You can specify which Kubernetes namespace or PCF org can be allocated IPs from the SNAT IP pool by adding the following tags to the IP pool.

For a Kubernetes namespace:
scope: ncp/owner, tag: ns:<namespace_UUID>
For a PCF org: scope:
scope: ncp/owner, tag: org:<org_UUID>

You can get the namespace or org UUID with one of the following commands:

kubectl get ns -o yaml
cf org <org_name> --guid

Note the following:

Each tag should specify one UUID. You can create multiple tags for the same pool.
If you change the tags after some namespaces or orgs have been allocated IPs based on the old tags, those IPs will not be reclaimed until the SNAT configurations of the Kubernetes services or PCF apps change or NCP restarts..
The namespace and PCF org owner tags are optional. Without these tags, any namespace or PCF org can have IPs allocated from the SNAT IP pool.

You can configure an SNAT IP pool for a service by adding an annotation to the service. For example,

    apiVersion: v1
    kind: Service
    metadata:
      name: svc-example
      annotations:
        ncp/snat_pool: <external IP pool ID or name>
      selector:
        app: example
    ...

The IP pool specified by

ncp/snat_pool

must have the tag

scope: ncp/owner, tag: cluster:<cluster_name>

.

NCP will configure the SNAT rule for this service. The rule's source IP is the set of backend pods. The destination IP is the SNAT IP allocated from the specified external IP pool. If an error occurs when NCP configures the SNAT rule, the service will be annotated with

ncp/error.snat

:

<error>

. The possible errors are:

IP_POOL_NOT_FOUND
- The SNAT IP pool is not found in NSX Manager.
IP_POOL_EXHAUSTED
- The SNAT IP pool is exhausted.
IP_POOL_NOT_UNIQUE
- The pool specified by
ncp/snat_pool
refers to multiple pools in NSX Manager.
SNAT_POOL_ACCESS_DENY
- The pool's owner tag does not match the namespace of the service that is sending the allocation request.
SNAT_RULE_OVERLAPPED
- A new SNAT rule is created, but the SNAT service's pod also belongs to another SNAT service, that is, there are multiple SNAT rules for the same pod.
POOL_ACCESS_DENIED
- The IP pool specified by
ncp/snat_pool
does not have the tag
scope: ncp/owner, tag: cluster:<cluster_name>
, or the pool's owner tag does not match the namespace of the service that is sending the allocation request..

Note the following:

The pool specified by
ncp/snat_pool
should already exist in
NSX-T Data Center
before the service is configured.
In
NSX-T Data Center
, the priority of the SNAT rule for the service is higher than that for the project.
If a pod is configured with multiple SNAT rules, only one will work.
You can change to a different IP pool by changing the annotation and restarting NCP.

You can configure an SNAT IP pool for a namespace by adding an annotation to the namespace. For example,

    apiVersion: v1
    kind: Namespace
    metadata:
      name: ns-sample
      annotations:
        ncp/snat_pool: <external IP pool ID or name>
    ...

NCP will configure the SNAT rule for this namespace. The rule's source IP is the set of backend pods. The destination IP is the SNAT IP allocated from the specified external IP pool. If an error occurs when NCP configures the SNAT rule, the namespace will be annotated with

ncp/error.snat

:

<error>

. The possible errors are:

IP_POOL_NOT_FOUND
- The SNAT IP pool is not found in NSX Manager.
IP_POOL_EXHAUSTED
- The SNAT IP pool is exhausted.
IP_POOL_NOT_UNIQUE
- The pool specified by
ncp/snat_pool
refers to multiple pools in NSX Manager.
POOL_ACCESS_DENIED
- The IP pool specified by
ncp/snat_pool
does not have the tag
scope: ncp/owner, tag: cluster:<cluster_name>
, or the pool's owner tag does not match the namespace that is sending the allocation request..

Note the following:

You can specify only one SNAT IP pool in the annotation.
The SNAT IP pool does not need to be configured in
ncp.ini
.
The IP pool specified by
ncp/snat_pool
must have the tag
scope: ncp/owner, tag: cluster:<cluster_name>
.
The IP pool specified by
ncp/snat_pool
can also have a namespace tag
scope: ncp/owner, tag: ns:<namespace_UUID>
.
If the
ncp/snat_pool
annotation is missing, the namespace will use the SNAT IP pool for the cluster.
You can change to a different IP pool by changing the annotation and restarting NCP.

You can configure an SNAT IP address for a service by adding an annotation to the service. For example,

    apiVersion: v1
    kind: Service
    metadata:
      name: svc-example
      annotations:
        ncp/static_snat_ip: "1.2.3.4"
    ...

If the annotation

ncp/snat_pool

is also specified, the SNAT IP address must be in the specified SNAT address pool. Otherwise, it must be in the external IP pool specified in

ncp.ini

. If there are no errors, NCP will create or update the SNAT rule by using the annotated SNAT IP address for this service. The status of configuring the SNAT rule will be annotated with

ncp/snat_ip_status

in the service. The possible values are:

IP_ALLOCATED_SUCCESSFULLY
IP_ALREADY_ALLOCATED
- The IP address has already been allocated.
IP_NOT_IN_POOL
- The IP address is not in the SNAT IP Pool.
IP_POOL_EXHAUSTED
- The SNAT IP Pool is exhausted.
SNAT_PROCESS_FAILED
- An unknown error occurred.

You can configure an SNAT IP address for a namespace by adding an annotation to the namespace. For example,

    apiVersion: v1
    kind: Namespace
    metadata:
      name: svc-example
      annotations:
        ncp/static_snat_ip: "1.2.3.4"
    ...

If the annotation

ncp/snat_pool

is also specified, the SNAT IP address must be in the specified SNAT address pool. Otherwise, it must be in the external IP pool specified in

ncp.ini

. If there are no errors, NCP will create or update the SNAT rule by using the annotated SNAT IP address for this namespace. The status of configuring the SNAT rule will be annotated with

ncp/snat_ip_status

in the namespace. The possible values are:

IP_ALLOCATED_SUCCESSFULLY
IP_ALREADY_ALLOCATED
- The IP address has already been allocated.
IP_NOT_IN_POOL
- The IP address is not in the SNAT IP Pool.
IP_NOT_REALIZED
- An error occurred in NSX-T.
IP_POOL_EXHAUSTED
- The SNAT IP Pool is exhausted.
SNAT_PROCESS_FAILED
- An unknown error occurred.

By default, NCP configures SNAT IP for a PAS (Pivotal Application Service) org. You can configure an SNAT IP for an app by creating an app with a

manifest.xml

that contains the SNAT IP pool information. For example,

    applications:
      - name: frontend
        memory: 32M
        disk_quota: 32M
        buildpack: go_buildpack
        env:
          GOPACKAGENAME: example-apps/cats-and-dogs/frontend
          NCP_SNAT_POOL: <external IP pool ID or name>
    ...

NCP will configure the SNAT rule for this app. The rule's source IP is the set of instances' IPs and its destination IP is the SNAT IP allocated from an external IP pool. Note the following:

The pool specified by
NCP_SNAT_POOL
should already exist in
NSX-T Data Center
before the app is pushed.
The priority of SNAT rule for an app is higher than that for an org.
An app can be configured with only one SNAT IP.
You can change to a different IP pool by changing the configuration and restarting NCP.

With PCF version 3, you can configure SNAT in one of two ways: