security group.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142516-16d59da6987f.png" style="height:328px; width:830px" /></p> <p>8.&nbsp;Click the <strong>Security Group Rules</strong> tab, and click <strong>Create</strong> in the upper-right corner of the tab. The <strong>Create Security Group Rules</strong> dialog box will open.</p> <p>9.&nbsp;Create a security group rule based on the following information.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142543-19e4bddc9c7f.png" style="height:557px; width:763px" /></p> <table border="1" cellpadding="0" cellspacing="0" style="width:0px"> <tbody> <tr> <td style="background-color:#ededed; width:209px"> <p><strong>Configuration item</strong></p> </td> <td style="background-color:#ededed; vertical-align:top; width:574px"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:209px"> <p><strong>Rules direction</strong></p> </td> <td style="vertical-align:top; width:574px"> <p>Select IN as the direction of the security group rule. An IN rule allows the authorized IP to access the instances in the security group.</p> </td> </tr> <tr> <td style="width:209px"> <p><strong>Protocol type</strong></p> </td> <td style="vertical-align:top; width:574px"> <p>Select the type of network protocol. Currently TCP, UDP, and ICMP are supported.</p> </td> </tr> <tr> <td style="width:209px"> <p><strong>Port range</strong></p> </td> <td style="vertical-align:top; width:574px"> <p>If the protocol type is TCP or UDP, you need to enter the port range. 
The value range for the port is 1 to 65535.</p> </td> </tr> <tr> <td style="width:209px"> <p><strong>Authorize IP</strong></p> </td> <td style="vertical-align:top; width:574px"> <p>Enter the authorized IP address.</p> </td> </tr> <tr> <td style="width:209px"> <p><strong>Description</strong></p> </td> <td style="vertical-align:top; width:574px"> <p>Customize the description of the security group rule.</p> <p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201707142936-11e74dd39125.png" style="height:21px; margin:1px; width:50px" /><strong>:</strong> A maximum of 50 characters.</p> </td> </tr> </tbody> </table> <p>10.&nbsp;Click <strong>Confirm</strong>, and you will see an&nbsp;<strong>Operation succeeded&nbsp;</strong>message at the bottom of the page.</p>
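<p>The following pre-flight check is an added example, not part of the original documentation or of the provider's tooling. It audits a planned configuration against the limits and steps above: bandwidth package size, DMZ subnet membership, and whether each DNAT rule from Step 3 has a matching IN rule from Step 4. The plan layout, field names and sample addresses are constructed for illustration, and the example assumes a single security group that filters on the translated (private) port.</p>

```python
import ipaddress

MAX_PUBLIC_IPS, MAX_MBPS = 5, 200   # limits stated on this page

def sg_allows(sg_rules, proto, port):
    """True if some IN rule covers this protocol and port."""
    return any(r["direction"] == "IN" and r["protocol"] == proto
               and r["ports"][0] <= port <= r["ports"][1] for r in sg_rules)

def audit(plan):
    """Return findings for a planned bandwidth package, DNAT rules and security group."""
    out = []
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    if len(plan["public_ips"]) > MAX_PUBLIC_IPS:
        out.append("bandwidth package: more than 5 public IPs")
    if not 1 <= plan["bandwidth_mbps"] <= MAX_MBPS:
        out.append("bandwidth package: size outside 1-200 Mbps")
    for d in plan["dnat"]:
        tag = f'{d["public_ip"]} -> {d["private_ip"]}'
        if d["public_ip"] not in plan["public_ips"]:
            out.append(f"{tag}: public IP is not in the bandwidth package")
        if ipaddress.ip_address(d["private_ip"]) not in dmz:
            out.append(f"{tag}: private IP is outside the DMZ subnet")
        if d["type"] == "port":
            for proto in d["protocols"]:
                # Assumption: the security group sees the translated (private) port.
                if not sg_allows(plan["sg_rules"], proto, d["private_port"]):
                    out.append(f'{tag}: no IN rule for {proto}/{d["private_port"]}')
        else:
            # IP mapping forwards every port, so the security group is the only filter.
            for r in plan["sg_rules"]:
                if r["direction"] == "IN" and "ports" in r and r["source"] == "0.0.0.0/0":
                    out.append(f'{tag}: {r["protocol"]}/{r["ports"][0]}-{r["ports"][1]} open to any source')
    return out

# Constructed sample plan (documentation and private address ranges, not from the page).
PLAN = {
    "dmz_subnet": "10.0.1.0/24", "bandwidth_mbps": 50,
    "public_ips": ["203.0.113.10", "203.0.113.11"],
    "dnat": [
        {"type": "port", "public_ip": "203.0.113.10", "public_port": 443,
         "private_ip": "10.0.1.20", "private_port": 8443, "protocols": ["TCP"]},
        {"type": "port", "public_ip": "203.0.113.10", "public_port": 53,
         "private_ip": "10.0.2.5", "private_port": 53, "protocols": ["TCP", "UDP"]},
        {"type": "ip", "public_ip": "203.0.113.11", "private_ip": "10.0.1.30"},
    ],
    "sg_rules": [
        {"direction": "IN", "protocol": "TCP", "ports": (8443, 8443), "source": "0.0.0.0/0"},
        {"direction": "IN", "protocol": "UDP", "ports": (53, 53), "source": "198.51.100.0/24"},
    ],
}
```

<p>Calling <code>audit(PLAN)</code> on the sample reports the instance outside the DMZ subnet, the missing TCP/53 rule, and the any-source rule that becomes Internet-reachable through the IP mapping.</p>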