Routing through a NAT instance
A NAT instance is a special VM with pre-configured routing and IP address translation rules.
Yandex Cloud allows you to configure internet connections for multiple VMs via a NAT instance using static routing. In this case, only one public IP address is used: the one assigned to the NAT instance.
To set up routing through a NAT instance:
- Prepare your cloud.
- Create a test VM.
- Create a NAT instance.
- Set up static routing in the cloud network.
- Test the NAT instance.
If you no longer need the resources you created, delete them.
You can also deploy the infrastructure for hosting a NAT instance via Terraform using a ready-made configuration file.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of NAT instance support includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static public IP (see Yandex Virtual Private Cloud pricing).
Prepare the infrastructure
- Create a cloud network, such as my-vpc.
- In the cloud network, create subnets, e.g.:
  - public-subnet to host the NAT instance.
  - private-subnet to host your test VM.
Create a test VM
- In the management console, select a folder where you want to create your test VM.
- In the list of services, select Compute Cloud.
- Click Create virtual machine.
- Under Basic parameters:
  - In the Name field, enter a name for the VM, such as test-vm.
  - In the Availability zone field, select the availability zone where the private-subnet is located.
- Under Image/boot disk selection, select an image and a Linux-based OS version.
- Under Network settings:
  - In the Subnet field, select a subnet for the test VM, such as private-subnet.
  - In the Public IP field, select No address.
  - In the Internal IPv4 address field, select Auto.
- Under Access:
  - Enter a username in the Login field.
  - Paste the contents of the public SSH key file in the SSH key field. You need to create a key pair for SSH connection yourself.
- Click Create VM.
Save the username, private SSH key, and internal IP for the test VM.
Create a security group
A security group holds the rules that define which traffic is allowed to reach your VMs; in this tutorial, its rules allow access to the VMs via SSH. You will create a security group called nat-instance-sg.
To create a security group:
- In the management console, select Virtual Private Cloud.
- Open the Security groups tab.
- Create a security group:
  - Click Create group.
  - In the Name field, enter the group name: nat-instance-sg.
  - In the Network field, select the my-vpc network.
  - Under Rules, create the following rules using the instructions below the table:

    | Traffic direction | Description | Port range | Protocol | Destination name / Source | CIDR blocks |
    | --- | --- | --- | --- | --- | --- |
    | Outgoing | any | All | Any | CIDR | 0.0.0.0/0 |
    | Incoming | ssh | 22 | TCP | CIDR | 0.0.0.0/0 |
    | Incoming | ext-http | 80 | TCP | CIDR | 0.0.0.0/0 |
    | Incoming | ext-https | 443 | TCP | CIDR | 0.0.0.0/0 |

    - Select the Egress or Ingress tab.
    - Click Add rule.
    - In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from. To open all ports, click Select the full range.
    - In the Protocol field, specify the desired protocol or leave Any to allow traffic transmission over any protocol.
    - In the Destination name or Source field, select CIDR; the rule will then apply to a range of IP addresses. In the CIDR blocks field, enter 0.0.0.0/0.
    - Click Save. Repeat the steps to create all the rules from the table.
  - Click Save.
Create a NAT instance
- In the management console, select a folder where you want to create a NAT instance.
- In the list of services, select Compute Cloud.
- Click Create virtual machine.
- Under Basic parameters:
  - In the Name field, enter a VM name for the NAT instance, such as nat-instance.
  - In the Availability zone field, select the availability zone where the public-subnet is located.
- Under Image/boot disk selection, go to the Marketplace tab and select the NAT instance image.
- Under Network settings:
  - In the Subnet field, select a subnet for the NAT instance, such as public-subnet.
  - In the Public IP field, select Auto.
  - In the Internal IPv4 address field, select Auto.
- Under Access:
  - Enter a username in the Login field.
  - Paste the contents of the public SSH key file in the SSH key field. You need to create a key pair for SSH connection yourself.
- Click Create VM.
Save the username, private SSH key, and internal and public IPs for the NAT instance.
Set up static routing
Note
Creating a NAT instance automatically configures only one network interface. You can enable other interfaces manually: assign an IP address to each new interface and specify a route for it in a route table. In each subnet, the gateway is the first address, x.x.x.1.
- Create a route table and add a static route to it:
  - In the management console, select a folder where you want to create a static route.
  - In the list of services, select Virtual Private Cloud.
  - In the left-hand panel, select
  - Click Create.
  - In the Name field, enter a name for the route table, such as nat-instance-route.
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - In the Network field, select a network, such as my-vpc.
  - Under Static routes, click Add a route.
  - In the window that opens, enter 0.0.0.0/0 in the Destination prefix field.
  - In the Next hop field, select IP address.
  - In the IP address field, specify the internal IP address of the NAT instance. Click Add.
  - Click Create a routing table.
- Link the route table to the subnet where the test VM is located, such as private-subnet:
  - In the left-hand panel, select
  - Click
  - In the window that opens, select the nat-instance-route table in the Route table field and click Link.
You can also use the created route for other subnets in the same network, except for the subnet where the NAT instance is located.
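The routing rules described in this section (a single 0.0.0.0/0 route whose next hop is the NAT instance's internal IP, linked to the private subnet but never to the subnet the NAT instance itself is in) can be checked before they are applied. The following Python script is an added example and is not part of the original page or of Yandex Cloud's tooling; the subnet CIDRs, the NAT instance IP 192.168.1.10, and the dictionary layout are constructed for illustration.

```python
import ipaddress

# Constructed sample data modelled on the tutorial's resources (not taken from the page):
# two subnets in my-vpc, a NAT instance in public-subnet, and a route table that sends
# 0.0.0.0/0 to the NAT instance's internal IP and is linked to private-subnet only.
NETWORK_OK = {
    "subnets": {"public-subnet": "192.168.1.0/24", "private-subnet": "192.168.2.0/24"},
    "nat_instance_ip": "192.168.1.10",  # constructed internal IP of nat-instance
    "route_table": {
        "static_routes": [{"destination_prefix": "0.0.0.0/0", "next_hop_address": "192.168.1.10"}],
        "linked_subnets": ["private-subnet"],
    },
}
# Same network, but the route table is also linked to the NAT instance's own subnet.
NETWORK_BAD = {
    **NETWORK_OK,
    "route_table": {**NETWORK_OK["route_table"], "linked_subnets": ["public-subnet", "private-subnet"]},
}

def subnet_of(ip, subnets):
    """Name of the subnet whose CIDR contains ip, or None if no subnet does."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, c in subnets.items() if addr in ipaddress.ip_network(c)), None)

def check_nat_routing(net):
    """Return the list of problems with the static-routing setup; an empty list means OK."""
    problems = []
    subnets, rt = net["subnets"], net["route_table"]
    defaults = [r for r in rt["static_routes"] if r["destination_prefix"] == "0.0.0.0/0"]
    if len(defaults) != 1:
        return ["route table must contain exactly one 0.0.0.0/0 static route"]
    hop = defaults[0]["next_hop_address"]
    hop_subnet = subnet_of(hop, subnets)
    if hop_subnet is None:
        problems.append(f"next hop {hop} is not inside any subnet of the network")
    if hop != net["nat_instance_ip"]:
        problems.append(f"next hop {hop} is not the NAT instance's internal IP {net['nat_instance_ip']}")
    if not rt["linked_subnets"]:
        problems.append("route table is not linked to any subnet, so no VM will use the NAT instance")
    for name in rt["linked_subnets"]:
        if name not in subnets:
            problems.append(f"linked subnet {name} does not exist in this network")
        elif name == hop_subnet:
            problems.append(f"route table is linked to {name}, the subnet the NAT instance itself is in")
    return problems

if __name__ == "__main__":
    for label, net in (("ok", NETWORK_OK), ("bad", NETWORK_BAD)):
        print(label, check_nat_routing(net) or "no problems found")
```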
Test the NAT instance
- Connect to the NAT instance over SSH by specifying:
  - Path to the private SSH key file of the NAT instance.
  - NAT instance username.
  - NAT instance public IP.
  Run the following command in the terminal window:
  ssh -i <path_to_NAT_instance_private_SSH_key_file> \
      <NAT_instance_username>@<NAT_instance_public_IP>
- On the NAT instance, create a file with the test VM's private SSH key, such as private-key:
  sudo nano private-key
  Paste the contents of the test VM's private SSH key into the file.
- From the NAT instance, connect to the test VM in the same cloud network via SSH. To do this, specify:
  - Path to the test VM's private SSH key file, such as private-key.
  - Test VM username.
  - Test VM's internal IP.
  Run the following command in the terminal window:
  ssh -i <path_to_test_VM_private_SSH_key_file> \
      <test_VM_username>@<test_VM_internal_IP>
- Make sure the test VM is connected to the internet via the public IP of the NAT instance. Enter the following command in the terminal:
  curl ifconfig.co
  If it returns the public IP address of the NAT instance, everything is correct.
How to delete the resources you created
To stop paying for the created resources, delete the test VM and the NAT instance.
How to create an infrastructure using Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically determines which part of your configuration is already deployed and what should be added or removed.
To set up routing through a NAT instance using Terraform:
- Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).
- Prepare a file with the infrastructure description:
  Ready-made archive:
  - Create a directory for the file with the infrastructure description.
  - Download the archive (2 KB).
  - Unpack the archive to the directory. As a result, it should contain the nat-instance.tf configuration file and the nat-instance.auto.tfvars file with user data.
  Creating files manually:
  - Create a directory for the file with the infrastructure description.
  - Create the nat-instance.tf configuration file in the directory:

    # Declaring variables for user-defined parameters
    variable "folder_id" {
      type = string
    }

    variable "vm_user" {
      type = string
    }

    variable "vm_user_nat" {
      type = string
    }

    variable "ssh_key_path" {
      type = string
    }

    # Adding other variables
    locals {
      network_name     = "my-vpc"
      subnet_name1     = "public-subnet"
      subnet_name2     = "private-subnet"
      sg_nat_name      = "nat-instance-sg"
      vm_test_name     = "test-vm"
      vm_nat_name      = "nat-instance"
      route_table_name = "nat-instance-route"
    }

    # Provider configuration
    terraform {
      required_providers {
        yandex = {
          source  = "yandex-cloud/yandex"
          version = ">= 0.47.0"
        }
      }
    }

    provider "yandex" {
      folder_id = var.folder_id
    }

    # Creating a cloud network
    resource "yandex_vpc_network" "my-vpc" {
      name = local.network_name
    }

    # Creating subnets
    resource "yandex_vpc_subnet" "public-subnet" {
      name           = local.subnet_name1
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.my-vpc.id
      v4_cidr_blocks = ["192.168.1.0/24"]
    }

    # The private subnet is the only one linked to the route table that points at the NAT instance
    resource "yandex_vpc_subnet" "private-subnet" {
      name           = local.subnet_name2
      zone           = "ru-central1-a"
      network_id     = yandex_vpc_network.my-vpc.id
      v4_cidr_blocks = ["192.168.2.0/24"]
      route_table_id = yandex_vpc_route_table.nat-instance-route.id
    }

    # Creating a security group
    resource "yandex_vpc_security_group" "nat-instance-sg" {
      name       = local.sg_nat_name
      network_id = yandex_vpc_network.my-vpc.id

      egress {
        protocol       = "ANY"
        description    = "any"
        v4_cidr_blocks = ["0.0.0.0/0"]
      }

      ingress {
        protocol       = "TCP"
        description    = "ssh"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 22
      }

      ingress {
        protocol       = "TCP"
        description    = "ext-http"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 80
      }

      ingress {
        protocol       = "TCP"
        description    = "ext-https"
        v4_cidr_blocks = ["0.0.0.0/0"]
        port           = 443
      }
    }

    # Adding ready-to-use VM images
    resource "yandex_compute_image" "ubuntu-1804-lts" {
      source_family = "ubuntu-1804-lts"
    }

    resource "yandex_compute_image" "nat-instance-ubuntu" {
      source_family = "nat-instance-ubuntu"
    }

    # Creating boot disks
    resource "yandex_compute_disk" "boot-disk-ubuntu" {
      name     = "boot-disk-ubuntu"
      type     = "network-hdd"
      zone     = "ru-central1-a"
      size     = "20"
      image_id = yandex_compute_image.ubuntu-1804-lts.id
    }

    resource "yandex_compute_disk" "boot-disk-nat" {
      name     = "boot-disk-nat"
      type     = "network-hdd"
      zone     = "ru-central1-a"
      size     = "20"
      image_id = yandex_compute_image.nat-instance-ubuntu.id
    }

    # Creating the test VM (no public IP; it reaches the internet only through the NAT instance)
    resource "yandex_compute_instance" "test-vm" {
      name        = local.vm_test_name
      platform_id = "standard-v3"
      zone        = "ru-central1-a"

      resources {
        core_fraction = 20
        cores         = 2
        memory        = 2
      }

      boot_disk {
        disk_id = yandex_compute_disk.boot-disk-ubuntu.id
      }

      network_interface {
        subnet_id          = yandex_vpc_subnet.private-subnet.id
        security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
      }

      metadata = {
        user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
      }
    }

    # Creating the NAT instance (nat = true assigns it the public IP shared by the private subnet)
    resource "yandex_compute_instance" "nat-instance" {
      name        = local.vm_nat_name
      platform_id = "standard-v3"
      zone        = "ru-central1-a"

      resources {
        core_fraction = 20
        cores         = 2
        memory        = 2
      }

      boot_disk {
        disk_id = yandex_compute_disk.boot-disk-nat.id
      }

      network_interface {
        subnet_id          = yandex_vpc_subnet.public-subnet.id
        security_group_ids = [yandex_vpc_security_group.nat-instance-sg.id]
        nat                = true
      }

      metadata = {
        user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user_nat}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh-authorized-keys:\n      - ${file("${var.ssh_key_path}")}"
      }
    }

    # Creating a routing table and a static route to the NAT instance's internal IP
    resource "yandex_vpc_route_table" "nat-instance-route" {
      name       = local.route_table_name
      network_id = yandex_vpc_network.my-vpc.id

      static_route {
        destination_prefix = "0.0.0.0/0"
        next_hop_address   = yandex_compute_instance.nat-instance.network_interface.0.ip_address
      }
    }
  - Create the nat-instance.auto.tfvars file with user data in the directory:

    folder_id    = "<folder_ID>"
    vm_user      = "<VM_username>"
    vm_user_nat  = "<NAT_instance_username>"
    ssh_key_path = "<path_to_public_SSH_key>"

  For more information about the parameters of resources used in Terraform, see the provider documentation.
- In the nat-instance.auto.tfvars file, set the user-defined parameters:
  - folder_id: folder ID.
  - vm_user: VM username.
  - vm_user_nat: NAT instance username.
  - ssh_key_path: path to the file with a public SSH key to authenticate the user on the VM. For details, see Creating an SSH key pair.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.