Contact UsGet started

Routing through a NAT instance using the management console

Written by
Updated at October 30, 2024

To configure routing through a NAT instance using the Yandex Cloud management console:

  1. Prepare your cloud.
  2. Create a security group.
  3. Create a test VM.
  4. Create a NAT instance.
  5. Set up static routing in the cloud network.
  6. Test the NAT instance.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of NAT instance support includes:

Prepare the infrastructure

  1. Create a cloud network, e.g., my-vpc.

  2. In the cloud network, create subnets, e.g.:

    • public-subnet to host the NAT instance.
    • private-subnet to host your test VM.

Create a security group

Security groups include rules that allow your VMs to be accessed via SSH. In this tutorial, you will create a security group named nat-instance-sg.

To create a security group:

  1. In the management console, select Virtual Private Cloud.

  2. Open the Security groups tab.

  3. Create a security group:

    1. Click Create security group.

    2. In the Name field, specify the name: nat-instance-sg.

    3. In the Network field, select my-vpc.

    4. Under Rules, create the following rules using the instructions below the table:

      Traffic
      direction      		 Description Port range Protocol Destination name /
      Source      		 CIDR blocks
      Outgoing any All Any CIDR 0.0.0.0/0
      Incoming ssh 22 TCP CIDR 0.0.0.0/0
      Incoming ext-http 80 TCP CIDR 0.0.0.0/0
      Incoming ext-https 443 TCP CIDR 0.0.0.0/0

    5. Select the Egress or Ingress tab.

    6. Click Add rule.

    7. In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from. To open all ports, click Select the full range.

    8. In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.

    9. In the Destination name or Source field, select the CIDR, and the rule will apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.

    10. Click Save. Repeat the steps to create all the rules from the table.

    11. Click Save.

Create a test VM

  1. In the management console, select the folder to create your VM in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select an image and a Linux-based OS version.

  6. Under Location, select the availability zone where the private-subnet subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the test VM, e.g., private-subnet.
    • In the Public IP field, select No address.
    • In the Security groups field, select the nat-instance-sg security group you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.

  8. Under Access, specify the information required to access the VM:

    • In the Login field, enter a username, e.g., yc-user.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.

  9. Under General information, specify the VM name: test-vm.

  10. Click Create VM.

Save the username, private SSH key, and internal IP address for the test VM.

Create a NAT instance

  1. In the management console, select the folder to create your VM in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, go to the Marketplace tab and select the NAT instance image.

  6. Under Location, select the availability zone where the public-subnet subnet is located.

  7. Under Network settings:

    • In the Subnet field, select a subnet for the NAT instance, e.g., public-subnet.
    • In the Public IP field, select Auto.
    • In the Security groups field, select the nat-instance-sg security group you created earlier.
    • Expand the Additional section; in the Internal IPv4 address field, select Auto.

  8. Under Access, specify the information required to access the VM:

    • In the Login field, enter a username, e.g., yc-user.

    • In the SSH key field, paste the contents of the public key file.

      You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.

  9. Under General information, specify the VM name: nat-instance.

  10. Click Create VM.

Save the username, private SSH key, and internal and public IP addresses for the NAT instance.

Set up static routing

Note

When creating a NAT instance automatically, only one network interface is configured. You can enable other interfaces manually. Assign an IP address to each new interface and specify a route for it in a route table. In each subnet, the first IP address will represent the correct gateway. For example, for the 192.168.0.128/25 subnet, the first subnet address will be 192.168.0.129.

  1. Create a route table and add a static route to it:

    1. In the management console, select a folder where you want to create a static route.

    2. In the list of services, select Virtual Private Cloud.

    3. In the left-hand panel, select Routing tables.

    4. Click Create.

    5. In the Name field, enter a name for the route table, e.g., nat-instance-route. The naming requirements are as follows:

      • The name must be from 3 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter and the last character cannot be a hyphen.

    6. In the Network field, select a network, e.g., my-vpc.

    7. Under Static routes, click Add a route.

    8. In the window that opens, enter 0.0.0.0/0 in the Destination prefix field.

    9. In the Next hop field, select IP address.

    10. In the IP address field, specify the internal IP address of the NAT instance. Click Add.

    11. Click Create a routing table.

  2. Link the route table to the subnet where the test VM is located, e.g., private-subnet:

    1. In the left-hand panel, select Subnets.
    2. Click in the row of the subnet with the test VM and select Link routing table.
    3. In the window that opens, select the nat-instance-route table in the Link routing table field and click Link.

You can also use the created route for other subnets in the same network, except for the subnet where the NAT instance is located.

Warning

Do not link the route table to the subnet where the NAT instance is located. Otherwise, route loops will occur, where the NAT instance will direct packets to itself rather than to the local network.

Test the NAT instance

  1. Connect to the VM via a private IP address, using the NAT instance as a jump host:

    ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \
  <VM_user_name>@<VM_internal_IP_address>

    You can also connect to the test VM using the standard input/output redirection (-W flag) to forward the connection through a NAT instance:

    ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \
  -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>

    Use this command for connection in the following cases:

    • Your VM is running an OpenSSH version below 7.3.
    • Your SSH keys are stored outside the default directory or have non-standard names.

  2. Type yes to connect to the NAT instance and re-enter yes to connect to the test VM.

    Note

    When you type yes, the command may not be displayed in the terminal, but it will run anyway.

  3. Make sure the test VM is connected to the internet via the public IP address of the NAT instance. Run this command:

    curl ifconfig.co

    If it returns the public IP address of the NAT instance, the configuration is correct.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the test VM and NAT instance.
  2. Delete the security group.
  3. Delete the static public IP if you reserved one.

See also

Previous
Overview
Next
Terraform