Skip to main content

NAT Gateway

Overview

A NAT Gateway lets virtual machines (VMs) on a private VPC subnet reach the internet outbound, while still keeping them private (the internet cannot reach in).

If you are new to the terms:

  • VPC (Virtual Private Cloud). A private virtual network you define on the platform.
  • Private subnet. A block of internal IP addresses (RFC1918 ranges like 10.0.0.0/16, 172.16.0.0/12, 192.168.0.0/16) that are not routable on the internet.
  • NAT (Network Address Translation). A technique where a router rewrites the source IP of outbound packets to its own public IP, so replies come back to it and can be returned to the original sender.

Without a NAT gateway, VMs in a private subnet can talk to each other inside the VPC, but they cannot fetch package updates, call external APIs, or otherwise reach anything on the internet.

Key facts about the NAT gateway on this platform:

  • One NAT gateway per VPC, at most.
  • You choose which private subnets in the VPC route through it.
  • You can disable it temporarily without deleting it.
  • Bandwidth is metered and can be billed per GB.
  • It is billed hourly while it exists, regardless of whether NAT is currently enabled.

Concepts

TermPlain English
Hypervisor groupA location (data center). Made up of one or more hypervisors (physical servers).
Credit ValueThe monthly base price in platform credits. Divided by hours-per-month to get the hourly rate.
Bandwidth RatePer-GB price for traffic that flows through the gateway.
Bandwidth AccountingWhich direction(s) count toward the bandwidth meter: uploads, downloads, or both.
Bandwidth OverageWhat happens when the bandwidth allowance is exceeded.

Admin: how to configure

NAT Gateway is enabled per hypervisor group. There is no separate admin list page; admins manage individual gateways from each VPC's detail page in the admin panel.

Enable NAT Gateway on a location

  1. Open the Hypervisor Group settings page.
  2. Turn on the NAT Gateway toggle.
  3. Configure pricing:
SettingDescription
Credit ValueMonthly base cost in credits. The hourly charge is credit_value / hours_per_month.
Bandwidth RatePer-GB cost in credits. Set to 0 to disable per-GB charging.
Bandwidth AccountingUploads, Downloads, or Both. Controls which direction(s) are metered.
Bandwidth OverageNone (no cap), Charge Overage (bill per GB above the included amount), or Revoke Access (suspend the gateway when exceeded).
  1. Save.

Once enabled, customers in this location can create a NAT gateway in their VPC.

Manage gateways (admin view)

Open a VPC's detail page in the admin panel. The NAT Gateway card shows the gateway's status, public IP, NAT state, and how many subnets are attached. From here you can act on it the same way the user does.

What end users see

Create a NAT gateway

  1. Go to Networking > VPC and open the VPC.
  2. Open the NAT Gateway section.
  3. Click Create NAT Gateway.
  4. Optionally set a Name.
  5. Select which private subnets should route through it. If you leave it empty, all private subnets in the VPC are attached.
  6. Click Create.

The gateway is provisioned with a dedicated public IP. Creation takes a few moments.

note

The create option only appears for VPCs whose location has NAT Gateway enabled. If the option is missing, the feature has not been enabled in that location.

Gateway status and NAT state

There are two separate indicators.

Gateway status:

StatusMeaning
ActiveGateway is operational.
InactiveGateway exists but is not routing.
CreatingProvisioning in progress.
DeletingRemoval in progress.
PendingWaiting on setup.

NAT state (whether traffic is flowing):

StateMeaning
Enabled (green)NAT is active. Private-subnet traffic reaches the internet.
Disabled (gray)NAT is paused. No internet access for the private subnets.
Bandwidth Suspended (red)NAT is disabled because the bandwidth limit was hit.

Enable, disable, and bandwidth suspension

  • Enable turns on NAT routing for the attached subnets.
  • Disable stops NAT routing without deleting the gateway. Useful to temporarily cut outbound access.
  • When the state is Bandwidth Suspended, the Enable button is greyed out. The gateway resumes automatically when bandwidth resets at the start of the next billing cycle.

Manage subnets

The detail page lists attached subnets.

ColumnMeaning
Subnet NameName of the attached subnet.
TypePrivate (only private subnets can be attached).
CIDRThe subnet's IP range, in CIDR notation, e.g. 10.0.1.0/24.
ActionsDetach.

To attach another subnet, pick a private subnet from the dropdown and click Attach. Only private subnets not already attached are listed.

To detach, click Detach next to the subnet. VMs in that subnet immediately lose internet access.

Gateway info

FieldMeaning
NameGateway identifier.
StatusOperational state.
NAT StateWhether NAT is routing.
Public IPThe gateway's internet-facing IP.
Attached SubnetsNumber of private subnets routing through it.
Bandwidth UsedCurrent cycle bandwidth consumption.
Monthly CostBase monthly charge.
Hourly CostPer-hour charge.

Bandwidth management

Bandwidth use is tracked per gateway and shown on the detail page. The counter updates periodically.

The location's policy decides what happens:

  • None. No cap, no extra charge. Just the base hourly rate.
  • Charge Overage. Metered traffic is billed per GB at the configured rate. No hard cap. You pay for what you use.
  • Revoke Access. When usage passes the allowance, the gateway is suspended. NAT state becomes Bandwidth Suspended and outbound internet stops. It comes back automatically at the start of the next cycle.

Billing

NAT gateways are charged a base hourly rate for every hour they exist, whether enabled, disabled, or bandwidth-suspended. The rate comes from the location's credit value.

If the location has per-GB bandwidth pricing on, those charges appear separately, metered in the configured direction (uploads, downloads, or both).

Both charges show up in Cloud Service > Usage Report under a NAT Gateways section:

  • Gateway name and status (Active / Terminated)
  • Billing period
  • Total hours active
  • Base charges
  • Bandwidth charges (sub-row, if any)

Deleting a NAT gateway

  1. Open the VPC's NAT Gateway section.
  2. Click Delete Gateway.
  3. Confirm.

Deletion immediately removes internet access for all attached private subnets, bills any remaining hours for the current period, releases the public IP, and removes all configuration.

Troubleshooting

VMs cannot reach the internet

  1. Confirm the gateway status is Active and NAT state is Enabled.
  2. Confirm the VM's subnet is attached to the gateway.
  3. Confirm the subnet is a private subnet. Public subnets do not need NAT.
  4. Check whether the gateway is Bandwidth Suspended. If so, wait for the next billing cycle reset.

"No NAT Gateway" option on the VPC

NAT Gateway has not been enabled on the hypervisor group where the VPC lives. Ask your admin to enable it.

State is Bandwidth Suspended

The gateway has exceeded its bandwidth allowance for the current cycle. It will resume at the start of the next cycle. Ask your admin if you need the limit raised or the suspension cleared.

Billing continues after disabling

Disabling NAT stops traffic but does not stop billing. The base hourly charge applies for every hour the gateway exists. To stop billing, delete the gateway.