diff --git a/dist/images/install.sh b/dist/images/install.sh
index ac21ae47631..50573c3ec5f 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -246,6 +246,10 @@ spec:
                   type: string
                 vpc:
                   type: string
+                selector:
+                  type: array
+                  items:
+                    type: string
       subresources:
         status: {}
   conversion:
diff --git a/docs/vpc.md b/docs/vpc.md
index 8e6fcc1499c..c288ab23e41 100644
--- a/docs/vpc.md
+++ b/docs/vpc.md
@@ -163,6 +163,9 @@ spec:
   snatRules:
     - eip: 192.168.0.112
       internalCIDR: 10.0.1.0/24
+  selector:                        # NodeSelector for vpc-nat-gw pod, the item of array should be string type with key:value format
+    - "kubernetes.io/hostname: kube-ovn-worker"
+    - "kubernetes.io/os: linux"
 ```
 
 3. Add static route to VPC
diff --git a/pkg/apis/kubeovn/v1/types.go b/pkg/apis/kubeovn/v1/types.go
index 85dc76a40ed..00c52932977 100644
--- a/pkg/apis/kubeovn/v1/types.go
+++ b/pkg/apis/kubeovn/v1/types.go
@@ -425,6 +425,7 @@ type VpcNatSpec struct {
 	Vpc             string            `json:"vpc"`
 	Subnet          string            `json:"subnet"`
 	LanIp           string            `json:"lanIp"`
+	Selector        []string          `json:"selector"`
 	Eips            []*Eip            `json:"eips,omitempty"`
 	FloatingIpRules []*FloutingIpRule `json:"floatingIpRules,omitempty"`
 	DnatRules       []*DnatRule       `json:"dnatRules,omitempty"`
diff --git a/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go b/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go
index 27c2dc3eaa9..da40c244dba 100644
--- a/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/kubeovn/v1/zz_generated.deepcopy.go
@@ -977,6 +977,11 @@ func (in *VpcNatGatewayList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VpcNatSpec) DeepCopyInto(out *VpcNatSpec) {
 	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Eips != nil {
 		in, out := &in.Eips, &out.Eips
 		*out = make([]*Eip, len(*in))
diff --git a/pkg/controller/vpc_nat_gateway.go b/pkg/controller/vpc_nat_gateway.go
index e17d1b220c5..7f4960f9e54 100644
--- a/pkg/controller/vpc_nat_gateway.go
+++ b/pkg/controller/vpc_nat_gateway.go
@@ -715,6 +715,16 @@ func (c *Controller) genNatGwDeployment(gw *kubeovnv1.VpcNatGateway) (dp *v1.Dep
 		util.IpAddressAnnotation:         gw.Spec.LanIp,
 	}
 
+	selectors := make(map[string]string)
+	for _, v := range gw.Spec.Selector {
+		parts := strings.Split(strings.TrimSpace(v), ":")
+		if len(parts) != 2 {
+			continue
+		}
+		selectors[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
+	}
+	klog.V(3).Infof("prepare for vpc nat gateway pod, node selector: %v", selectors)
+
 	dp = &v1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -743,6 +753,7 @@ func (c *Controller) genNatGwDeployment(gw *kubeovnv1.VpcNatGateway) (dp *v1.Dep
 							},
 						},
 					},
+					NodeSelector: selectors,
 				},
 			},
 			Strategy: v1.DeploymentStrategy{
diff --git a/yamls/crd.yaml b/yamls/crd.yaml
index 42d54541168..e8d23fbc4d5 100644
--- a/yamls/crd.yaml
+++ b/yamls/crd.yaml
@@ -560,6 +560,10 @@ spec:
                   type: string
                 vpc:
                   type: string
+                selector:
+                  type: array
+                  items:
+                    type: string
       subresources:
         status: {}
   conversion: