Virtual Private Cloud: IPv4 gateway

Last Updated: Sep 17, 2025

By default, resources in a virtual private cloud (VPC) that have an assigned public IP address can access the internet. To mitigate security risks from unmanaged Internet access, use an IPv4 gateway and configure route tables to centralize all Internet-bound traffic. This reduces the security risks associated with decentralized access.

Why use an IPv4 gateway

| Component | Direct Internet access (Default) | Centralized control by IPv4 gateway |
| --- | --- | --- |
| Example | An ECS instance accesses the internet by using a static public IP address, Elastic IP Address (EIP), or an Internet NAT Gateway. | Internet access traffic is centrally managed. |
| Scenarios | A small number of ECS instances that require independent and direct Internet access. Designed for environments with changing Internet access demands. | Large network architectures with multiple tiers. Designed for enterprise environments with strict network security and compliance requirements. |
| Complexity | Simple and fast, with no route configuration required. | Requires network planning and route configuration. |
| Flexibility | Each instance is managed independently without affecting others. | Changes to a route table affect all resources within the associated vSwitches. |
| Security | Security primarily relies on the security group rules configured for each individual instance. | Ensures network policy consistency and security. |

Compare an IPv4 gateway and a NAT gateway

An IPv4 gateway and an Internet NAT Gateway can be used together. For more information about these network components, see Internet access.

| Component | IPv4 gateway | Internet NAT gateway |
| --- | --- | --- |
| Function | A component on the VPC boundary that controls public IPv4 traffic. | A network address translation device within the VPC. |
| Scenarios | Centrally control Internet access traffic. | Provide a unified egress for Internet-bound traffic. |
| Provides Internet access | No. Only controls Internet traffic. | Yes, by associating EIPs. (The Internet access is provided by EIPs, not by the Internet NAT Gateway itself.) |

After you create an IPv4 gateway, vSwitches are classified into two types:

  • Public vSwitch: A vSwitch is considered a public vSwitch if it has a route entry with a Destination CIDR Block of 0.0.0.0/0 and a Next Hop that points to the IPv4 gateway. Resources in this vSwitch can access the Internet if they have a public IP address.

  • Private vSwitch: A vSwitch is considered a private vSwitch if it does not have a route entry to the IPv4 gateway. Resources in this vSwitch cannot directly access the internet, even if assigned a public IP address.

When using an IPv4 gateway with an Internet NAT Gateway, deploy the Internet NAT Gateway in a public vSwitch. ECS instances in a private vSwitch that require Internet access must have a route configured to point to the Internet NAT Gateway. This directs their Internet-bound traffic to the Internet NAT Gateway, which then uses its public IP to access the internet. Note the following:

  • Make sure that the EipBindMode of the Internet NAT gateway is set to NAT for compatibility with the IPv4 gateway.

    • An Internet NAT gateway created in the console is in NAT mode by default. When you call the CreateNatGateway operation, you must set EipBindMode to NAT. After creation, call ModifyNatGatewayAttribute to change the EipBindMode.

    • An IPv4 gateway cannot be created if an existing Internet NAT Gateway has EipBindMode set to MULTI_BINDED.

    • If an IPv4 gateway already exists, you cannot attach EIPs by calling the CreateNatGateway operation to create an Internet NAT gateway with EipBindMode set to MULTI_BINDED.

  • To prevent resources in a private vSwitch from losing Internet access after activating the IPv4 gateway, make sure you configure routes before activation.
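
The public/private vSwitch classification and the NAT gateway prerequisites above can be checked before activation. The following Python sketch is an added example, not Alibaba Cloud code: the VPC dictionary is constructed sample data shaped like this page's Terraform topology, and its field names and the functions `classify` and `audit` are assumptions of the example, not the output format of any API.

```python
"""Pre-activation audit for an IPv4 gateway rollout (added example)."""

DEFAULT = "0.0.0.0/0"

# Constructed sample data: one route table per vSwitch, keyed by vSwitch name.
# Field names are assumptions made for this sketch.
VPC = {
    "route_tables": {
        "vsw1": [{"dest": DEFAULT, "type": "Ipv4Gateway"}],
        "vsw2": [{"dest": DEFAULT, "type": "Ipv4Gateway"}],
        "vsw3": [{"dest": DEFAULT, "type": "NatGateway"}],
        "vsw4": [],  # default route was never configured
    },
    "nat_gateways": [
        {"id": "nat-example", "vswitch": "vsw2", "eip_bind_mode": "NAT"},
    ],
    "instances": [
        {"id": "i-1", "vswitch": "vsw1", "public_ip": True},
        {"id": "i-2", "vswitch": "vsw3", "public_ip": False},
        {"id": "i-3", "vswitch": "vsw4", "public_ip": True},
    ],
}


def default_next_hop(routes):
    """Return the next-hop type of the 0.0.0.0/0 route, or None if absent."""
    for route in routes:
        if route["dest"] == DEFAULT:
            return route["type"]
    return None


def classify(route_tables):
    """Public vSwitch: 0.0.0.0/0 points to the IPv4 gateway. Otherwise private."""
    return {
        vsw: "public" if default_next_hop(routes) == "Ipv4Gateway" else "private"
        for vsw, routes in route_tables.items()
    }


def audit(vpc):
    """Return (severity, subject, message) findings to resolve before activation."""
    kinds = classify(vpc["route_tables"])
    findings = []
    for nat in vpc["nat_gateways"]:
        if nat["eip_bind_mode"] != "NAT":
            findings.append(("block", nat["id"],
                             "EipBindMode is not NAT; incompatible with an IPv4 gateway"))
        if kinds.get(nat["vswitch"]) != "public":
            findings.append(("error", nat["id"],
                             "NAT gateway is not deployed in a public vSwitch"))
    for inst in vpc["instances"]:
        vsw = inst["vswitch"]
        if kinds.get(vsw) == "public":
            continue  # reaches the Internet through the IPv4 gateway
        if inst["public_ip"]:
            findings.append(("warn", inst["id"],
                             "public IP in a private vSwitch gives no Internet access"))
        if default_next_hop(vpc["route_tables"].get(vsw, [])) != "NatGateway":
            findings.append(("warn", inst["id"],
                             "no 0.0.0.0/0 route to a NAT gateway; "
                             "loses Internet access on activation if it needs it"))
    return findings


if __name__ == "__main__":
    for vsw, kind in classify(VPC["route_tables"]).items():
        print(f"{vsw}: {kind}")
    for severity, subject, message in audit(VPC):
        print(f"[{severity}] {subject}: {message}")
```

Instances flagged with a public IP in a private vSwitch are the ones whose direct Internet path the IPv4 gateway closes, which makes the list a useful inventory of unmanaged public IPs before the change window.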


How it works

Control Internet access using an IPv4 gateway

After an IPv4 gateway is created and activated for a VPC, it centrally manages all Internet traffic. Configure a route for the vSwitch, pointing to the IPv4 gateway. This allows resources in the vSwitch to access the Internet. Go to the VPC details page to confirm the IPv4 Internet Access Mode is on.

Before an IPv4 gateway is activated, Internet traffic in the VPC is not affected. A brief network interruption may occur during activation as traffic paths are switched.

Delete IPv4 gateway

To delete an IPv4 gateway, you must disassociate the gateway route table. In the Actions column of the target IPv4 gateway, click Delete or call the DeleteIpv4Gateway operation. The deletion mode impacts how resources access the Internet.

  • Public mode: Automatically delete all routes that point to the IPv4 gateway. The VPC reverts to its initial state, where instances with a public IP regain internet access.

  • Private mode: Manually delete all routes that point to the IPv4 gateway first before deleting the IPv4 gateway. After deletion, all resources in the VPC lose internet access. To restore it, create a new IPv4 gateway and delete it in public mode.

    Important

    After you delete an IPv4 gateway in private mode, all resources in the VPC lose Internet access, regardless of whether they have a public IP address. Proceed with caution.


Centrally control Internet access

In some cases, business teams may assign public IPs to ECS instances, bypassing the central supervision. This hinders effective centralized management of Internet access by the operations team. Using the IPv4 gateway to centralize control of Internet traffic helps to reduce the security risks posed by decentralized access.

Console

  1. On the VPC console - IPv4 Gateway page, select the region where the VPC is deployed and click Create IPv4 Gateway.

  2. Create IPv4 Gateway: Select the VPC that requires centralized access.

  3. Activate IPv4 Gateway: Select the route table associated with the public vSwitch. The system automatically adds a 0.0.0.0/0 route that points to the IPv4 gateway. This enables resources with a public IP in the public vSwitch to access the Internet. If a route with a destination CIDR block of 0.0.0.0/0 already exists in the route table, click Activate Later. Manually change the route next hop to the IPv4 gateway before you activate it. After activation, the IPv4 gateway controls internet access for the VPC.

    • When an ECS instance uses a public IP associated with an Internet NAT gateway to access the Internet, you must deploy the ECS instance and the Internet NAT gateway in different vSwitches. In the route table for the NAT Gateway's vSwitch, configure a 0.0.0.0/0 route that points to the IPv4 gateway. In the route table for the vSwitch of the ECS instance, configure a route that points to the NAT Gateway.

    • If an ECS instance uses a static public IP or an associated EIP to access the Internet, add a 0.0.0.0/0 route that points to the IPv4 gateway.

API

  • Call CreateIpv4Gateway to create an IPv4 gateway.

  • Call EnableVpcIpv4Gateway to activate the IPv4 gateway. Set RouteTableList to the route table associated with the public vSwitch. If this parameter is not specified, you must call CreateRouteEntry to add a 0.0.0.0/0 route that points to the IPv4 gateway.

Terraform

If you activate an IPv4 gateway using Terraform, the system does not automatically add a 0.0.0.0/0 route pointing to the IPv4 gateway. You must configure the route manually.

Resource: alicloud_vpc, alicloud_vswitch, alicloud_vpc_ipv4_gateway, alicloud_route_table, alicloud_route_table_attachment, alicloud_vpc_route_entry, alicloud_instance, alicloud_security_group, alicloud_security_group_rule, alicloud_eip_address, alicloud_eip_association, alicloud_nat_gateway, alicloud_snat_entry
Data Sources: alicloud_zones
```hcl
# Specify the region where you want to create the IPv4 gateway.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically obtain the list of zones where vSwitches can be created based on the data source.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query the zones where resources can be created in the VPC.
}

# Create a VPC.
resource "alicloud_vpc" "example_vpc" {
  vpc_name   = "example_vpc_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block.
}

locals {
  # Define the vSwitch configurations.
  vswitches = {
    vsw1 = {
      name       = "example_vsw1_name"
      cidr_block = "10.0.0.0/24"
      zone_index = 0
    }
    vsw2 = {
      name       = "example_vsw2_name"
      cidr_block = "10.0.1.0/24"
      zone_index = 1
    }
    vsw3 = {
      name       = "example_vsw3_name"
      cidr_block = "10.0.2.0/24"
      zone_index = 0
    }
    vsw4 = {
      name       = "example_vsw4_name"
      cidr_block = "10.0.3.0/24"
      zone_index = 0
    }
  }

  # Define the route table configurations.
  route_tables = {
    rt1 = {
      name        = "example_rt1_name"
      vswitch_key = "vsw1"
    }
    rt2 = {
      name        = "example_rt2_name"
      vswitch_key = "vsw2"
    }
    rt3 = {
      name        = "example_rt3_name"
      vswitch_key = "vsw3"
    }
    rt4 = {
      name        = "example_rt4_name"
      vswitch_key = "vsw4"
    }
  }

  # Define the instance configurations.
  instances = {
    instance1 = {
      name        = "example_instance1_name"
      vswitch_key = "vsw1"
    }
    instance2 = {
      name        = "example_instance2_name"
      vswitch_key = "vsw3"
    }
    instance3 = {
      name        = "example_instance3_name"
      vswitch_key = "vsw4"
    }
  }

  # Define the EIP configurations.
  eips = {
    eip1 = {
      name = "example_eip1_name"
    }
    eip2 = {
      name = "example_eip2_name"
    }
  }

  # Define the SNAT entry configurations.
  snat_entries = {
    snat1 = {
      instance_key = "instance2"
    }
    snat2 = {
      instance_key = "instance3"
    }
  }
}

# Create multiple vSwitches.
resource "alicloud_vswitch" "example_vsw" {
  for_each     = local.vswitches
  vswitch_name = each.value.name
  cidr_block   = each.value.cidr_block
  vpc_id       = alicloud_vpc.example_vpc.id
  zone_id      = data.alicloud_zones.available_zones.zones[each.value.zone_index].id
}

# Create multiple custom route tables.
resource "alicloud_route_table" "example_route_table" {
  for_each         = local.route_tables
  route_table_name = each.value.name
  vpc_id           = alicloud_vpc.example_vpc.id
}

# Associate the route tables with the vSwitches.
resource "alicloud_route_table_attachment" "example_route_table_attachment" {
  for_each       = local.route_tables
  vswitch_id     = alicloud_vswitch.example_vsw[each.value.vswitch_key].id
  route_table_id = alicloud_route_table.example_route_table[each.key].id
}

# Specify the instance type.
variable "instance_type" {
  default = "ecs.e-c1m1.large"
}

# Specify the image ID.
variable "image_id" {
  default = "aliyun_3_x64_20G_alibase_20221102.vhd"
}

# Create a security group.
resource "alicloud_security_group" "example_security_group" {
  security_group_name = "example_security_group_name"
  vpc_id              = alicloud_vpc.example_vpc.id
}

# Create a security group rule. Modify the protocol and port number as needed.
resource "alicloud_security_group_rule" "allow_internet" {
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.example_security_group.id
  cidr_ip           = "0.0.0.0/0"
}

# Create multiple servers.
resource "alicloud_instance" "example_instance" {
  for_each             = local.instances
  instance_name        = each.value.name
  vswitch_id           = alicloud_vswitch.example_vsw[each.value.vswitch_key].id
  instance_type        = var.instance_type
  image_id             = var.image_id
  system_disk_category = "cloud_essd"
  security_groups      = [alicloud_security_group.example_security_group.id]
  instance_charge_type = "PostPaid"           # Specify the billing method as pay-as-you-go.
  spot_strategy        = "SpotWithPriceLimit" # Set the instance as a spot instance for which you can specify a maximum price.
}

# Create multiple EIPs.
resource "alicloud_eip_address" "example_eip" {
  for_each     = local.eips
  address_name = each.value.name
  isp          = "BGP"
  netmode      = "public"
  bandwidth    = "1"
  payment_type = "PayAsYouGo"
}

# Associate the ECS instance with an EIP.
resource "alicloud_eip_association" "example_eip_ecs_association" {
  allocation_id = alicloud_eip_address.example_eip["eip1"].id
  instance_type = "EcsInstance"
  instance_id   = alicloud_instance.example_instance["instance1"].id
}

# Create an Internet NAT gateway.
resource "alicloud_nat_gateway" "example_natgw" {
  nat_gateway_name = "example_natgw_name"
  vpc_id           = alicloud_vpc.example_vpc.id
  vswitch_id       = alicloud_vswitch.example_vsw["vsw2"].id
  nat_type         = "Enhanced"
  eip_bind_mode    = "NAT" # Specify the EIP association mode. The value must be NAT.
  payment_type     = "PayAsYouGo"
}

# Associate the EIP with the Internet NAT gateway.
resource "alicloud_eip_association" "example_eip_natgw_association" {
  allocation_id = alicloud_eip_address.example_eip["eip2"].id
  instance_type = "NAT"
  instance_id   = alicloud_nat_gateway.example_natgw.id
}

# Add a route that points to the NAT gateway.
resource "alicloud_route_entry" "example_rt3_route" {
  route_table_id        = alicloud_route_table.example_route_table["rt3"].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "NatGateway"
  nexthop_id            = alicloud_nat_gateway.example_natgw.id
}

# Add a route that points to the NAT gateway.
resource "alicloud_route_entry" "example_rt4_route" {
  route_table_id        = alicloud_route_table.example_route_table["rt4"].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "NatGateway"
  nexthop_id            = alicloud_nat_gateway.example_natgw.id
}

# Create an SNAT entry.
resource "alicloud_snat_entry" "example_snat_entry" {
  for_each      = local.snat_entries
  snat_table_id = alicloud_nat_gateway.example_natgw.snat_table_ids
  source_cidr   = alicloud_instance.example_instance[each.value.instance_key].primary_ip_address
  snat_ip       = alicloud_eip_address.example_eip["eip2"].ip_address
}

# Create an IPv4 gateway.
resource "alicloud_vpc_ipv4_gateway" "example_ipv4gw" {
  ipv4_gateway_name = "example_ipv4gw_name"
  vpc_id            = alicloud_vpc.example_vpc.id
  enabled           = true
}

# Add a route that points to the IPv4 gateway.
resource "alicloud_route_entry" "example_rt1_route" {
  route_table_id        = alicloud_route_table.example_route_table["rt1"].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.example_ipv4gw.id
}

# Add a route that points to the IPv4 gateway.
resource "alicloud_route_entry" "example_rt2_route" {
  route_table_id        = alicloud_route_table.example_route_table["rt2"].id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.example_ipv4gw.id
}
```

Use public CIDRs for private communication

By default, a VPC uses private CIDR blocks defined in RFC 1918, such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. When a VPC connects to an on-premises data center or another VPC that uses a non-standard private CIDR, for example, 30.0.0.0/16, traffic from resources with Internet access targeting this non-standard network will be routed through the Internet, rather than following a private route.

After you create and activate an IPv4 gateway, it centrally controls Internet access and forwards all traffic according to the route table. You must configure a 0.0.0.0/0 route that points to the gateway in the vSwitch to let resources access the Internet. Based on the longest prefix rule, traffic directed to ECS02 matches the more specific 30.0.0.0/16 route and is directed to the peer VPC.
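
The longest prefix rule described above can be reproduced offline to confirm which next hop a destination will take and to list every route that keeps public address space off the Internet. This Python sketch is an added example, not Alibaba Cloud code: the route table is constructed to mirror this page's 10.0.0.0/16 and 30.0.0.0/16 setup, and the next-hop label "Local" and the function names are assumptions of the example.

```python
"""Longest-prefix route resolution for a vSwitch route table (added example)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed route table for the vSwitch that must reach the peer VPC.
# "Local" is an assumed label for the VPC's own CIDR block.
ROUTES = [
    ("10.0.0.0/16", "Local"),
    ("30.0.0.0/16", "VpcPeer"),
    ("0.0.0.0/0", "Ipv4Gateway"),
]


def resolve(routes, dst):
    """Return (matched CIDR, next hop) for dst by longest prefix, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def public_space_routed_privately(routes):
    """List routes whose destination is outside RFC 1918 but bypasses the IPv4 gateway.

    Every address inside such a CIDR is sent to the private next hop, so the
    same range on the Internet is unreachable from this vSwitch. Each entry
    should correspond to a documented, intended exception.
    """
    hits = []
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0 or hop == "Ipv4Gateway":
            continue
        if not any(net.subnet_of(private) for private in RFC1918):
            hits.append((cidr, hop))
    return hits


if __name__ == "__main__":
    for dst in ("30.0.1.10", "10.0.1.5", "203.0.113.7"):
        print(dst, "->", resolve(ROUTES, dst))
    print("review:", public_space_routed_privately(ROUTES))
```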


Console

  1. Go to the VPC console - IPv4 Gateway page. Select the region where the VPC is deployed and click Create IPv4 Gateway.

  2. Create IPv4 Gateway: Select the VPC that requires access to the non-standard private CIDR block.

  3. Activate IPv4 Gateway: Select the route table associated with the vSwitch that needs to access the non-standard private CIDR block. The system automatically adds a 0.0.0.0/0 route that points to the IPv4 gateway. This lets resources in the vSwitch access the non-standard private CIDR block.

    • Make sure that the associated route table does not have a route whose destination CIDR is 0.0.0.0/0. If such a route exists, click Activate Later, delete the route, and activate the IPv4 gateway.

    • After activation, the IPv4 gateway centrally controls Internet-bound traffic, and all traffic is forwarded according to the route table.

API

  • Call CreateIpv4Gateway to create an IPv4 gateway.

  • Call EnableVpcIpv4Gateway to activate the IPv4 gateway. Set RouteTableList to the route table associated with the public vSwitch. If this parameter is not specified, call CreateRouteEntry to add a 0.0.0.0/0 route that points to the IPv4 gateway.

Terraform

If you activate an IPv4 gateway using Terraform, the system does not automatically add a 0.0.0.0/0 route that points to the IPv4 gateway. You must configure the route manually.

Resource: alicloud_vpc, alicloud_vswitch, alicloud_vpc_ipv4_gateway, alicloud_route_table, alicloud_route_table_attachment, alicloud_vpc_route_entry, alicloud_instance, alicloud_security_group, alicloud_security_group_rule, alicloud_eip_address, alicloud_eip_association, alicloud_vpc_peer_connection
Data Sources: alicloud_zones
In this example, the VPCs in the peering connection belong to the same account. When creating a cross-account peering connection, you must also create an alicloud_vpc_peer_connection_accepter to ensure that the peer account accepts the request.
```hcl
# Specify the region where you want to create the IPv4 gateway.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Automatically obtain the list of zones where vSwitches can be created based on the data source.
data "alicloud_zones" "available_zones" {
  available_resource_creation = "VSwitch" # Query the zones where resources can be created in the VPC.
}

# Specify the instance type.
variable "instance_type" {
  default = "ecs.e-c1m1.large"
}

# Specify the image ID.
variable "image_id" {
  default = "aliyun_3_x64_20G_alibase_20221102.vhd"
}

# Create a VPC.
resource "alicloud_vpc" "example_vpc1" {
  vpc_name   = "example_vpc1_name"
  cidr_block = "10.0.0.0/16" # Specify the CIDR block.
}

# Create a VPC.
resource "alicloud_vpc" "example_vpc2" {
  vpc_name   = "example_vpc2_name"
  cidr_block = "30.0.0.0/16" # Specify the CIDR block.
}

# Create a vSwitch.
resource "alicloud_vswitch" "example_vsw1" {
  vswitch_name = "example_vsw1_name"
  cidr_block   = "10.0.1.0/24"
  vpc_id       = alicloud_vpc.example_vpc1.id
  zone_id      = data.alicloud_zones.available_zones.zones.0.id
}

# Create a vSwitch.
resource "alicloud_vswitch" "example_vsw2" {
  vswitch_name = "example_vsw2_name"
  cidr_block   = "30.0.1.0/24"
  vpc_id       = alicloud_vpc.example_vpc2.id
  zone_id      = data.alicloud_zones.available_zones.zones.1.id
}

# Create a security group.
resource "alicloud_security_group" "example_security_group1" {
  security_group_name = "example_security_group1_name"
  vpc_id              = alicloud_vpc.example_vpc1.id
}

# Create a security group rule. Modify the protocol and port number as needed.
resource "alicloud_security_group_rule" "allow_internet1" {
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.example_security_group1.id
  cidr_ip           = "0.0.0.0/0"
}

# Create a security group.
resource "alicloud_security_group" "example_security_group2" {
  security_group_name = "example_security_group2_name"
  vpc_id              = alicloud_vpc.example_vpc2.id
}

# Create a security group rule. Modify the protocol and port number as needed.
resource "alicloud_security_group_rule" "allow_internet2" {
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.example_security_group2.id
  cidr_ip           = "0.0.0.0/0"
}

# Create an ECS instance.
resource "alicloud_instance" "example_instance1" {
  instance_name        = "example_instance1_name"
  vswitch_id           = alicloud_vswitch.example_vsw1.id
  instance_type        = var.instance_type
  image_id             = var.image_id
  system_disk_category = "cloud_essd"
  security_groups      = [alicloud_security_group.example_security_group1.id]
  instance_charge_type = "PostPaid"
  spot_strategy        = "SpotWithPriceLimit"
}

# Create an EIP.
resource "alicloud_eip_address" "example_eip" {
  address_name = "example_eip_name"
  isp          = "BGP"
  netmode      = "public"
  bandwidth    = "1"
  payment_type = "PayAsYouGo"
}

# Associate the ECS instance with an EIP.
resource "alicloud_eip_association" "example_eip_ecs_association" {
  allocation_id = alicloud_eip_address.example_eip.id
  instance_type = "EcsInstance"
  instance_id   = alicloud_instance.example_instance1.id
}

# Create an ECS instance.
resource "alicloud_instance" "example_instance2" {
  instance_name        = "example_instance2_name"
  vswitch_id           = alicloud_vswitch.example_vsw2.id
  instance_type        = var.instance_type
  image_id             = var.image_id
  system_disk_category = "cloud_essd"
  security_groups      = [alicloud_security_group.example_security_group2.id]
  instance_charge_type = "PostPaid"
  spot_strategy        = "SpotWithPriceLimit"
}

# Create a custom route table.
resource "alicloud_route_table" "example_route_table1" {
  route_table_name = "example_route_table1_name"
  vpc_id           = alicloud_vpc.example_vpc1.id
}

# Associate the route table with the vSwitch.
resource "alicloud_route_table_attachment" "example_route_table_attachment1" {
  vswitch_id     = alicloud_vswitch.example_vsw1.id
  route_table_id = alicloud_route_table.example_route_table1.id
}

# Create a custom route table.
resource "alicloud_route_table" "example_route_table2" {
  route_table_name = "example_route_table2_name"
  vpc_id           = alicloud_vpc.example_vpc2.id
}

# Associate the route table with the vSwitch.
resource "alicloud_route_table_attachment" "example_route_table_attachment2" {
  vswitch_id     = alicloud_vswitch.example_vsw2.id
  route_table_id = alicloud_route_table.example_route_table2.id
}

# Create a VPC peering connection.
resource "alicloud_vpc_peer_connection" "example_vpc_peer" {
  peer_connection_name = "example_vpc_peer_name"
  vpc_id               = alicloud_vpc.example_vpc1.id
  # The ID of the account to which the peer VPC belongs. In this example, a same-account
  # VPC peering connection is created. If you create a cross-account peering connection,
  # you must create an alicloud_vpc_peer_connection_accepter to make sure that the peer
  # account accepts the VPC peering connection request.
  accepting_ali_uid    = "1234****"
  accepting_region_id  = "cn-hangzhou"
  accepting_vpc_id     = alicloud_vpc.example_vpc2.id
}

# Configure a route for the peering connection.
resource "alicloud_route_entry" "example_peer_route1" {
  route_table_id        = alicloud_route_table.example_route_table1.id
  destination_cidrblock = "30.0.0.0/16"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.example_vpc_peer.id
}

# Configure a route for the peering connection.
resource "alicloud_route_entry" "example_peer_route2" {
  route_table_id        = alicloud_route_table.example_route_table2.id
  destination_cidrblock = "10.0.0.0/16"
  nexthop_type          = "VpcPeer"
  nexthop_id            = alicloud_vpc_peer_connection.example_vpc_peer.id
}

# Create an IPv4 gateway.
resource "alicloud_vpc_ipv4_gateway" "example_ipv4gw" {
  ipv4_gateway_name = "example_ipv4gw_name"
  vpc_id            = alicloud_vpc.example_vpc1.id
  enabled           = true
}

# Add a route that points to the IPv4 gateway.
resource "alicloud_route_entry" "example_igw_route" {
  route_table_id        = alicloud_route_table.example_route_table1.id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.example_ipv4gw.id
}
```

Redirect traffic to a third-party security device

An IPv4 gateway centrally controls outbound Internet traffic only. To inspect inbound Internet traffic, use a gateway route table attached to the IPv4 gateway to redirect that traffic to a security device for inspection and filtering. This helps prevent malicious attacks and unauthorized access. You can also use a custom route table to redirect outbound traffic to the same security device for comprehensive security protection.

An IPv4 gateway can be associated only with a gateway route table, which is a type of route table for border gateways. Each VPC supports only one IPv4 gateway and one gateway route table. The two are bound in a one-to-one manner.

Single-point architecture


GWLB high availability architecture

In a single-point architecture, the failure of a security device disrupts the availability of your business system. Use a Gateway Load Balancer (GWLB) to deploy security devices in a highly available manner and eliminate single points of failure.


Inbound IPv4 Internet traffic

  1. IPv4 traffic enters the business VPC through the IPv4 gateway.

  2. The traffic is sent to the GWLB endpoint (GWLBe), directed by the gateway route table.

  3. The GWLBe forwards the traffic to the GWLB, which forwards the traffic to the security device.

  4. After the security device completes the check, the traffic is returned to the GWLB and then to the GWLBe through PrivateLink.

  5. The traffic is sent to the business server based on the configured route table.

Outbound IPv4 Internet traffic

  1. The traffic is sent to the GWLBe based on the configured route table.

  2. The GWLBe forwards the traffic to the GWLB, which forwards the traffic to the security device.

  3. After the security device completes the check, the traffic is returned to the GWLB and then to the GWLBe through PrivateLink.

  4. The traffic is sent to the IPv4 gateway based on the configured route table.

  5. The IPv4 gateway routes the traffic to the Internet.

Console

Attach a gateway route table

On the details page of the IPv4 gateway, click Bind. Alternatively, on the Associated Border Gateway tab of the details page of the target gateway route table, click Associate Border Gateway and select the target IPv4 gateway.

Detach a gateway route table

On the details page of the target IPv4 gateway, or on the Associated Border Gateway tab of the gateway route table, click Disassociate.

API

Terraform

Resource: alicloud_vpc_gateway_route_table_attachment
```hcl
# Specify the region where the IPv4 gateway is deployed.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the ID of the IPv4 gateway.
variable "ipv4_gateway_id" {
  default = "ipv4gw-hp3v******" # Replace the value with the actual ID of the IPv4 gateway.
}

# Specify the ID of the gateway route table.
variable "route_table_id" {
  default = "vtb-hp3w******" # Replace the value with the actual ID of the gateway route table.
}

# Attach the gateway route table.
resource "alicloud_vpc_gateway_route_table_attachment" "example_attachment" {
  ipv4_gateway_id = var.ipv4_gateway_id
  route_table_id  = var.route_table_id
}
```

More information

Limits

  • A VPC can have only one IPv4 gateway, and an IPv4 gateway can be associated with only one VPC.

  • You cannot create an IPv4 gateway if there are resources in cut-through mode in the VPC.

    For example, if the EIP association mode of an Internet NAT gateway is set to the multi-EIP-to-ENI mode, the Internet NAT gateway is incompatible with an IPv4 gateway. You must call the ModifyNatGatewayAttribute operation to change the EipBindMode to NAT mode to ensure compatibility.

  • In a shared VPC scenario, the resource owner can create, modify, or delete an IPv4 gateway, but the resource user does not have the permissions to perform these operations.

  • When you attach an EIP or an Anycast EIP to a private-facing Classic Load Balancer (CLB) instance, the returned traffic from the Internet is not managed by the IPv4 gateway.

Billing

There is no additional charge for IPv4 gateways.

Data transfer fees are charged for public IPs, such as EIPs or static public IPs of ECS or CLB instances. For more information, see the billing documentation for the related products.

Supported regions

| Area | Regions |
| --- | --- |
| Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region) |
| Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
| Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico |
| Middle East | UAE (Dubai) and SAU (Riyadh - Partner Region) |

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Quotas

| Quota name | Description | Default limit | Increase quota |
| --- | --- | --- | --- |
| None | The number of IPv4 gateways supported by a VPC. | 1 | Cannot be increased. |
| None | The number of gateway route tables supported by an IPv4 gateway. | 1 | Cannot be increased. |