Latest Content

How to Create a NAT Gateway Port Forwarding Rule

Updated on 05 February, 2026

Learn how to forward ports through a Vultr NAT Gateway using portal or API.

Port forwarding rules allow external traffic to reach specific services on private instances through the NAT Gateway. Configure the external port, internal destination IP, and protocol to enable controlled access for services like SSH, web servers, or custom applications.

Follow this guide to create a NAT Gateway subscription port forwarding rule using the Vultr Customer Portal or API.

  • Vultr Customer Portal
  • Vultr API

  1. Navigate to Products, expand the Network drop-down and select VPC Networks.

  2. Select your target VPC Network with NAT Gateway connectivity.

  3. Scroll to the NAT Port Forwarding section.

  4. Click Add Forwarding Rule.

    Note
    If no port forwarding rules exist, the Add Forwarding Rule button appears in the center of the section. Once rules are created, the button moves to the top right corner with a + icon.

    A panel opens with the following configuration options:

    • Rule Name: Enter a descriptive name to identify the forwarding rule.
    • Protocol: Select the network protocol:
      • TCP: For TCP-based services.
      • UDP: For UDP-based services.
      • Both: To forward both TCP and UDP traffic on the same ports.
    • External Port: Enter the port number on the NAT Gateway's public IP that receives incoming traffic.
    • Internal IP: Enter the private IP address of the target instance within the VPC.
    • Internal Port: Enter the port number on the target instance to forward traffic to.
    • Note (optional): Add a description or note for the rule.

  5. Click Save Changes.

The port forwarding rule applies immediately. Traffic sent to the NAT Gateway's public IP on the external port now forwards to the specified internal instance.

  1. Send a GET request to the List VPCs endpoint to retrieve available VPCs.

    console 
    $ curl "https://api.vultr.com/v2/vpcs" \
    -X GET \
    -H "Authorization: Bearer ${VULTR_API_KEY}"

    The output displays all VPCs in your account. Note the id field for the target VPC.

  2. Send a GET request to the List NAT Gateway subscriptions endpoint to retrieve the gateway ID. Replace VPC_ID with the ID from the previous step.

    console 
    $ curl "https://api.vultr.com/v2/vpcs/VPC_ID/nat-gateway" \
    -X GET \
    -H "Authorization: Bearer ${VULTR_API_KEY}"

    The output displays NAT Gateway subscriptions for the VPC. Note the id field for the target gateway.

  3. Send a POST request to the Create NAT Gateway Port Forwarding Rule endpoint. Replace VPC_ID and NAT_GATEWAY_ID with your values. Specify the rule name, protocol (tcp, udp, or both), external port, internal IP address, internal port, and whether the rule is enabled.

    console 
    $ curl "https://api.vultr.com/v2/vpcs/VPC_ID/nat-gateway/NAT_GATEWAY_ID/global/port-forwarding-rules" \
    -X POST \
    -H "Authorization: Bearer ${VULTR_API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{
        "name": "ssh-to-webserver",
        "protocol": "tcp",
        "external_port": 2222,
        "internal_ip": "10.0.0.10",
        "internal_port": 22,
        "enabled": true,
        "description": "SSH access to web server"
    }'

    Verify that the response contains the created port forwarding rule with its unique ID, configuration details, and timestamps. Traffic sent to the NAT Gateway's public IP on port 2222 now forwards to the internal instance at 10.0.0.10 on port 22.

Comments