If you are using IP spaces, you can generate default SNAT, NO SNAT, and firewall rules on provider gateways in your VMware Cloud Director environment.

VMware Cloud Director autoconfigures the SNAT, NO SNAT, and firewall rules depending on the topology of the relevant IP spaces and their external and internal scopes.

There are some differences in the way autoconfiguration works for the different VMware Cloud Director versions.
  • VMware Cloud Director 10.5: If you associate a new IP space uplink with a provider gateway, or if you reconfigure a specific IP space after you have autoconfigured NAT and firewall rules on a provider gateway, the gateway is not updated automatically with the changes. You must navigate to the gateway, delete all autoconfigured NAT and firewall rules, and generate them again for each new IP space update.
  • VMware Cloud Director 10.5.1 and later: Rerunning autoconfiguration deletes all previously created NAT and firewall rules and recreates them, including rules that users modified. All existing IP space uplinks are taken into account during the reautoconfiguration.
Rules are applied in a specific order. The priority order for each rule type is as follows.
NAT rules
  • Default NO SNAT rules are defined with a priority of 0, which is the highest priority. The exception is an IP space whose external scope is the default route (that is, 0.0.0.0/0): the NO SNAT rule associated with the default route has a priority of 1000.
  • Default SNAT rules have a priority of 100, again with the exception of the SNAT rule associated with the default route, which has a priority of 1001.
  • User-created NAT rules have a priority of 50 by default.
Firewall rules

The order in which firewall rules are applied differs depending on your VMware Cloud Director version.

In VMware Cloud Director 10.5.0, the rules are applied as follows.
  1. Firewall rules for associated default NO SNAT rules.
  2. Firewall rules for associated default SNAT rules.
  3. Existing firewall rules.
In VMware Cloud Director 10.5.1, the rules are applied in the following order.
  1. Firewall rules for associated default SNAT rules.
  2. Firewall rules for associated default NO SNAT rules.
  3. Existing firewall rules.
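The following is an added illustrative model of the NAT rule priorities listed above (default NO SNAT 0, default SNAT 100, user-created 50, and 1000/1001 for the default-route IP space), not VMware Cloud Director or NSX code. It builds the default rules from constructed sample IP spaces exactly as the page describes them (NO SNAT from internal to external scope, SNAT from any source to external scope) and evaluates a flow first-match in ascending priority order, so you can see which rule a given source and destination hits, for example that a user-created rule takes precedence over the default-route rules but not over a specific IP space's NO SNAT rule.

```python
# Added illustrative model of the autoconfigured NAT rule priorities described on this
# page. It is not VMware Cloud Director or NSX code; the IP spaces, the user rule and
# the flows are constructed sample data.
import ipaddress
from dataclasses import dataclass

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    kind: str          # "NO_SNAT", "SNAT" or "USER"
    priority: int      # lower number = evaluated first
    sources: list      # ip_network objects; "any" is [0.0.0.0/0]
    destinations: list
    origin: str        # IP space (or user) that produced the rule


def autoconfigure(ip_spaces):
    """Build the default NO SNAT and SNAT rules with the priorities listed above."""
    rules = []
    for name, internal, external in ip_spaces:
        int_nets = [ipaddress.ip_network(c) for c in internal]
        ext_nets = [ipaddress.ip_network(c) for c in external]
        is_default = DEFAULT_ROUTE in ext_nets
        # NO SNAT: internal scope -> external scope; 0, or 1000 for the default route
        rules.append(NatRule("NO_SNAT", 1000 if is_default else 0, int_nets, ext_nets, name))
        # SNAT: any source -> external scope; 100, or 1001 for the default route
        rules.append(NatRule("SNAT", 1001 if is_default else 100, [DEFAULT_ROUTE], ext_nets, name))
    return rules


def first_match(rules, src, dst):
    """First-match evaluation in ascending priority order (stable for equal priorities)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(s in n for n in rule.sources) and any(d in n for n in rule.destinations):
            return rule
    return None


# Constructed sample: one IP space with a specific external scope, one whose
# external scope is the default route, plus one user-created rule (priority 50).
SAMPLE_IP_SPACES = [
    ("partner", ["10.10.0.0/16"], ["203.0.113.0/24"]),
    ("internet", ["10.20.0.0/16"], ["0.0.0.0/0"]),
]
USER_RULE = NatRule("USER", 50, [ipaddress.ip_network("10.10.5.0/24")], [DEFAULT_ROUTE], "user")
ALL_RULES = autoconfigure(SAMPLE_IP_SPACES) + [USER_RULE]


def winner(src, dst):
    """Return (kind, origin, priority) of the rule that handles src -> dst, or None."""
    r = first_match(ALL_RULES, src, dst)
    return (r.kind, r.origin, r.priority) if r else None
```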
Default SNAT rule
This rule indicates that all traffic can access the external scope of a specific IP space by using NAT. The autoconfigured source is any IP address or CIDR, and the autoconfigured destination is the external scope of the IP space.
Default NO SNAT Rule
A NO SNAT rule allows traffic to flow from the IP space internal scope to its external scope without NAT rules being applied.
Associated Firewall Rule
An associated firewall rule is created for each default SNAT and NO SNAT rule.

Prerequisites

  • Verify that you are a system administrator or that your role includes the IP Spaces Default Gateway Services: Manage right.
  • Verify that the provider gateway is backed by an NSX tier-0 VRF gateway configured with active-standby high availability mode.
  • Verify that the provider gateway is dedicated to a single tenant.
  • Verify that you associated at least one IP space to the provider gateway. See Add an IP Space Uplink To a Provider Gateway in Your VMware Cloud Director.
  • Verify that you configured the internal and external scopes for the IP spaces associated with the provider gateway.
  • Verify that you configured the network topology for the IP spaces for which you want to autoconfigure NAT and firewall rules. See Configure the Network Topology For an IP Space in Your VMware Cloud Director.

Procedure

  1. From the top navigation bar, select Resources and click Cloud Resources.
  2. In the left pane, click Provider Gateways.
  3. On the right of the provider gateway name, click Autoconfigure > NAT and Firewall.
  4. Click Autoconfigure.