NAT Gateway
Overview
A NAT Gateway lets virtual machines (VMs) on a private VPC subnet reach the internet outbound, while still keeping them private (the internet cannot reach in).
If you are new to the terms:
- VPC (Virtual Private Cloud). A private virtual network you define on the platform.
- Private subnet. A block of internal IP addresses (RFC1918 ranges like
10.0.0.0/16,172.16.0.0/12,192.168.0.0/16) that are not routable on the internet. - NAT (Network Address Translation). A technique where a router rewrites the source IP of outbound packets to its own public IP, so replies come back to it and can be returned to the original sender.
Without a NAT gateway, VMs in a private subnet can talk to each other inside the VPC, but they cannot fetch package updates, call external APIs, or otherwise reach anything on the internet.
Key facts about the NAT gateway on this platform:
- One NAT gateway per VPC, at most.
- You choose which private subnets in the VPC route through it.
- You can disable it temporarily without deleting it.
- Bandwidth is metered and can be billed per GB.
- It is billed hourly while it exists, regardless of whether NAT is currently enabled.
Concepts
| Term | Plain English |
|---|---|
| Hypervisor group | A location (data center). Made up of one or more hypervisors (physical servers). |
| Credit Value | The monthly base price in platform credits. Divided by hours-per-month to get the hourly rate. |
| Bandwidth Rate | Per-GB price for traffic that flows through the gateway. |
| Bandwidth Accounting | Which direction(s) count toward the bandwidth meter: uploads, downloads, or both. |
| Bandwidth Overage | What happens when the bandwidth allowance is exceeded. |
Admin: how to configure
NAT Gateway is enabled per hypervisor group. There is no separate admin list page; admins manage individual gateways from each VPC's detail page in the admin panel.
Enable NAT Gateway on a location
- Open the Hypervisor Group settings page.
- Turn on the NAT Gateway toggle.
- Configure pricing:
| Setting | Description |
|---|---|
| Credit Value | Monthly base cost in credits. The hourly charge is credit_value / hours_per_month. |
| Bandwidth Rate | Per-GB cost in credits. Set to 0 to disable per-GB charging. |
| Bandwidth Accounting | Uploads, Downloads, or Both. Controls which direction(s) are metered. |
| Bandwidth Overage | None (no cap), Charge Overage (bill per GB above the included amount), or Revoke Access (suspend the gateway when exceeded). |
- Save.
Once enabled, customers in this location can create a NAT gateway in their VPC.
Manage gateways (admin view)
Open a VPC's detail page in the admin panel. The NAT Gateway card shows the gateway's status, public IP, NAT state, and how many subnets are attached. From here you can act on it the same way the user does.
What end users see
Create a NAT gateway
- Go to Networking > VPC and open the VPC.
- Open the NAT Gateway section.
- Click Create NAT Gateway.
- Optionally set a Name.
- Select which private subnets should route through it. If you leave it empty, all private subnets in the VPC are attached.
- Click Create.
The gateway is provisioned with a dedicated public IP. Creation takes a few moments.
The create option only appears for VPCs whose location has NAT Gateway enabled. If the option is missing, the feature has not been enabled in that location.
Gateway status and NAT state
There are two separate indicators.
Gateway status:
| Status | Meaning |
|---|---|
| Active | Gateway is operational. |
| Inactive | Gateway exists but is not routing. |
| Creating | Provisioning in progress. |
| Deleting | Removal in progress. |
| Pending | Waiting on setup. |
NAT state (whether traffic is flowing):
| State | Meaning |
|---|---|
| Enabled (green) | NAT is active. Private-subnet traffic reaches the internet. |
| Disabled (gray) | NAT is paused. No internet access for the private subnets. |
| Bandwidth Suspended (red) | NAT is disabled because the bandwidth limit was hit. |
Enable, disable, and bandwidth suspension
- Enable turns on NAT routing for the attached subnets.
- Disable stops NAT routing without deleting the gateway. Useful to temporarily cut outbound access.
- When the state is Bandwidth Suspended, the Enable button is greyed out. The gateway resumes automatically when bandwidth resets at the start of the next billing cycle.
Manage subnets
The detail page lists attached subnets.
| Column | Meaning |
|---|---|
| Subnet Name | Name of the attached subnet. |
| Type | Private (only private subnets can be attached). |
| CIDR | The subnet's IP range, in CIDR notation, e.g. 10.0.1.0/24. |
| Actions | Detach. |
To attach another subnet, pick a private subnet from the dropdown and click Attach. Only private subnets not already attached are listed.
To detach, click Detach next to the subnet. VMs in that subnet immediately lose internet access.
Gateway info
| Field | Meaning |
|---|---|
| Name | Gateway identifier. |
| Status | Operational state. |
| NAT State | Whether NAT is routing. |
| Public IP | The gateway's internet-facing IP. |
| Attached Subnets | Number of private subnets routing through it. |
| Bandwidth Used | Current cycle bandwidth consumption. |
| Monthly Cost | Base monthly charge. |
| Hourly Cost | Per-hour charge. |
Bandwidth management
Bandwidth use is tracked per gateway and shown on the detail page. The counter updates periodically.
The location's policy decides what happens:
- None. No cap, no extra charge. Just the base hourly rate.
- Charge Overage. Metered traffic is billed per GB at the configured rate. No hard cap. You pay for what you use.
- Revoke Access. When usage passes the allowance, the gateway is suspended. NAT state becomes Bandwidth Suspended and outbound internet stops. It comes back automatically at the start of the next cycle.
Billing
NAT gateways are charged a base hourly rate for every hour they exist, whether enabled, disabled, or bandwidth-suspended. The rate comes from the location's credit value.
If the location has per-GB bandwidth pricing on, those charges appear separately, metered in the configured direction (uploads, downloads, or both).
Both charges show up in Cloud Service > Usage Report under a NAT Gateways section:
- Gateway name and status (Active / Terminated)
- Billing period
- Total hours active
- Base charges
- Bandwidth charges (sub-row, if any)
Deleting a NAT gateway
- Open the VPC's NAT Gateway section.
- Click Delete Gateway.
- Confirm.
Deletion immediately removes internet access for all attached private subnets, bills any remaining hours for the current period, releases the public IP, and removes all configuration.
Troubleshooting
VMs cannot reach the internet
- Confirm the gateway status is Active and NAT state is Enabled.
- Confirm the VM's subnet is attached to the gateway.
- Confirm the subnet is a private subnet. Public subnets do not need NAT.
- Check whether the gateway is Bandwidth Suspended. If so, wait for the next billing cycle reset.
"No NAT Gateway" option on the VPC
NAT Gateway has not been enabled on the hypervisor group where the VPC lives. Ask your admin to enable it.
State is Bandwidth Suspended
The gateway has exceeded its bandwidth allowance for the current cycle. It will resume at the start of the next cycle. Ask your admin if you need the limit raised or the suspension cleared.
Billing continues after disabling
Disabling NAT stops traffic but does not stop billing. The base hourly charge applies for every hour the gateway exists. To stop billing, delete the gateway.