Routing through a NAT instance using the management console
To configure routing through a NAT instance using the Yandex Cloud management console:
- Prepare your cloud.
- Create a security group.
- Create a test VM.
- Create a NAT instance.
- Set up static routing in the cloud network.
- Test the NAT instance.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of NAT instance support includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static external IP address (see Yandex Virtual Private Cloud pricing).
Prepare the infrastructure
-
Create a cloud network, e.g.,
my-vpc
. -
In the cloud network, create subnets, e.g.:
public-subnet
to host the NAT instance.private-subnet
to host your test VM.
Create a security group
Security groups include rules that allow your VMs to be accessed via SSH. In this tutorial, you will create a security group named nat-instance-sg
.
To create a security group:
-
In the management console
, select Virtual Private Cloud. -
Open the
Security groups tab. -
Create a security group:
-
Click Create security group.
-
In the Name field, specify the name:
nat-instance-sg
. -
In the Network field, select
my-vpc
. -
Under Rules, create the following rules using the instructions below the table:
Traffic
directionDescription Port range Protocol Destination name /
SourceCIDR blocks Outgoing any
All
Any
CIDR
0.0.0.0/0
Incoming ssh
22
TCP
CIDR
0.0.0.0/0
Incoming ext-http
80
TCP
CIDR
0.0.0.0/0
Incoming ext-https
443
TCP
CIDR
0.0.0.0/0
-
Select the Egress or Ingress tab.
-
Click Add rule.
-
In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from. To open all ports, click Select the full range.
-
In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
-
In the Destination name or Source field, select the
CIDR
, and the rule will apply to a range of IP addresses. In the CIDR blocks field, specify0.0.0.0/0
. -
Click Save. Repeat the steps to create all the rules from the table.
-
Click Save.
-
Create a test VM
-
In the management console
, select the folder to create your VM in. -
In the list of services, select Compute Cloud.
-
In the left-hand panel, select
Virtual machines. -
Click Create virtual machine.
-
Under Boot disk image, select an image and a Linux-based OS version.
-
Under Location, select the availability zone where the
private-subnet
subnet is located. -
Under Network settings:
- In the Subnet field, select a subnet for the test VM, e.g.,
private-subnet
. - In the Public IP field, select
No address
. - In the Security groups field, select the
nat-instance-sg
security group you created earlier. - Expand the Additional section; in the Internal IPv4 address field, select
Auto
.
- In the Subnet field, select a subnet for the test VM, e.g.,
-
Under Access, specify the information required to access the VM:
- In the Login field, enter a username, e.g.,
yc-user
. -
In the SSH key field, paste the contents of the public key file.
You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.
- In the Login field, enter a username, e.g.,
-
Under General information, specify the VM name:
test-vm
. -
Click Create VM.
Save the username, private SSH key, and internal IP address for the test VM.
Create a NAT instance
-
In the management console
, select the folder to create your VM in. -
In the list of services, select Compute Cloud.
-
In the left-hand panel, select
Virtual machines. -
Click Create virtual machine.
-
Under Boot disk image, go to the Marketplace tab and select the NAT instance image.
-
Under Location, select the availability zone where the
public-subnet
subnet is located. -
Under Network settings:
- In the Subnet field, select a subnet for the NAT instance, e.g.,
public-subnet
. - In the Public IP field, select
Auto
. - In the Security groups field, select the
nat-instance-sg
security group you created earlier. - Expand the Additional section; in the Internal IPv4 address field, select
Auto
.
- In the Subnet field, select a subnet for the NAT instance, e.g.,
-
Under Access, specify the information required to access the VM:
- In the Login field, enter a username, e.g.,
yc-user
. -
In the SSH key field, paste the contents of the public key file.
You need to create a key pair for the SSH connection yourself. To learn how, see Connecting to a VM via SSH.
- In the Login field, enter a username, e.g.,
-
Under General information, specify the VM name:
nat-instance
. -
Click Create VM.
Save the username, private SSH key, and internal and public IP addresses for the NAT instance.
Set up static routing
Note
When creating a NAT instance automatically, only one network interface is configured. You can enable other interfaces manually. Assign an IP address to each new interface and specify a route for it in a route table. In each subnet, the first IP address will represent the correct gateway. For example, for the 192.168.0.128/25
subnet, the first subnet address will be 192.168.0.129
.
-
Create a route table and add a static route to it:
-
In the management console
, select a folder where you want to create a static route. -
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select
Routing tables. -
Click Create.
-
In the Name field, enter a name for the route table, e.g.,
nat-instance-route
. The naming requirements are as follows:- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
In the Network field, select a network, e.g.,
my-vpc
. -
Under Static routes, click Add a route.
-
In the window that opens, enter
0.0.0.0/0
in the Destination prefix field. -
In the Next hop field, select
IP address
. -
In the IP address field, specify the internal IP address of the NAT instance. Click Add.
-
Click Create a routing table.
-
-
Link the route table to the subnet where the test VM is located, e.g.,
private-subnet
:- In the left-hand panel, select
Subnets. - Click
in the row of the subnet with the test VM and select Link routing table. - In the window that opens, select the
nat-instance-route
table in the Link routing table field and click Link.
- In the left-hand panel, select
You can also use the created route for other subnets in the same network, except for the subnet where the NAT instance is located.
Warning
Do not link the route table to the subnet where the NAT instance is located. Otherwise, route loops will occur, where the NAT instance will direct packets to itself rather than to the local network.
Test the NAT instance
-
Connect to the VM via a private IP address, using the NAT instance as a jump host:
ssh -J <NAT_instance_username>@<NAT_instance_public_IP_address> \ <VM_user_name>@<VM_internal_IP_address>
You can also connect to the test VM using the standard input/output redirection (
-W
flag) to forward the connection through a NAT instance:ssh -o ProxyCommand="ssh -i <NAT_key_file_path/name> -W %h:%p <NAT_username>@<NAT_public_IP_address>" \ -i <VM_key_file_path/name> <VM_user_name>@<VM_internal_IP_address>
Use this command for connection in the following cases:
- Your VM is running an OpenSSH version below 7.3.
- Your SSH keys are stored outside the default directory or have non-standard names.
-
Type yes to connect to the NAT instance and re-enter yes to connect to the test VM.
Note
When you type yes, the command may not be displayed in the terminal, but it will run anyway.
-
Make sure the test VM is connected to the internet via the public IP address of the NAT instance. Run this command:
curl ifconfig.co
If it returns the public IP address of the NAT instance, the configuration is correct.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the test VM and NAT instance.
- Delete the security group.
- Delete the static public IP if you reserved one.