Configure NAT rules on the Edge Gateway
NAT (Network Address Translation) rewrites the private IPv4 addresses of virtual machines into public ones (and back), which is what lets a VM on a private network reach the internet. Because external hosts only ever see a public address from the router's pool, NAT hides the internal addressing and topology and makes unsolicited inbound connections to internal hosts harder. Treat this as a side effect rather than an access control: a DNAT rule deliberately opens a path to an internal host, and who is allowed to use that path must be decided by the Edge Gateway firewall and the rule's source restrictions, not by the translation itself.
To access the internet, you need a public IP that will "mask" one or more private IP addresses. The NAT mechanism replaces private addresses with public ones and vice versa. As a result, the entire private network can connect to the internet through a single public IP address (or a pool of addresses) provided by the ISP.
A private network uses addresses from the three blocks reserved for private use (RFC 1918), which are not routed on the internet:
- 10.0.0.0/8 (10.0.0.0–10.255.255.255, 16,777,216 addresses);
- 172.16.0.0/12 (172.16.0.0–172.31.255.255, 1,048,576 addresses);
- 192.168.0.0/16 (192.168.0.0–192.168.255.255, 65,536 addresses).
NAT rule types
You can configure two types of NAT rules:
- SNAT rules — rewrite the source address of outbound packets, so that virtual machines can reach the internet through the public IP of the Edge Gateway;
- DNAT rules — rewrite the destination address and port of inbound packets, so that a service running on a virtual machine (SSH, RDP, a web server) can be reached from the internet. Packets arriving at an external address/port on the Edge Gateway are redirected to a private IP address/port inside the network.
Configure SNAT rules
- From the Control Panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → Cloud Director section.
- Open the Networking → Edge Gateways tab.
- Open the required Edge.
- Click Services.
- Open the NAT tab.
- In the NAT44 Rules block, click + SNAT Rule.
- In the Applied on field, select an external network.
- In the Original source IP/range field, specify:
  - to provide internet access for a specific VM, the IP address of that VM (for example, 10.10.1.12);
  - to provide access for all VMs in the network, the subnet (for example, 10.10.1.0/24).
- In the Translated source IP/range field, select the external address assigned to your Edge Gateway, either manually or by clicking SELECT and choosing one from the list for the external network.
- In the Destination IP Address field, select any or leave it empty (it is set to any by default).
- In the Port field, specify any or leave it empty (it is set to any by default).
- Optional: in the Description field, add a description for the rule.
- Optional: to activate the rule immediately after creation, enable the Enabled toggle switch.
- Optional: to enable logging for the rule, enable the Enabled logging toggle switch. Each translation is then recorded, which is what lets you later attribute an outbound connection seen from the shared public IP back to the VM that made it.
- Click Keep.
- Click Save changes.
Configure DNAT rules
Before you configure a DNAT rule:
- Check the external IP address of the virtual data center.
- Configure and enable the Firewall. A DNAT rule only translates the destination; it does not restrict who may connect. The firewall is what limits which sources can reach the published port.
To configure the rule:
- From the Control Panel, open the Cloud Director panel: in the top menu, click Products → VMware-based cloud → Cloud Director section.
- Open the Networking → Edge Gateways tab.
- Open the page of the required Edge.
- Click Services.
- Open the NAT tab.
- In the NAT44 Rules block, click + DNAT Rule.
- In the Applied on field, select an external network.
- In the Original IP/range field, specify the external address assigned to your Edge Gateway (enter it manually or click SELECT and choose it from the list for the external network). This is the address that clients on the internet will connect to.
- In the Translated IP/range field, specify the address of the VM in the local network (for example, 10.10.1.12 if the VMs use the subnet 10.10.1.0/24).
- In the Translated Port field, specify the port on which the service actually listens on the VM (22 for SSH, 3389 for RDP). To publish SSH or RDP on a non-standard external port (for example, 5222), set that value as the rule's original (external-facing) port, not as the translated port: the translated port must match what the VM listens on. A non-standard external port only reduces noise from automated scanners; it is not a substitute for firewall restrictions.
- The Source IP Address and Port fields may be left empty, in which case the rule accepts connections from any source. For administrative protocols such as SSH and RDP, restrict Source IP Address to the addresses or ranges you administer from whenever they are known and static.
- Optional: in the Description field, add a description for the rule.
- Optional: to activate the rule immediately after creation, enable the Enabled toggle switch.
- Optional: to enable logging for the rule (to record each address translation), enable the Enabled logging toggle switch.
- Click Keep.
- Click Save changes.
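To make the effect of the two rule types concrete, the following Python model replays the SNAT and DNAT rules configured in the two procedures above against sample packets. It is an added example, not code from this documentation or from VMware Cloud Director, and it does not talk to an Edge Gateway. The VM address 10.10.1.12 and subnet 10.10.1.0/24 are the ones used in the procedures; 203.0.113.10 (standing in for the public IP assigned to the Edge Gateway), 198.51.100.0/24 (an assumed administrator network) and the scanner address 192.0.2.99 are constructed from documentation ranges. The model also carries the RFC 1918 check for the three private blocks listed at the top of the page.

```python
"""Model of Edge Gateway NAT44 rules: what an SNAT and a DNAT rule do to a packet.

Added illustrative example; not a Cloud Director or NSX API client.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed values for the example. 10.10.1.0/24 and 10.10.1.12 are the VM
# network and VM from the procedures; 203.0.113.10 (RFC 5737 documentation
# range) stands in for the public IP assigned to the Edge Gateway, and
# 198.51.100.0/24 is an assumed administrator network.
EDGE_PUBLIC_IP = "203.0.113.10"
VM_NETWORK = "10.10.1.0/24"
VM_IP = "10.10.1.12"
ADMIN_NETWORK = "198.51.100.0/24"

# The three private blocks (RFC 1918) that are never routed on the internet.
PRIVATE_BLOCKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 blocks and therefore needs NAT."""
    a = ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class SnatRule:
    """Original source IP/range -> Translated source IP (the Edge public IP)."""
    original_source: str
    translated_source: str

    def apply(self, pkt: Packet) -> Optional[Packet]:
        # strict=False lets a single host address act as a /32 "range".
        if ip_address(pkt.src_ip) in ip_network(self.original_source, strict=False):
            return replace(pkt, src_ip=self.translated_source)
        return None


@dataclass(frozen=True)
class DnatRule:
    """Original IP:port on the Edge -> Translated IP:port on the VM."""
    original_ip: str
    original_port: int
    translated_ip: str
    translated_port: int
    source_ip: Optional[str] = None  # None models an empty Source IP Address field (any)

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.original_ip or pkt.dst_port != self.original_port:
            return None
        if self.source_ip is not None:
            if ip_address(pkt.src_ip) not in ip_network(self.source_ip, strict=False):
                return None  # source restriction set and not matched: not translated
        return replace(pkt, dst_ip=self.translated_ip, dst_port=self.translated_port)


def translate_outbound(pkt: Packet, rules: List[SnatRule]) -> Optional[Packet]:
    """Apply the first matching SNAT rule; None means the VM cannot reach the internet."""
    for rule in rules:
        out = rule.apply(pkt)
        if out is not None:
            return out
    return None


def translate_inbound(pkt: Packet, rules: List[DnatRule]) -> Optional[Packet]:
    """Apply the first matching DNAT rule; None means nothing is published for this packet."""
    for rule in rules:
        out = rule.apply(pkt)
        if out is not None:
            return out
    return None


# SNAT rule from the procedure: the whole VM subnet leaves as the Edge public IP.
SNAT_RULES = [SnatRule(VM_NETWORK, EDGE_PUBLIC_IP)]

# DNAT rule publishing SSH on the VM through the non-standard external port 5222,
# first with an empty Source IP Address (any source), then restricted to admins.
DNAT_ANY_SOURCE = DnatRule(EDGE_PUBLIC_IP, 5222, VM_IP, 22)
DNAT_ADMIN_ONLY = DnatRule(EDGE_PUBLIC_IP, 5222, VM_IP, 22, source_ip=ADMIN_NETWORK)


if __name__ == "__main__":
    web = Packet(VM_IP, 40000, "192.0.2.10", 443)  # constructed internet host
    print("outbound:", translate_outbound(web, SNAT_RULES))
    scan = Packet("192.0.2.99", 50000, EDGE_PUBLIC_IP, 5222)  # constructed scanner
    print("scanner, any source:", translate_inbound(scan, [DNAT_ANY_SOURCE]))
    print("scanner, admin only:", translate_inbound(scan, [DNAT_ADMIN_ONLY]))
```

Run it with `python3 nat_rules.py`. The first line shows the VM leaving as 203.0.113.10 with its source port kept; the second shows that with an empty Source IP Address the scanner's connection to port 5222 is translated to 10.10.1.12:22 like anyone else's; the third shows the same packet not translated once the source is restricted. On a real Edge Gateway that last decision is made by the firewall and the rule's Source IP Address field, which is why the DNAT procedure starts with enabling the firewall.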