Network Address Translation (NAT) controls how IP addresses in packet headers appear on either side of a gateway. Rules that run on the Compute Gateway map Internet traffic as it enters and leaves the gateway. Rules that run on other Tier-1 gateways map traffic between the gateway and other SDDC network interfaces.

NAT rules run on the Compute Gateway and on any additional Tier-1 gateways that you create. See Add a Tier-1 Gateway for information about creating additional Tier-1 gateways in your SDDC.

NAT rules that run on the SDDC's Internet interface (the Compute Gateway) map internal source or destination IP addresses on packets from compute network segments to addresses that are usable on the public Internet. To create a NAT rule, you provide the internal address of a workload VM or service and an external IP address of your choice. NAT rules that run on the Internet interface require a public IP address. See Request or Release a Public IP Address.

Firewall rules, which examine packet source and destination addresses, run on these gateways and process traffic after it has been transformed by any applicable NAT rules. When you create a NAT rule, you can specify whether a VM's internal or external IP address and port number are exposed to firewall rules that affect network traffic to and from that VM.

Important:

Inbound traffic to the SDDC's public IP address is always processed by the NAT rules you create. Outbound traffic (reply packets from SDDC workload VMs) is routed along the advertised routes and is processed by NAT rules when the default route for your SDDC network goes through the SDDC's Internet interface. But if the default route goes through a Direct Connect, VPN, or VTGW connection or has been added as a static route to a VPC, NAT rules run for inbound traffic but not for outbound traffic, creating an asymmetric path that leaves the VM unreachable at its public IP address. This asymmetry can arise when, for example, if 0.0.0.0/0 is advertised through BGP or there is a policy-based VPN with a remote network of 0.0.0.0/0. When the default route is advertised from the on-premises environment, you must configure NAT rules on the on-premises network, using the on-premises Internet connection and public IPs.

Prerequisites

  • To create a NAT rule on the Compute Gateway (Internet interface), you must have obtained a public IP address for use by a VM in this SDDC. See Request or Release a Public IP Address.
  • The VM must be connected to a routed compute network segment. You can create NAT rules for VMs whether they have static or dynamic (DHCP) addresses, but bear in mind that NAT rules for VMs using DHCP address assignment can be invalidated when the VM is assigned an internal address that no longer matches the one specified in the rule.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER.
    You can also use the VMC Console Networking & Security tab for this workflow. The Networking & Security tab combines NSX-T Networking tab features like VPN, NAT, and DHCP with Security tab features like firewalls.
  4. Click NAT > Internet to add NAT rules that run on the default Compute Gateway.
    1. Click ADD NAT RULE and give the rule a Name.
    2. Configure Internet NAT rule options:
      Option Description
      Public IP Choose from the drop-down list of public IP address that have been provisioned for this SDDC. See Request or Release a Public IP Address.
      Service
      • Select All Traffic to create a rule that applies to both inbound (DNAT) and outbound (SNAT) traffic to or from the specified Internal IP.
      • Select one of the listed services to create an inbound (DNAT) rule that applies only to traffic using that protocol and port. Any services created using Add a Custom Service are also listed here.
        Note: Because services that use multiple destination ports cannot be subject to a NAT rule, they don’t appear on this list.
      Public Port If you specified Service as All Traffic, the default public port is Any.

      If you selected a particular Service, then the rule applies to the assigned public port for that service.

      Internal IP Enter the internal IP address of the VM. This address must be on a routed SDDC network segment.
      Internal Port

      Displays the internal port used by the selected Service. To use a custom port, Add a Custom Service, then select that Service in the NAT rule.

      If you specified Service as All Traffic, the default internal port is Any.

      If you selected a particular Service, then the rule applies to the assigned public port for that service.

      Firewall Specify how traffic subject to this NAT rule is exposed to gateway firewall rules. By default, these firewall rules match the combination of Internal IP and Internal Port. Select Match External Address to have firewall rules match the combination of External IP and External Port. (Distributed firewall rules never apply to external addresses or ports.)

      You can create multiple NAT rules that use the same Public IP and Internal IP with All Traffic. If you do this, each Internal IP uses the Public IP for outbound (SNAT) traffic, but only the first matching rule will be used for inbound (DNAT) traffic. The system creates (but does not display) a default outbound rule. This rule is used for all Internal IP addresses that do not match a specific NAT rule that applies to All Traffic. The IP used for this rule is displayed I the Default Compute Gateway summary on the Networking & Security Overview page as Source NAT Public IP.

    3. Choose a Priority for the rule.
      A lower value means a higher precedence for this rule.
    4. (Optional) Toggle Logging to log rule actions.
    5. The new rule is enabled by default. Toggle Enable to disable it.
    6. Click SAVE to create the rule.
  5. (Optional) If you have created additional an Tier-1 gateway, click NAT > Tier-1 Gateway to add NAT rules that run on that gateway.
    1. Choose a Gateway where you want the rule to run.
    2. Click ADD NAT RULE and give the rule a Name.
    3. Configure Tier-1 Gateway NAT rule options:
      Option Description:
      Action One of:
      SNAT
      Source NAT. Changes the source address in the packet header. See Configure Source NAT on a Tier-1 Router.
      DNAT
      Destination NAT. Changes the destination address in the packet header. See Configure Destination NAT on a Tier-1 Router.

      Specify a Translated Port if you need to.

      Reflexive
      Stateless NAT configuration to avoid asymmetrical routes. See Reflexive NAT
      No SNAT
      Disable source NAT.
      No DNAT
      Disable destination NAT.
      Match For SNAT, enter a source address to use. For DNAT, enter a destination address to use.
      Translated Enter an IPv4 address or CIDR block to use for the translated SNAT or DNAT address.
      Apply To Choose specific interfaces or labels to define the traffic that you want the rule to affect.
      Firewall Specify how traffic subject to this NAT rule is exposed to gateway firewall rules. By default, these firewall rules match the combination of Internal IP and Internal Port. Select Match External Address to have firewall rules match the combination of External IP and External Port. (Distributed firewall rules never apply to external addresses or ports.)
    4. Choose a Priority for the rule.
      A lower value means a higher precedence for this rule.
    5. (Optional) Toggle Logging to log rule actions.
    6. The new rule is enabled by default. Toggle Enable to disable it.
    7. Click SAVE to create the rule.