The NSX Data Center for vSphere software in your VMware Cloud Director environment enables the edge gateways to provide a network address translation (NAT) service. Using NAT reduces the number of public IP addresses that an organization must consume and keeps the private addresses of its organization virtual data center networks from being exposed on the external network.

The edge gateway NAT service provides the ability to assign a public address to a virtual machine or group of virtual machines in a private network. To enable your edge gateways to provide access to services running on privately addressed virtual machines in your organization virtual data center, you must configure NAT rules on the edge gateways. In the most common case, you associate a NAT service with an uplink interface on an edge gateway in your VMware Cloud Director environment so that addresses on organization virtual data center networks are not exposed on the external network.

The NAT service configuration is separated into source NAT (SNAT) and destination NAT (DNAT) rules. When you configure a SNAT or a DNAT rule on an edge gateway in the VMware Cloud Director environment, you always configure the rule from the perspective of your organization virtual data center. Specifically, that means you configure the rules in the following ways:

  • SNAT: the traffic is traveling from a virtual machine on an internal network in your organization virtual data center (the source) to the external network (the destination). A SNAT rule translates the source IP address of outgoing packets that an organization virtual data center network sends to an external network or to another organization virtual data center network.
  • DNAT: the traffic is traveling from the external network (the source) to a virtual machine inside your organization virtual data center (the destination). A DNAT rule translates the destination IP address, and optionally the destination port, of packets that an organization virtual data center network receives from an external network or from another organization virtual data center network.

Because NAT hides a private IP address space behind the public addresses of the edge gateway, you can reuse the same private IP addresses for virtual machines in several organization virtual data centers, and you can move a private address space from one organization virtual data center to another without renumbering the virtual machines.

The NAT rule capability in your VMware Cloud Director environment supports:

  • Creating subnets within the private IP address space
  • Creating multiple private IP address spaces for an edge gateway
  • Configuring multiple NAT rules on multiple edge gateway interfaces

Important: You must configure both firewall and NAT rules on an edge gateway for the virtual machines on an edge gateway network to be accessible. By default, edge gateways are deployed with firewall rules that deny all network traffic to and from the virtual machines on the edge gateway networks. NAT is also deactivated by default, so an edge gateway cannot translate the IP addresses of incoming and outgoing traffic until you configure NAT rules on it. Attempting to ping a virtual machine after configuring a NAT rule fails unless you also add a firewall rule that allows the corresponding traffic. Note as well that a NAT rule matches only the protocol it specifies: a DNAT rule for TCP does not translate ICMP echo requests, so a ping test needs a rule whose Protocol is ICMP or Any in addition to the firewall rule.

Add an SNAT or a DNAT Rule To an NSX Data Center for vSphere Edge Gateway in the VMware Cloud Director Tenant Portal

You can create a source NAT (SNAT) rule to change the source IP address of packets, and a destination NAT (DNAT) rule to change the destination IP address of packets. In the usual case an SNAT rule translates a private source address to a public one and a DNAT rule translates a public destination address to a private one, but each kind of rule can also translate in the reverse direction.

When creating NAT rules, you can specify the original and translated IP addresses by using the following formats:

  • IP address; for example, 192.0.2.0
  • IP address range; for example, 192.0.2.0-192.0.2.24
  • IP address/subnet mask; for example, 192.0.2.0/24
  • any

When you configure a SNAT or a DNAT rule on an edge gateway in the VMware Cloud Director environment, you always configure the rule from the perspective of your organization virtual data center. A SNAT rule translates the source IP address of packets sent from an organization virtual data center network out to an external network or to another organization virtual data center network. A DNAT rule translates the IP address, and optionally the port, of packets received by an organization virtual data center network that are coming from an external network or from another organization virtual data center network.

Prerequisites

The public IP address that the rule uses must already be allocated to the NSX Data Center for vSphere edge gateway interface on which you add the rule. For a DNAT rule this is the Original (public) IP address; for a SNAT rule it is the Translated (public) IP address.

Procedure

  1. Open Edge Gateway Services.
    1. From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
    2. Select the edge gateway that you want to edit, and click Services.
  2. Click NAT to open the NAT Rules screen.
  3. Depending on which type of NAT rule you are creating, click DNAT Rule or SNAT Rule.
  4. Configure a Destination NAT rule (outside coming inside).
    Applied On: Select the interface on which to apply the rule.
    Original IP/Range: Type the required IP address or select an allocated IP address from the list. This must be a public IP address allocated to the edge gateway for which you are configuring the DNAT rule. In the packets being inspected, this address or range appears as the destination IP address, and these destination addresses are the ones the DNAT rule translates.
    Protocol: Select the protocol to which the rule applies. To apply the rule to all protocols, select Any.
    Original Port (Optional): Select the port or port range on which the incoming traffic reaches the edge gateway before translation. This option is not available when Protocol is set to ICMP or Any.
    ICMP Type: When you select ICMP for Protocol (the control-message protocol that IP hosts and routers use to report errors and run diagnostics such as ping), select the ICMP type from the drop-down menu. ICMP messages are identified by their type field; by default the ICMP type is set to any.
    Translated IP/Range: Type the IP address or range of IP addresses to which the destination addresses of inbound packets are translated. These are the private addresses of the one or more virtual machines for which you are configuring DNAT so that they can receive traffic from the external network.
    Translated Port (Optional): Select the port or port range on which the virtual machines on the internal network accept the inbound traffic. The DNAT rule rewrites the destination port of inbound packets to this value.
    Source IP address (Optional): To restrict the rule to traffic from a specific source network, enter an IP address or an IP address range in CIDR format. If you leave this text box blank, the DNAT rule applies to traffic from any source address.
    Source Port (Optional): Enter a source port number to restrict the rule to traffic from that port.
    Description (Optional): Enter a meaningful description for the DNAT rule.
    Enabled: Toggle on to activate this rule.
    Enable logging: Toggle on to log the address translations performed by this rule.
  5. Configure a Source NAT rule (inside going outside).
    Applied On: Select the interface on which to apply the rule.
    Original Source IP/Range: Type the original IP address or range of IP addresses to which the rule applies, or select an allocated IP address from the list. These are the private addresses of the one or more virtual machines for which you are configuring the SNAT rule so that they can send traffic to the external network.
    Translated Source IP/Range: Type the required IP address. This is always a public IP address of the edge gateway for which you are configuring the SNAT rule; it is the address to which the source addresses of outbound packets (the virtual machines) are translated when they send traffic to the external network.
    Destination IP Address (Optional): To restrict the rule to traffic going to a specific destination network, enter an IP address or an IP address range in CIDR format. If you leave this text box blank, the SNAT rule applies to all destinations outside of the local subnet.
    Destination Port (Optional): Enter a destination port number to restrict the rule to traffic going to that port.
    Description (Optional): Enter a meaningful description for the SNAT rule.
    Enabled: Toggle on to activate this rule.
    Enable logging: Toggle on to log the address translations performed by this rule.
  6. Click Keep to add the rule to the on-screen table.
  7. Repeat the steps to configure additional rules.
  8. Click Save changes to save the rules to the system.
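The behavior that the concept section and the procedure above describe can be checked on paper with the following model. It is an added illustration written for this page, not VMware code and not the edge gateway's implementation. It parses the four address formats the rule fields accept, enforces the prerequisite that the public side of a rule is already allocated to the interface, applies DNAT (destination address and optional port) and SNAT (source address) from the organization virtual data center's perspective, and models the default deny-all firewall so that a correctly translated ping is still dropped until an allow rule exists. The interface name, addresses and flows are constructed test values, and the point at which the model evaluates the firewall relative to NAT (on the internal-side addresses) is an assumption of the model, not a statement about the edge's packet pipeline.

```python
"""Constructed model of the edge gateway SNAT/DNAT semantics described on this page
(an added illustration, not VMware code); addresses are RFC 5737 / RFC 1918 test values."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# A packet as the edge sees it; sport/dport stay None for port-less protocols such as ICMP.
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("any", None, None))

def parse_addr(spec: str):
    """The page's four address formats: single IP, 'a-b' range, CIDR, or 'any' (-> None)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    if "-" in spec:
        return tuple(ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    net = ipaddress.ip_network(spec, strict=False)   # a plain IP is treated as a /32
    return net[0], net[-1]

def addr_matches(spec: str, ip: str) -> bool:
    rng = parse_addr(spec)
    return rng is None or rng[0] <= ipaddress.ip_address(ip) <= rng[1]

def port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    """Port spec is a number, 'lo-hi' or 'any'; port-less packets (ICMP) match only 'any'."""
    if spec is None or spec.lower() == "any":
        return True
    lo, _, hi = spec.partition("-")
    return port is not None and int(lo) <= port <= int(hi or lo)

def map_addr(from_spec: str, to_spec: str, ip: str) -> str:
    """Many-to-one if the target is a single IP, otherwise one-to-one by offset into the range."""
    (t_lo, t_hi), frm = parse_addr(to_spec), parse_addr(from_spec)
    if t_lo == t_hi or frm is None:
        return str(t_lo)
    return str(t_lo + (int(ipaddress.ip_address(ip)) - int(frm[0])))

@dataclass
class NatRule:
    action: str                 # "dnat" (outside coming inside) or "snat" (inside going outside)
    applied_on: str             # edge interface the rule is applied on (constructed name)
    original: str               # DNAT: public destination; SNAT: private source
    translated: str             # DNAT: private destination; SNAT: public source
    protocol: str = "any"
    original_port: Optional[str] = None
    translated_port: Optional[str] = None
    peer: str = "any"           # the optional Source IP (DNAT) / Destination IP (SNAT) filter
    peer_port: Optional[str] = None
    enabled: bool = True

class EdgeGateway:
    """An edge in the initial state the page describes: no NAT rules, firewall denies all."""
    def __init__(self, interfaces: dict):
        self.interfaces = interfaces              # interface name -> set of public IPs allocated on it
        self.nat, self.firewall_allow = [], []    # firewall_allow holds (src_spec, dst_spec, proto)
    def add_nat_rule(self, rule: NatRule) -> None:
        # Prerequisite from the page: the rule's public side must already be allocated on the interface.
        rng = parse_addr(rule.original if rule.action == "dnat" else rule.translated)
        if rng is None:
            raise ValueError("the public side of a NAT rule cannot be 'any'")
        allocated = {ipaddress.ip_address(a) for a in self.interfaces[rule.applied_on]}
        missing = [str(ipaddress.ip_address(i)) for i in range(int(rng[0]), int(rng[1]) + 1)
                   if ipaddress.ip_address(i) not in allocated]
        if missing:
            raise ValueError(f"{missing} not allocated on interface {rule.applied_on}")
        self.nat.append(rule)
    def _match(self, r, iface, proto, orig_ip, orig_port, peer_ip, peer_port) -> bool:
        return (r.enabled and r.applied_on == iface and r.protocol in ("any", proto)
                and addr_matches(r.original, orig_ip) and port_matches(r.original_port, orig_port)
                and addr_matches(r.peer, peer_ip) and port_matches(r.peer_port, peer_port))
    def _permitted(self, pkt: Packet) -> bool:
        return any(addr_matches(s, pkt.src) and addr_matches(d, pkt.dst) and p in ("any", pkt.proto)
                   for s, d, p in self.firewall_allow)
    def inbound(self, pkt: Packet, iface: str):
        """External -> org VDC: the first matching DNAT rule rewrites the destination IP (and port).
        Model assumption: the firewall is evaluated on the translated, internal destination."""
        for r in self.nat:
            if r.action == "dnat" and self._match(r, iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport):
                pkt = pkt._replace(dst=map_addr(r.original, r.translated, pkt.dst),
                                   dport=int(r.translated_port) if r.translated_port else pkt.dport)
                break
        return pkt, self._permitted(pkt)
    def outbound(self, pkt: Packet, iface: str):
        """Org VDC -> external: firewall on the internal source, then the first matching SNAT rule."""
        permitted = self._permitted(pkt)
        for r in self.nat:
            if r.action == "snat" and self._match(r, iface, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                pkt = pkt._replace(src=map_addr(r.original, r.translated, pkt.src))
                break
        return pkt, permitted

def demo():
    """Constructed scenario: VM 10.10.1.5 behind public 192.0.2.10 (ICMP, and TCP 443 -> 8443);
    the VM subnet SNATs to 192.0.2.11. Returns per-flow results before and after the firewall rules."""
    edge = EdgeGateway({"uplink": {"192.0.2.10", "192.0.2.11"}})
    edge.add_nat_rule(NatRule("dnat", "uplink", "192.0.2.10", "10.10.1.5", protocol="icmp"))
    edge.add_nat_rule(NatRule("dnat", "uplink", "192.0.2.10", "10.10.1.5", protocol="tcp",
                              original_port="443", translated_port="8443"))
    edge.add_nat_rule(NatRule("snat", "uplink", "10.10.1.0/24", "192.0.2.11"))
    run = lambda: {"ping": edge.inbound(Packet("198.51.100.7", "192.0.2.10", "icmp"), "uplink"),
                   "https": edge.inbound(Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 443), "uplink"),
                   "out": edge.outbound(Packet("10.10.1.20", "198.51.100.7", "tcp", 40000, 443), "uplink")}
    before = run()                      # translated, but the default deny-all firewall drops everything
    edge.firewall_allow += [("any", "10.10.1.5", "any"), ("10.10.1.0/24", "any", "any")]
    return before, run()
```

Calling demo() returns, for each flow, the translated packet and the firewall verdict before and after the allow rules are added: before, every packet is translated correctly yet dropped; after, the HTTPS flow reaches 10.10.1.5:8443, the ICMP echo passes, and the outbound flow leaves with source 192.0.2.11. That is the page's "ping fails until you add a firewall rule" caveat in miniature, and add_nat_rule raising on an unallocated public address is the Prerequisites check. Because the DNAT rules here are per protocol, removing the ICMP rule is enough to see why a TCP-only rule does not make a ping test succeed.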

What to do next

Add corresponding edge gateway firewall rules for the SNAT or DNAT rules you just configured. See Add an NSX Data Center for vSphere Edge Gateway Firewall Rule in the VMware Cloud Director Tenant Portal.