Symptom

You have bought a public NAT gateway and added SNAT and DNAT rules, but your servers cannot access the Internet or provide services accessible from the Internet. Whether the network configured with a public NAT gateway can connect to the Internet depends on the route table configuration, security group configuration, and firewall configuration. If any configuration problem occurs, the network connection will fail. This section describes the fault locating process after a public NAT gateway is configured.

Fault Locating

The following fault causes are listed in descending order of occurrence probability.

If the fault persists after one possible cause is ruled out, move down the list to the other possible causes.

**Table 1** Network disconnection troubleshooting
Possible Cause	Solution
The route table is incorrectly configured.	Add the default route or a route pointing to the public NAT gateway to the route table. For details, see Checking Whether Default Route Pointing to the Public NAT Gateway Is Configured in the Route Table.
The ECS has an EIP bound.	Unbind the EIP from the ECS. For details, see Checking Whether the ECS Has an EIP Bound.
The security group rules are incorrectly configured.	Configure ECS security group rules to allow traffic to and from the ECS. For details, see Checking Whether Security Group Rules Allow Traffic to and from the ECS Port.
The firewall is incorrectly configured.	Add firewall rules to allow traffic in and out of the subnet. For details, see Checking Whether Firewall Rules Allow Traffic in and out of the Subnet.
The EIP bandwidth exceeds the threshold.	Increase the EIP bandwidth by referring to Checking Whether the EIP Bandwidth Limit Has Been Exceeded.
The service volume of the Public NAT gateway exceeds the upper limit.	Increase the public NAT gateway specifications. For details, see Checking Whether the SNAT Connection Limit for the Public NAT Gateway Has Been Exceeded.
The assign status is abnormal.	Ensure that the public NAT gateway is running. For details, see Check Whether the Public NAT Gateway Status is Normal.
The ECS port is not listened on.	Enable the ECS port again. For details, see Checking ECS Ports.

Checking Whether Default Route Pointing to the Public NAT Gateway Is Configured in the Route Table

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click Service List in the upper left corner. Under Network, select Virtual Private Cloud.
In the navigation pane on the left, choose Route Tables.
In the route table list, click the name of the route table associated with the VPC to which the public NAT gateway belongs.

Check whether default route (0.0.0.0/0) pointing to the public NAT gateway is in the route list.

If no, add the default route pointing to the public NAT gateway to the route table.

Click Add Route and configure required parameters.

**Table 2** Descriptions of route parameters
Parameter	Description
Destination	The destination CIDR block Set it to 0.0.0.0/0.
Next Hop Type	Set it to NAT gateway.
Next Hop	Set it to the ID of the public NAT gateway you purchased.
Description	(Optional) Supplementary information about the route Enter up to 255 characters. Angle brackets (< or >) are not allowed.

Click OK.

If a default route is there but does not point to the public NAT gateway, add a route pointing to the public NAT gateway to the existing route table. Alternatively, create a route table and add a default route pointing to the public NAT gateway to the new route table.

To add a route pointing to the public NAT gateway to the existing route table, perform the following steps:

Click Add Route and configure required parameters.

**Table 3** Descriptions of route parameters
Parameter	Description
Destination	The destination CIDR block
Next Hop Type	Set it to NAT gateway.
Next Hop	Set it to the ID of the public NAT gateway you purchased.
Description	(Optional) Supplementary information about the route Enter up to 255 characters. Angle brackets (< or >) are not allowed.

Click OK.

Create a route table and add a default route pointing to the public NAT gateway.

In the upper right corner of the Route Tables page, click Create Route Table and configure required parameters.

**Table 4** Descriptions of route table parameters
Parameter	Description	Example Value
Name	(Mandatory) The name of the route table Enter up to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed. Spaces are not allowed.	rtb-001
VPC	(Mandatory) The VPC that the route table belongs to	vpc-001
Description	(Optional) Supplementary information about the route table Enter up to 255 characters. Angle brackets (< or >) are not allowed.	N/A
Route Settings	Information about routes You can click Add Route to add more routes. Set Destination to 0.0.0.0/0, Next Hop Type to NAT gateway, and Next Hop to the public NAT gateway you purchased.	N/A

Click OK.
An Information dialog box is displayed, indicating that you can associate the route table with a subnet now or later.
Click Associate Subnet.
The Associated Subnets tab is displayed.
Click Associate Subnet and select the subnet to be associated.
Click OK.

Checking Whether the ECS Has an EIP Bound

If both SNAT and EIP are configured for an ECS, the EIP is preferentially used for data forwarding.

If both DNAT and EIP are configured for an ECS, the ECS will have two EIPs, one that is bound to the ECS and one that is associated with the DNAT rule. Incoming data will be forwarded by one of the two EIPs, which is determined by the client user. Outgoing data will be forwarded by the EIP bound to the ECS in priority. If the two EIPs are different, data forwarding will fail.

If the ECS has an EIP bound, perform the following steps to unbind the EIP.

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Under Computing, click Elastic Cloud Server.
In the list, locate the ECS. In the IP Address column, check whether the ECS has an EIP bound.
- If no, check the next item.
- If yes, unbind it.
  For details about how to unbind an EIP from an ECS, see Unbinding an EIP from an ECS and Releasing the EIP.

Checking Whether Security Group Rules Allow Traffic to and from the ECS Port

If the traffic to and from the ECS port is denied in the security group, add rules to the security group to allow the port traffic.

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Under Computing, click Elastic Cloud Server.
On the Elastic Cloud Server page, click the name of the ECS.
Click the Security Groups tab and view security group rules.
Check whether you have configured inbound and outbound rules to allow traffic to and from the ECS port.
- If yes, check the next item.
- If no, click Manage Rule.
  On the Summary tab page of the security group, click Inbound Rules or Outbound Rules to add an inbound rule and outbound rule that allow traffic to and from the ECS port. For details about inbound and outbound rule parameters, see Adding a Security Group Rule.

Checking Whether Firewall Rules Allow Traffic in and out of the Subnet

Check whether the VPC subnet is associated with firewall rules. If yes, check the firewall rules.

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click Service List in the upper left corner. Under Network, select Virtual Private Cloud.
In the navigation pane on the left, click Subnets.
Check whether the NAT gateway subnet is associated with a firewall.
The specific firewall name indicates that the association is successful.
Click the firewall name to view the details.
Check whether the inbound and outbound rules that allow traffic in and out of the subnet have been added.
If no, add such inbound and outbound rules, or disassociate the firewall from the subnet.

For details, see Add a Firewall Rule and Disassociating a Subnet from a Firewall.

The default firewall rules deny all incoming and outgoing packets. After the firewall is disabled, the default rules still take effect.

Checking Whether the EIP Bandwidth Limit Has Been Exceeded

If an EIP is bound to the public NAT gateway, the bandwidth is used to provide access traffic between the public network and the public NAT gateway.

If the network is disconnected, check whether the EIP bandwidth exceeds the limit.

For details about how to increase the bandwidth, see Modifying an EIP Bandwidth.

Checking Whether the SNAT Connection Limit for the Public NAT Gateway Has Been Exceeded

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click Service List in the upper left corner. Under Management & Governance, choose Cloud Eye.
In the navigation pane on the left, choose Cloud Service Monitoring > NAT Gateway.
Locate the row that contains the public NAT gateway you purchased and click View Metric in the Operation column to check detailed monitoring.
Check whether the SNAT connection limit for the public NAT gateway has been exceeded.
- If no, check the next item.
- If the number of SNAT connections exceeds the upper limit of the public NAT gateway specifications, increase the specifications.
  For details about how to increase the public NAT gateway specifications, see Modifying a Public NAT Gateway.

Check Whether the Public NAT Gateway Status is Normal

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click Service List in the upper left corner. Under Network, select NAT Gateway.
In the public NAT gateway list, locate the NAT gateway and check whether its status is Running.
- If yes, check the next item.
- If no, the possible causes are as follows:
  - Your account or resources are frozen because you violated related security requirements or laws and regulations when using the cloud platform. If you complete the rectification within the required period and meet related security and legal requirements, your account and resources can be unfrozen. If you do not complete the rectification within the required period, your resources will be deleted.

Checking ECS Ports

Ensure that ECS ports are in the LISTEN state. Table 5 lists the common TCP statuses.

Linux
Run the netstat -antp command to check whether the ECS port is in the LISTEN state.

For example, run netstat -ntulp |grep 80.
Figure 1 Checking port listening status

If no, enable the ECS port.
Windows
Perform the following operations to check port communication:
1. Run cmd.exe.
2. Run the netstat -ano | findstr "PID" command to obtain the PID used by the process.
  For example, run netstat -ano | findstr "80".
  Figure 2 Checking port listening status
  
  If no, enable the ECS port.

**Table 5** Common TCP statuses
TCP Status	Description	Scenario
LISTEN	Listens for network connection requests from a remote TCP port.	The TCP server is running.
ESTABLISHED	A connection has been set up.	A TCP connection is properly set up.
TIME-WAIT	Waits until the remote TCP server receives the acknowledgement of the connection termination request.	The TCP connection is terminated, and the session is closed in 1 minute.
CLOSE-WAIT	Waits for a connection termination request sent by a local user.	A program fault resulted in an open socket. This state is displayed after the network is disconnected, indicating that a process is in an infinite loop or waiting for certain requirements to be met. To resolve this issue, restart the affected process.
FIN-WAIT-2	Waits for the network disconnection request from a remote TCP server.	The network has been disconnected and requires 12 minutes to automatically recover.
SYN-SENT	Waits for the matched network connection request after a network connection request is sent.	The TCP connection request failed, which is generally caused by the delayed handling of high CPU usage on the server or by a DDoS attack.
FIN-WAIT-1	Waits for the remote TCP disconnection request, or the acknowledgement for a previous disconnection request.	If the network has been disconnected, this state may not automatically recover after 15 minutes. If the port remains occupied for a long period of time, restart the OS to resolve the issue.

What Can I Do If Connection Between My Servers and the Internet Fails After I Add SNAT and DNAT Rules?