This section explains the NAT feature on Avi Load Balancer Service Engine.

When new application servers are deployed, the servers need external connectivity for manageability.

In the absence of a router in the server networks, the Avi Load Balancer SE can be used for routing the traffic of server networks by using the IP routing feature of Service Engines. Also, you need NAT functionality in the SE to use a NAT gateway for the entire private network of servers.

Note:

This feature is not supported for IPv6.

NAT will function in the post-routing phase of the packet path in the SE. It is recommended to check the SE default gateway (IP routing on Service Engine) feature. For more information, see Default Gateway (IP Routing on NSX Advanced Load Balancer SE).

Enabling IP routing on Service Engine and using the SE as the gateway is a necessary prerequisite to use the outbound NAT feature. Hence all necessary requirements for enabling IP routing on the Service engine is also applicable to the outbound NAT feature.

Note:

Outbound NAT is supported for TCP/ UDP, and ICMP flows.

NAT Guidelines

NAT is VRF-aware and must be programmed per SE group using a network service of Routing Service type. For more information, see Network Service Configuration.

NAT/ IP routing is supported on two-armed, no-access configurations of Linux server clouds and VMware clouds.

Avi Load Balancer supports NAT for VMware Cloud deployments in write access mode. For this feature to work on VMware write access clouds, at least one virtual service must be configured with the following configurations:

  • One arm (in the two-arm mode deployment) must be placed in the back end network. For this network, the SE acts as the default gateway.

  • The other arm is placed in the desired front end network.

  • The SE group of the network service must be in legacy HA (active/ standby).

  • The routing service must have enabled the routing set.

  • NAT functionality is done by Service Engine IP stack, so the routing_by_linux_ipstack attribute of Routing Service must be set to False.

  • Only DPDK-based SEs are allowed.

  • On VMware write access mode, the virtual service must be created. This virtual service creates the required Service Engines.

  • NAT IP of a NAT Rule cannot be the same as any interface IP present in the VRF. Such NAT IP will be ignored.

  • NAT IP is configured on an interface as a secondary IP. Hence different Service Engine groups can not share a NAT IP in a given VRF.

NAT Service

The diagrammatic representation of NAT service traffic initiated from inside to outside is as follows:



The flow details mentioned in the diagrammatic representation of NAT service traffic is from 1 to 8. The details of the flow are as follows:

Flow Count

Description

1

The server ARP's for DG and gets MAC-A. The server sends IP packet to MAC-A. [S:IP-SX, D:IP-Ext]

2

Service Engine creates a NAT entry since this is a new flow, does NAT of src-IP and sport and sends packet to router (MAC-R). [S:SE-NIP, D:IP-Ext]

3

Router uses internet routing to forward to Ext. [S:SE-NIP, D:IP-Ext]

4

Ext receives the packet sent by SX. [S:SE-NIP, D:IP-Ext]

5

Packet received by destination. [S:IP-Ext, D:SE-NIP]

6

Router ARP's for SE-NIP and SE-Active responds to ARP. [S:IP-Ext, D:SE-NIP]

7

SE looks up NAT flow table and based on the match, it changes the dst-IP:port to real server IP port. [S:IP-Ext, D:IP-SX]

8

SE does IP routing and sends packet to MAC-SX. [S:IP-Ext, D:IP-SX]
Note:

  • The router acts as a front end floating IP for the SE group. SE backend network is not routable on the front end.

  • In the floating IP, the back end network is not routable on the front end.

NAT requires the following configurations at various points in the network:

  • On the Avi Load Balancer Controller, you can Enable IP Routing in the Service Engine group (only Legacy HA) in Advanced tab configuration.

  • On the front end router, configure static routes to the back end server networks with the next-hop as floating IP in the front end network.

  • On the back end router, configure the SE’s floating IP in the back end server network as the default gateway.

Configuring NAT Policy using UI

The following are the steps to configure NAT policy:

  1. Navigate to Template > Policies > NAT Policy. Click CREATE.



  2. Specify the name of the NAT policy.

  3. Check Enable Rule box.

  4. Specify the Destination and Source IP address in the Match tab.

  5. Under the Action tab, select the Type.

    Dynamic IP and Port:

    This option helps Source IP NAT with Port-Address Translation for packets originating from the Internal Network. This applies to TCP, UDP, and ICMP protocol packets.

    Dynamic IP and Preserve Port

    This option (supported from Avi Load Balancer Controller version 22.1.6) helps in preserving the source-port of packet coming from Internal Network. So, this action does only Source NAT of the IP without doing the Port-Address Translation.



    Note:

    The Dynamic IP and Preserve Port Action Type is applicable only for matching rules, specifically for UDP traffic.

  6. Click Save after specifying the necessary details.

Configuring NAT Policy using CLI

You can configure NAT policy as follows:

  1. Assume 10.100.0.78 is the destination-IP on which the server is trying to reach, 10.100.0.26 is the NAT IP. This IP is owned by Service Engine. Note that the NAT IP has to be configured as a static route on the front end router with next-hop as front-end floating-interface-ip (10.100.0.2) of the SE.

    configure natpolicy nat-policy-default-group-global
    rules index 1
        enable
        name rule1
        match
              source_ip match_criteria is_in
                    addrs 192.168.100.21
                    ranges begin 192.168.100.2 end 192.168.100.10
                    save
                    prefixes 192.168.100.1/24
                    save
              destination_ip match_criteria is_in
                    addrs 10.100.0.78
                    save
              services
                    destination_port match_criteria is_in
                         ports 80
                         ports 443
                    save
                    source_port match_criteria is_not_in
                         ports 800
                    save
              save
      save
      action
         type nat_policy_action_type_dynamic_ip_port
          nat_info
              nat_ip 10.100.0.26
              save
        save
    save
save

    Assume that the Service Engine Group name is set to DefaultGroup with SE-interfaces present in VRF global.

  2. Create a NetworkService that has a NAT policy.

    configure networkservice nat-policy-default-group-global
      vrf_ref global
      se_group_ref Default-Group
      service_type routing_service
       routing_service
            enable_routing
            nat_policy_ref nat-policy-default-group-global
       save
save

  3. Configure ServiceEngineGroup in Legacy-HA and EnableRouting with floating interface IP, as mentioned. For more information, see Default Gateway (IP Routing on NSX Advanced Load Balancer SE).

Note:

  • If explicit destination_port or source_portmatch_criteria are not specified by default, then all the ports in the range 1-65535 are allowed.

  • For explicit match-criterion configuration, in the case of both destination_port and source_port match criteria, a maximum of eight port configurations are allowed.

Outbound NAT Use Case

The following are the available debugging commands to get the information of the NAT flows/ statistics:

[admin:localhost.localdomain]: > show serviceengine Active_Standby-se-xyjud nat
nat-flows             Show NAT flow information
natpolicystats        show NAT policy stats
natstat               Show NAT statistics
Note:

The statistics are available using CLI.

Default Gateway in OpenStack with Outbound NAT

Starting with Avi Load Balancer version 30.2.1, default gateway functionality for outbound NAT is supported in no-orchestrator OpenStack clouds. You can add a NAT rule under the corresponding NAT policy with any of the following prefix in the name to enable the feature:

  • natwithpreservedport

  • nat_with_preserved_port

  • nat-with-preserved-port

  • nat_with_preserved_port_rule0

  • nat_with-preserved-port_rule1

For instance, for Avi Load Balancer NAT policy, you can use the following CLI to add NAT rule:

+----------------------+------------------------------------------------+
| Field                | Value                                          |
+----------------------+------------------------------------------------+
| uuid                 | natpolicy-b23ee19e-9d27-45cc-af42-f97ab45784d4 |
| name                 | outbound-nat-dg                                |
| rules[1]             |                                                |
|   name               | natwithpreservedport_sample1                   |
|   index              | 1                                              |
|   enable             | True                                           |
|   match              |                                                |
|     source_ip        |                                                |
|       match_criteria | IS_IN                                          |
|       prefixes[1]    | 192.168.30.0/24                                |
|     destination_ip   |                                                |
|       match_criteria | IS_IN                                          |
|       prefixes[1]    | 0.0.0.0/0                                      |
|   action             |                                                |
|     type             | NAT_POLICY_ACTION_TYPE_DYNAMIC_IP_PORT         |
|     nat_info[1]      |                                                |
|       nat_ip         | 192.168.10.125                                 |
| tenant_ref           | admin                                          |
+----------------------+------------------------------------------------+

Match Criteria

The following match criteria options are supported:

  • Match source IP address

  • Match source IP address range

  • Match source IP address group

  • Match source IP prefix

  • Match source ports. Port range is not supported.

  • Match destination IP address

  • Match destination IP address range

  • Match destination IP address group

  • Match destination IP prefix

  • Match destination ports

For every option, is not option is available. This option can be used to exclude packets having certain parameters from matching the rule.

Match Operations

  1. If two or more of the same parameters are used as match criteria, then OR operation is used for matching.

    Example:

    match
 source_ip match_criteria is_in
 addrs 192.168.100.21
 ranges begin 192.168.100.2 end 192.168.100.10

    This will match if the source IP is 192.168.100.21 or if the source IP falls in the range of 192.168.100.2 - 192.168.100.10.

  2. If two different parameters are used in the match criteria, then AND operation is used for matching.

    Example:

    match
 source_ip match_criteria is_in
 addrs 192.168.100.21
 ranges begin 192.168.100.2 end 192.168.100.10
 destination_port match_criteria is_in
 ports 80

    This will match if the source IP is 192.168.100.21 or if the source IP falls in the range of 192.168.100.2 - 192.168.100.10 and if the destination port is 80.

  3. If there are multiple rules configured, the rules are evaluated in the ascending order as indexed. The evaluation stops on the first match. No subsequent rules are checked if a packet already matches a rule.

Action Options

  • NAT IP can be Avi Load Balancer VIP, floating interface IP, or IP address in the subnet of SE interface. NAT IP cannot be SE interface IP.

  • NAT IP range.