NAT rules
NAT (Network Address Translation) is a technology that translates private IP addresses to external IP addresses in IPv4, which allows a virtual machine to access the Internet. NAT translations increase security: translating private IP addresses to public ones from the router pool hides the internal network topology from external users and makes it difficult for unauthorized access to network resources.
To access the Internet, you need a white IP, which will "mask" one or more private IP addresses. The NAT mechanism swaps gray addresses for white addresses and vice versa. This allows the entire private network to connect to the Internet through a single public IP address (or pool of addresses) provided by the ISP.
A private network uses three blocks of private (gray) IP addresses that are not used on the Internet:
10.0.0.0—10.255.255.255/8(16,777,216 hosts);172.16.0.0—172.31.255.255/12(1,048,576 hosts);192.168.0.0—192.168.255.255/16(65,536 hosts).
Types of NAT rules
You can configure two types of NAT rules:
- SNAT rules — for virtual machines to access the Internet;
- DNAT rules — to access virtual machines from the Internet via SSH, RDP, or to access a web page. The DNAT mechanism changes the destination address and port of a packet. It is used to redirect incoming packets from an external address/port to a private IP address/port within a private network.
Customize SNAT rules
-
From control panels open the Cloud Director panel: VMware-based cloud → Cloud Director.
-
Open the tab Networking → Edge Gateways.
-
Open the desired Edge.
-
Click Services.
-
Open the tab NAT.
-
In the block NAT44 Rules click + SNAT Rule.
-
In the field Applied on select an external network.
-
In the field Original source IP/range specify:
- To access the Internet for a specific VM, specify the IP address of the VM (for example,
10.10.1.12); - For access to all VMs on the network, specify the subnet (for example,
10.10.1.0/24).
- To access the Internet for a specific VM, specify the IP address of the VM (for example,
-
In the field Translated source IP/range Select the external address assigned to your Edge router — either manually or by pressing SELECT and select from the list for the external network.
-
In the field Destination IP Address select any or leave blank (the default is set to any).
-
In the field Port specify any or leave blank (the default is set to any).
-
Optional: in the field Description add a description of the rule.
-
Optional: to activate the rule immediately after creation, turn on the toggle switch Enabled.
-
Optional: to enable logging for a rule (to log address translation), turn on the toggle switch Enabled logging.
-
Click Keep.
-
Click Save changes.
Configure DNAT rules
- View the external IP address of the virtual data center.
- Configure and enable the Firewall.
- From control panels open the Cloud Director panel: VMware-based cloud → Cloud Director.
- Open the tab Networking → Edge Gateways.
- Open the page of the desired Edge.
- Click Services.
- Open the tab NAT.
- In the block NAT44 Rules click + DNAT Rule.
- In the field Applied on select an external network.
- In the field Original IP/range Specify the external address assigned to your Edge router (select manually or press SELECT and select from the list for the external network).
- In the field Translated IP/range specify an address from the local range, (for example, when using the 10.10.1.0/24 subnet, you can specify 10.10.1.12).
- In the field Translated Port specify the port on the internal network to which NAT will be performed. For SSH and RDP, it is better to use a port other than the default port (for example, 5222).
- Fields Source IP Address и Port leave them blank.
- Optional: in the field Description add a description of the rule.
- Optional: to activate the rule immediately after creation, turn on the toggle switch Enabled.
- Optional: to enable logging for a rule (to log address translation), turn on the toggle switch Enabled logging.
- Click Keep.
- Click Save changes.