NSX Cloud supports enabling NAT on NSX-managed VMs.

About this task

You can enable North-South traffic on VMs in overlay mode using AWS tags.


On the NSX-managed VM for which you want to enable NAT, apply the following AWS tag:




<EIP from, AWS>, for example,

Make sure the EIP you provide here is free to use. If you assign an EIP that was previously associated with any other instance or private IP, NAT does not work. In that case, unassign the EIP, remove the nsx:publicip tag on the VM or interface, and add it again.


After this tag is applied, the following configurations take place behind the scenes:

  1. A secondary IP is allocated on the uplink interface of CGW. This IP is associated with the EIP specified in the tag’s value.

  2. One SNAT rule and one DNAT rule is created in NSX Manager mapping the overlay private IP of this VM with the secondary IP and vice versa. For example:

    • SNAT: ->

    • DNAT: ->

  3. Two levels of NAT takes place.

    For SNAT:

    • From VM’s overlay IP to CGW’s secondary IP

    • From CGW’s secondary IP to EIP in AWS

    For DNAT:

    • From EIP to CGW’s secondary IP in AWS

    • From AWS secondary IP to the VM’s overlay IP in CGW