How to Create a NAT Gateway Subscription Firewall Rule

Updated on 05 February, 2026

Learn how to add NAT Gateway firewall rules for ports and protocols in Vultr.


NAT Gateway firewall rules control which traffic is permitted or denied through the gateway. Rules can restrict traffic by IP protocol, port number, and source subnet to enforce least-privilege access policies. A port forwarding rule for the same port must already exist before you can create a firewall rule for it.

Follow this guide to create a NAT Gateway subscription firewall rule using the Vultr Customer Portal or API.

  • Vultr Customer Portal
  • Vultr API
  Vultr Customer Portal

  1. Navigate to Products, expand the Network drop-down and select VPC Networks.

  2. Select your target VPC Network with NAT Gateway connectivity.

  3. Scroll to the NAT Firewall section.

  4. Click Add Firewall Rule.

    Note
    If no firewall rules exist, the Add Firewall Rule button appears in the center of the section. Once rules are created, the button moves to the top right corner with a + icon.

    A panel opens with the following configuration options:

    • Protocol: Select the network protocol from the dropdown:
      • TCP: For TCP-based traffic.
      • UDP: For UDP-based traffic.
    • Subnet: Enter the source subnet in CIDR notation (e.g., 0.0.0.0 to allow all IPv4 addresses).
    • Subnet Size: Enter the subnet mask size (use 0 with 0.0.0.0 to allow all addresses, or specify a value like 24 for restricted subnets).
    • Port / Range: Enter the destination port or port range:
      • Single port: 443, 22
      • Port range: 8000:8002
    • Note (optional): Add a description for the rule.
  5. Click Save Changes.

  Vultr API

  1. Send a GET request to the List VPCs endpoint to retrieve available VPCs.

    $ curl "https://api.vultr.com/v2/vpcs" \
        -X GET \
        -H "Authorization: Bearer ${VULTR_API_KEY}"
    

    The output displays all VPCs in your account. Note the id field for the target VPC.

  2. Send a GET request to the List NAT Gateway subscriptions endpoint to retrieve the gateway ID. Replace VPC_ID with the ID from the previous step.

    $ curl "https://api.vultr.com/v2/vpcs/VPC_ID/nat-gateway" \
        -X GET \
        -H "Authorization: Bearer ${VULTR_API_KEY}"
    

    The output displays NAT Gateway subscriptions for the VPC. Note the id field for the target gateway.

  3. Verify a port forwarding rule exists for the target port. Send a GET request to the List NAT Gateway Port Forwarding Rules endpoint. Replace VPC_ID and NAT_GATEWAY_ID with your values.

    $ curl "https://api.vultr.com/v2/vpcs/VPC_ID/nat-gateway/NAT_GATEWAY_ID/global/port-forwarding-rules" \
        -X GET \
        -H "Authorization: Bearer ${VULTR_API_KEY}"
    

    The output displays existing port forwarding rules. Verify a rule exists for your target port. If no rule exists, create one before proceeding.

    Note
    Firewall rules cannot be created for ports without an associated port forwarding rule.
  4. Send a POST request to the Create NAT Gateway Firewall Rule endpoint. Replace VPC_ID and NAT_GATEWAY_ID with your values.

    $ curl "https://api.vultr.com/v2/vpcs/VPC_ID/nat-gateway/NAT_GATEWAY_ID/global/firewall-rules" \
        -X POST \
        -H "Authorization: Bearer ${VULTR_API_KEY}" \
        -H "Content-Type: application/json" \
        --data '{
            "protocol": "tcp",
            "port": "443",
            "subnet": "0.0.0.0",
            "subnet_size": 0,
            "notes": "Allow HTTPS traffic"
        }'
    

    Replace the field values as follows:

    • protocol: Specify tcp or udp.
    • port: Specify the destination port or port range.
      • Single port: "443", "22"
      • Port range: "8000:8002"
    • subnet: Specify the source subnet in CIDR notation (use 0.0.0.0 to allow all IPv4 addresses).
    • subnet_size: Enter the subnet mask size (use 0 with 0.0.0.0 to allow all addresses, or specify a value like 24 for restricted subnets).
    • notes: Provide a description for the rule.

    The output displays the created firewall rule with an automatically assigned id and action field set to accept.
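
A pre-flight check for steps 3 and 4, added here as an example and not part of Vultr's documentation or tooling: it splits a CIDR string into the subnet and subnet_size fields, refuses an any-source rule unless that is requested explicitly, and confirms the port is forwarded. The function names, the forwarded_ports set (ports you read from the step 3 output) and the sample values are assumptions, as is treating every port in a range as needing a forwarding rule.

```python
import ipaddress
import json
import re

PORT_SPEC = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # "443" or "8000:8002"

def parse_ports(spec):
    """Return (low, high) for a single port or a low:high range."""
    m = PORT_SPEC.match(spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2) or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range or reversed: {spec!r}")
    return low, high

def build_firewall_rule(protocol, port, source_cidr, notes,
                        forwarded_ports, allow_any_source=False):
    """Validate a rule and return the JSON body fields for the step 4 POST."""
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    low, high = parse_ports(port)
    # Assumption: every port in a range needs its own forwarding coverage.
    missing = [p for p in range(low, high + 1) if p not in forwarded_ports]
    if missing:
        raise ValueError(f"no port forwarding rule for port(s): {missing}")
    # Strict parsing rejects host bits, e.g. 203.0.113.5/24.
    net = ipaddress.IPv4Network(source_cidr)
    if net.prefixlen == 0 and not allow_any_source:
        raise ValueError("0.0.0.0/0 admits every IPv4 source; "
                         "pass allow_any_source=True if that is intended")
    return {"protocol": protocol, "port": port,
            "subnet": str(net.network_address),
            "subnet_size": net.prefixlen, "notes": notes}

if __name__ == "__main__":
    # Constructed sample: ports seen in the step 3 output, and an
    # RFC 5737 documentation range standing in for an office network.
    forwarded = {22, 443}
    rule = build_firewall_rule("tcp", "443", "203.0.113.0/24",
                               "Allow HTTPS from office", forwarded)
    print(json.dumps(rule, indent=4))  # paste as the curl --data body
```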
