The Managed Network Address Translation (NAT) gateway allows VMs inside a Virtual Data Center (VDC) to access the internet without requiring a public network interface.

The NAT gateway can act as a default gateway for private networks allowing VMs to initiate connections to the internet and receive a response (Source NAT or SNAT). The gateway ensures not to receive inbound connections initiated from the internet (Destination NAT or DNAT) and the VMs are “hidden”; hence protecting from being exposed to the internet threats.

Using a NAT gateway increases security, simplifies the VDC architecture, requires only one public IP address, and has a fully managed service. For example, a NAT gateway can be used to connect private VMs to public repositories, for software updates, or to NTP (Network Time Protocol) servers. You can use the Backup Service for private VMs. In this case, the VM does not need to publish any service to the Internet, but only needs to consume services from the Internet. Furthermore, the NAT gateway can be configured only to allow access to specific and trusted internet services, protecting the application from malicious public endpoints.


NAT Gateway provides the following features:

  • Supported protocols: Supports TCP, UDP, ICMP, and up to six private networks per NAT gateway.

  • Scalability: NAT Gateway is highly scalable, allowing you to accommodate increasing traffic demands as your network grows.

  • High Availability: Refers to the ability of the NAT Gateway service to handle increased traffic and provide reliable and consistent performance, even in the event of a single component failure. It is handled with multiple NAT Gateways deployed across multiple Availability Zones in a region.

  • Advanced NAT Configuration: NAT Gateway offers:

    • Multiple public IP addresses and SNAT rules per NAT gateway.

    • Multiple NAT Gateways per VDC.

    • Individual configuration of multiple NAT rules per listener.

  • Resource Limit: Default resource limit for NAT gateway is set to five per account. If more resource is required, contact IONOS Cloud Support.

Routing tables

The routing table must be modified for private VMs to send traffic to the NAT gateway. The default route must point to the NAT gateway or, if this is not possible, a dedicated route must be created for every service or target to be consumed from the Internet.


If DNS on a VM, which has the default route defined to use the SourceNAT gateway, is required, you must ensure that proper SNAT rules for UDP are in place. Failing to do so may result in the default DNS resolution not working.

Maintenance Window

The Managed NAT Gateway will be regularly maintained by IONOS and updated with the latest software versions and new features. IONOS reserves a weekly maintenance window which it can use for regular updates. It is scheduled every Monday between 02:00 - 04:00 am local time of the data center in which the Managed NAT Gateway service is deployed. During maintenance, a service interruption of up to 5 seconds may occur. Aside from that service interruption, no further service impact is anticipated, and the Managed NAT Gateway will continue to operate within its service description and configuration.

Additional update deployments may be possible and carried out outside the maintenance window, for example, in the case of urgent security patches.


Only private LANs can be connected to the Managed NAT Gateway. The Managed NAT Gateway cannot be connected to a public LAN. Furthermore, changing a LAN attribute from "private" to "public" is not possible if the LAN is connected to a Managed NAT Gateway.

Last updated