Autoconfigure Default NAT and Firewall Rules on a Provider Gateway in Your VMware Cloud Director

If you are using IP spaces, you can generate default SNAT, NO SNAT, and firewall rules on provider gateways in your VMware Cloud Director environment.

VMware Cloud Director autoconfigures the SNAT, NO SNAT, and firewall rules depending on the topology of the relevant IP spaces and their external and internal scopes.

Rerunning autoconfiguration deletes all previously created NAT and firewall rules and recreates them. This includes the rules that were modified by users. All existing IP uplinks are taken into account during the reautoconfiguration

Rules are applied in specific order.

Rule Type	Priority Order
NAT rules	Default NO SNAT rules are defined with a priority of 0, meaning the highest priority. The exception to this would be for an IP space where the external scope is the default route (i.e. 0.0.0.0/0). The NO SNAT rule associated with the default route has a priority of 1000. Default SNAT rules have a priority of 100, again, with the exception of the SNAT rule associated with the default route. The SNAT rule associated with the default route has a priority of 1001. User-created NAT rules have a priority of 50 by default.
Firewall rules	The order in which firewall rules are applied differs depending on your VMware Cloud Director version. VMware Cloud Director applies the rules in the following order. Firewall rules for associated default SNAT rules. Firewall rules for associated default NO SNAT rules. Existing firewall rules.

Rule Type

Priority Order

NAT rules

Default NO SNAT rules are defined with a priority of 0, meaning the highest priority. The exception to this would be for an IP space where the external scope is the default route (i.e. 0.0.0.0/0). The NO SNAT rule associated with the default route has a priority of 1000.
Default SNAT rules have a priority of 100, again, with the exception of the SNAT rule associated with the default route. The SNAT rule associated with the default route has a priority of 1001.
User-created NAT rules have a priority of 50 by default.

Firewall rules

The order in which firewall rules are applied differs depending on your VMware Cloud Director version.

VMware Cloud Director applies the rules in the following order.

Firewall rules for associated default SNAT rules.
Firewall rules for associated default NO SNAT rules.
Existing firewall rules.

Default SNAT rule: This rule indicates that all traffic can access the external scope of a specific IP space by using NAT. The autoconfigured source is any IP address or CIDR, and the autoconfigured destination is the external scope of the IP space.
Default NO SNAT Rule: A NO SNAT rule allows traffic to flow from the IP space internal scope to its external scope without NAT rules being applied.
Associated Firewall Rule: An associated firewall rule is created for each default SNAT and NO SNAT rule.

Prerequisites

Verify that you are a system administrator or that your role includes the IP Spaces Default Gateway Services: Manage right.
Verify that the provider gateway is backed by an NSX tier-0 VRF gateway configured with active-standby high availability mode.
Verify that the provider gateway is dedicated to a single tenant.
Verify that you associated at least one IP space to the provider gateway. See Add an IP Space Uplink To a Provider Gateway in Your VMware Cloud Director.
Verify that you configured the internal and external scopes for the IP spaces associated with the provider gateway.
Verify that you configured the network topology for the IP spaces for which you want to autoconfigure NAT and firewall rules. See Configure the Network Topology For an IP Space in Your VMware Cloud Director.

Procedure

From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
In the left pane, click Provider Gateways.
On the right of the provider gateway name, click Autoconfigure > NAT and Firewall.
Click Autoconfigure.