Network Address Translation (NAT) maps internal IP addresses on your compute network to addresses exposed on the public Internet. To create a NAT rule, you provide the internal address and port number of a workload VM or service and a public IP address and port number that you have obtained from the system.

NAT rules on the SDDC network’s internet interface, since that's where your workload VMs' public addresses are exposed. Firewall rules, which examine packet sources and destinations, run on the Compute Gateway, and process traffic after it has been transformed by any applicable NAT rules. When you create a NAT rule, you can specify whether a VM's internal or external IP address and port number are exposed to firewall rules that affect network traffic to and from that VM.


Inbound traffic to the SDDC's public IP address is always processed by the NAT rules you create. Outbound traffic (reply packets from SDDC workload VMs) is routed along the advertised routes and is processed by NAT rules when the default route for your SDDC network goes through the SDDC's Internet interface. But if the default route goes through a Direct Connect or VPN connection (for example, if is advertised through BGP or there is a policy-based VPN with a remote network of, NAT rules run for inbound traffic but not for outbound traffic, creating an asymmetric path that leaves the VM unreachable at its public IP address. When the default route is advertised from the on-premises environment, you must configure NAT rules on the on-premises network, using the on-premises Internet connection and public IPs.


  • You must have obtained a public IP address for use by a VM in this SDDC. See Request or Release a Public IP Address.
  • The VM must be connected to a compute network segment. You can create NAT rules for VMs whether they have static or dynamic (DHCP) addresses, but bear in mind that NAT rules for VMs using DHCP address assignment can be invalidated when the VM is assigned an internal address that no longer matches the one specified in the rule.


  1. Log in to the VMware Cloud on AWS GovCloud at
  2. Select Networking & Security > NAT .
  3. Click ADD NAT RULE and give the rule a Name.
  4. Enter the NAT rule parameters.
    Option Description
    Public IP Choose from the drop-down list of public IP address that have been provisioned for this SDDC. See Request or Release a Public IP Address.
    • Select All Traffic to create a rule that applies to both inbound (DNAT) and outbound (SNAT) traffic to or from the specified Internal IP.
    • Select one of the listed services to create an inbound (DNAT) rule that applies only to traffic using that protocol and port.
      Note: Because services that use multiple destination ports cannot be subject to a NAT rule, they don’t appear on this list.
    Public Port If you specified Service as All Traffic, the default public port is Any.

    If you selected a particular Service, then the rule applies to the assigned public port for that service.

    Internal IP Enter the internal IP address of the VM.
    Internal Port

    Displays the internal port used by the selected Service. To use a custom port, Add a Custom Service, then select that Service in the NAT rule.

    If you specified Service as All Traffic, the default internal port is Any.

    If you selected a particular Service, then the rule applies to the assigned public port for that service.

    Firewall Specify how traffic subject to this NAT rule is exposed to Compute Gateway firewall rules. By default, CGW firewall rules match the combination of Internal IP and Internal Port. Select Match External Address to have firewall rules match the combination of External IP and External Port. (Distributed firewall rules never apply to external addresses or ports.)

    You can create multiple NAT rules that use the same Public IP and Internal IP with All Traffic. If you do this, each Internal IP uses the Public IP for outbound (SNAT) traffic, but only the first matching rule will be used for inbound (DNAT) traffic. The system creates (but does not display) a default outbound rule,. This rule is used for all Internal IP addresses that do not match a specific NAT rule that applies to All Traffic. The IP used for this rule is displayed I the Default Compute Gateway summary on the Networking & Security Overview page as Source NAT Public IP.

  5. (Optional) Toggle Logging to log rule actions.
  6. The new rule is enabled by default. Toggle Enable to disable it.
  7. Click SAVE to create the rule.
    The rule is created and its Status is reported as Up.