Cloud Lab-59: vCloud Director Organizations- “SNAT Use Case – Allow External Access to vApps”

To allow our VMs to access the outside world we have to add a NAT rule for each internal Org VDC network. This translates internal private IP addresses to a public address or addresses. For outbound access there is no particular reason why you can’t use the same external IP address for all your internal networks. Depending on your configuration, you may want a public IP for each internal network or even for individual VMs on that network.

LAB-59 TASKS 

In this Lab, we will perform the following tasks:

  1. SNAT Use Case Scenario
  2. Architecture diagram for SNAT Use Case Scenario
  3. Create SNAT Rule For “SkyNet Org Network”
  4. Firewall Rule for SNAT on “SkyNet Org Network”

1-SNAT Use Case Scenario

Source NAT (SNAT) rules control traffic leaving the Edge Gateway’s external interface(s). In this use case I am going to allow the vApps on my internal network to access the outside world, using a single external IP for all networks. Below is the architecture diagram of what I am going to accomplish.

2-Architecture diagram for SNAT Use Case Scenario

[Figure: cloudlab59-vCloudOrganization-SNATUsecase1 (architecture diagram)]

3-Create SNAT Rule For “SkyNet Org Network”

To create a NAT rule, go to your VSE (vShield Edge), right-click “SkyNet-Prod-Edge2” and choose “Edge Gateway Service”.

[Screenshot: cloudlab58-vCloudOrganization-DNATUsecase10]

In the NAT tab, choose “Add SNAT”.

[Screenshot: cloudlab59-vCloudOrganization-SNATUsecase2]

Choose your “External Network”; in my case it is “External-Public2”. Choose your Organization Network IP range; in my case it is “192.168.33.0/24”, which will be translated (masqueraded) to the external IP “10.0.150.248”. Click “OK”.

NOTE: Make sure the external IP is chosen from the VSE sub-allocation pool.

[Screenshot: cloudlab59-vCloudOrganization-SNATUsecase3]

Verify your SNAT rule, then click “OK”.

[Screenshot: cloudlab59-vCloudOrganization-SNATUsecase4]

4-Firewall Rule for SNAT on “SkyNet Org Network”

By default the Organization Edge firewall blocks all traffic in and out of it. To gain external access from the Organization internal network we have to allow it through the organization firewall.

Let’s create a firewall rule. As the Source, choose the whole network (192.168.33.0/24) or the specific IPs you want to allow from. For the Destination there are several options; in my case I go for the first one.

  • To allow all external traffic, choose the “External” keyword as the destination.
  • To allow only a certain external network, enter its network ID as the destination, e.g. 10.0.150.0/24.
  • To allow access toward a certain external IP, for example a DNS server, put that server’s IP address in the destination.
  • Similarly, to allow any type of traffic, use the “any” keyword as the destination.

Click “OK” and make sure the “Enable” check box is checked.

[Screenshot: cloudlab59-vCloudOrganization-SNATUsecase5]

Verify the added rule, then click “OK”.

[Screenshot: cloudlab59-vCloudOrganization-SNATUsecase6]

Now test the vApp connectivity; it should work.

NOTE: There is no need to add any firewall rule on the vApp network, because a default rule is already present that allows all outbound traffic initiated from the vApp network.
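As an added illustration (not part of the original lab or of vCloud Director itself), here is a small Python model of the Org Edge egress path configured above: the firewall is evaluated first (default deny, using the “External”/“any” destination keywords from the list in step 4), then the SNAT rule masquerades 192.168.33.0/24 as 10.0.150.248, and a check enforces the NOTE that the translated IP must come from the sub-allocation pool. The pool contents and the DNS-server address used at the bottom are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed lab values (not a real environment): the SkyNet Org VDC network and
# the single external IP on External-Public2 that masquerades it.
ORG_NET = ip_network("192.168.33.0/24")
SUB_ALLOCATION_POOL = {ip_address("10.0.150.248")}   # assumed VSE sub-allocation pool
SNAT_RULES = [("External-Public2", ORG_NET, "10.0.150.248")]   # (external net, original, translated)
# Edge firewall rules as (source, destination, action); a selector is a CIDR
# string or one of the keywords the lab lists: "external", "internal", "any".
FIREWALL_RULES = [("192.168.33.0/24", "external", "allow")]


def matches(selector, addr):
    """Does an address match a firewall source/destination selector?"""
    if selector == "any":
        return True
    if selector == "external":            # anything that is not the org network
        return addr not in ORG_NET
    if selector == "internal":
        return addr in ORG_NET
    return addr in ip_network(selector, strict=False)


def firewall_allows(src, dst, rules=FIREWALL_RULES):
    """First matching rule wins; with no match the Org Edge default is deny."""
    for s, d, action in rules:
        if matches(s, src) and matches(d, dst):
            return action == "allow"
    return False


def snat_rule_valid(rule, pool=SUB_ALLOCATION_POOL):
    """The lab's NOTE: the translated IP must come from the sub-allocation pool."""
    return ip_address(rule[2]) in pool


def egress(src, dst, rules=FIREWALL_RULES):
    """Return (allowed, translated_source) for a packet leaving the org network."""
    s, d = ip_address(src), ip_address(dst)
    if not firewall_allows(s, d, rules):
        return False, None                # dropped by the firewall, never NATed
    for _ext_net, original, translated in SNAT_RULES:
        if s in original:
            return True, translated
    return True, str(s)                   # no SNAT match: leaves with its private source


if __name__ == "__main__":
    print(egress("192.168.33.10", "8.8.8.8"))      # (True, '10.0.150.248')
    print(egress("192.168.44.5", "8.8.8.8"))       # (False, None): no firewall rule for that source
    # Assumed DNS-only destination, as in the third bullet of step 4
    dns_only = [("192.168.33.0/24", "10.0.160.53/32", "allow")]
    print(egress("192.168.33.10", "8.8.8.8", dns_only))   # (False, None)
```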
