本文介绍如何通过NAT网关的DNAT功能和共享带宽功能实现多个应用共享一份公网带宽,节省公网成本。

背景信息

假设部署了四个面向互联网的应用,需要使用三个公网IP。另外需要一个ECS和一个IP作为服务器管理的跳板机来使用,并准备一个公网IP暂时备用。整体资源规划如下:

  • 带宽需求总量:150Mbps
  • 公网IP需求总量:5个,其中一个公网IP留作备用
  • ECS需求总量:5个
  • 公网IP与ECS的映射关系:
    • IP1->ECS1
    • IP2->ECS2
    • IP3->ECS3/ECS4(其中80端口映射给ECS3的80端口;443端口映射给ECS4的443端口)
    • IP4->ECS5(运维跳板机,仅开放22端口)
    • IP5:暂不添加DNAT规则

创建VPC与ECS。注意

VPC(ID: vpc-11af8lxxx)-与ECS资源相关情况如下:
说明 ECS实例不需要单独配置公网IP。
实例名称 私网IP
ECS1 192.168.1.1
ECS2 192.168.1.2
ECS3 192.168.1.3
ECS4 192.168.1.4

前提条件

  1. 为了方便调用API,本教程使用了一个用Python语言编写的Command Line工具。单击此处下载CLI工具。
    Linux环境下可以直接使用wget命令进行下载。
    wget http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/42691/cn_zh/1468947102311/api.py
  2. 创建AccessKey。

    您需要为调用API的账号创建一个AccessKey,用于身份验证。

  3. 为CLI工具配置AccessKey。

步骤一 创建NAT网关

  1. 调用CreateNatGateway接口创建NAT网关。
    [admin@tester:xxx]$ python api.py CreateNatGateway RegionId=cn-shanghai VpcId=vpc-11af8lxxx BandwidthPackage.1.IpCount=4 BandwidthPackage.1.Bandwidth=150 BandwidthPackage.1.Zone=cn-shanghai-a Name=MyNatGW Description="My first NAT Gateway"
     =====Request URL======
     https://ecs.aliyuncs.com/?SignatureVersion=1.0&VpcId=vpc-11af8lxxx&Name=MyNatGW&Format=json&TimeStamp=2016-05-23T03%3A26%3A21Z&BandwidthPackage.1.IpCount=5&RegionId=cn-shanghai&AccessKeyId=jZgi0oyrQXXXXXXX&SignatureMethod=HMAC-SHA1&Version=2014-05-26&Signature=I4KKhWgjJdImTqk4rCifAB3LbLw%3D&action=CreateNatGateway&SignatureNonce=1ebae49c-2096-11e6-b781-2cf0ee28adf2&BandwidthPackage.1.Bandwidth=150&BandwidthPackage.1.Zone=cn-shanghai-a&Description=My+first+NAT+Gateway
     =====Request URL end======
     ====== Got Response ======
     {
       "BandwidthPackageIds": {
         "BandwidthPackageId": [
           "bwp-11odxu2k7"
         ]
       },
       "ForwardTableIds": {
         "ForwardTableId": [
           "ftb-11tc6xgmv"
         ]
       },
       "NatGatewayId": "ngw-112za33e4",
       "RequestId": "2315DEB7-5E92-423A-91F7-4C1EC9AD97C3"
  2. 调用DescribeNatGateways接口查看NAT网关的详细信息。
    [admin@tester:xxx]$ python api.py DescribeNatGateways RegionId=cn-shanghai VpcId=vpc-11af8lxxx
     =====Request URL======
     https://ecs.aliyuncs.com/?SignatureVersion=1.0&VpcId=vpc-11af8lxxx&Format=json&TimeStamp=2016-05-23T03%3A27%3A14Z&RegionId=cn-shanghai&AccessKeyId=jZgi0oyrQ6ihgKp9&SignatureMethod=HMAC-SHA1&Version=2014-05-26&Signature=JvXErso9g0fZdRTgBtNLepe%2F1e4%3D&action=DescribeNatGateways&SignatureNonce=3e1424eb-2096-11e6-bc31-2cf0ee28adf2
     =====Request URL end======
     ====== Got Response ======
     {
       "NatGateways": {
         "NatGateway": [
           {
             "BandwidthPackageIds": {
               "BandwidthPackageId": [
                 "bwp-11odxu2k7"
               ]
             },
             "BusinessStatus": "Normal",
             "CreationTime": "2016-05-23T03:26:23Z",
             "Description": "My first NAT Gateway",
             "ForwardTableIds": {
               "ForwardTableId": [
                 "ftb-11tc6xgmv"
               ]
             },
             "InstanceChargeType": "PostPaid",
             "Name": "MyNatGW",
             "NatGatewayId": "ngw-112za33e4",
             "RegionId": "cn-shanghai",
             "Spec": "Small",
             "Status": "Available",
             "VpcId": "vpc-11af8lxxx"
           }
         ]
       },
       "PageNumber": 1,
       "PageSize": 10,
       "RequestId": "FE4C442C-9778-449A-BF7F-7F36C3AF5611",
       "TotalCount": 1
     }
  3. 调用DescribeBandwidthPackages接口查看已创建的共享带宽包的详细信息。
    [admin@tester:xxx]$ python api.py DescribeBandwidthPackages RegionId=cn-shanghai NatGatewayId=ngw-112za33e4
     =====Request URL======
     https://ecs.aliyuncs.com/?SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A33%3A30Z&RegionId=cn-shanghai&NatGatewayId=ngw-112za33e4&AccessKeyId=jZgi0oyrQ6ihgKp9&SignatureMethod=HMAC-SHA1&Version=2014-05-26&Signature=KN0C2Q4TUZtfECBn1c2lOdBzrb8%3D&action=DescribeBandwidthPackages&SignatureNonce=1e8941ae-2097-11e6-acbb-2cf0ee28adf2
     =====Request URL end======
     ====== Got Response ======
     {
       "BandwidthPackages": {
         "BandwidthPackage": [
           {
             "Bandwidth": "150",
             "BandwidthPackageId": "bwp-11odxu2k7",
             "BusinessStatus": "Normal",
             "CreationTime": "2016-05-23T03:26:24Z",
             "Description": "",
             "InstanceChargeType": "PostPaid",
             "InternetChargeType": "PayByBandwidth",
             "IpCount": "5",
             "Name": "",
             "NatGatewayId": "ngw-112za33e4",
             "PublicIpAddresses": {
               "PublicIpAddresse": [
                 {
                   "AllocationId": "nateip-11iopy3sl",
                   "IpAddress": "139.xxx.xx.107"
                 },
                 {
                   "AllocationId": "nateip-11pt1f9ph",
                   "IpAddress": "139.xxx.xx.55"
                 },
                 {
                   "AllocationId": "nateip-111ul670c",
                   "IpAddress": "139.xxx.xx.79"
                 },
                 {
                   "AllocationId": "nateip-11ogfjj85",
                   "IpAddress": "139.xxx.xx.59"
                 },
                 {
                   "AllocationId": "nateip-11s2jempe",
                   "IpAddress": "139.xxx.xx.58"
                 }
               ]
             },
             "RegionId": "cn-shanghai",
             "Status": "Available",
             "ZoneId": "cn-shanghai-a"
           }
         ]
       },
       "PageNumber": 1,
       "PageSize": 10,
       "RequestId": "14406B86-7CA1-4907-9755-86096F476A4F",
       "TotalCount": 1
     }

步骤二 配置DNAT

  1. 调用CreateForwardEntry接口添加如下转发条目。
    公网IP 公网端口 私网IP 私网端口 协议
    IP1 Any ecs-ip1 Any Any
    IP2 Any ecs-ip2 Any Any
    IP3 80 ecs-ip3 80 TCP
    IP3 443 ecs-ip4 443 TCP
    IP4 22 ecs-ip5 22 TCP
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.107 ExternalPort=Any InternalIp=192.168.1.1 InternalPort=Any IpProtocol=Any
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.107&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A53%3A18Z&RegionId=cn-shanghai&ExternalPort=Any&InternalIp=192.168.1.1&Signature=iR4GSzhJQtowMJOj%2FRth3ABP4FA%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=Any&action=CreateForwardEntry&SignatureNonce=e2ceae11-2099-11e6-b548-2cf0ee28adf2&InternalPort=Any
    =====Request URL end======
    ====== Got Response ======
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.107 ExternalPort=Any InternalIp=192.168.1.1 InternalPort=Any IpProtocol=Any
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.107&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A53%3A18Z&RegionId=cn-shanghai&ExternalPort=Any&InternalIp=192.168.1.1&Signature=iR4GSzhJQtowMJOj%2FRth3ABP4FA%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=Any&action=CreateForwardEntry&SignatureNonce=e2ceae11-2099-11e6-b548-2cf0ee28adf2&InternalPort=Any
    =====Request URL end======
    ====== Got Response ======
    {
    "ForwardEntryId": "fwd-119smw5tk",
    "RequestId": "A4AEE536-A97A-40EB-9EBE-53A6948A6928"
    }
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.55 ExternalPort=Any InternalIp=192.168.1.2 InternalPort=Any IpProtocol=Any
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.55&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A53%3A42Z&RegionId=cn-shanghai&ExternalPort=Any&InternalIp=192.168.1.2&Signature=mFBn%2BCd4LfHkKj53MwmWyMhzyfs%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=Any&action=CreateForwardEntry&SignatureNonce=f09c1b38-2099-11e6-aa80-2cf0ee28adf2&InternalPort=Any
    =====Request URL end======
    ====== Got Response ======
    {
    "ForwardEntryId": "fwd-11dz3ly9l",
    "RequestId": "5DBC8F86-2D76-4BF4-B839-7FF31B61D516"
    }
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.79 ExternalPort=80 InternalIp=192.168.1.3 InternalPort=80 IpProtocol=TCP
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.79&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A54%3A10Z&RegionId=cn-shanghai&ExternalPort=80&InternalIp=192.168.1.3&Signature=OpTui3SKbAjKXy6gKRoJb%2B9Lazg%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=TCP&action=CreateForwardEntry&SignatureNonce=01c41d5c-209a-11e6-905e-2cf0ee28adf2&InternalPort=80
    =====Request URL end======
    ====== Got Response ======
    {
    "ForwardEntryId": "fwd-11r23r7p5",
    "RequestId": "67B7AAFD-E7AB-4EB8-AA5C-AA38CFFB4A95"
    }
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.79 ExternalPort=443 InternalIp=192.168.1.4 InternalPort=443 IpProtocol=TCP
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.79&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A55%3A22Z&RegionId=cn-shanghai&ExternalPort=443&InternalIp=192.168.1.4&Signature=X%2BZtHbTeKYf8xU%2FvWhPAmg%2B5scc%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=TCP&action=CreateForwardEntry&SignatureNonce=2c3f2573-209a-11e6-be0f-2cf0ee28adf2&InternalPort=443
    =====Request URL end======
    ====== Got Response ======
    {
    "ForwardEntryId": "fwd-11cdhpjlk",
    "RequestId": "260A9673-5522-4F66-844A-1F1AB47CD21C"
    }
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$
    [admin@tester:xxx]$ python api.py CreateForwardEntry RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv ExternalIp=139.xxx.xx.59 ExternalPort=22 InternalIp=192.168.1.5 InternalPort=22 IpProtocol=TCP
    =====Request URL======
    https://ecs.aliyuncs.com/?ExternalIp=139.xxx.xx.59&SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A55%3A44Z&RegionId=cn-shanghai&ExternalPort=22&InternalIp=192.168.1.5&Signature=%2FZWf5%2ForHr%2BUR446eEBLC4LNYe8%3D&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&IpProtocol=TCP&action=CreateForwardEntry&SignatureNonce=39863cf3-209a-11e6-8f6d-2cf0ee28adf2&InternalPort=22
    =====Request URL end======
    ====== Got Response ======
    {
    "ForwardEntryId": "fwd-11iv34uj7",
    "RequestId": "0884BC12-8EAD-4AAA-826E-30E5435D7C27"
    }
  2. 调用DescribeForwardTableEntries接口查看已添加的DNAT条目。
    [admin@tester:xxx]$ python api.py DescribeForwardTableEntries RegionId=cn-shanghai ForwardTableId=ftb-11tc6xgmv
     =====Request URL======
     https://ecs.aliyuncs.com/?SignatureVersion=1.0&Format=json&TimeStamp=2016-05-23T03%3A56%3A18Z&RegionId=cn-shanghai&AccessKeyId=jZgi0oyrQ6ihgKp9&ForwardTableId=ftb-11tc6xgmv&SignatureMethod=HMAC-SHA1&Version=2014-05-26&Signature=x4%2B6oNYxIRBmND8rcIbJM9EJ8ts%3D&action=DescribeForwardTableEntries&SignatureNonce=4db93223-209a-11e6-81eb-2cf0ee28adf2
     =====Request URL end======
     ====== Got Response ======
     {
       "ForwardTableEntries": {
         "ForwardTableEntry": [
           {
             "ExternalIp": "139.xxx.xx.107",
             "ExternalPort": "any",
             "ForwardEntryId": "fwd-119smw5tk",
             "ForwardTableId": "ftb-11tc6xgmv",
             "InternalIp": "192.168.1.1",
             "InternalPort": "any",
             "IpProtocol": "any",
             "Status": "Available"
           },
           {
             "ExternalIp": "139.xxx.xx.79",
             "ExternalPort": "443",
             "ForwardEntryId": "fwd-11cdhpjlk",
             "ForwardTableId": "ftb-11tc6xgmv",
             "InternalIp": "192.168.1.4",
             "InternalPort": "443",
             "IpProtocol": "tcp",
             "Status": "Available"
           },
           {
             "ExternalIp": "139.xxx.xx.55",
             "ExternalPort": "any",
             "ForwardEntryId": "fwd-11dz3ly9l",
             "ForwardTableId": "ftb-11tc6xgmv",
             "InternalIp": "192.168.1.2",
             "InternalPort": "any",
             "IpProtocol": "any",
             "Status": "Available"
           },
           {
             "ExternalIp": "139.xxx.xx.59",
             "ExternalPort": "22",
             "ForwardEntryId": "fwd-11iv34uj7",
             "ForwardTableId": "ftb-11tc6xgmv",
             "InternalIp": "192.168.1.5",
             "InternalPort": "22",
             "IpProtocol": "tcp",
             "Status": "Available"
           },
           {
             "ExternalIp": "139.xxx.xx.79",
             "ExternalPort": "80",
             "ForwardEntryId": "fwd-11r23r7p5",
             "ForwardTableId": "ftb-11tc6xgmv",
             "InternalIp": "192.168.1.3",
             "InternalPort": "80",
             "IpProtocol": "tcp",
             "Status": "Available"
           }
         ]
       },
       "PageNumber": 1,
       "PageSize": 10,
       "RequestId": "C84FDDCF-8550-4024-B89C-01E7459D7CF9",
       "TotalCount": 5
     }