In vCloud Director, you have more granular control over the NAT configuration in the Edge Gateway. Specifically you can configure Source NAT (SNAT) rules, which control traffic leaving the Edge Gateway’s external interface(s), and Destination NAT (DNAT) rules, which control traffic arriving at the Edge Gateway’s external interface(s).
In today’s post, let’s see how to configure DNAT in vCloud Director. Because of the length of this topic, I have divided it into three parts. Here is what we will cover in “Part 1”.
LAB-58 TASKS (Part 1)
In this Lab, we will perform following tasks
- DNAT Use Case Scenario
- Architecture diagram for DNAT Use Case Scenario
- Information required for DNAT Configuration
- Create DNAT Rule For “vApp5-Web1”
1-DNAT Use Case Scenario
DNAT rules are applied on the “external interface” of the Edge Gateway and are used to translate the destination of inbound traffic. In this use case, I am going to add rules so that traffic arriving on the “public IP” at “TCP port 22 (SSH)” is forwarded to SSH on “vApp5-Web1”, and traffic arriving on the public IP at “TCP port 1010” is forwarded to SSH (port 22) on “vApp5-Web2”; in both cases the destination is rewritten to the “private IP” address of the Red Hat Linux server installed in my vApp. If this is not clear, please look at the scenario diagram, which is pretty self-explanatory.
2-Architecture diagram for DNAT Use Case Scenario
3-Information required for DNAT Configuration
- External Client IP Information
- vApp5-Web1 IPs Information (Both Internal and External)
- External IP Address of VSE (Skynet-Prod-Edge2)
- Sub Allocation Pool IP Range of “SkyNet-Prod-Edge2”
NOTE: “SkyNet-Prod-Edge2” is the VSE (vShield Edge) firewall connected to the External Network; my vApps sit behind it, as you can see in the architecture diagram.
1-External Client IP Information
Here is my “Client/Mgmt PC”, which is connected to the “External Network” of vCloud Director. Its IP address is “10.0.150.150/24”, as shown below, so my external network is 10.0.150.0/24.
2-vApp5-Web1 IPs Information (Both Internal and External)
Our goal is to access the “vApp5-Web1” machine from the External Network. This VM is behind our vShield Edge firewall. Note the IP addresses of vApp5-Web1.
In my case they are
192.168.11.100 (Internal, on the vApp network) & 192.168.33.4 (External, on the Org vDC routed network)
As you can see below, the firewall is enabled (by default) on our “vApp Network”.
3-External IP Address of VSE (Skynet-Prod-Edge2)
My “vApp5” VMs are in the Organization vDC “SkyNet-Prod-OrgvDC”. They are connected to the network “SkyNet-Prod-Org-Routed2”, which is a routed network behind the vShield Edge firewall “Skynet-Prod-Edge2”.
To get the vShield Edge external IP address, right-click the VSE firewall “SkyNet-Prod-Edge2” -> choose “External IP Allocations”.
As you can see below, the VSE external IP address is “10.0.150.243” and it is connected to the vSphere Distributed Switch port group “External-Public2”.
4-Sub Allocation Pool IP Range of SkyNet-Prod-Edge2
You will need to know your VSE “Sub Allocation Pool” IP range, because the VSE uses IP addresses from this pool for your NAT services. Pick the DNAT address from this pool, not the edge’s own external IP (10.0.150.243), which is outside the pool.
You can find it by right-clicking the VSE firewall “SkyNet-Prod-Edge2” -> choose “Properties”.
As you can see, its Sub Allocation Pool IP range is “10.0.150.245 - 10.0.150.250”.
Now that we have all the information, let’s create a “NAT (DNAT) Rule” to access our Linux VM from our Mgmt Server (Client) using “SSH”.
4-Create DNAT Rule For “vApp5-Web1”
To create a NAT rule -> go to your VSE, right-click “SkyNet-Prod-Edge2” -> choose “Edge Gateway Services”.
In the NAT tab -> choose “Add DNAT”.
Choose your External Network in “Applied On”; in my case it is “External-Public2”. Choose an “External IP Address” from the VSE “Sub Allocation IP Range”; I chose “10.0.150.249”. This address will be translated onto the “vApp5-Web1” VM external IP address “192.168.33.4”. Set the protocol to TCP and the original and translated port to 22 so that only SSH is exposed on the pool address, rather than every port of the VM -> click “OK”.
Verify your added rule -> click “OK”.
By default the firewall action is “deny” on your Organization vDC routed network, so the DNAT rule alone will not let the SSH session through. We have to add a firewall rule to allow the “SSH traffic” for the “vApp5-Web1” VM, which I will cover in my next post.
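To make the two translation hops and the default-deny firewall concrete, here is a small packet-path model of the setup built in this post (the use case above and the rule just created). It is an added example, not code from the original post or from vCloud Director. The addresses, network names and the sub-allocation pool are the ones from the post; the vApp-network NAT hop (192.168.33.4 -> 192.168.11.100), the firewall rule format, and the assumption that the org edge evaluates firewall rules after DNAT are my assumptions for this model.

```python
"""Packet-path model of the lab's DNAT setup (added example, not from the original post).

Addresses and names come from the post. The vApp-network NAT hop, the firewall rule
format and the DNAT-before-firewall ordering on the org edge are ASSUMPTIONS made
for this model, not facts stated in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# --- values gathered under "Information required for DNAT Configuration" ---
CLIENT_IP = "10.0.150.150"                       # Client/Mgmt PC on the external network
EDGE_EXTERNAL_IP = "10.0.150.243"                # Skynet-Prod-Edge2's own external address
SUB_ALLOCATION_POOL = ("10.0.150.245", "10.0.150.250")
WEB1_EXTERNAL_IP = "192.168.33.4"                # vApp5-Web1 on SkyNet-Prod-Org-Routed2
WEB1_INTERNAL_IP = "192.168.11.100"              # vApp5-Web1 inside the vApp network


@dataclass(frozen=True)
class DnatRule:
    applied_on: str       # interface the rule is bound to ("Applied On")
    original_ip: str      # address the client connects to
    original_port: int
    translated_ip: str    # address the edge rewrites the destination to
    translated_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class FirewallRule:
    source: str           # CIDR of permitted clients
    dest_ip: str
    dest_port: int
    protocol: str = "tcp"
    action: str = "allow"


def check_dnat_rule(rule: DnatRule, pool=SUB_ALLOCATION_POOL, edge_ip=EDGE_EXTERNAL_IP) -> List[str]:
    """Sanity-check the chosen original IP before typing it into the Add DNAT dialog.
    Returns a list of problems; an empty list means the rule looks right."""
    problems = []
    ip = ipaddress.ip_address(rule.original_ip)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    if not lo <= ip <= hi:
        problems.append(f"{rule.original_ip} is outside the sub-allocation pool {pool[0]}-{pool[1]}")
    if ip == ipaddress.ip_address(edge_ip):
        problems.append(f"{rule.original_ip} is the edge's own external IP, not a pool address")
    return problems


def apply_dnat(rules: List[DnatRule], dst_ip: str, dst_port: int, protocol="tcp") -> Tuple[str, int]:
    """The first matching DNAT rule rewrites the destination; no match leaves it unchanged."""
    for r in rules:
        if (r.original_ip, r.original_port, r.protocol) == (dst_ip, dst_port, protocol):
            return r.translated_ip, r.translated_port
    return dst_ip, dst_port


def firewall_permits(rules: List[FirewallRule], src_ip: str, dst_ip: str, dst_port: int, protocol="tcp") -> bool:
    """Default deny: only an explicit allow rule matching the flow lets it through."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.source) and r.dest_ip == dst_ip
                and r.dest_port == dst_port and r.protocol == protocol):
            return r.action == "allow"
    return False


def trace_inbound(src_ip, dst_ip, dst_port, org_dnat, org_fw, vapp_dnat, protocol="tcp"):
    """Follow a client SYN through both edges; returns (hops, verdict).
    ASSUMPTION: the org edge applies DNAT before its firewall, so the allow rule
    is matched against the translated address (192.168.33.4)."""
    hops = [("client", dst_ip, dst_port)]
    ip, port = apply_dnat(org_dnat, dst_ip, dst_port, protocol)
    hops.append(("SkyNet-Prod-Edge2 DNAT", ip, port))
    if not firewall_permits(org_fw, src_ip, ip, port, protocol):
        return hops, "dropped: default deny on SkyNet-Prod-Org-Routed2"
    ip, port = apply_dnat(vapp_dnat, ip, port, protocol)   # assumed vApp-network NAT hop
    hops.append(("vApp5 network NAT", ip, port))
    return hops, f"delivered to {ip}:{port}"


# The rule created in this post: pool address 10.0.150.249 -> vApp5-Web1 external IP, SSH only
ORG_DNAT = [DnatRule("External-Public2", "10.0.150.249", 22, WEB1_EXTERNAL_IP, 22)]
# ASSUMED: the NAT-routed vApp network maps Web1's external address to its internal one
VAPP_DNAT = [DnatRule("SkyNet-Prod-Org-Routed2", WEB1_EXTERNAL_IP, 22, WEB1_INTERNAL_IP, 22)]
# ASSUMED allow rule (the subject of the next post); without it the flow stops at the org edge
SSH_ALLOW = [FirewallRule("10.0.150.0/24", WEB1_EXTERNAL_IP, 22)]

if __name__ == "__main__":
    print("rule problems:", check_dnat_rule(ORG_DNAT[0]) or "none")
    for fw in ([], SSH_ALLOW):
        hops, verdict = trace_inbound(CLIENT_IP, "10.0.150.249", 22, ORG_DNAT, fw, VAPP_DNAT)
        print(" -> ".join(f"{name} {ip}:{port}" for name, ip, port in hops), "|", verdict)
```

Running it shows the same SYN twice: with no firewall rule it is translated to 192.168.33.4:22 and then dropped by the default deny; with the allow rule it continues through the vApp network NAT to 192.168.11.100:22. A connection to any port other than 22 on 10.0.150.249 is not translated at all, which is the point of binding the DNAT rule to a single protocol and port.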