NAT Gateway

This topic describes how to set up and manage a Network Address Translation (NAT) gateway. A NAT gateway gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.

Highlights

  • You can add a NAT gateway to your VCN to give instances in a private subnet access to the internet.
  • Instances in a private subnet don't have public IP addresses. With the NAT gateway, they can initiate connections to the internet and receive responses, but not receive inbound connections initiated from the internet.
  • NAT gateways are highly available and support TCP, UDP, and ICMP ping traffic.

Overview of NAT

NAT is a networking technique commonly used to give an entire private network access to the internet without assigning each host a public IPv4 address. The hosts can initiate connections to the internet and receive responses, but not receive inbound connections initiated from the internet.

When a host in the private network initiates an internet-bound connection, the NAT device's public IP address becomes the source IP address for the outbound traffic. The response traffic from the internet therefore uses that public IP address as the destination IP address. The NAT device then routes the response to the host in the private network that initiated the connection.

Overview of NAT Gateways

The Networking service offers a reliable and highly available NAT solution for your VCN in the form of a NAT gateway.

Example scenario: Imagine you have resources that need to receive inbound traffic from the internet (for example, web servers). You also have private resources that need to be protected from inbound traffic from the internet. All of these resources need to initiate connections to the internet to request software updates from sites on the internet.

You set up a VCN and add a public subnet to hold the web servers. When launching the instances, you assign public IP addresses to them so they can receive inbound internet traffic. You also add a private subnet to hold the private instances. They cannot have public IP addresses because they are in a private subnet.

You add an internet gateway to the VCN. You also add a route rule in the public subnet's route table that directs internet-bound traffic to the internet gateway. The public subnet's instances can now initiate connections to the internet and also receive inbound connections initiated from the internet. Remember that you can use security rules to control the types of traffic that are allowed in and out of the instances at the packet level.

You add a NAT gateway to the VCN. You also add a route rule in the private subnet's route table that directs internet-bound traffic to the NAT gateway. The private subnet's instances can now initiate connections to the internet. The NAT gateway allows responses, but it does not allow connections that are initiated from the internet. Without that NAT gateway, the private instances would instead need to be in the public subnet and have public IP addresses to get their software updates.

When routing the response traffic from the internet back to the subnet, by default a NAT gateway routes the traffic to the destination directly. You can associate a route table with the NAT gateway, and define route rules for NAT gateway ingress routing in that route table. For example, if you want the NAT gateway to route the response traffic to a firewall first, you can create a route rule for the destination subnet CIDR with the firewall private IP as the target in the NAT gateway route table.

The following diagram illustrates the basic network layout for the example. The arrows indicate whether connections can be initiated in only one direction or both.

[Diagram: basic layout of a VCN with a NAT gateway and an internet gateway]

Callout 1: Public Subnet Route Table

  Destination CIDR    Route Target
  0.0.0.0/0           Internet Gateway

Callout 2: Private Subnet Route Table

  Destination CIDR    Route Target
  0.0.0.0/0           NAT Gateway

Note

A NAT gateway can be used only by resources in the gateway's own VCN. If the VCN is peered with another, resources in the other VCN cannot access the NAT gateway.

Also, resources in an on-premises network connected to the NAT gateway's VCN with FastConnect or a Site-to-Site VPN cannot use the NAT gateway.

Here are a few basics about NAT gateways:

  • The NAT gateway supports TCP, UDP, and ICMP ping traffic.
  • The gateway supports a maximum of approximately 20,000 concurrent connections to a single destination address and port.
  • The Networking service can either allocate a new public IP address for a new NAT Gateway, or you can specify a specific existing reserved public IP to use for a newly created NAT Gateway.
  • There's a limit on the number of NAT gateways per VCN. You can request an increase to that limit. See Service Limits for a list of applicable limits and instructions for requesting a limit increase.

Routing for a NAT Gateway

You control routing in your VCN at the subnet level, so you can specify which subnets in your VCN use a NAT gateway. You can have more than one NAT gateway on a VCN (although you must request an increase in your limits). For example, if you want an external application to distinguish traffic from the VCN's different subnets, you could set up a different NAT gateway (and thus a different public IP address) for each subnet. A given subnet can route traffic to only a single NAT gateway.

Blocking Traffic Through a NAT Gateway

You create a NAT gateway in the context of a specific VCN. In other words, the NAT gateway is automatically always attached to only one VCN of your choice. However, you can block or allow traffic through the NAT gateway at any time. By default, the gateway allows traffic upon creation. Blocking the NAT gateway prevents all traffic from flowing, regardless of any existing route rules or security rules in your VCN. For instructions on how to block traffic, see To block/allow traffic for a NAT gateway.
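The following model ties together the behaviour described above: private hosts initiate connections and the gateway rewrites their source to its public IP, responses are mapped back (optionally through a next hop from the NAT gateway route table, as in the firewall example), connections initiated from the internet are dropped, and blocking the gateway drops every flow regardless of route rules. This is an added illustration, not OCI code; the class name, the port allocator and every address in it are constructed for the example.

```python
import ipaddress
from itertools import count


class NatGateway:
    """Connection-tracking model of the gateway's behaviour (constructed)."""

    def __init__(self, public_ip, ingress_rules=None):
        self.public_ip = public_ip
        self.block_traffic = False       # the gateway allows traffic by default
        # Optional NAT gateway route table: {destination subnet CIDR: next hop}
        self.ingress_rules = {ipaddress.ip_network(c): hop
                              for c, hop in (ingress_rules or {}).items()}
        self._ports = count(10000)       # constructed NAT port allocator
        self.table = {}                  # nat_port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private host -> internet. Returns the rewritten (src_ip, src_port,
        dst_ip, dst_port) as seen on the internet, or None if dropped."""
        if self.block_traffic:           # blocking drops all flows,
            return None                  # regardless of route or security rules
        nat_port = next(self._ports)
        self.table[nat_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> gateway public IP. Returns (private_ip, private_port,
        next_hop) for a response to a tracked connection, else None."""
        if self.block_traffic or dst_port not in self.table:
            return None                  # no tracked connection: dropped
        priv_ip, priv_port, peer_ip, peer_port = self.table[dst_port]
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None                  # not from the peer we contacted: dropped
        next_hop = priv_ip               # default: route the response directly
        for cidr, hop in self.ingress_rules.items():
            if ipaddress.ip_address(priv_ip) in cidr:
                next_hop = hop           # e.g. send it through a firewall first
        return (priv_ip, priv_port, next_hop)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.10", {"10.0.1.0/24": "10.0.2.5"})  # constructed
    pkt = gw.outbound("10.0.1.20", 51000, "198.51.100.7", 443)
    print("outbound as seen by internet:", pkt)
    print("response delivered:", gw.inbound("198.51.100.7", 443, pkt[1]))
    print("unsolicited inbound:", gw.inbound("198.51.100.9", 22, 10000))
    gw.block_traffic = True
    print("while blocked:", gw.outbound("10.0.1.20", 51001, "198.51.100.7", 443))
```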

Transitioning to a NAT Gateway

If you're switching from using a NAT instance in your VCN to a NAT gateway, consider that the public IP address for your NAT device will change.

If you're switching from using an internet gateway to a NAT gateway, the instances with access to the NAT gateway no longer need public IP addresses to reach the internet. Also, the instances no longer need to be in a public subnet. You can't switch a subnet from public to private. However, you can delete the ephemeral public IPs from your instances if you like.

Deleting a NAT Gateway

To delete a NAT gateway, its traffic does not have to be blocked, but there must not be a route table that lists it as a target. For instructions, see To delete a NAT gateway.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: see IAM Policies for Networking.

Setting Up a NAT Gateway

Task 1: Create the NAT gateway
  1. In the Console, confirm you're viewing the compartment that contains the VCN that you want to add the NAT gateway to. For information about compartments and access control, see Access Control.
  2. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  3. Click the VCN you're interested in.
  4. Under Resources, click NAT Gateways.
  5. Click Create NAT Gateway.
  6. Enter the following values:

    • Name: A friendly name for the NAT gateway. It doesn't have to be unique. Avoid entering confidential information.
    • Create in compartment: The compartment where you want to create the NAT gateway, if different from the compartment you're currently working in.
    • Choose IP Address Type: Specify whether the public IP address is reserved or ephemeral.
      • Ephemeral IP Address: Choose this option to let Oracle specify an ephemeral IP address for you from the Oracle IP pool. This is the default.
      • Reserved IP Address: Choose this option to specify an existing reserved IP address by name, or to create a new reserved IP address by assigning a name and selecting a source IP pool for the address. If you don't select a pool you've created, the default Oracle IP pool is used.
    • Route Table Association: (advanced option) You can associate a specific VCN route table with this gateway. If you associate a route table, afterwards the gateway must always have a route table associated with it. You can modify the rules in the current route table or replace it with another route table.
    • Tags: (advanced option) If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.
  7. Click Create NAT Gateway.

    The NAT gateway is then created and displayed on the NAT Gateways page in the compartment you chose. The gateway allows traffic by default. At any time, you can block or allow traffic through it.

Task 2: Update routing for the subnet

When you create a NAT gateway, you must also create a route rule that directs the desired traffic from the subnet to the NAT gateway. You do this for each subnet that needs to access the gateway.

  1. Determine which subnets in your VCN need access to the NAT gateway.
  2. For each of those subnets, update the subnet's route table to include a new rule:

    1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
    2. Click the VCN you're interested in.
    3. Under Resources, click Route Tables.
    4. Click the route table you're interested in.
    5. Click Add Route Rule and enter the following values:

      • Target Type: NAT Gateway.
      • Destination CIDR Block: 0.0.0.0/0
      • Compartment: The compartment where the NAT gateway is located.
      • Target NAT Gateway: The NAT gateway.
      • Description: An optional description of the rule.
    6. Click Add Route Rule.

Any subnet traffic with a destination that matches the rule is routed to the NAT gateway. For more information about setting up route rules, see VCN Route Tables.

Later, if you no longer need the NAT gateway and want to delete it, you must first delete all the route rules in your VCN that specify the NAT gateway as the target.

Tip

Without the required routing, traffic doesn't flow over the NAT gateway. If a situation occurs where you need to temporarily stop the traffic flow over the gateway, you can simply remove the route rule that enables traffic. Or you can block traffic through the gateway entirely. You do not need to delete it.

Using the Console

To block/allow traffic for a NAT gateway
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click NAT Gateways.
  4. For the NAT gateway you're interested in, click the Actions menu and then click Block Traffic (or Allow Traffic if you're enabling traffic for the NAT gateway).
  5. Confirm when prompted.

    When the traffic is blocked, the NAT gateway's icon turns gray, and the label changes to BLOCKED. When the traffic is allowed, the NAT gateway's icon turns green, and the label changes to AVAILABLE.

To update a NAT gateway
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click NAT Gateways.
  4. For the NAT gateway you're interested in, click the Actions menu, and then click Edit.
  5. Make your changes and click Save Changes.

To delete a NAT gateway

Prerequisite: There must not be a route table that lists the NAT gateway as a target.

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click NAT Gateways.
  4. For the NAT gateway you want to delete, click the Actions menu, and then click Terminate.
  5. Confirm when prompted.

To manage route tables for a NAT gateway
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click NAT Gateways.
  4. Click the Actions menu for the NAT gateway, and then click Associate Different Route Table. From there you can change the associated route table for this gateway or associate a route table to a gateway that doesn't already have an associated route table. After a route table is associated to a gateway, the gateway must always have a route table associated with it.

To manage tags for a NAT gateway
  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. Under Resources, click NAT Gateways.
  4. Click the Actions menu for the NAT gateway, and then click View Tags. From there you can view the existing tags, edit them, and apply new ones.

For more information, see Resource Tags.

To move a NAT gateway to a different compartment

You can move a NAT gateway from one compartment to another. When you move a NAT gateway to a new compartment, inherent policies apply immediately.

  1. Open the navigation menu, click Networking, and then click Virtual cloud networks.
  2. Click the VCN you're interested in.
  3. In Resources, click NAT Gateways.
  4. Find the NAT gateway in the list, click the Actions menu, and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.

The NAT gateway moves to the new compartment immediately. Depending on your permissions, you can select the compartment in the left side menu to view the NAT gateway.

For more information about using compartments and policies to control access to your cloud network, see Access Control. For general information about compartments, see Managing Compartments.