NAT rules

NAT (Network Address Translation) is a technology that translates private IPv4 addresses to external (public) IPv4 addresses so that a virtual machine can access the Internet. NAT also improves security: because private addresses are translated to public addresses from the router's pool, the internal network topology is hidden from external users, which makes unauthorized access to network resources more difficult.

To access the Internet you need a public ("white") IP address that "masks" one or more private IP addresses. The NAT mechanism replaces private ("gray") addresses with public ones and vice versa. This allows the entire private network to connect to the Internet through a single public IP address (or a pool of addresses) provided by the ISP.

A private network uses three blocks of private (gray) IP addresses that are not routed on the Internet:

  • 10.0.0.0/8: 10.0.0.0 to 10.255.255.255 (16,777,216 hosts);
  • 172.16.0.0/12: 172.16.0.0 to 172.31.255.255 (1,048,576 hosts);
  • 192.168.0.0/16: 192.168.0.0 to 192.168.255.255 (65,536 hosts).

Types of NAT rules

You can configure two types of NAT rules:

  • SNAT rules — for virtual machines to access the Internet;
  • DNAT rules — to access virtual machines from the Internet (for example, via SSH or RDP, or to reach a web page). The DNAT mechanism changes the destination address and port of the packet; it is used to redirect incoming packets from an external address/port to a private IP address/port inside the private network.
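The two rule types above are easiest to see side by side in a small model of an Edge router: outbound packets from a gray address get their source rewritten to the public address (SNAT), a connection-tracking table lets the reply find its way back, and inbound packets to a published external port get their destination rewritten to a VM (DNAT). Anything else arriving at the public address is dropped, which is what hides the internal topology. This is an added illustration, not the page's or Cloud Director's code; the addresses and ports are constructed sample values (203.0.113.x and 198.51.100.x stand in for public hosts).

```python
"""Toy model of SNAT/DNAT rewriting on an Edge router.
Added example; addresses and ports are constructed, not taken from a real deployment."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# The three private (gray) blocks listed on the page (RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Edge router with a single public (white) address.

    outbound(): SNAT, private source -> public address + allocated port.
    inbound():  reverse SNAT for tracked replies, otherwise DNAT for
                published services; no match means the packet is dropped.
    """

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # external port -> (internal ip, internal port)
        self.dnat_rules: Dict[int, Tuple[str, int]] = {}
        # allocated public port -> (original private ip, original port)
        self._conntrack: Dict[int, Tuple[str, int]] = {}
        self._next_port = 40000  # start of the SNAT port pool

    def add_dnat(self, external_port: int, internal_ip: str, internal_port: int) -> None:
        self.dnat_rules[external_port] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        """SNAT: only gray sources are translated; the mapping is remembered."""
        if not is_private(pkt.src_ip):
            return pkt
        port = self._next_port
        self._next_port += 1
        self._conntrack[port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse SNAT for replies, DNAT for published ports, else drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self._conntrack:
            ip, port = self._conntrack[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        if pkt.dst_port in self.dnat_rules:
            ip, port = self.dnat_rules[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None


def demo():
    """Walk one SNAT flow and one DNAT rule; returns the four resulting packets."""
    gw = NatGateway("203.0.113.10")               # constructed public address
    gw.add_dnat(5222, "10.10.1.12", 22)           # external 5222 -> VM SSH

    out = gw.outbound(Packet("10.10.1.12", 51000, "198.51.100.7", 443))
    reply = gw.inbound(Packet("198.51.100.7", 443, out.src_ip, out.src_port))
    ssh = gw.inbound(Packet("198.51.100.9", 60000, "203.0.113.10", 5222))
    dropped = gw.inbound(Packet("198.51.100.9", 60001, "203.0.113.10", 22))
    return out, reply, ssh, dropped


if __name__ == "__main__":
    for label, pkt in zip(("SNAT out", "reply back", "DNAT in", "no rule"), demo()):
        print(f"{label:>10}: {pkt}")
```

The external host only ever sees 203.0.113.10 and a port; the VM's address 10.10.1.12 appears only on the inside of the router, and the connection to port 22 is dropped because no rule publishes it.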

Configure SNAT rules

  1. View virtual-data-center external IP address.

  2. Configure and enable Firewall.

  3. From Control Panel, open the Cloud Director panel: Cloud powered by VMware, then Cloud Director.

  4. Open the Networking tab and go to Edge Gateways.

  5. Open the desired Edge.

  6. Press Services.

  7. Open the NAT tab.

  8. In the NAT44 Rules block, press + SNAT Rule.

  9. In the Applied on field, select the external network.

  10. In the Original source IP/range field, specify:

    • the IP address of a specific VM (for example, 10.10.1.12) to give that VM Internet access;
    • a subnet (for example, 10.10.1.0/24) to give all VMs on that network Internet access.

  11. In the Translated source IP/range field, specify the external address assigned to your Edge router: enter it manually or click SELECT and choose it from the list for the external network.

  12. In the Destination IP Address field, select any or leave blank (the default is any).

  13. In the Port field specify any or leave blank (the default is any).

  14. Optional: in the Description field, add a description of the rule.

  15. Optional: to activate the rule immediately after creation, enable the Enabled toggle switch.

  16. Optional: to enable logging for a rule (to log address translation), enable the Enabled logging toggle switch.

  17. Press Keep.

  18. Click Save changes.

Configure DNAT rules

  1. View virtual-data-center external IP address.
  2. Configure and enable Firewall.
  3. From Control Panel, open the Cloud Director panel: Cloud powered by VMware, then Cloud Director.
  4. Open the Networking tab and go to Edge Gateways.
  5. Open the page of the desired Edge.
  6. Press Services.
  7. Open the NAT tab.
  8. In the NAT44 Rules block, press + DNAT Rule.
  9. In the Applied on field, select the external network.
  10. In the Original IP/range field, specify the external address assigned to your Edge router: enter it manually or click SELECT and choose it from the list for the external network.
  11. In the Translated IP/range field, specify an address from the local range (for example, if you use the 10.10.1.0/24 subnet, you can specify 10.10.1.12).
  12. In the Translated Port field, specify the port on the internal network to which traffic is translated. For SSH and RDP, it is better to use a port other than the default (for example, 5222).
  13. Leave the Source IP Address and Port fields blank.
  14. Optional: in the Description field, add a description of the rule.
  15. Optional: to activate the rule immediately after creation, enable the Enabled toggle switch.
  16. Optional: to enable logging for a rule (to log address translation), enable the Enabled logging toggle switch.
  17. Press Keep.
  18. Click Save changes.
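Once a few SNAT and DNAT rules exist, it is worth checking them against the guidance in the two procedures above: a DNAT target should be an address inside the local range, SSH and RDP should not be published on their default ports, and logging should be enabled so translations show up in the Edge logs. The script below applies those checks to a constructed list of rules whose fields mirror the form fields in the UI. It is an added example, not the page's or Cloud Director's code, and the rule list, subnet 10.10.1.0/24 (the page's example) and public address 203.0.113.10 are constructed values.

```python
"""Consistency checks over exported NAT rules.
Added example; the rule records below are constructed, not read from Cloud Director."""
import ipaddress
from typing import Dict, List, Tuple

LOCAL_SUBNET = ipaddress.ip_network("10.10.1.0/24")   # the page's example local range
DEFAULT_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}        # ports the page says to avoid

# Constructed rules; field names follow the UI form fields in the procedures.
RULES: List[Dict] = [
    {"type": "DNAT", "name": "ssh-vm12", "original_ip": "203.0.113.10",
     "translated_ip": "10.10.1.12", "translated_port": 5222,
     "enabled": True, "logging": True},
    {"type": "DNAT", "name": "rdp-vm20", "original_ip": "203.0.113.10",
     "translated_ip": "10.10.1.20", "translated_port": 3389,
     "enabled": True, "logging": False},
    {"type": "DNAT", "name": "web-old", "original_ip": "203.0.113.10",
     "translated_ip": "10.10.2.5", "translated_port": 80,
     "enabled": False, "logging": True},
    {"type": "SNAT", "name": "lan-out", "original_ip": "10.10.1.0/24",
     "translated_ip": "203.0.113.10",
     "enabled": True, "logging": True},
]


def audit(rules: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for every rule that deviates from the guidance."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        name = r["name"]
        if r["type"] == "DNAT":
            port = r["translated_port"]
            if port in DEFAULT_ADMIN_PORTS:
                findings.append((name, f"translates to the default {DEFAULT_ADMIN_PORTS[port]} "
                                       f"port {port}; prefer a non-default port such as 5222"))
            if ipaddress.ip_address(r["translated_ip"]) not in LOCAL_SUBNET:
                findings.append((name, f"translated address {r['translated_ip']} is outside "
                                       f"the local range {LOCAL_SUBNET}"))
        else:  # SNAT: source must be local, translated address must be the external one
            source = ipaddress.ip_network(r["original_ip"], strict=False)
            if not source.subnet_of(LOCAL_SUBNET):
                findings.append((name, f"original source {source} is not inside {LOCAL_SUBNET}"))
            if ipaddress.ip_address(r["translated_ip"]) in LOCAL_SUBNET:
                findings.append((name, "translated source is a local address, not the external one"))
        if not r["logging"]:
            findings.append((name, "logging is disabled, so translations will not appear in the Edge logs"))
        if not r["enabled"]:
            findings.append((name, "rule is disabled; remove it if it is no longer needed"))
    return findings


if __name__ == "__main__":
    for rule_name, message in audit(RULES):
        print(f"[{rule_name}] {message}")
```

On the sample list this reports two findings for rdp-vm20 (default RDP port, logging off) and two for web-old (target outside the local range, rule disabled), and nothing for the rules that follow the procedures as written.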