By default, resources within a virtual private cloud (VPC) can communicate with the Internet by binding a public IPv4 address. However, sometimes Internet accesses are not overseen by the operation and maintenance department, which poses security risks. For example, business departments configure public IP addresses for Elastic Compute Service (ECS) instances without informing O&M. As a traffic control component at the VPC boundary, an IPv4 gateway allows you to manage Internet access through route tables and ensures that the public traffic passes through the IPv4 gateway, thereby reducing the security risks associated with decentralized access.
Overview
VPC components
Understanding the following VPC components will help you better understand the IPv4 gateway:
Public IPv4 address: An IPv4 address that can be directly accessed through the Internet. These addresses are globally unique and can be accessed worldwide. There are two types:
Static public IP: A public IP address created and deleted together with instances such as ECS, and Classic Load Balancer (CLB). These IP addresses are strongly bound to instances and cannot be modified after creation, so they do not support flexible disassociation and management.
Elastic IP address (EIP): An independent public IP address that can be dynamically bound and unbound, supporting flexible management.
Internet NAT Gateway: A network address translation device within the VPC that provides Internet access by binding an EIP. It converts private IPv4 addresses to public ones, or to EIPs. This avoids exposing the real IP addresses and enables secure Internet communication. Resources in the VPC can actively access the Internet and provide services over the Internet through the NAT gateway.
Server Load Balancer (SLB): An application traffic distribution service within the VPC that provides Internet access by binding a public IP. It distributes traffic to backend servers to expand the throughput of application systems, eliminating single points of failure (SPOF), and improving the availability of the application system. Resources in the VPC can only provide services over the Internet and cannot actively access the Internet through SLB.
Architecture of VPC with an IPv4 gateway
The following architecture shows the inbound and outbound traffic in the VPC. As illustrated, an IPv4 gateway is a public traffic gateway at the VPC boundary that uniformly controls the Internet traffic and differs from public IP addresses, NAT gateways, and load balancing.
Why use an IPv4 gateway?
Item | Internet access without IPv4 gateway (Default) | Centralized control with IPv4 gateway |
Example | ECS instances access the Internet through static public IPs, EIPs, or an Internet NAT gateway. | Centrally control the Internet inbound and outbound traffic. |
Scenario | Some ECS instances need independent, direct Internet access. Suitable for scenarios where Internet access requirements are subject to frequent changes. | Suitable for large, multi-tiered network architecture. Enterprise-level environments with strict requirements for security and compliance. |
Complexity | Simple and quick operation without the need for route configuration. | Network planning and routing configuration are required. |
Flexibility | Each instance is independent. | Changes in network policies affect all instances in the VPC. |
Security | Security protection is achieved through configuring security group rules of instances. | The centralized control mode of the IPv4 gateway ensures the consistency of network policies and overall security. |
Limits
Feature limits
Scope:
The IPv4 gateway is a region-level resource that can only be used in the region where it is located.
Limits:
A VPC can only have one IPv4 gateway, and each IPv4 gateway can only be associated with one VPC.
An IPv4 gateway can exclusively bind to a gateway route table of the border gateway type. Each IPv4 gateway is associated with a single gateway route table.
Exception:
When an internal-facing CLB is bound to an IPv4 gateway by using an EIP or Anycast EIP, the gateway does not restrict the return traffic from the Internet.
Supported regions
Area | Regions |
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region) |
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico |
Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |
Use the IPv4 gateway
Working modes
The IPv4 gateway must be activated to uniformly control Internet traffic. The working modes of the IPv4 gateway dictate the ability to access the Internet and manage public traffic centrally.
Refer to the following diagram to understand the working modes and when the modes are switched:
The network traffic in the VPC will not be impacted until you activate the IPv4 gateway. However, there may be a brief network interruption during activation due to traffic path switching.
View IPv4 Internet Access Mode in the details page of a VPC and see whether the Internet traffic is centrally managed by IPv4 gateway.
Scenario
This section uses the Internet access of two ECS instances in a VPC to demonstrate how to use the IPv4 gateway.
Internet access | Target |
Two ECS instances within the VPC can access the Internet through an EIP. | Centrally control Internet traffic: All traffic actively accessing the Internet from the VPC must be controlled by the IPv4 gateway. |
 | |
To use the IPv4 gateway in a region, you must create a VPC, ECS, and EIP. Ensure that the VPC is not associated with an IPv4 gateway.
Procedure
An IPv4 gateway cannot be created under the following conditions:
EIPs in the VPC are in the cut-through mode.
The Internet NAT gateway in the VPC is incompatible with the IPv4 gateway. To resolve this, switch to Internet NAT gateway mode for compatibility.
You cannot create an IPv4 gateway for shared VPCs.
Go to the IPv4 Gateway console and select the region from the top navigation bar.
Click Create IPv4 Gateway, choose a VPC, and click Create.
Select the route table associated with the vSwitch where the ECS is located and click Activate. If there are multiple vSwitch route tables, select all that apply.
NoteDuring activation, the system adds a default route of
0.0.0.0/0pointing to the IPv4 gateway in the selected route table of vSwitch, granting Internet access. If there is already a default route with the destination CIDR block of0.0.0.0/0, the IPv4 gateway default route cannot be added.Network traffic in the VPC remains unaffected before the IPv4 gateway is activated. However, activation may cause a brief network interruption due to the switch in traffic paths.
The IPv4 gateway is activated and the route table is configured.
Now, the VPC has an activated IPv4 gateway. Proceed to test its functionality.
NoteEnsure the network ACL and security group configurations are proper to avoid impacting the ECS connectivity tests.
With a route of
0.0.0.0/0that points to the IPv4 gateway, ECS instances can access the Internet. Test network connectivity with theping aliyun.comcommand.
Additional operations
Modify public outbound routes
The public outbound routes for the IPv4 gateway are managed through the vSwitch route table. If a vSwitch includes a route entry that points to the IPv4 gateway, the corresponding route entry address can access the Internet. Such a vSwitch is a public vSwitch, while a vSwitch without such a route is known as a private vSwitch.
Delete an IPv4 gateway
Before deletion, you must unbind the gateway route table.
Select a mode when deleting an IPv4 gateway, which impacts the Internet access within the VPC. For more information, see Working modes.
In private mode, you must remove all route entries in the VPC route table pointing to the IPv4 gateway before proceeding.
WarningBe aware that choosing private mode will prevent all resources within the VPC from accessing the Internet. Proceed with caution.
In public mode, the system will automatically delete all route entries pointing to the IPv4 gateway. Choose this mode if you need to revert to the initial state where instances can access the Internet through a public IP address.
Best practices
Centralized egress control
Organizations may have public access channels that lack oversight from the O&M team. For example, when business departments configure public IPs for ECS instances at their discretion, it may create security vulnerabilities for network management.
By employing an IPv4 gateway, you can transform the network architecture into a centralized framework where you can manage public traffic through the route table. This ensures that all data flows through the IPv4 gateway and facilitates the enforcement of unified security policies and audits, thereby mitigating the risks associated with decentralized access.
Below is an example of the IPv4 architecture. For more information, see Use IPv4 gateway to centralize control over Internet access.
Use public CIDRs as private ones
Some organizations use non-RFC 1918 private CIDR blocks in local data centers or VPCs, such as 30.0.0.0/16. When establishing connections with other VPCs or data centers, access to the Internet is prioritized. This is because VPCs treat non-RFC 1918 IPs as public CIDR blocks. So, even if a route entry pointing to 30.0.0.0/16 is configured, it cannot access the target VPCs or data centers.
You can use the IPv4 gateway to centrally control the Internet access and route traffic to VPCs or data centers when accessing 30.0.0.0/16.
Below is an example of the architecture. For more information, see Use IPv4 gateway to route traffic from Internet to private network.
Route traffic to third-party security devices
Single-point architecture
Some organizations deploy third-party security devices within the VPC to scrub inbound and outbound traffic.
You can use the IPv4 gateway in conjunction with the route table to safely forward public traffic to security devices for inspection and filtering. This helps prevent malicious attacks and unauthorized access, ensuring security protection.
GWLB high availability architecture
In a single-point architecture, failures of third-party devices will affect the availability of the entire business system. You can deploy Gateway Load Balancer (GWLB) to achieve high availability and eliminate single points of failure.
In this scenario, use the IPv4 gateway in conjunction with the route table to forward public traffic to the Gateway Load Balancer endpoint (GLWBe), which connects to GWLB through PrivateLink and routes the traffic to third-party security devices for processing. After scrubbing, the traffic is transmitted to the application server or Internet client.
Below is an example of the architecture. For more information, see Use a GWLB instance to create a security check system for IPv4 traffic.
Inbound IPv4 traffic path | Outbound IPv4 traffic path |
|
|
FAQs
What are the differences between an IPv4 gateway and an Internet NAT gateway?
Component | IPv4 Gateway | Internet NAT Gateway |
Function | A component at the VPC boundary that controls public IPv4 traffic. | Network address translation device in VPCs. |
Scenario | Centralized control of Internet traffic. | Unified traffic egress of the Internet. |
Whether Internet access is provided | No. It is a traffic control component. | Internet access is available by attaching an EIP. (The NAT gateway itself does not provide Internet access capability.) |
IPv4 gateways and Internet NAT gateways serve distinct functions and can be used together.
For more information about the relationship between network components, see the location of the IPv4 gateway in the VPC.
How do I restore a VPC with an enabled IPv4 gateway to the initial state?
To restore a VPC to its initial state (for example, allowing ECS instances to access the Internet by binding a public IP), delete the IPv4 gateway in public mode.
The deletion mode impacts how the VPC accesses the Internet. For more information, see Working modes.
How is the IPv4 gateway billed?
There are no fees associated with the IPv4 gateway itself.
However, data transfer costs are incurred by the public IPs, such as EIPs or static public IPs of ECS or CLB. For more information, refer to the billing documents of the corresponding products.
How do I centrally manage IPv6 traffic?
The IPv4 gateway serves as a public IPv4 traffic control component at the VPC boundary. To centrally manage IPv6 traffic, an IPv6 gateway is required.
Additional actions
You can manage the IPv4 gateway by calling the following APIs:
CreateIpv4Gateway: Create an IPv4 gateway.
EnableVpcIpv4Gateway: Enable an IPv4 gateway.
AssociateRouteTableWithGateway: Associate the route table with an IPv4 gateway.
DissociateRouteTableFromGateway: Dissociate the route table from an IPv4 gateway.
DeleteIpv4Gateway: Delete an IPv4 gateway.