NAT for non-tunnel-bound Traffic¶
If you set up egress filtering, you must enable SNAT so private instances can access the internet through the AVX gateway. With SNAT enabled, traffic going through the gateway will leave with the private IP of the gateway as its source. This is fine for common use cases; however, it can present a problem if you want the source unchanged for traffic destined for your data center or another VPC, for example. In this guide, we will show you how to set up the SNAT to only change the source IP for traffic headed out of the gateway on the eth0 interface and not the tunnel interface(s).
Steps to Enable SNAT for non-Tunnel Traffic¶
Select the Customized SNAT radio button
Click the + Add New button
Enter the values in the fields as follows:
Field Value Src CIDR <<enter the CIDR for this VPC>> Src Port <<Leave blank>> Dst CIDR <<Leave blank>> Dst Port <<Leave blank>> Protocol all Interface eth0 Mark <<Leave blank>> SNAT IPs <<enter the private IP of the gateway>> SNAT Port <<Leave blank>>
To find the Private IP address of the gateway, scroll to the top and click the three lines next to Gateway Detail.
Click Enable SNAT
This enables NAT only for traffic that is leaving the gateway via eth0. For traffic going to the data center or to other spokes, the traffic will be leaving via a tunnel interface rather than eth0.