If you are using IP spaces, you can generate default SNAT, NO SNAT, and firewall rules on provider gateways in your VMware Cloud Director environment.
VMware Cloud Director autoconfigures the SNAT, NO SNAT, and firewall rules depending on the topology of the relevant IP spaces and their external and internal scopes.
There are some differences in the way autoconfiguration works for the different VMware Cloud Director versions.
Version | Behavior |
---|---|
VMware Cloud Director 10.5 | If you associate a new IP space uplink with a provider gateway or if you reconfigure a specific IP space after you have autoconfigured NAT and firewall rules on a provider gateway, the gateway is not updated automatically with the changes. This means you must navigate to the gateway, delete all autoconfigured NAT and firewall rules and generate them again for each new IP space update. |
VMware Cloud Director 10.5.1 and later | Rerunning autoconfiguration deletes all previously created NAT and firewall rules and recreates them. This includes the rules that were modified by users. All existing IP uplinks are taken into account during the reautoconfiguration. |
Rules are applied in a specific order.
Rule Type | Priority Order |
---|---|
NAT rules | |
Firewall rules | The order in which firewall rules are applied differs depending on your VMware Cloud Director version. In VMware Cloud Director 10.5.0, the rules are applied as follows. In VMware Cloud Director 10.5.1, the rules are applied in the following order. |
- Default SNAT rule
  - This rule indicates that all traffic can access the external scope of a specific IP space by using NAT. The autoconfigured source is any IP address or CIDR, and the autoconfigured destination is the external scope of the IP space.
- Default NO SNAT Rule
  - A NO SNAT rule allows traffic to flow from the IP space internal scope to its external scope without NAT rules being applied.
- Associated Firewall Rule
  - An associated firewall rule is created for each default SNAT and NO SNAT rule.
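The following Python example is added here and is not VMware code. It derives the default rules described above from a list of IP spaces and compares them with an exported rule list, flagging expected rules that are absent (the 10.5 case after a new uplink is associated) and customised rules that rerunning autoconfiguration on 10.5.1 or later would replace. The record fields, rule-type labels, and sample values are constructed; it assumes that each firewall rule mirrors the source and destination of its NAT rule and that both rule types are generated for every IP space.

```python
import ipaddress

# Constructed sample data; field names are hypothetical, not the VCD API schema.
IP_SPACES = [
    {"name": "tenant-a", "internal": "10.10.0.0/16", "external": "0.0.0.0/0"},
    {"name": "shared-svc", "internal": "172.16.8.0/24", "external": "192.0.2.0/24"},
]
# Constructed export of the rules currently present on the provider gateway.
EXPORTED = [
    {"ip_space": "tenant-a", "type": "SNAT", "source": "any", "destination": "0.0.0.0/0"},
    {"ip_space": "tenant-a", "type": "FIREWALL", "source": "any", "destination": "0.0.0.0/0"},
    {"ip_space": "tenant-a", "type": "NO_SNAT", "source": "10.10.0.0/16", "destination": "0.0.0.0/0"},
    # Firewall rule narrowed by an operator after autoconfiguration.
    {"ip_space": "tenant-a", "type": "FIREWALL", "source": "10.10.5.0/24", "destination": "0.0.0.0/0"},
]

def _net(cidr):
    """Normalize a CIDR string, or pass through the literal 'any'."""
    return "any" if cidr == "any" else str(ipaddress.ip_network(cidr, strict=False))

def expected_rules(ip_spaces):
    """Defaults as the page describes them: SNAT any -> external scope,
    NO SNAT internal scope -> external scope, one firewall rule for each."""
    rules = set()
    for sp in ip_spaces:
        ext, internal = _net(sp["external"]), _net(sp["internal"])
        for kind, src in (("SNAT", "any"), ("NO_SNAT", internal)):
            rules.add((sp["name"], kind, src, ext))
            rules.add((sp["name"], "FIREWALL", src, ext))  # assumed to mirror the NAT rule
    return rules

def audit(ip_spaces, exported_rules):
    """Compare an exported rule list with the expected defaults."""
    expected = expected_rules(ip_spaces)
    actual = {(r["ip_space"], r["type"], _net(r["source"]), _net(r["destination"]))
              for r in exported_rules}
    return {
        # Expected but absent, e.g. an uplink added after autoconfiguration on 10.5.
        "missing": sorted(expected - actual),
        # Present but not a default: customised rules that a rerun on 10.5.1+ replaces.
        "customised": sorted(actual - expected),
    }

if __name__ == "__main__":
    print(audit(IP_SPACES, EXPORTED))
```

Recording the `customised` list before rerunning autoconfiguration on 10.5.1 or later gives you the set of rules to reapply afterwards.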
Prerequisites
- Verify that you are a system administrator or that your role includes the IP Spaces Default Gateway Services: Manage right.
- Verify that the provider gateway is backed by an NSX tier-0 VRF gateway configured with active-standby high availability mode.
- Verify that the provider gateway is dedicated to a single tenant.
- Verify that you associated at least one IP space to the provider gateway. See Add an IP Space Uplink To a Provider Gateway in Your VMware Cloud Director.
- Verify that you configured the internal and external scopes for the IP spaces associated with the provider gateway.
- Verify that you configured the network topology for the IP spaces for which you want to autoconfigure NAT and firewall rules. See Configure the Network Topology For an IP Space in Your VMware Cloud Director.
Procedure
- From the top navigation bar, select Resources and click Cloud Resources.
- In the left pane, click Provider Gateways.
- On the right of the provider gateway name, click .
- Click Autoconfigure.