To change the source IP address from a private to a public IP address, you create a source NAT (SNAT) rule. To change the destination IP address from a public to a private IP address, you create a destination NAT (DNAT) rule.

When you configure a SNAT or a DNAT rule on an edge gateway in the VMware Cloud Director environment, you always configure the rule from the perspective of your organization VDC.

An SNAT rule translates the source IP address of packets sent from an organization VDC network out to an external network or to another organization VDC network.

A NO SNAT rule prevents the translation of the internal IP address of packets sent from an organization VDC out to an external network or to another organization VDC network.

A DNAT rule translates the IP address and, optionally, the port of packets received by an organization VDC network that are coming from an external network or from another organization VDC network.

A NO DNAT rule prevents the translation of the external IP address of packets received by an organization VDC from an external network or from another organization VDC network.

VMware Cloud Director supports automatic route redistribution when you use NAT services on an NSX edge gateway.

Important: If you are using Tanzu Kubernetes clusters, make note of the system SNAT rule created on the edge gateway to avoid creating a conflicting rule.

Prerequisites

Verify that the public IP addresses are added to the edge gateway interface on which you want to add the rule.

Procedure

  1. From the primary left navigation panel, select Resources, and from the page top navigation bar, select Cloud Resources.
  2. From the secondary left panel, select Edge Gateways.
  3. Click the edge gateway and, under Services, click NAT.
  4. To add a rule, click New.
  5. Configure an SNAT or NO SNAT rule (inside going outside).
    Option Description
    Name Enter a meaningful name for the rule.
    Description (Optional) Enter a description for the rule.
    Interface type From the drop-down menu, select SNAT or NO SNAT.
    External IP Depending on the type of rule that you are creating, choose one of the options.
    • If you are creating a SNAT rule, select or enter the public IP address of the edge gateway for which you are configuring the SNAT rule.
    • If you are creating a NO SNAT rule, leave the text box empty.
    Internal IP Enter the IP address or a list of IP addresses of the virtual machines for which you are configuring SNAT, so that they can send traffic to the external network.
    Destination IP (Optional) If you want the rule to apply only for traffic to a specific domain, enter an IP address for this domain or an IP address list. If you leave this text box blank, the SNAT rule applies to all destinations outside of the local subnet.
    Advanced Settings (Optional) Click the Advanced Settings tab for some additional settings.
    State
    To enable the rule upon creation, toggle on the State option.
    Logging
    To have the address translation performed by this rule logged, toggle on the Logging option.
    Priority
    If an address has multiple NAT rules, you can assign these rules different priorities to determine the order in which they are applied. A lower value means a higher priority for this rule.
    Firewall Match
    You can set a firewall match rule to determine how firewall is applied during NAT. From the drop-down menu, select one of the following options.
    • To apply firewall rules to the internal address of a NAT rule, select Match Internal Address.
    • To apply firewall rules to the external address of a NAT rule, select Match External Address.
    • To skip applying firewall rules, select Bypass.
    Applied To
    Apply this NAT rule only to the selected organization VDC network or to the selected external network selection. You can select either an organization VDC network for which distributed routing is deactivated or an external network uplink.
  6. Configure a DNAT or NO DNAT rule (outside going inside).
    Option Description
    Name Enter a meaningful name for the rule.
    Description (Optional) Enter a description for the rule.
    Interface type From the drop-down menu, select DNAT or NO DNAT.
    External IP Enter the public IP address of the edge gateway for which you are configuring the DNAT rule.

    The IP addresses that you enter must belong to the IP addresses that are suballocated to the edge gateway.
    External Port (Optional) Enter a port into which the DNAT rule is translating for the packets inbound to the virtual machines.
    Internal IP Depending on the type of rule that you are creating, choose one of the options.
    • If you are creating a DNAT rule, select or enter the IP address or IP addresses list of the virtual machines for which you are configuring DNAT, so that they can receive traffic from the external network.
    • If you are creating a NO DNAT rule, leave the text box empty.
    Application (Optional) Select a specific application port profile to which to apply the rule.
    The application port profile includes a port and a protocol that the incoming traffic uses on the edge gateway to connect to the internal network.
    Note: You cannot select application port profiles which contain a range of ports.
    Advanced Settings (Optional) Click the Advanced Settings tab for some additional settings.
    State
    To enable the rule upon creation, toggle on the State option.
    Logging
    To have the address translation performed by this rule logged, toggle on the Logging option.
    Priority
    If an address has multiple NAT rules, you can assign these rules different priorities to determine the order in which they are applied. A lower value means a higher priority for this rule.
    Firewall Match
    You can set a firewall match rule to determine how firewall is applied during NAT. From the drop-down menu, select one of the following options.
    • To apply firewall rules to the internal address of a NAT rule, select Match Internal Address.
    • To apply firewall rules to the external address of a NAT rule, select Match External Address.
    • To skip applying firewall rules, select Bypass.
    Applied To
    By default, NAT rules are applied to all networks that are connected to the edge gateway. You can select a specific network to which to apply this NAT rule. You can select either an organization VDC network for which distributed routing is deactivated or an external network uplink.
  7. Click Save.
  8. To configure additional rules, repeat these steps.