vCNS Edge Network Address Translation
April 15, 2014VMware vCloud Networking and Security (vCNS) can provide Network Address Translation (NAT) services from the vCNS Edge appliance.
There are two types of NAT that the edge appliance can provide.
- Destination NAT (DNAT) is used to provide access to a private IP Address from a (usually) public IP Address for incoming traffic.
- Source NAT (SNAT) is used to translate a private IP Address into a (usually) public IP Address for outgoing traffic. This type of NAT can also be called “masquerading”. (It’s a subtle difference that we won’t go into in this post.)
Please take note that when you see SNAT or DNAT this is not referring to Static NAT vs. Dynamic NAT or PAT. This caught me a bit off guard the first time I saw it but once you realize the distinction this process is very easy to understand.
Destination NAT
Just to give a quick overview of DNAT let’s look at an example. In the below diagram we have an machine (10.10.10.2) that is attempting to communicate with a web server behind the vCNS Edge appliance. The request from 10.10.10.2 is sent to the outside IP Address of the vCNS Edge appliance. When the request reaches the “Edge”, vCNS translates that request and forwards it to the internal server running the web server. It does this by looking at the DNAT rules which are listed to the left of the appliance. We see that requests for 10.10.10.1 (uplink on edge appliance) on port 443 (https) are to be sent to the 10.10.110.10 server.
From this example we can see that the server that originally made the request doesn’t know that there are multiple servers behind the NAT Device. If you notice there is a second NAT entry for port 25 on the same outside interface. That NAT goes to a completely different server on the inside of the Edge appliance. Sometimes this is called “Port Forwarding.”
Source NAT
As the name implies, this type of translation is initiated from the vCNS protected network. Here we want to have multiple servers to have access to the outside network. This is usually done to limit the number of Public IP Addresses that are in use by an organization, but it doesn’t have to be. The example diagram below illustrates that all three servers on the inside of the Edge appliance can make requests to their gateway (vCNS Edge) and the Edge appliance will translate that IP into a public address that is routable on the new network.
You may be asking “What happens when this traffic is returned? How does the appliance know where to send that return traffic to?”
The Edge appliance keeps track of all of the requests made and adds the source, destination and port information to a table. When return traffic comes back, it can match the response to the table and know how to send the traffic back. See the following post for more information: NAT vs. PAT
vCNS Edge Network Address Translation Configurations
Before you can configure NAT on the vCNS Edge appliance, you must first deploy vCNS Manager as well as deploy vCNS Edge. I’ve written about this process before and you can review the posts if you haven’t done this already.
Log into your vShield Manager and click on the Datacenter. Click the “Network Virtualization” Tab where you’ll find the Edge appliance you’ve already deployed. Go to Actions and click “Manage”. From here, we can get tot he NAT tab where the magic happens.
Click the “+” sign to add a new NAT Rule.
Setup DNAT
Select the uplink interface for the rule to be applied on. Enter the uplink IP Address that will be used. This is the IP address that other machines will use to connect to the NAT’d (hidden) device. Also, you’ll need to enter the Protocol and port information. In my example, I’m testing with a web server on Port 80. Lastly, enter the IP Address of the machine that will be presented to the other machines. E.g. the web server IP Address.
Setup SNAT
Before I configure SNAT my virtual machine had no access to the network on the uplink side of the Edge device. You can see this since I cannot ping the 10.10.10.4 IP address which is on my uplink side of my edge device.
SNAT is a requires a bit less information. Remember that we’re just going to show the network that needs access to the outside world and the IP Address on the uplink that is used to do this.
Once we’ve set the SNAT Configuration (and published the changes) we can see that I can now ping the device on the uplink side of my Edge Device. Voila!
When you’re all done it should look similar to this in your NAT tab.
Summary
VMware vCloud Networking and Security can provide Network Address Translation to your virtualized infrastructure. This is just another example of the edge services that VMware is now able to handle, and it wouldn’t be an edge if it didn’t provide NAT… well, until maybe IPv6 is the norm.