Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Setting up a NAT gateway

Written by
Updated at October 17, 2024

The minimum required roles to create and configure a NAT gateway are vpc.admin and vpc.gateways.user.

To create and set up a NAT gateway:

  1. In the management console, go to the folder where you need to create a gateway.

  2. In the list of services, select Virtual Private Cloud.

  3. In the left-hand panel, select Gateways.

  4. Click Create.

  5. Enter a name for the gateway. The naming requirements are as follows:

    • The name must be from 3 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • The first character must be a letter and the last character cannot be a hyphen.

  6. (Optional) Add a gateway description.

  7. The default gateway type is Egress NAT.

  8. Click Save.

  9. In the left-hand panel, select Routing tables.

  10. Click Create to add a new table, or select an existing one.

  11. Click Add a route.

  12. In the window that opens, select Gateway in the Next hop field.

  13. In the Gateway field, select the NAT gateway you created. The destination prefix will be propagated automatically.

  14. Click Add.

  15. Click Save.

Next, link the route table to a subnet to route traffic from it via the NAT gateway:

  1. In the left-hand panel, select Subnets.
  2. In the required subnet row, click .
  3. In the menu that opens, select Link routing table.
  4. In the window that opens, select the created table from the list.
  5. Click Link.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View a description of the CLI create gateway command:

    yc vpc gateway create --help

  2. Create a gateway in the default folder:

    yc vpc gateway create \
   --name test-gateway

  3. Get the gateway ID:

    yc vpc gateway list

    Command result:

    +----------------------+--------------+-------------+
|          ID          |     NAME     | DESCRIPTION |
+----------------------+--------------+-------------+
| enpkq1v2e7p0******** | test-gateway |             |
+----------------------+--------------+-------------+

  4. Create a route table with the gateway as the next hop and the 0.0.0.0/0 destination prefix:

    yc vpc route-table create \
  --name=test-route-table \
  --network-name=<network_name> \
  --route destination=0.0.0.0/0,gateway-id=enpkq1v2e7p0********

    Where --network-name is the name of the network in which you are creating the table.

  5. Associate the table with the subnet:

    yc vpc subnet update <subnet_name> \
  --route-table-name=test-route-table

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To create a NAT gateway, specify it as the next hop in the route table, and link the table to the subnet, use the following configuration:

data "yandex_vpc_network" "net" {
  folder_id = "<folder_ID>"
  name      = "<network_name>"
}

resource "yandex_vpc_subnet" "subnet" {
  folder_id      = "<folder_ID>"
  name           = "<subnet_name>"
  v4_cidr_blocks = ["10.20.30.0/24"]
  zone           = "ru-central1-a"
  network_id     = data.yandex_vpc_network.net.id
  route_table_id = yandex_vpc_route_table.rt.id
}

resource "yandex_vpc_gateway" "nat_gateway" {
  folder_id      = "<folder_ID>"
  name = "test-gateway"
  shared_egress_gateway {}
}

resource "yandex_vpc_route_table" "rt" {
  folder_id      = "<folder_ID>"
  name       = "test-route-table"
  network_id = "<network_ID>"

  static_route {
    destination_prefix = "0.0.0.0/0"
    gateway_id         = yandex_vpc_gateway.nat_gateway.id
  }
}

Where folder_id is the ID of the folder hosting the subnet.

  1. Create a NAT gateway. Use the create REST API method for the Gateway resource or the GatewayService/Create gRPC API call, and provide the following in the request:

    • ID of the folder where the gateway will be placed, in the folderId parameter.

    • Gateway name, in the name parameter. The name format is as follows:

      • The name must be from 3 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter and the last character cannot be a hyphen.

  2. Link the NAT gateway to the new routing table. For this, use the create REST API method for the RouteTable resource or the RouteTableService/Create gRPC API call, and provide the following in the request:

    • ID of the folder where the route table will be placed, in the folderId parameter.

    • Route table name, in the name parameter. The name format is as follows:

      • The name must be from 3 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter and the last character cannot be a hyphen.

    • ID of the network where the route table will be placed, in the networkId parameter.

    • 0.0.0.0/0 as the destination subnet prefix, in the staticRoutes[].destinationPrefix parameter.

    • NAT gateway name, in the staticRoutes[].gatewayId parameter.

      To get the NAT gateway ID, use the list REST API method for the Gateway resource or the GatewayService/List gRPC API call and provide the folder ID in the folderId request parameter.

  3. Link the route table to the subnet. For this, use the update REST API method for the Subnet resource or the SubnetService/Update gRPC API call, and provide the following in the request:

    • Subnet ID, in the subnetId parameter.

      To get the subnet ID, use the list REST API method for the Subnet resource or the SubnetService/List gRPC API call and provide the folder ID in the folderId request parameter.

      To learn how to find out the folder ID, see Getting the folder ID.

    • Route table ID, in the routeTableId parameter.

    • Name of the routeTableId parameter, in the updateMask parameter.

    Warning

    This API method overrides all parameters of the object being modified that were not explicitly passed in the request to the default values. To avoid this, list the settings you want to change in the updateMask parameter (one line separated by commas).

Previous
Creating static routes
Next
Getting information about a NAT gateway