The NSX software in your vCloud Director environment enables the edge gateways to provide a network address translation (NAT) service. Using this capability reduces the number of public IP addresses that an organization must use, for economy and security purposes.
The edge gateway NAT service provides the ability to assign a public address to a virtual machine or group of virtual machines in a private network. To enable your edge gateways to provide access to services running on privately addressed virtual machines in your organization virtual data center, you must configure NAT rules on the edge gateways. In the most common case, you associate a NAT service with an uplink interface on an edge gateway in your vCloud Director environment so that addresses on organization virtual data center networks are not exposed on the external network.
The NAT service configuration is separated into source NAT (SNAT) and destination NAT (DNAT) rules. When you configure a SNAT or a DNAT rule on an edge gateway in the vCloud Director environment, you always configure the rule from the perspective of your organization virtual data center. Specifically, that means you configure the rules in the following ways:
SNAT: the traffic is traveling from a virtual machine on an internal network in your organization virtual data center (the source) through the Internet to the external network (the destination). A SNAT rule translates the source IP address of the outgoing packets of an organization virtual data center network that are being sent to an external network or to another organization virtual data center network.
DNAT: the traffic is traveling from the Internet (the source) to a virtual machine inside your organization virtual data center (the destination). A DNAT rule translates the IP address, and optionally the port, of packets received by an organization virtual data center network that are coming from an external network or from another organization virtual data center network.
You can configure NAT rules to create a private IP address space inside your organization virtual data center. This configuration provides the ability to port a private IP address space from one organization virtual data center to another. Configuring NAT rules allows you to use the same private IP addresses for your virtual machines in one organization virtual data center that were used in another.
The NAT rule capability in your vCloud Director environment supports:
Creating subnets within the private IP address space
Creating multiple private IP address spaces for an edge gateway
Configuring multiple NAT rules on multiple edge gateway interfaces
You must configure both firewall and NAT rules on an edge gateway for the virtual machines on an edge gateway network to be accessible. By default, edge gateways are deployed with firewall rules configured to deny all network traffic to and from the virtual machines on the edge gateway networks. Also, NAT is disabled by default on the edge gateways so that edge gateways are unable to translate the IP addresses of the incoming and outgoing traffic unless you configure NAT on the edge gateways. Attempting to ping a virtual machine on a network after configuring a NAT rule will fail unless you add a firewall rule to allow the corresponding traffic.