Cloud Lab-59: vCloud Director Organizations- “SNAT Use Case – Allow External Access to a vApps”

To allow our VMs to access the outside world we are going to have to add a NAT rules for each internal Org VDC network. This will translate internal private IP addresses to a public address/addresses. For outbound access there’s no particular reason, why you can’t use the same external IP address for all your internal networks. Depending on your configuration you may want to use a public IP for each internal network or even for individual VMs on that network. 


In this Lab, we will perform following tasks

  1. SNAT Use Case Scenario
  2. Architecture diagram for DNAT Use Case Scenario
  3. Create SNAT Rule For “SkyNet Org Network”
  4. Firewall Rule for SNAT on “SkyNet Org Network” 

1-SDNAT Use Case Scenario

Source NAT (SNAT) rules, which control traffic leaving the Edge Gateway’s external interface(s).In this Use Case, I am going to allow my Internal Network vApps to Access from the outside world. I will be using a single IP for all networks.below is the Architecture diagram which i am going to accomplish.

2-Architecture diagram for SNAT Use Case Scenario


3-Create SNAT Rule For “SkyNet Org Network”

To create a NAT Rule -> Go to You VSE and Right Click on “SkyNet-Prod-Edge2”-> Choose “Edge Gateway Service”


In NAT Tab -> Choose “Add SNAT”


Choose Your “External Network” in my case it would be “External-Public2”. Choose your Organization Network IP Range in my case it would be “” which will translated/Masquerade into “” External IP. Click “OK”

NOTE: Make Sure External IP are choose from VSE Sub Allocation Pool)


Verify your SNAT Rules -> Click “OK”


4-Firewall Rule for SNAT Rule on “SkyNet Org Network”

By default Organization Edge Firewall block all traffic which in/out from it. In order to gain external access from Organization Internal Network we have to allow it through our organization firewall.

Let’s create a firewall rule. In Source choose Whole Network ( or specific IPs from where you want to allow from. In destination there are some option my case I go for the first option.

  • If you want to allow all external traffic then choose “External” keyword as destination.
  • If you want to allow only certain external network ID then enter it on destination e.g.
  • If you want to allow access toward a certain external IP. For example towards DNS Server then put the DNS Server IP address in destination.
  • Similarly if you want allow any type of traffic then use “any” keyword in your destination.

Click “OK” and make sure “Enable” check box is checked.


Verify your added rule -> Click “OK”


Now Test the vApp Connectivity. it should work 

NOTE: There is no need to add any type of firewall rule at vApp Network. Because there is one default rule available which allow all outbound traffic which initiated from vApp Network.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s