NAT Gateway
Overview
A NAT Gateway provides outbound internet connectivity for instances on private VPC subnets. Without a NAT gateway, instances in private subnets can communicate within the VPC but cannot reach the internet. The NAT gateway acts as a controlled exit point, allowing outbound traffic while keeping instances private.
Key characteristics:
- One per VPC -- Each VPC can have at most one NAT gateway
- Subnet-level control -- Choose which private subnets route through the gateway
- Enable/Disable toggle -- Temporarily disable internet access without deleting the gateway
- Bandwidth tracking -- Monitor and optionally limit outbound traffic
- Hourly billing -- Charged per hour with optional per-GB bandwidth charges
Admin Setup
Enabling NAT Gateway
NAT Gateway is configured per hypervisor group (location):
- Navigate to the Hypervisor Group settings page
- Enable the NAT Gateway toggle
- Configure pricing:
| Setting | Description |
|---|---|
| Credit Value | Monthly base cost in credits (divided by hours per month for hourly rate) |
| Bandwidth Rate | Per-GB traffic cost in credits (set to 0 for no bandwidth charges) |
| Bandwidth Accounting | Which direction(s) to meter: Uploads, Downloads, or Both |
| Bandwidth Overage | Action when bandwidth limit is exceeded: None (no limit), Charge Overage (per-GB charges), or Revoke Access (suspend the gateway) |
- Save
Managing Gateways (Admin)
Admins can view NAT gateways from the VPC detail page in the admin panel. The gateway card shows status, public IP, NAT state, and attached subnet count.
User Guide
Creating a NAT Gateway
NAT gateways are managed from the VPC detail page:
- Navigate to Networking > VPC and open your VPC
- Go to the NAT Gateway section
- Click Create NAT Gateway
- Enter an optional Name
- Select which Private Subnets should route through the gateway (if none selected, all private subnets are attached)
- Click Create
The gateway provisions with a dedicated public IP address. Creation typically takes a few moments.
Only VPCs in locations where NAT Gateway is enabled will show the create option. If you don't see it, the feature has not been enabled for your VPC's location.
Gateway Status
| Status | Description |
|---|---|
| Active | Gateway is operational |
| Inactive | Gateway exists but is not routing traffic |
| Creating | Provisioning in progress |
| Deleting | Removal in progress |
| Pending | Waiting for setup to complete |
NAT State
In addition to the gateway status, the NAT state indicates whether traffic is flowing:
| State | Description |
|---|---|
| Enabled (green) | NAT is active -- private subnet traffic routes to the internet |
| Disabled (gray) | NAT is paused -- no internet access for private subnets |
| Bandwidth Suspended (red) | NAT is disabled because bandwidth limit was exceeded |
Enabling and Disabling NAT
Use the Enable and Disable buttons on the gateway detail to toggle internet access:
- Enable -- Activates NAT routing for attached subnets
- Disable -- Stops NAT routing, removing internet access for private subnets
This is useful for temporarily restricting outbound access without deleting the gateway.
When the gateway is Bandwidth Suspended, the enable button is disabled. The gateway will automatically resume when your bandwidth usage resets at the start of the next billing cycle.
Managing Subnets
The gateway detail page shows a table of attached subnets:
| Column | Description |
|---|---|
| Subnet Name | Name of the attached subnet |
| Type | Private (only private subnets can be attached) |
| CIDR | The subnet's IP range |
| Actions | Detach button |
Attaching a subnet: Select a private subnet from the dropdown and click Attach. Only private subnets not already attached are shown.
Detaching a subnet: Click Detach next to the subnet. Instances in that subnet will lose internet access immediately.
Gateway Information
The gateway detail page displays:
| Field | Description |
|---|---|
| Name | Gateway identifier |
| Status | Current operational state |
| NAT State | Whether NAT routing is active |
| Public IP | The gateway's internet-facing IP address |
| Attached Subnets | Number of private subnets using the gateway |
| Bandwidth Used | Current billing cycle bandwidth consumption |
| Monthly Cost | Base monthly charge |
| Hourly Cost | Per-hour charge |
Bandwidth Management
Tracking
Bandwidth usage is tracked per gateway and displayed on the detail page. The metric updates periodically as traffic flows through the gateway.
Bandwidth Policies
Depending on the location's configuration, one of three bandwidth policies applies:
No Limit (None):
All traffic is allowed with no restrictions or additional charges beyond the base hourly rate.
Charge Overage: Traffic is metered and charged per GB at the configured bandwidth rate. There is no hard cap -- you pay for what you use.
Revoke Access: When bandwidth exceeds the allowance, the gateway is automatically suspended:
- The NAT state changes to Bandwidth Suspended
- All outbound internet access is blocked
- The enable button is disabled
- The gateway automatically resumes when the bandwidth counter resets at the start of the next billing cycle
Billing
Hourly Cost
NAT gateways are charged a base hourly rate for every hour they exist (whether enabled or disabled). The rate is determined by the location's NAT Gateway credit value.
Bandwidth Charges
If the location has bandwidth billing configured, additional per-GB charges appear as separate line items in the usage report. The direction of metered traffic (uploads, downloads, or both) depends on the location's bandwidth accounting setting.
Usage Reports
NAT gateway charges appear in the Cloud Service > Usage Report under a dedicated NAT Gateways section, showing:
- Gateway name and status (Active/Terminated)
- Billing period
- Total hours active
- Base charges
- Bandwidth charges (if any, shown as a sub-row)
Deleting a NAT Gateway
To delete a gateway:
- Open the VPC's NAT Gateway section
- Click Delete Gateway
- Confirm the action
Deleting a gateway:
- Immediately removes internet access for all attached private subnets
- Bills any remaining hours for the current period
- Releases the public IP address
- Permanently removes all configuration
Troubleshooting
Instances cannot reach the internet
- Verify the NAT gateway status is Active and NAT state is Enabled
- Check that the instance's subnet is attached to the gateway
- Confirm the subnet is a private subnet (public subnets don't need NAT)
- Check if the gateway is Bandwidth Suspended -- if so, wait for the next billing cycle reset
"No NAT Gateway" option on VPC
NAT Gateway has not been enabled on the hypervisor group where the VPC resides. Contact your administrator to enable it.
Gateway shows "Bandwidth Suspended"
The gateway has exceeded its bandwidth allowance for the current billing cycle. It will automatically resume at the start of the next cycle. Contact your administrator if you need the limit increased or the suspension cleared.
NAT gateway billing continues after disabling
NAT gateways are billed for every hour they exist, regardless of whether NAT routing is enabled or disabled. To stop billing, delete the gateway.