When new application servers are deployed, they need external connectivity for manageability.
If there is no router in the server networks, the NSX Advanced Load Balancer Service Engine (SE) can route the traffic of those networks using the IP routing feature of Service Engines. To use the SE as a NAT gateway for the entire private network of servers, the SE also needs NAT functionality; this is what the outbound NAT feature described here provides.
This feature is not supported for IPv6.
NAT is performed in the post-routing phase of the packet path in the SE. Read the SE default gateway (IP routing on Service Engine) feature first; for more information, see Default Gateway (IP Routing on NSX Advanced Load Balancer SE).
Enabling IP routing on the Service Engine and using the SE as the gateway is a prerequisite for the outbound NAT feature, so every requirement for enabling IP routing on the Service Engine also applies to outbound NAT.
Outbound NAT is supported for TCP, UDP, and ICMP flows.
NAT is VRF-aware and must be programmed per SE group using a Network Service of type Routing Service. For more information, see Network Service.
NAT and IP routing are supported on two-armed, no-access configurations of Linux server clouds and VMware clouds.
NSX Advanced Load Balancer also supports NAT for VMware cloud deployments in write access mode. On a VMware write access cloud, a virtual service must already have been created, because it is the virtual service that creates the required Service Engines, and the deployment must meet the following conditions:
One arm (in the two-arm deployment) must be placed in the back end network. For this network, the SE acts as the default gateway.
The other arm is placed in the desired front end network.
The SE group of the Network Service must be in legacy HA (active/standby) mode.
The Routing Service must have routing enabled (enable_routing set).
NAT is performed by the Service Engine IP stack, so the routing_by_linux_ipstack attribute of the Routing Service must be set to False.
Only DPDK-based SEs are supported.
The NAT IP of a NAT rule cannot be the same as any interface IP present in the VRF; such a NAT IP is ignored.
The NAT IP is configured on an interface as a secondary IP, so different Service Engine groups cannot share a NAT IP within a given VRF.
The flow of NAT service traffic initiated from inside to outside, numbered 1 to 8 as in the diagram, is described below. SX is the inside server, Ext the external destination, DG the server's default gateway (the SE), MAC-A the MAC address of the active SE, MAC-R the MAC address of the front end router, and SE-NIP the NAT IP owned by the SE. The bracketed values are the source (S) and destination (D) IP addresses of the packet at each step.
1. The server ARPs for its DG and gets MAC-A. The server sends the IP packet to MAC-A. [S:IP-SX, D:IP-Ext]
2. The Service Engine creates a NAT entry because this is a new flow, translates the source IP and source port, and sends the packet to the router (MAC-R). [S:SE-NIP, D:IP-Ext]
3. The router uses Internet routing to forward the packet to Ext. [S:SE-NIP, D:IP-Ext]
4. Ext receives the packet sent by SX. [S:SE-NIP, D:IP-Ext]
5. Ext sends its reply to SE-NIP, which is routed back to the router. [S:IP-Ext, D:SE-NIP]
6. The router ARPs for SE-NIP and the active SE responds to the ARP. [S:IP-Ext, D:SE-NIP]
7. The SE looks up the NAT flow table and, based on the match, changes the destination IP:port to the real server IP:port. [S:IP-Ext, D:IP-SX]
8. The SE performs IP routing and sends the packet to MAC-SX. [S:IP-Ext, D:IP-SX]
The SE group owns a floating IP on the front end network, and the front end router uses it as the next hop toward the SE; the SE back end network itself is not routable on the front end.
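The following is a small model of the SE outbound NAT flow table as used in steps 2 and 7 above. It is an added illustration, not NSX Advanced Load Balancer code: a new inside-to-outside flow gets a flow-table entry and has its source IP:port rewritten to SE-NIP and an allocated port, the reply from Ext is matched in the same table and has its destination rewritten back to the real server IP:port, and a packet to SE-NIP with no entry is dropped. The addresses, the NAT port range, the ICMP handling (echo identifier in place of the source port) and the packets are constructed for the example.

```python
"""Toy model of the SE outbound NAT flow table (added example, not Avi code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for icmp, the echo identifier (an assumption of this model)
    dst: str
    dport: int   # for icmp, 0


class OutboundNat:
    def __init__(self, nat_ip: str, port_range=(1024, 65535)):
        self.nat_ip = nat_ip                        # SE-NIP
        self._next_port, self._last_port = port_range
        # forward table: (proto, src, sport, dst, dport) -> allocated NAT port
        self.fwd: dict = {}
        # reverse table: (proto, ext_ip, ext_port, nat_port) -> (src, sport)
        self.rev: dict = {}

    def _alloc_port(self) -> int:
        # Each flow gets a distinct port on SE-NIP; exhaustion is an error, not a reuse.
        if self._next_port > self._last_port:
            raise RuntimeError("NAT port pool on %s exhausted" % self.nat_ip)
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: create a NAT entry for a new flow and rewrite src IP/port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.fwd.get(key)
        if nat_port is None:
            nat_port = self._alloc_port()
            self.fwd[key] = nat_port
            self.rev[(pkt.proto, pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.nat_ip, sport=nat_port)

    def inbound(self, pkt: Packet):
        """Step 7: match the reply in the flow table and rewrite dst IP/port.

        Returns None when there is no matching entry: unsolicited traffic to
        SE-NIP is not forwarded into the server network.
        """
        if pkt.dst != self.nat_ip:
            return None
        hit = self.rev.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if hit is None:
            return None
        real_ip, real_port = hit
        return replace(pkt, dst=real_ip, dport=real_port)

    def flow_count(self) -> int:
        return len(self.fwd)


def demo() -> dict:
    """Walk one TCP flow and one ICMP echo through the table (constructed packets)."""
    nat = OutboundNat("10.100.0.26")   # the NAT IP used in the configuration steps below
    tcp_out = nat.outbound(Packet("tcp", "192.168.100.21", 40000, "10.100.0.78", 443))
    tcp_back = nat.inbound(Packet("tcp", "10.100.0.78", 443, "10.100.0.26", tcp_out.sport))
    icmp_out = nat.outbound(Packet("icmp", "192.168.100.21", 7, "10.100.0.78", 0))
    icmp_back = nat.inbound(Packet("icmp", "10.100.0.78", 0, "10.100.0.26", icmp_out.sport))
    stray = nat.inbound(Packet("tcp", "10.100.0.78", 443, "10.100.0.26", 60000))
    return {"tcp_out": tcp_out, "tcp_back": tcp_back, "icmp_back": icmp_back,
            "stray": stray, "flows": nat.flow_count()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reverse table is keyed on the external endpoint as well as the NAT port, so a reply is only accepted from the peer the flow was opened to; this is the property that makes the NAT IP safe to expose on the front end without also exposing the server network.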
NAT requires the following configurations at various points in the network:
On the NSX Advanced Load Balancer Controller, enable IP Routing in the Service Engine group (Legacy HA only) under the Advanced tab.
On the front end router, configure static routes to the back end server networks with the SE's floating IP in the front end network as the next hop.
On the back end, configure the SE's floating IP in the back end server network as the default gateway of the servers.
Configuring NAT Policy
You can configure a NAT policy as follows:
Step 1: Create the NAT policy. In this example, 10.100.0.78 is the destination IP that the server is trying to reach and 10.100.0.26 is the NAT IP, which is owned by the Service Engine. The NAT IP must be reachable from the front end router: configure a static route for it on the front end router with the SE's front end floating interface IP (10.100.0.2) as the next hop.
configure natpolicy nat-policy-default-group-global
  rules index 1
    enable
    name rule1
    match
      source_ip match_criteria is_in
        addrs 192.168.100.21
        ranges begin 192.168.100.2 end 192.168.100.10
          save
        prefixes 192.168.100.1/24
        save
      destination_ip match_criteria is_in
        addrs 10.100.0.78
        save
      services
        destination_port match_criteria is_in
          ports 80
          ports 443
          save
        source_port match_criteria is_not_in
          ports 800
          save
        save
      save
    action type nat_policy_action_type_dynamic_ip_port
      nat_info nat_ip 10.100.0.26
        save
      save
    save
  save
Assume that the Service Engine group is named Default-Group and that its SE interfaces are in the global VRF.
Step 2: Create a Network Service of type Routing Service that references the NAT policy.
configure networkservice nat-policy-default-group-global
  vrf_ref global
  se_group_ref Default-Group
  service_type routing_service
  routing_service
    enable_routing
    nat_policy_ref nat-policy-default-group-global
    save
  save
Step 3: Configure the Service Engine group in Legacy HA mode and enable routing with a floating interface IP, as mentioned above. For more information, see Default Gateway (IP Routing on NSX Advanced Load Balancer SE).
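Because a NAT rule whose NAT IP collides with an interface IP is silently ignored, and because the SE group and Routing Service settings above are easy to get wrong, it helps to check a configuration against the constraints on this page before pushing it. The following preflight check is an added example, not NSX Advanced Load Balancer code: it validates plain dicts whose keys mirror the CLI attribute names used in steps 1 to 3. The SE group keys ha_mode and dpdk, the se_interfaces list, the allowed_ips set (VIPs or floating IPs that may serve as NAT IP) and the other_nat_ips map are assumptions made for the example, and the SE interface addresses are constructed.

```python
"""Preflight check of an outbound NAT configuration (added example, not Avi code).

Checks: legacy HA, IP routing enabled, DPDK only, routing_service with
enable_routing set and routing_by_linux_ipstack False, IPv4 NAT IP that is
not an SE interface IP and not shared with another SE group in the VRF,
explicit port lists. Key names other than the CLI attributes are assumptions.
"""
import ipaddress


def check_outbound_nat(se_group, network_service, nat_policy, se_interfaces,
                       allowed_ips=(), other_nat_ips=None):
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    # Service Engine group: legacy HA, IP routing enabled, DPDK only
    if se_group.get("ha_mode") != "legacy_active_standby":
        problems.append("SE group must be in legacy HA (active/standby) mode")
    if not se_group.get("enable_routing"):
        problems.append("enable IP Routing on the SE group (Advanced tab)")
    if not se_group.get("dpdk"):
        problems.append("only DPDK-based SEs are supported for NAT")
    # Network Service: routing service with routing on, NAT done in the SE IP stack
    if network_service.get("service_type") != "routing_service":
        problems.append("network service must have service_type routing_service")
    rs = network_service.get("routing_service", {})
    if not rs.get("enable_routing"):
        problems.append("routing_service must have enable_routing set")
    if rs.get("routing_by_linux_ipstack", False):
        problems.append("routing_by_linux_ipstack must be False; NAT runs in the SE IP stack")
    if rs.get("nat_policy_ref") != nat_policy["name"]:
        problems.append("nat_policy_ref does not reference %s" % nat_policy["name"])
    vrf = network_service.get("vrf_ref")
    ifaces = [ipaddress.ip_interface(i["ip"]) for i in se_interfaces if i["vrf"] == vrf]
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    taken = other_nat_ips or {}   # (vrf, nat_ip) -> SE group already using that NAT IP
    for rule in nat_policy["rules"]:
        for info in rule["action"]["nat_info"]:
            nat_ip = ipaddress.ip_address(info["nat_ip"])
            tag = "rule %s NAT IP %s" % (rule["name"], nat_ip)
            if nat_ip.version != 4:
                problems.append(tag + ": IPv6 is not supported")
                continue
            if any(nat_ip == i.ip for i in ifaces):
                problems.append(tag + ": equals an SE interface IP in VRF %s, the rule would be ignored" % vrf)
            elif nat_ip not in allowed and not any(nat_ip in i.network for i in ifaces):
                problems.append(tag + ": not a VIP, a floating IP, or in the subnet of an SE interface in VRF %s" % vrf)
            owner = taken.get((vrf, str(nat_ip)))
            if owner and owner != network_service.get("se_group_ref"):
                problems.append(tag + ": already used by SE group %s in VRF %s" % (owner, vrf))
        services = rule["match"].get("services", {})
        for name in ("source_port", "destination_port"):
            crit = services.get(name)
            if crit and ("ranges" in crit or not all(1 <= p <= 65535 for p in crit.get("ports", []))):
                problems.append("rule %s: %s needs explicit ports 1-65535; port ranges are not supported" % (rule["name"], name))
    return problems


# The configuration from steps 1 to 3 as dicts. The SE group flags and the SE
# interface addresses are constructed; 10.100.0.2 is the front end floating IP.
SE_GROUP = {"name": "Default-Group", "ha_mode": "legacy_active_standby",
            "enable_routing": True, "dpdk": True}
NAT_POLICY = {"name": "nat-policy-default-group-global", "rules": [
    {"index": 1, "name": "rule1",
     "match": {"services": {"destination_port": {"match_criteria": "is_in", "ports": [80, 443]},
                            "source_port": {"match_criteria": "is_not_in", "ports": [800]}}},
     "action": {"type": "nat_policy_action_type_dynamic_ip_port",
                "nat_info": [{"nat_ip": "10.100.0.26"}]}}]}
NETWORK_SERVICE = {"name": "nat-policy-default-group-global", "vrf_ref": "global",
                   "se_group_ref": "Default-Group", "service_type": "routing_service",
                   "routing_service": {"enable_routing": True, "routing_by_linux_ipstack": False,
                                       "nat_policy_ref": "nat-policy-default-group-global"}}
SE_INTERFACES = [{"vrf": "global", "ip": "10.100.0.3/24"},     # front end arm (constructed)
                 {"vrf": "global", "ip": "192.168.100.3/24"}]  # back end arm (constructed)

if __name__ == "__main__":
    print(check_outbound_nat(SE_GROUP, NETWORK_SERVICE, NAT_POLICY, SE_INTERFACES,
                             allowed_ips=["10.100.0.2"]) or "configuration passes")
```

Run it once with the intended values and again after changing the NAT IP to an interface address or flipping routing_by_linux_ipstack; each change produces exactly one finding, which is easier to act on than an SE that quietly drops the rule.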
Outbound NAT Use Case
The following CLI commands are available to get information about NAT flows and statistics:
NAT flows: show the NAT flow information.
NAT policy stats: show the NAT policy statistics.
NAT stats: show the NAT statistics.
For example, to display the NAT information of a Service Engine:
[admin:localhost.localdomain]: > show serviceengine Active_Standby-se-xyjud nat
The following match criteria options are supported:
Match source IP address
Match source IP address range
Match source IP address group
Match source IP prefix
Match source port(s). Port range is not supported.
Match destination IP address
Match destination IP address range
Match destination IP address group
Match destination IP prefix
Match destination port(s)
For every option, an "is not" variant (is_not_in in the CLI) is available. It excludes packets that have the given parameter values from matching the rule.
If two or more values of the same parameter are used as match criteria, they are combined with OR.
match source_ip match_criteria is_in addrs 192.168.100.21 ranges begin 192.168.100.2 end 192.168.100.10
This matches if the source IP is 192.168.100.21 or if the source IP falls in the range 192.168.100.2 - 192.168.100.10.
If two different parameters are used in the match criteria, they are combined with AND.
match source_ip match_criteria is_in addrs 192.168.100.21 ranges begin 192.168.100.2 end 192.168.100.10 destination_port match_criteria is_in ports 80
This matches if the source IP is 192.168.100.21 or falls in the range 192.168.100.2 - 192.168.100.10, and the destination port is 80.
If there are multiple rules configured, the rules are evaluated in the ascending order as indexed. The evaluation stops on the first match. No subsequent rules are checked if a packet already matches a rule.
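The OR-within-a-parameter, AND-across-parameters, is_not_in and first-match semantics above are easy to misread when a policy has several rules, so the following evaluator reproduces them over constructed packets. It is an added example, not NSX Advanced Load Balancer code; the rule dicts mirror the CLI keys from step 1, rule1 is the rule configured there, and rule2 (a catch-all for the 192.168.100.0/24 back end network) and the packets are constructed.

```python
"""Evaluator for NAT policy match semantics (added example, not Avi code)."""
import ipaddress


def _ip_match(crit: dict, ip: str) -> bool:
    """OR across addrs, ranges and prefixes of one IP parameter; is_not_in inverts."""
    addr = ipaddress.ip_address(ip)
    hit = any(addr == ipaddress.ip_address(a) for a in crit.get("addrs", []))
    hit = hit or any(ipaddress.ip_address(r["begin"]) <= addr <= ipaddress.ip_address(r["end"])
                     for r in crit.get("ranges", []))
    hit = hit or any(addr in ipaddress.ip_network(p, strict=False) for p in crit.get("prefixes", []))
    return hit if crit["match_criteria"] == "is_in" else not hit


def _port_match(crit: dict, port: int) -> bool:
    """Ports are an explicit list (no ranges); is_not_in excludes them."""
    hit = port in crit.get("ports", [])
    return hit if crit["match_criteria"] == "is_in" else not hit


def rule_matches(match: dict, pkt: dict) -> bool:
    """AND across every parameter the rule specifies; absent parameters match anything."""
    checks = []
    if "source_ip" in match:
        checks.append(_ip_match(match["source_ip"], pkt["src"]))
    if "destination_ip" in match:
        checks.append(_ip_match(match["destination_ip"], pkt["dst"]))
    services = match.get("services", {})
    if "source_port" in services:
        checks.append(_port_match(services["source_port"], pkt["sport"]))
    if "destination_port" in services:
        checks.append(_port_match(services["destination_port"], pkt["dport"]))
    return all(checks)


def evaluate(policy: dict, pkt: dict):
    """Return the name of the first enabled rule that matches, in ascending index order, else None."""
    for rule in sorted(policy["rules"], key=lambda r: r["index"]):
        if rule.get("enable", True) and rule_matches(rule["match"], pkt):
            return rule["name"]
    return None


# rule1 is the rule configured in step 1 above; rule2 is a constructed catch-all.
NAT_POLICY = {"name": "nat-policy-default-group-global", "rules": [
    {"index": 1, "name": "rule1", "enable": True,
     "match": {"source_ip": {"match_criteria": "is_in", "addrs": ["192.168.100.21"],
                             "ranges": [{"begin": "192.168.100.2", "end": "192.168.100.10"}],
                             "prefixes": ["192.168.100.1/24"]},
               "destination_ip": {"match_criteria": "is_in", "addrs": ["10.100.0.78"]},
               "services": {"destination_port": {"match_criteria": "is_in", "ports": [80, 443]},
                            "source_port": {"match_criteria": "is_not_in", "ports": [800]}}},
     "action": {"type": "nat_policy_action_type_dynamic_ip_port", "nat_info": [{"nat_ip": "10.100.0.26"}]}},
    {"index": 2, "name": "rule2", "enable": True,
     "match": {"source_ip": {"match_criteria": "is_in", "prefixes": ["192.168.100.0/24"]}},
     "action": {"type": "nat_policy_action_type_dynamic_ip_port", "nat_info": [{"nat_ip": "10.100.0.27"}]}},
]}

if __name__ == "__main__":
    samples = [  # constructed packets: web traffic, excluded source port, non-web port, foreign source
        {"src": "192.168.100.21", "sport": 50000, "dst": "10.100.0.78", "dport": 443},
        {"src": "192.168.100.21", "sport": 800, "dst": "10.100.0.78", "dport": 443},
        {"src": "192.168.100.21", "sport": 50000, "dst": "10.100.0.78", "dport": 22},
        {"src": "10.0.0.5", "sport": 50000, "dst": "10.100.0.78", "dport": 443},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(NAT_POLICY, pkt))
```

Note that the 192.168.100.1/24 prefix in rule1 already covers the explicit address and the range, so those two entries add nothing; a source port of 800 is the only way for a packet from that network to 10.100.0.78:443 to fall through to rule2, and it is rule ordering, not rule specificity, that decides which NAT IP such a packet is translated to.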
The following NAT action options are supported:
NAT IP: can be an NSX Advanced Load Balancer VIP, a floating interface IP, or an IP address in the subnet of an SE interface. The NAT IP cannot be an SE interface IP.
NAT IP range: a range of NAT IP addresses.