Network Address Translation (NAT) maps internal IP addresses on your compute network to addresses exposed on the public Internet. To create a NAT rule, you provide the internal address and port number of a workload VM or service and a public IP address and port number that you have obtained from the system.

NAT rules run on the SDDC's Internet interface, because that is where the public addresses of your workload VMs are exposed. Firewall rules, which examine packet sources and destinations, run on the Compute Gateway and process traffic after it has been transformed by any applicable NAT rules. When you create a NAT rule, you can specify whether a VM's internal or external IP address and port number are exposed to firewall rules that affect network traffic to and from that VM.

Important:

Inbound traffic to the SDDC's public IP address is always processed by the NAT rules you create. Outbound traffic (reply packets from SDDC workload VMs) is routed along the advertised routes and is processed by NAT rules when the default route for your SDDC network goes through the SDDC's Internet interface. But if the default route goes through a Direct Connect or VPN connection (for example, if 0.0.0.0/0 is advertised through BGP or there is a policy-based VPN with a remote network of 0.0.0.0/0), NAT rules run for inbound traffic but not for outbound traffic, creating an asymmetric path that leaves the VM unreachable at its public IP address. When the default route is advertised from the on-premises environment, you must configure NAT rules on the on-premises network, using the on-premises Internet connection and public IPs.

Prerequisites

  • The VM must be connected to a compute network segment. You can create NAT rules for VMs whether they have static or dynamic (DHCP) addresses, but bear in mind that NAT rules for VMs using DHCP address assignment can be invalidated when the VM is assigned an internal address that no longer matches the one specified in the rule.
  • You must request a public IP address for the VM. See Request or Release a Public IP Address.

Procedure

  1. Log in to the VMC Console at https://vmc.vmware.com.
  2. Select Networking & Security > NAT.
  3. Click ADD NAT RULE and give the rule a Name.
  4. Enter the NAT rule parameters.
    Option          Description
    Public IP       The provisioned public IP address for the VM is populated.
    Service         Select one of the following:
                    • All Traffic, to create a rule that applies to all traffic.
                    • One of the listed services, to create a rule that applies only to traffic using that protocol and port.
    Public Port     If you specified Service as All Traffic, the default public port is Any.
                    If you selected a particular Service, the rule applies to the assigned public port for that service.
    Internal IP     Enter the internal IP address of the VM.
    Internal Port   If you specified Service as All Traffic, the default internal port is Any.
                    If you selected a particular Service, the rule applies to the assigned public port for that service.
    Firewall        Specify how traffic subject to this NAT rule is exposed to firewall rules. By default, firewall rules match the combination of Internal IP and Internal Port. Select Match External Address to have firewall rules match the combination of External IP and External Port.
  5. (Optional) Toggle Logging to log rule actions.
  6. The new rule is enabled by default. Toggle Enable to disable it.
  7. Click SAVE to create the rule.
    The rule is created and its Status is reported as Up.
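The asymmetric-path hazard described in the Important note above, and the Firewall option in step 4, can be checked before a rule is saved. The following is an added example written for this page, not VMware code or a VMC API: it models the SDDC route table, finds the interface a VM's reply packets would leave through (longest-prefix match), and flags a DNAT rule whose reply path bypasses the Internet interface. All addresses, route labels and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: str     # CIDR, e.g. "0.0.0.0/0"
    via: str        # constructed labels: "internet", "direct_connect", "vpn"

@dataclass(frozen=True)
class NatRule:
    name: str
    public_ip: str
    internal_ip: str
    public_port: Optional[int] = None    # None models "Any"
    internal_port: Optional[int] = None
    match_external: bool = False         # the "Match External Address" toggle

def egress_for(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match: the interface a packet to `dst` leaves through."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    if best is None:
        raise ValueError("no route to " + dst)
    return best.via

def firewall_view(rule: NatRule) -> Tuple[str, Optional[int]]:
    """Address/port pair the Compute Gateway firewall rules match for this NAT rule."""
    if rule.match_external:
        return rule.public_ip, rule.public_port
    return rule.internal_ip, rule.internal_port

def check_nat_symmetry(rule: NatRule, routes: List[Route], client_ip: str) -> Tuple[bool, str]:
    """Inbound traffic always hits NAT on the Internet interface; the VM's reply
    to client_ip must leave the same way, otherwise NAT is skipped for it."""
    reply_via = egress_for(client_ip, routes)
    if reply_via != "internet":
        return False, (f"{rule.name}: reply to {client_ip} egresses via {reply_via}; "
                       f"NAT is bypassed and {rule.public_ip} is unreachable")
    return True, f"{rule.name}: inbound and reply both use the Internet interface"

# Constructed sample data (RFC 5737 documentation addresses, not real SDDC values)
WEB = NatRule("web-443", "192.0.2.45", "192.168.1.10", 443, 443)
CLIENT = "203.0.113.10"
ROUTES_INTERNET_DEFAULT = [Route("0.0.0.0/0", "internet"), Route("10.0.0.0/8", "direct_connect")]
ROUTES_ONPREM_DEFAULT = [Route("0.0.0.0/0", "direct_connect"), Route("10.0.0.0/8", "direct_connect")]
```

Run `check_nat_symmetry(WEB, ROUTES_ONPREM_DEFAULT, CLIENT)` to see the failure case: with 0.0.0.0/0 learned over Direct Connect, the reply egresses on-premises and the public IP is unreachable unless NAT is configured there instead.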