NAT Service Configurations
An Edge Gateway configuration can define a NAT (Network Address Translation) service that translates source or destination IP addresses and port numbers. In the most common case, you associate a NAT service with an uplink interface on an Edge Gateway so that addresses on organization VDC networks are not exposed on the external network.
A NAT service in an EdgeGatewayServiceConfiguration can include one or more rules, each of which is expressed in a GatewayNatRule element. Each rule translates the original IP address, port, or both, and applies to a network connected to the Edge Gateway. If the network is an uplink (to an external network), the network must include an IP sub-allocation pool.
There are two kinds of rules, as expressed in the value of the RuleType element:
- SNAT: Source network address translation. This kind of rule translates the packet's source address and, optionally, source IP port to the values you specify.
- DNAT: Destination network address translation. This kind of rule translates the packet's destination address and, optionally, destination IP port to the values you specify.
NAT Service
The following fragment of an EdgeGatewayServiceConfiguration defines and enables a NatService that applies one destination NAT rule and one source NAT rule to the uplink interface defined in Create an Edge Gateway. In the DNAT rule, OriginalIp and OriginalPort apply to the destination IP address and port of the packet being inspected. In the SNAT rule, OriginalIp and OriginalPort apply to the source IP address and port of the packet being inspected. When you create an SNAT rule, you do not need to specify values for TranslatedPort and OriginalPort, which default to any.
The system assigns an Id value to each rule you create and uses these values when logging rule actions.
<?xml version="1.0" encoding="UTF-8"?>
<NatService>
  <IsEnabled>true</IsEnabled>
  <NatRule>
    <RuleType>DNAT</RuleType>
    <IsEnabled>true</IsEnabled>
    <GatewayNatRule>
      <Interface href="https://vcloud.example.com/api/admin/network/297" />
      <OriginalIp>10.147.115.155</OriginalIp>
      <OriginalPort>any</OriginalPort>
      <TranslatedIp>192.168.0.10</TranslatedIp>
      <TranslatedPort>any</TranslatedPort>
      <Protocol>any</Protocol>
      <IcmpSubType>any</IcmpSubType>
    </GatewayNatRule>
  </NatRule>
  <NatRule>
    <RuleType>SNAT</RuleType>
    <IsEnabled>true</IsEnabled>
    <GatewayNatRule>
      <Interface href="https://vcloud.example.com/api/admin/network/297" />
      <OriginalIp>192.168.0.10-192.168.0.255</OriginalIp>
      <TranslatedIp>10.147.115.155</TranslatedIp>
      <Protocol>any</Protocol>
    </GatewayNatRule>
  </NatRule>
</NatService>
To add this service to an Edge Gateway, include it in an EdgeGatewayServiceConfiguration. See Configure Services on an Edge Gateway.
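As an added example (not part of this documentation or the vCloud API), the following Python parses a NatService fragment into rules, applies the SNAT defaults described above, and audits the rules on the uplink. The sub-allocation pool range, the uplink href and the assumption that a rule's external-side address must fall within that pool are constructed for the example; the DNAT check flags a rule that forwards every protocol and port to an internal host, which is worth reviewing before enabling.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the NatService fragment from the page, embedded so this runs offline.
NAT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<NatService><IsEnabled>true</IsEnabled>
 <NatRule><RuleType>DNAT</RuleType><IsEnabled>true</IsEnabled><GatewayNatRule>
  <Interface href="https://vcloud.example.com/api/admin/network/297"/>
  <OriginalIp>10.147.115.155</OriginalIp><OriginalPort>any</OriginalPort>
  <TranslatedIp>192.168.0.10</TranslatedIp><TranslatedPort>any</TranslatedPort>
  <Protocol>any</Protocol><IcmpSubType>any</IcmpSubType></GatewayNatRule></NatRule>
 <NatRule><RuleType>SNAT</RuleType><IsEnabled>true</IsEnabled><GatewayNatRule>
  <Interface href="https://vcloud.example.com/api/admin/network/297"/>
  <OriginalIp>192.168.0.10-192.168.0.255</OriginalIp>
  <TranslatedIp>10.147.115.155</TranslatedIp><Protocol>any</Protocol>
 </GatewayNatRule></NatRule></NatService>"""

def bounds(spec):
    """Low/high addresses of a single IP or an 'a.b.c.d-e.f.g.h' range string."""
    lo, _, hi = spec.partition("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)

def within(spec, pool):
    """True if every address of spec lies inside the pool range."""
    lo, hi = bounds(spec)
    plo, phi = bounds(pool)
    return plo <= lo and hi <= phi

def parse_nat_rules(xml_text):
    """One dict per NatRule; omitted port/protocol elements default to 'any' (SNAT case)."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("NatRule"):
        g = rule.find("GatewayNatRule")
        rules.append({
            "type": rule.findtext("RuleType"),
            "enabled": rule.findtext("IsEnabled") == "true",
            "interface": g.find("Interface").get("href"),
            "original_ip": g.findtext("OriginalIp"),
            "original_port": g.findtext("OriginalPort", "any"),
            "translated_ip": g.findtext("TranslatedIp"),
            "translated_port": g.findtext("TranslatedPort", "any"),
            "protocol": g.findtext("Protocol", "any"),
        })
    return rules

def audit_nat_rules(rules, uplink_href, pool):
    """Findings for enabled rules on the uplink. Assumption (constructed for this example):
    the external-side address must come from the uplink's IP sub-allocation pool."""
    findings = []
    for i, r in enumerate(rules):
        if r["interface"] != uplink_href or not r["enabled"]:
            continue
        # External side is the destination for DNAT and the translated source for SNAT.
        ext = r["original_ip"] if r["type"] == "DNAT" else r["translated_ip"]
        if not within(ext, pool):
            findings.append(f"rule {i}: external address {ext} outside pool {pool}")
        if r["type"] == "DNAT" and r["original_port"] == "any" and r["protocol"] == "any":
            findings.append(f"rule {i}: DNAT forwards all protocols and ports on {ext} to {r['translated_ip']}")
    return findings
```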