Management Plane API > Networking > Logical Routing And Services > NAT
Name | Description | Type | Notes |
---|---|---|---|
_create_time | Timestamp of resource creation | EpochMsTimestamp | Readonly Sortable |
_create_user | ID of the user who created this resource | string | Readonly |
_last_modified_time | Timestamp of last modification | EpochMsTimestamp | Readonly Sortable |
_last_modified_user | ID of the user who last modified this resource | string | Readonly |
_links | References related to this resource. The server will populate this field when returning the resource. Ignored on PUT and POST. | array of ResourceLink | Readonly |
_protection | Indicates protection status of this resource. Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it. REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity. | string | Readonly |
_revision | Generation of this resource config. The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. | int | |
_schema | Schema for this resource | string | Readonly |
_self | Link to this resource | SelfResourceLink | Readonly |
_system_owned | Indicates system owned resource | boolean | Readonly |
action | NAT rule action type. Valid actions: SNAT, DNAT, NO_SNAT, NO_DNAT, REFLEXIVE, NAT64. All rules in a logical router are either stateless or stateful; a mix is not supported. SNAT and DNAT are stateful and are not supported when the logical router is running in active-active HA mode; REFLEXIVE is stateless. NO_SNAT and NO_DNAT have no translated_fields; only match fields are supported. | NatActions | Required |
applied_tos | List of LogicalRouterPort resources the rule is applied to. Holds the list of LogicalRouterPort IDs that a NAT rule can be applied to. The LogicalRouterPort used must belong to the same LogicalRouter for which the NAT rule is created. As of now a NAT rule can only have a single LogicalRouterPort as applied_tos. When applied_tos is not set, the NAT rule is applied to all LogicalRouterPorts belonging to the LogicalRouter. | array of ResourceReference | Maximum items: 1 |
description | Description of this resource | string | Maximum length: 1024 Sortable |
display_name | Identifier to use when displaying entity in logs or GUI. Defaults to ID if not set. | string | Maximum length: 255 Sortable |
enabled | Indicator to enable/disable the rule. | boolean | Default: "True" |
firewall_match | How the firewall is applied. Indicates how the firewall is applied to a traffic packet. The firewall can be bypassed, or be applied to the external/internal address of the NAT rule. The firewall_match will take priority over nat_pass. If the firewall_match is not provided, the nat_pass will be picked up. | NatFirewallMatch | |
id | Unique identifier of this resource | string | Sortable |
internal_rule_id | Internal NAT rule UUID, used for debugging in the Controller and backend. | string | Readonly |
logging | Enable/disable the logging of the rule. | boolean | Default: "False" |
logical_router_id | The ID of the logical router which the NAT rule runs on. | string | Readonly |
match_destination_network | Match destination network. IP address or CIDR (null implies Any). | string | |
match_service | Match service. An NSServiceElement that specifies the matching services of source ports, destination ports, IP protocol version and number, sub protocol version and number, ICMP type and code, etc. The match_service can be one of IPProtocolNSService, L4PortSetNSService or ICMPTypeNSService. REFLEXIVE NAT does not support match_service. | NSServiceElement (Abstract type: pass one of the following concrete types): ALGTypeNSService, EtherTypeNSService, ICMPTypeNSService, IGMPTypeNSService, IPProtocolNSService, L4PortSetNSService | |
match_source_network | Match source network. IP address or CIDR (null implies Any). | string | |
nat_pass | Enable/disable bypassing the following firewall stage. Default is true. If nat_pass is set to true, the following firewall stage will be skipped. If action is NO_SNAT or NO_DNAT, then nat_pass must be set to true or omitted. nat_pass is deprecated in favor of firewall_match; stop using nat_pass to specify whether the firewall stage is skipped. To skip it, set firewall_match to BYPASS. To not skip it, set firewall_match to MATCH_EXTERNAL_ADDRESS or MATCH_INTERNAL_ADDRESS. The firewall_match takes priority over nat_pass: if both are provided, nat_pass is ignored. If firewall_match is not provided while nat_pass is specified, nat_pass will still be picked up. In this case, if nat_pass is set to false, the firewall rule will be applied on the internal address of a packet, i.e. MATCH_INTERNAL_ADDRESS. | boolean | Deprecated Default: "True" |
resource_type | Must be set to the value NatRule | string | |
rule_priority | NAT rule priority. Ascending, valid range [0-2147483647]. If multiple rules have the same priority, evaluation sequence is undefined. | integer | Default: "1024" |
tags | Opaque identifiers meaningful to the API user | array of Tag | Maximum items: 30 |
translated_network | IP address, IP range, or CIDR. The translated address for the matched IP packet. For a SNAT, it can be a single IP address, an IP range, or a CIDR block. For a DNAT and a REFLEXIVE, it can be a single IP address or a CIDR block. Translated network is not supported for NO_SNAT or NO_DNAT. | string | |
translated_ports | Port number or port range, DNAT only. The translated port(s) for the matched IP packet. It can be a single port or a port range. Port translation is supported only for DNAT. | string | |
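
The nat_pass/firewall_match precedence and the per-action constraints in the table can be checked offline against exported rules. The following is an added example, not part of the API reference or of any vendor tooling: the field names and enum values come from the table, while the function names, finding strings and sample rules are constructed, and it assumes a rule that omits both firewall_match and nat_pass falls back to the nat_pass default.

```python
# Added example: field names and enum values are taken from the NatRule table;
# function names and the sample rules below are constructed for illustration.
from collections import Counter

NO_NAT = {"NO_SNAT", "NO_DNAT"}

def effective_firewall_match(rule):
    """Resolve the firewall stage for a rule using the documented precedence."""
    if rule.get("firewall_match") is not None:
        return rule["firewall_match"]      # wins over nat_pass when both are set
    if rule.get("nat_pass", True):         # nat_pass defaults to true
        return "BYPASS"                    # firewall stage skipped
    return "MATCH_INTERNAL_ADDRESS"        # nat_pass=false, no firewall_match

def audit_rule(rule):
    """Return findings for one NatRule dict (empty list means nothing flagged)."""
    out, action = [], rule.get("action")
    if action in NO_NAT and (rule.get("translated_network") or rule.get("translated_ports")):
        out.append("translated fields set on " + action)
    if action in NO_NAT and rule.get("nat_pass") is False:
        out.append("nat_pass=false not allowed with " + action)
    if action not in NO_NAT and action != "DNAT" and rule.get("translated_ports"):
        out.append("translated_ports is DNAT only")
    if action == "REFLEXIVE" and rule.get("match_service"):
        out.append("match_service set on REFLEXIVE rule")
    if len(rule.get("applied_tos") or []) > 1:
        out.append("more than one applied_tos entry")
    if not 0 <= rule.get("rule_priority", 1024) <= 2147483647:
        out.append("rule_priority out of range")
    if rule.get("enabled", True) and effective_firewall_match(rule) == "BYPASS":
        out.append("firewall stage bypassed")
    if rule.get("enabled", True) and not rule.get("logging", False):
        out.append("logging disabled")
    return out

def audit_router(rules):
    """Findings that only show up across all rules of one logical router."""
    out, actions = [], {r.get("action") for r in rules}
    if actions & {"SNAT", "DNAT"} and "REFLEXIVE" in actions:
        out.append("stateful (SNAT/DNAT) and stateless (REFLEXIVE) rules mixed")
    prios = Counter(r.get("rule_priority", 1024) for r in rules)
    out += [f"priority {p} shared by {n} rules" for p, n in sorted(prios.items()) if n > 1]
    return out

# Constructed sample rules (documentation address ranges).
SAMPLE = [
    {"action": "DNAT", "match_destination_network": "203.0.113.10",
     "translated_network": "10.0.0.10", "translated_ports": "8443"},
    {"action": "SNAT", "translated_network": "203.0.113.20",
     "firewall_match": "MATCH_INTERNAL_ADDRESS", "logging": True, "rule_priority": 100},
    {"action": "NO_SNAT", "translated_network": "10.0.0.0/24", "nat_pass": False},
]
```

The first sample rule sets neither field, so it resolves to BYPASS and is flagged; setting firewall_match explicitly on every rule removes the dependence on the deprecated default.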