<p><strong>Background Information</strong></p>
<p>VPCs in all regions except the East China region can be connected to the Internet via NAT gateways. The NAT gateway performs IP address translation and enables ECS instances to access the Internet and provide services to Internet users in a secure and efficient way.</p>
<p>Inbound and outbound traffic between a VPC and the Internet is blocked by default. To connect a VPC to the Internet, configure the security group in both the inbound and outbound directions.</p>
<p>The following example illustrates how to connect ECS instances in VPC-1 to the Internet via a NAT gateway.</p>
<p><strong>Prerequisites</strong></p>
<p>ECS instances are deployed in the subnet of the DMZ network of VPC-1.</p>
<p><strong>Procedure</strong></p>
<p><strong>Note:</strong> The following is a brief description of the procedure. For more information, see the operation manual of the NAT gateway.</p>
<p>1.&nbsp;&nbsp;&nbsp;Create a NAT gateway for VPC-1.</p>
<p>2.&nbsp;&nbsp;&nbsp;Create a bandwidth package to generate an Internet IP address.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20212704181457-1c917ec2902d.png" style="height:256px; width:830px" /></p>
<p>3.&nbsp;&nbsp;&nbsp;Create an SNAT rule and specify the subnet address of the DMZ network of VPC-1 as the source CIDR. The Internet IP address is the address or address pool generated in Step 2. Multiple ECS instances in the subnet can then access the Internet via this Internet IP.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20212704181534-13e9666f9040.png" style="height:686px; width:788px" /></p>
<p>4.&nbsp;&nbsp;&nbsp;Create a DNAT rule to enable an ECS instance to access the Internet via the Internet IP. Specify the Internet IP generated in Step 2 as the Internet IP, and specify the IP address of the ECS instance in the DMZ network of VPC-1 as the VPC IP.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20212704181636-1e5d55359498.png" style="height:671px; width:830px" /></p>
<p>5.&nbsp;&nbsp;&nbsp;Create a security group for the DMZ network of VPC-1. For more information, see <a href="https://www.pinganyun.com/ssr/help/network/vpc/og.safety.csg" target="_blank">Create a Security Group</a>.</p>
<p>6.&nbsp;&nbsp;&nbsp;Add the ECS instance in the DMZ network of VPC-1 that needs to be connected to the Internet to Security Group 1. For more information, see <a href="https://www.pinganyun.com/ssr/help/network/vpc/og.safety.misg.aisg" target="_blank">Bind an Instance to a Security Group</a>.</p>
<p>7.&nbsp;&nbsp;&nbsp;Configure a rule for the security group and authorize access in both the IN and OUT directions. For more information, see <a href="https://www.pinganyun.com/ssr/help/network/vpc/og.safety.msgr.csgr" target="_blank">Create a Security Group Rule</a>.</p>
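<p>The values entered in steps 2 to 7 have to agree with each other, so they can be checked as a set before the rules are created. The following is an added example, not code from this manual or from the NAT gateway product: the field names, the <code>check_plan</code> helper and all addresses are constructed for illustration, and the last check (a wide-open IN rule) is an added caveat rather than a rule stated in the procedure.</p>

```python
import ipaddress

# Constructed plan mirroring steps 1-7. Field names are hypothetical (not the
# NAT gateway's API schema); addresses are private/documentation ranges.
PLAN = {
    "dmz_subnet": "10.0.1.0/24",
    "internet_ips": ["203.0.113.10"],                      # step 2
    "snat": {"source_cidr": "10.0.1.0/24", "internet_ip": "203.0.113.10"},
    "dnat": {"internet_ip": "203.0.113.10", "vpc_ip": "10.0.1.15"},
    "sg_members": ["10.0.1.15", "10.0.1.16"],              # step 6
    "sg_rules": [                                          # step 7
        {"direction": "IN", "cidr": "0.0.0.0/0", "ports": "443"},
        {"direction": "OUT", "cidr": "0.0.0.0/0", "ports": "all"},
    ],
}

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    subnet = ipaddress.ip_network(plan["dmz_subnet"])
    snat_src = ipaddress.ip_network(plan["snat"]["source_cidr"])
    dnat_target = ipaddress.ip_address(plan["dnat"]["vpc_ip"])

    # Step 3: the SNAT source CIDR must lie inside the DMZ subnet.
    if not snat_src.subnet_of(subnet):
        findings.append("SNAT source CIDR is outside the DMZ subnet")
    # Steps 3-4: both rules must use an Internet IP generated in step 2.
    for rule in ("snat", "dnat"):
        if plan[rule]["internet_ip"] not in plan["internet_ips"]:
            findings.append(f"{rule.upper()} Internet IP is not from the bandwidth package")
    # Step 4: the DNAT VPC IP must be an address in the DMZ subnet.
    if dnat_target not in subnet:
        findings.append("DNAT VPC IP is outside the DMZ subnet")
    # Step 6: the instance behind the DNAT rule must be bound to the security group.
    if plan["dnat"]["vpc_ip"] not in plan["sg_members"]:
        findings.append("DNAT target is not bound to the security group")
    # Step 7: traffic is blocked by default, so both directions need a rule.
    directions = {r["direction"] for r in plan["sg_rules"]}
    for needed in ("IN", "OUT"):
        if needed not in directions:
            findings.append(f"no {needed} rule: {needed} traffic stays blocked")
    # Added caveat: an IN rule open to every source on every port is wider than needed.
    for r in plan["sg_rules"]:
        if r["direction"] == "IN" and r["cidr"] == "0.0.0.0/0" and r["ports"] == "all":
            findings.append("IN rule allows all ports from 0.0.0.0/0")
    return findings

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```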
