Contact UsGet started

Setting up a NAT gateway

Written by
Improved by
Updated at May 5, 2025

vpc.admin and vpc.gateways.user are the minimum roles required to create and configure a NAT gateway.

To create and set up a NAT gateway:

  1. In the management console, go to the folder where you need to create a gateway.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Gateways.

  4. Click Create.

  5. Enter a name for the gateway. The naming requirements are as follows:

    • It must be from 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  6. (Optional) Add a gateway description.

  7. The default gateway type is Egress NAT.

  8. Click Save.

  9. In the left-hand panel, select Routing tables.

  10. Click Create to add a new table, or select an existing one.

  11. Click Add.

  12. In the window that opens, select Gateway in the Next hop field.

  13. In the Gateway field, select the NAT gateway you created. The destination prefix will apply automatically.

  14. Click Add.

  15. Click Save.

Next, associate the route table with a subnet to route traffic from it through the NAT gateway:

  1. In the left-hand panel, select Subnets.
  2. In the row with the subnet you need, click .
  3. In the menu that opens, select Link routing table.
  4. In the window that opens, select the created table from the list.
  5. Click Link.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI create gateway command:

    yc vpc gateway create --help

  2. Create a gateway in the default folder:

    yc vpc gateway create \
   --name test-gateway

  3. Get the gateway ID:

    yc vpc gateway list

    The command result will be as follows:

    +----------------------+--------------+-------------+
|          ID          |     NAME     | DESCRIPTION |
+----------------------+--------------+-------------+
| enpkq1v2e7p0******** | test-gateway |             |
+----------------------+--------------+-------------+

  4. Create a route table with the gateway as the next hop and the 0.0.0.0/0 destination prefix:

    yc vpc route-table create \
   --name=test-route-table \
   --network-name=<network_name> \
   --route destination=0.0.0.0/0,gateway-id=enpkq1v2e7p0********

    Where --network-name is the name of the network where you are creating the table.

  5. Associate the table with the subnet:

    yc vpc subnet update <subnet_name> \
   --route-table-name=test-route-table

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To create a NAT gateway, specify it as the next hop in the route table, and associate the table with the subnet, use the following configuration:

data "yandex_vpc_network" "net" {
  folder_id = "<folder_ID>"
  name      = "<network_name>"
}

resource "yandex_vpc_subnet" "subnet" {
  folder_id      = "<folder_ID>"
  name           = "<subnet_name>"
  v4_cidr_blocks = ["10.20.30.0/24"]
  zone           = "ru-central1-a"
  network_id     = data.yandex_vpc_network.net.id
  route_table_id = yandex_vpc_route_table.rt.id
}

resource "yandex_vpc_gateway" "nat_gateway" {
  folder_id      = "<folder_ID>"
  name = "test-gateway"
  shared_egress_gateway {}
}

resource "yandex_vpc_route_table" "rt" {
  folder_id      = "<folder_ID>"
  name       = "test-route-table"
  network_id = "<network_ID>"

  static_route {
    destination_prefix = "0.0.0.0/0"
    gateway_id         = yandex_vpc_gateway.nat_gateway.id
  }
}

Where folder_id is the ID of the folder hosting the subnet.

  1. Create a NAT gateway. Use the create REST API method for the Gateway resource or the GatewayService/Create gRPC API call, and provide the following in the request:

    • ID of the folder the gateway will reside in, in the folderId parameter.

    • Gateaway name in the name parameter. The name format is as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

  2. Associate the NAT gateway with the new route table by using the create REST API method for the RouteTable resource or the RouteTableService/Create gRPC API call, and provide the following in the request:

    • ID of the folder the route table will reside in, in the folderId parameter.

    • Route table name in the name parameter. The name format is as follows:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • ID of the network the route table will reside in, in the networkId parameter.

    • 0.0.0.0/0 as the destination subnet prefix, in the staticRoutes[].destinationPrefix parameter.

    • NAT gateway ID in the staticRoutes[].gatewayId parameter.

      To get the NAT gateway ID, use the list REST API method for the Gateway resource or the GatewayService/List gRPC API call. In your request, provide the folder ID in the folderId parameter.

  3. Associate the route table with your subnet by using the update REST API method for the Subnet resource or the SubnetService/Update gRPC API call, and provide the following in the request:

    • Subnet ID in the subnetId parameter.

      To get the subnet ID, use the list REST API method for the Subnet resource or the SubnetService/List gRPC API call and provide the folder ID in the folderId request parameter.

      To learn how to find out the folder ID, see Getting the folder ID.

    • Route table ID in the routeTableId parameter.

    • Name of the routeTableId parameter in the updateMask parameter.

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

Previous
Creating a static route
Next
Getting information about a NAT gateway