NAT

NAT is a network address translation mechanism that allows you to replace the private address of a service with a public IP when accessing the Internet.

Packets sent from services go through a traffic routing device. If the destination address is local, the packet is forwarded within the network to the local address. If the address is external, the router replaces the service’s private IP with the gateway’s public IP and sends the packet “outside”.

With NAT, you don’t have to issue unique public IPs to each service. Services within the private network that do not have their own public IP will access the Internet through the gateway IP address.

Floating IPs are used as external IPs for NAT. If a floating IP has not yet been assigned to the network, then when you enable NAT, you can select one of the existing floating IPs on your account or create a new one. 

If at some point you no longer need to use NAT, the IP can be disconnected from the network and used for other services on the account or deleted.

Enabling or disabling NAT

You can enable or disable NAT manually:

• When creating a new private network

• In the settings of an existing network

If no floating IP address is assigned to the private network yet, it will be assigned when you enable NAT. 

You can choose one of the existing floating IPs on your account or create a new one. A floating IP costs $2.5 per month.

NAT will be enabled automatically when the “Outgoing Only” routing rule is enabled to any service in the private network.

When disabling NAT:

• All services in the private network with the “Outgoing Only” traffic routing rule enabled will lose access to the Internet and will be available only within the private network. 

• The floating IP will be disconnected from the private network, but will remain on your account. When you re-enable NAT, you will be able to select the same IP if necessary. If a floating IP is no longer needed, it can be linked to another service or deleted. 

Traffic routing rules

The following traffic routing rules can be enabled for services: 

• Incoming and outgoing

Incoming and outgoing traffic to/from the external network is allowed. The service has its own public IP for accessing the Internet.

If you disable the "Incoming and outgoing" rule, the service will lose its public IP address. When re-enabled, a new IP will be issued.

• Outgoing only

Outgoing traffic to the external network is allowed, incoming traffic from the Internet is blocked. The service does not have its own public IP, it works behind NAT and can access the Internet with the gateway public IP.

When you enable the "Outgoing Only" rule for one of the services in a private network, NAT will be automatically enabled and a public IP issued for the gateway.

When NAT is disabled, all services with the "Outgoing Only" rule will lose access to the Internet and the rule will change to "Private network only".

• Private network only

Only traffic within the private network is allowed, all external traffic is blocked. The service does not have its own public IP.

Setting up rules

You can configure traffic routing rules:

• In the private network settings

Click on the traffic rule icon and select a new rule.

• In the service’s network settings

Cloud servers:

1. Go to Cloud servers and click on the server.

2. In the Network tab, click Configure next to Traffic routing rules (NAT).

3. Select a new routing rule and save changes.

Databases:

1. Go to Databases and click on the database.
2. In the Network tab, enable or disable the Allow access by public IP address option. 

When enabled, the Incoming and outgoing traffic rule is applied. When disabled, the Private network only rule.

Service cost

NAT is provided for free, however, it requires a floating IP address, which is used as the public address for the private network. The cost of a floating IP is $2.5 per month.

A floating IP is charged as long as it exists on your Hostman account, even if NAT is already disabled. To stop the charges, delete the floating IP from the Networks → Floating IP section.