Network address translation (NAT) in NSX-T Data Center can be configured on tier-0 and tier-1 logical routers.

For example, the following diagram shows two tier-1 logical routers with NAT configured on Tenant2NAT. The web VM is simply configured to use 172.16.10.10 as its IP address and 172.16.10.1 as its default gateway.

NAT is enforced at the uplink of the Tenant2NAT logical router on its connection to the tier-0 logical router.

To enable NAT configuration, Tenant2NAT must have a service component on an NSX Edge cluster. Thus, Tenant2NAT is shown inside the NSX Edge. For comparison, Tenant1 can be outside of the NSX Edge because it is not using any Edge services.

Figure 1. NAT Topology

Note: In the following scenario, NAT hairpinning is not supported. The tier-0 logical router has DNAT and SNAT configured. Tier-1 Logical Router 2 has NO_SNAT and SNAT configured. VM2 will not be able to access VM1 using VM1's external address 80.80.80.10.

The following sections describe how to create NAT rules using the manager UI. You can alco make an API call (POST /api/v1/logical-routers/<logical-router-id>/nat/rules?action=create_multiple) to create multiple NAT rules at the same time. For more information, see the NSX-T Data Center API Guide.