Tencent Cloud International Account Registration How to Configure Tencent Cloud NAT Gateway

Tencent Cloud / 2026-07-07 12:31:54

Tencent Cloud International Account Registration Overview: What a NAT Gateway Does

A NAT Gateway is the bridge that lets private network instances access the public Internet without exposing them directly. In simple terms: your Elastic Compute (CVM), container services, or other private resources can initiate outbound connections, and the NAT gateway translates their private addresses into a public address so return traffic can come back correctly.

When you configure a NAT gateway well, you gain predictable outbound connectivity, centralized egress control, and fewer security surprises. When you configure it poorly, you often end up with “connection timeout,” “works for some protocols only,” or traffic that leaves but cannot return.

This guide walks through a practical, step-by-step process to configure Tencent Cloud NAT Gateway. It focuses on the configuration logic that matters most: network planning, address selection, route design, security rules, and verification.

Key Concepts Before You Start

Private subnets vs. public networks

Private subnets usually use RFC1918-style private IP ranges (like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They are not directly reachable from the Internet. Public networks use routable public IP ranges.

NAT Gateway provides outbound access from private subnets to public destinations. It is not meant to provide inbound access from the Internet to your private instances. If you need inbound access, you typically combine other services like load balancers, CVM public IPs, or private links.

Egress traffic, SNAT, and source address translation

When an instance inside a private subnet sends a request to the Internet, the NAT gateway performs source address translation (SNAT). Your instance might use a private source IP, but the NAT gateway rewrites it so that responses from the Internet return to the NAT gateway, and then back to the correct private instance.

This is why correct routing is essential: your private subnet must route Internet-bound traffic to the NAT gateway.

Route tables and default routes

Outbound access depends on routing. Usually, you add a default route (for example, 0.0.0.0/0 for IPv4) so that traffic destined for the Internet goes to the NAT gateway, not to a blackhole or an internal-only target.

You typically configure routing using a route table associated with the private subnet (or the route entries provided by your VPC design). The NAT gateway itself is the next hop target for those routes.

Region and VPC scope

NAT Gateway and the VPC resources you attach it to are usually bound to the same region. Plan the region first, then create all related networking resources in that region to avoid unnecessary rebuilds.

Step 1: Plan Your Network Layout

Confirm your VPC and subnets

Start by identifying:

  • The VPC that will host the NAT gateway.
  • The private subnet(s) that contain the instances needing outbound Internet access.
  • The target outbound destination scope: full Internet or only specific CIDR blocks.

If you already have instances running, note their subnet and the route table they currently use.

Decide the NAT gateway type and scale

Different NAT Gateway configurations may offer options such as:

  • Whether you use one NAT gateway per VPC or per subnet design.
  • Whether you need throughput scaling or high availability.
  • Whether you need static outbound IP addresses or dynamic behavior.

Even if you are not planning advanced scaling on day one, choose a design that won’t force an overhaul later. For production, consider redundancy and the operational impact of a single point of failure.

Choose the outbound IP strategy

Some organizations need allow-listing at the destination side (for example, whitelisting a corporate API service or a third-party SaaS). In that case, you must ensure the NAT gateway provides stable outbound IPs and that you reference those IPs in allow-lists.

If the destination does not require allow-listing, you may not need static IP planning. Still, understanding what outbound IPs look like helps with troubleshooting and firewall rules.

Step 2: Create the NAT Gateway

In the Tencent Cloud console, navigate to the NAT gateway service and create a new NAT gateway. During creation, you will typically need to provide:

  • VPC: select the VPC where private subnets exist.
  • Zone/Availability options: choose the relevant zone settings according to your deployment.
  • Gateway configuration: specify throughput/scale settings (if applicable) and outbound IP options.

After creation, keep an eye on the NAT gateway’s status. A NAT gateway must become “ready” before you attach routes and test connectivity.

Step 3: Attach NAT Gateway to the Right Subnet

Attach to private subnet(s) that need egress

NAT gateway attachment or association is the point where private traffic is allowed to use the gateway as its next hop. Depending on Tencent Cloud’s current design for NAT gateway and routing, attachment can mean:

  • Linking the NAT gateway to the subnet, or
  • Configuring route table entries that point Internet-bound traffic to the NAT gateway, or
  • Both, in a specific order required by the platform.

For readability, think in terms of: “instances in these subnets should have a path to the NAT gateway.”

Understand how many route tables you have

Many teams accidentally configure a route in a table that is not actually applied to the subnet hosting the instances. Before you add routes, verify which route table your subnet uses.

If you are using multiple private subnets, you may need separate route entries for each subnet’s route table association.

Step 4: Configure Route Table Entries (The Most Important Part)

Add a default route to NAT gateway

The classic setup is to add a route entry that sends all Internet traffic to the NAT gateway. In IPv4 terms, that is commonly:

  • Destination CIDR: 0.0.0.0/0
  • Next hop: NAT gateway

This ensures that when instances try to reach external IPs not covered by more specific routes, they will go through NAT.

Optional: Restrict egress to specific destinations

Tencent Cloud International Account Registration For security and cost control, some teams avoid “send everything to the Internet.” Instead, they add more targeted routes, such as:

  • Only needed third-party service CIDRs
  • Corporate proxy service CIDRs
  • Only public subnets you truly require

The drawback is maintenance: external providers may change IP ranges. For environments that prioritize security, this trade-off is often acceptable.

Check for conflicts with existing routes

If there are existing specific routes (for example, a route to another network, a peering link, or a transit gateway), your default route should not override them. Most systems match the most specific route first. That is good, but it also means a wrong configuration can silently break connectivity.

Tencent Cloud International Account Registration Before finalizing, review route entries in priority/matching order if the interface shows it. Confirm that Internet-bound destinations are truly matched to the NAT gateway route.

Step 5: Security Groups and Network ACL Considerations

A NAT gateway can only do its job if your instance networking rules allow outbound traffic and allow return traffic patterns.

Tencent Cloud International Account Registration Outbound rules in security groups

At the instance level, confirm that security groups allow outbound traffic to the destination ports you need (DNS, HTTPS, HTTP, NTP, etc.). If outbound rules are restricted, the NAT gateway will not fix it.

For example, if your application needs HTTPS, ensure outbound TCP 443 is allowed. If you need DNS resolution, ensure outbound UDP/TCP 53 is allowed to your DNS server (which may be a Tencent-provided DNS, VPC DNS, or a custom resolver).

Inbound rules for return traffic

Return traffic often flows as “inbound” to your instance, so security group rules must permit it. Most stateful firewalls allow return traffic automatically if outbound is permitted. But if you use stateless ACLs or strict rules, you must explicitly allow the relevant inbound patterns.

Network ACL and other filtering layers

If your VPC uses network ACLs or additional firewall services, check those as well. A common troubleshooting story is: routes are correct, NAT is attached, but traffic is blocked by an ACL rule that denies outbound or denies established connections.

Step 6: Configure DNS to Make Domain Access Work

Many “NAT not working” cases are actually DNS issues. Even if outbound routing to IP addresses works, domain-based access requires DNS resolution.

Ensure instances can resolve DNS

Confirm how your instances are configured to use DNS. Typical approaches include:

  • Using the VPC’s default DNS server if provided.
  • Configuring system resolvers inside the operating system.
  • Using a private DNS resolver if you have one.

Then ensure security group rules allow DNS traffic to the DNS server IPs.

Test by resolving a domain first

Before testing HTTPS to a domain, try a DNS lookup from a private instance. If DNS fails, fix DNS first—NAT won’t help domain resolution directly.

Step 7: Verification and Testing

After configuration, verification is where you confirm every assumption is true.

Test connectivity using IP first

From an instance in the private subnet, try accessing a known public IP address on a protocol you expect to work (for example, ping may be blocked depending on ICMP policies, so HTTPS is often better).

If IP-based connectivity fails, focus on route table and security rules.

Test domain access second

Tencent Cloud International Account Registration Next, test domain access (like accessing a public HTTPS site). If domain access fails but IP access works, DNS is the likely issue.

Confirm the outbound IP seen by the destination

If you have access to an external “what is my IP” style endpoint, you can verify whether the NAT gateway’s outbound IP is what you expected. For production, you might instead check logs from your destination service or your own server.

This step matters when you rely on allow-lists and firewall rules on third-party systems.

Check NAT gateway logs or flow logs if available

If Tencent Cloud provides NAT gateway logs, VPC flow logs, or related monitoring, use them. Logs usually reveal whether traffic hits the NAT gateway, whether it is translated, and where it fails. When you find a mismatch, you can narrow the problem rapidly.

Troubleshooting: Common Problems and How to Fix Them

Problem: “Connection timed out” to the Internet

Most common causes:

  • No default route to the NAT gateway (0.0.0.0/0 missing or not applied to the subnet).
  • Route table association wrong (instances are not using the route table you edited).
  • Security group outbound rules block the needed protocol/port.

Fix path:

  • Verify the subnet’s route table association.
  • Verify the route entry matches 0.0.0.0/0 to NAT.
  • Verify instance security group outbound rules.

Problem: DNS works for IP lookups but HTTPS to domains fails

Likely cause: DNS configuration issue or DNS traffic blocked.

Fix path:

  • Test DNS lookup on the instance.
  • Ensure outbound UDP/TCP 53 is allowed to the DNS server.
  • Confirm the DNS server IP is reachable in your network design.

Problem: NAT works for some services but not others

Tencent Cloud International Account Registration Possible causes include:

  • Tencent Cloud International Account Registration Port-specific security group blocks (for example, 443 allowed but 80 blocked, or vice versa).
  • Destination side blocks based on outbound IP or protocol requirements.
  • Protocol-specific behavior like FTP needing special handling (NAT is not always a drop-in solution for all legacy protocols).

Fix path:

  • Confirm exactly which ports and protocols fail.
  • Test with a simpler endpoint that uses the expected protocol.
  • Validate destination allow-list rules if required.

Problem: Outbound IP is not what the destination allow-lists expect

Likely cause: you are not using the expected NAT gateway outbound IP, or there are multiple NAT gateways in the VPC design.

Fix path:

  • Verify which NAT gateway the subnet traffic is using (route table next hop).
  • Verify the outbound IP(s) configured/assigned to the NAT gateway.
  • Re-check allow-list configuration at the destination.

Problem: Routing changes but nothing improves immediately

Some environments require time for route propagation and network changes to take effect. Also, instances may cache DNS results. If you recently changed routing or security rules, retry after a short wait and test with a fresh DNS resolution if needed.

Operational Tips for a Smooth Setup

Use a repeatable checklist

For each subnet or application stack, use a consistent checklist:

  • Correct VPC and region
  • NAT gateway created and ready
  • Subnet route table has a default route to NAT (or targeted routes)
  • Security group outbound allows required ports
  • DNS resolution works
  • Basic connectivity tests pass

Keep documentation of route logic

Routing is easy to misunderstand after a few months. Record:

  • Which subnets rely on NAT
  • Which route entries are used (default route vs. targeted routes)
  • Which outbound IPs are expected for allow-listing

Plan for scaling and maintenance

If your traffic volume grows, confirm that your NAT gateway capacity matches requirements. Also consider whether you need monitoring alerts for unusual drops, spikes, or repeated connection failures.

Example Configuration (Conceptual Walkthrough)

To make the logic concrete, here is a conceptual example of what you would typically do for a single private subnet that needs general Internet access:

  • Create a NAT gateway in the same VPC and region.
  • Edit the route table associated with your private subnet.
  • Add a route: destination CIDR 0.0.0.0/0 → next hop NAT gateway.
  • Ensure the instance security group allows outbound TCP 443 and DNS (UDP/TCP 53).
  • Tencent Cloud International Account Registration Verify DNS from the instance.
  • Verify HTTPS to a domain, then check the observed outbound IP from the destination perspective.

If your organization allows only specific egress destinations, replace the default route with specific CIDR routes, and repeat the same verification steps.

Conclusion

Configuring Tencent Cloud NAT Gateway is less about clicking through menus and more about getting the network story right: private subnet traffic must have a route to the NAT gateway, security rules must permit the necessary protocols and ports, and DNS must work for domain-based access.

Tencent Cloud International Account Registration Once those pieces align, outbound Internet access becomes reliable and predictable. If something still fails, treat it like a diagnosis: verify routing first, then security, then DNS, and finally confirm outbound IP expectations with logs or external checks.

TelegramContact Us
CS ID
@cloudcup
TelegramSupport
CS ID
@yanhuacloud