Create or Modify NAT Rules

Network Address Translation (NAT) maps internal IP addresses on your compute network to addresses exposed on the public Internet. To create a NAT rule, you provide the internal address and port number of a workload VM or service and a public IP address and port number that you have obtained from the system.
  • You must have obtained a public IP address for use by a VM in this SDDC. See Request or Release a Public IP Address.
  • The VM must be connected to a compute network segment. You can create NAT rules for VMs whether they have static or dynamic (DHCP) addresses, but bear in mind that NAT rules for VMs using DHCP address assignment can be invalidated when the VM is assigned an internal address that no longer matches the one specified in the rule.
NAT rules run on the SDDC network's internet interface, since that's where your workload VMs' public addresses are exposed. Firewall rules, which examine packet sources and destinations, run on the Compute Gateway, and process traffic after it has been transformed by any applicable NAT rules. When you create a NAT rule, you can specify whether a VM's internal or external IP address and port number are exposed to firewall rules that affect network traffic to and from that VM.
Inbound traffic to the SDDC's public IP address is always processed by the NAT rules you create. Outbound traffic (reply packets from SDDC workload VMs) is routed along the advertised routes and is processed by NAT rules when the default route for your SDDC network goes through the SDDC's Internet interface. But if the default route goes through a Direct Connect or VPN connection (for example, if 0.0.0.0/0 is advertised through BGP or there is a policy-based VPN with a remote network of 0.0.0.0/0), NAT rules run for inbound traffic but not for outbound traffic, creating an asymmetric path that leaves the VM unreachable at its public IP address. When the default route is advertised from the on-premises environment, you must configure NAT rules on the on-premises network, using the on-premises Internet connection and public IPs.
  1. Log in to VMware Cloud on AWS GovCloud at https://www.vmc-us-gov.vmware.com/.
  2. Select Networking & Security > NAT.
  3. Click ADD NAT RULE and give the rule a Name.
  4. Enter the NAT rule parameters.
     Public IP: Choose from the drop-down list of public IP addresses that have been provisioned for this SDDC. See Request or Release a Public IP Address.
     Service:
       • Select All Traffic to create a rule that applies to both inbound (DNAT) and outbound (SNAT) traffic to or from the specified Internal IP.
       • Select one of the listed services to create an inbound (DNAT) rule that applies only to traffic using that protocol and port. Because services that use multiple destination ports cannot be subject to a NAT rule, they don't appear on this list.
     Public Port: If you specified Service as All Traffic, the default public port is Any. If you selected a particular Service, then the rule applies to the assigned public port for that service.
     Internal IP: Enter the internal IP address of the VM.
     Internal Port: Displays the internal port used by the selected Service. To use a custom port, Add a Custom Service, then select that Service in the NAT rule. If you specified Service as All Traffic, the default internal port is Any. If you selected a particular Service, then the rule applies to the assigned public port for that service.
     Firewall: Specify how traffic subject to this NAT rule is exposed to Compute Gateway firewall rules. By default, CGW firewall rules match the combination of Internal IP and Internal Port. Select Match External Address to have firewall rules match the combination of External IP and External Port. (Distributed firewall rules never apply to external addresses or ports.)
     You can create multiple NAT rules that use the same Public IP and Internal IP with All Traffic. If you do this, each Internal IP uses the Public IP for outbound (SNAT) traffic, but only the first matching rule will be used for inbound (DNAT) traffic. The system creates (but does not display) a default outbound rule. This rule is used for all Internal IP addresses that do not match a specific NAT rule that applies to All Traffic. The IP used for this rule is displayed in the Default Compute Gateway summary on the Networking & Security Overview page as Source NAT Public IP.
  5. Toggle Logging to log rule actions.
  6. The new rule is enabled by default. Toggle Enable to disable it.
  7. Click SAVE to create the rule.
     The rule is created and its Status is reported as Up.
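The rule-evaluation behaviour described in step 4 (first-match DNAT, per-VM SNAT through All Traffic rules, the hidden default outbound rule, and the Match External Address firewall option) together with the asymmetric-route caveat earlier on this page can be modelled in a few lines, which makes it easy to reason about why a second All Traffic rule on the same Public IP is never reached for inbound traffic. The following is an added Python example written for this page; it is not VMware code and does not call any NSX or VMC API. The rule names, the addresses (RFC 5737 203.0.113.0/24 for public IPs and 10.1.1.0/24 for the compute segment) and the evaluation order are constructed assumptions.

```python
"""Model of the NAT rule semantics described on this page (added example, not VMware code).

All addresses below are constructed documentation values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "Any"
ALL_TRAFFIC = "All Traffic"
Port = Union[int, str]  # a port number, or ANY


@dataclass
class NatRule:
    name: str
    public_ip: str
    internal_ip: str
    service: str = ALL_TRAFFIC          # ALL_TRAFFIC, or a single-port service such as "HTTPS"
    public_port: Port = ANY             # Any for All Traffic; the service port otherwise
    internal_port: Port = ANY
    match_external_address: bool = False  # the "Match External Address" firewall option
    enabled: bool = True


@dataclass
class Sddc:
    rules: List[NatRule]                 # NAT rules in the order they are evaluated
    source_nat_public_ip: str            # IP of the hidden default outbound (SNAT) rule
    default_route_via_internet: bool = True  # False when 0.0.0.0/0 is learned via Direct Connect/VPN


def dnat_lookup(sddc: Sddc, public_ip: str, public_port: int) -> Optional[Tuple[str, Port]]:
    """Inbound (DNAT): the first enabled rule whose Public IP and Public Port match wins.
    Returns (internal_ip, internal_port), or None when no rule matches."""
    for r in sddc.rules:
        if not r.enabled or r.public_ip != public_ip:
            continue
        if r.public_port != ANY and r.public_port != public_port:
            continue
        internal_port = public_port if r.internal_port == ANY else r.internal_port
        return (r.internal_ip, internal_port)
    return None


def snat_lookup(sddc: Sddc, internal_ip: str) -> Optional[str]:
    """Outbound (SNAT) for a new flow from internal_ip. Only All Traffic rules carry SNAT;
    VMs without one fall through to the hidden default rule (Source NAT Public IP).
    Returns None when the SDDC default route leaves through Direct Connect/VPN, where
    the SDDC NAT rules do not process outbound traffic."""
    if not sddc.default_route_via_internet:
        return None
    for r in sddc.rules:
        if r.enabled and r.service == ALL_TRAFFIC and r.internal_ip == internal_ip:
            return r.public_ip
    return sddc.source_nat_public_ip


def inbound_path_check(sddc: Sddc, public_ip: str, public_port: int) -> str:
    """Check both directions for a connection to public_ip:public_port and name the failure mode."""
    target = dnat_lookup(sddc, public_ip, public_port)
    if target is None:
        return "no DNAT rule: unreachable at this public IP/port"
    if snat_lookup(sddc, target[0]) is None:
        return "asymmetric path: DNAT applied inbound, replies leave via Direct Connect/VPN without NAT"
    return f"ok: {public_ip}:{public_port} -> {target[0]}:{target[1]}"


def firewall_match_tuple(rule: NatRule) -> Tuple[str, Port]:
    """The (address, port) pair Compute Gateway firewall rules see for traffic subject to this rule."""
    if rule.match_external_address:
        return (rule.public_ip, rule.public_port)
    return (rule.internal_ip, rule.internal_port)


# Constructed rule set: two All Traffic rules share a Public IP, plus one single-service rule.
SDDC = Sddc(
    rules=[
        NatRule("vm-a-all", "203.0.113.10", "10.1.1.5"),
        NatRule("vm-b-all", "203.0.113.10", "10.1.1.6"),  # same Public IP: SNAT works, DNAT shadowed
        NatRule("web-https", "203.0.113.11", "10.1.1.7", service="HTTPS",
                public_port=443, internal_port=8443, match_external_address=True),
    ],
    source_nat_public_ip="203.0.113.1",
)
# Same rules, but the default route is advertised from on-premises (0.0.0.0/0 over DX/VPN).
SDDC_VIA_VPN = Sddc(SDDC.rules, SDDC.source_nat_public_ip, default_route_via_internet=False)


if __name__ == "__main__":
    print("DNAT 203.0.113.10:22 ->", dnat_lookup(SDDC, "203.0.113.10", 22))
    print("SNAT for 10.1.1.6   ->", snat_lookup(SDDC, "10.1.1.6"))
    print("SNAT for 10.1.1.8   ->", snat_lookup(SDDC, "10.1.1.8"), "(default outbound rule)")
    print(inbound_path_check(SDDC, "203.0.113.11", 443))
    print(inbound_path_check(SDDC_VIA_VPN, "203.0.113.10", 22))
    print("CGW firewall sees web-https as", firewall_match_tuple(SDDC.rules[2]))
```

Running the script shows that 10.1.1.6 is never selected for inbound traffic on 203.0.113.10 even though it uses that address for SNAT, that 10.1.1.8 (no rule) leaves through the Source NAT Public IP, and that the same rules become an asymmetric path as soon as the default route is learned over Direct Connect or VPN.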