Setting up a NAT gateway
The minimum required roles to create and configure a NAT gateway are vpc.admin
and vpc.gateways.user
.
To create and set up a NAT gateway:
-
In the management console
, go to the folder where you need to create a gateway. -
In the list of services, select Virtual Private Cloud.
-
In the left-hand panel, select Gateways.
-
Click Create.
-
Enter a name for the gateway. The naming requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
(Optional) Add a gateway description.
-
The default gateway type is
Egress NAT
. -
Click Save.
-
In the left-hand panel, select Routing tables.
-
Click Create to add a new table, or select an existing one.
-
Click Add a route.
-
In the window that opens, select
Gateway
in the Next hop field. -
In the Gateway field, select the NAT gateway you created. The destination prefix will be propagated automatically.
-
Click Add.
-
Click Save.
Next, link the route table to a subnet to route traffic from it via the NAT gateway:
- In the left-hand panel, select
Subnets. - In the row with the subnet you need, click
. - In the menu that opens, select Link routing table.
- In the window that opens, select the created table from the list.
- Click Link.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the CLI create gateway command:
yc vpc gateway create --help
-
Create a gateway in the default folder:
yc vpc gateway create \ --name test-gateway
-
Get the gateway ID:
yc vpc gateway list
Command result:
+----------------------+--------------+-------------+ | ID | NAME | DESCRIPTION | +----------------------+--------------+-------------+ | enpkq1v2e7p0******** | test-gateway | | +----------------------+--------------+-------------+
-
Create a route table with the gateway as the next hop and the
0.0.0.0/0
destination prefix:yc vpc route-table create \ --name=test-route-table \ --network-name=<network_name> \ --route destination=0.0.0.0/0,gateway-id=enpkq1v2e7p0********
Where
--network-name
is the name of the network you are creating the table in. -
Associate the table with the subnet:
yc vpc subnet update <subnet_name> \ --route-table-name=test-route-table
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To create a NAT gateway, specify it as the next hop in the route table, and link the table to the subnet, use the following configuration:
data "yandex_vpc_network" "net" {
folder_id = "<folder_ID>"
name = "<network_name>"
}
resource "yandex_vpc_subnet" "subnet" {
folder_id = "<folder_ID>"
name = "<subnet_name>"
v4_cidr_blocks = ["10.20.30.0/24"]
zone = "ru-central1-a"
network_id = data.yandex_vpc_network.net.id
route_table_id = yandex_vpc_route_table.rt.id
}
resource "yandex_vpc_gateway" "nat_gateway" {
folder_id = "<folder_ID>"
name = "test-gateway"
shared_egress_gateway {}
}
resource "yandex_vpc_route_table" "rt" {
folder_id = "<folder_ID>"
name = "test-route-table"
network_id = "<network_ID>"
static_route {
destination_prefix = "0.0.0.0/0"
gateway_id = yandex_vpc_gateway.nat_gateway.id
}
}
Where folder_id
is the ID of the folder hosting the subnet.
-
Create a NAT gateway. Use the create REST API method for the Gateway resource or the GatewayService/Create gRPC API call, and provide the following in the request:
-
ID of the folder the gateway will reside in, in the
folderId
parameter. -
Gateaway name in the
name
parameter. The name format is as follows:- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
-
Link the NAT gateway to the new routing table. For this, use the create REST API method for the RouteTable resource or the RouteTableService/Create gRPC API call, and provide the following in the request:
-
ID of the folder the route table will reside in, in the
folderId
parameter. -
Route table name in the
name
parameter. The name format is as follows:- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
ID of the network the route table will reside in, in the
networkId
parameter. -
0.0.0.0/0
as the destination subnet prefix, in thestaticRoutes[].destinationPrefix
parameter. -
NAT gateway name in the
staticRoutes[].gatewayId
parameter.To get the NAT gateway ID, use the list REST API method for the Gateway resource or the GatewayService/List gRPC API call. In your request, provide the folder ID in the
folderId
parameter.
-
-
Link the route table to the subnet. For this, use the update REST API method for the Subnet resource or the SubnetService/Update gRPC API call, and provide the following in the request:
-
Network ID in the
subnetId
parameter.To get the subnet ID, use the list REST API method for the Subnet resource or the SubnetService/List gRPC API call and provide the folder ID in the
folderId
request parameter.To learn how to find out the folder ID, see Getting the folder ID.
-
Route table ID in the
routeTableId
parameter. -
The name of the
routeTableId
parameter in theupdateMask
parameter.
Warning
The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the
updateMask
parameter as a single comma-separated string. -