About Gateway NAT Settings

The Gateway Network Address Translation (NAT) feature enables Aviatrix Transit Gateway, Spoke Gateway, and Aviatrix Secure Edge Gateway to perform Source NAT (SNAT) and Destination NAT (DNAT) functions.

You create NAT rules after a gateway is created. In CoPilot, go to Cloud Fabric > Gateways, then open the specific gateway’s Settings tab.

NAT rules are not synchronized from the primary gateway to the HA gateway instances. You must configure NAT rules on the primary and HA gateway instances separately.

Source NAT

Source NAT enables instances on private subnets in AWS, Azure, GCP, or OCI to access the Internet. When Source NAT is enabled, every route table for a private subnet in the VPC or VNet is programmed with a route entry for 0.0.0.0/0 that points to the gateway as its target.

You can choose to Source NAT a single IP address or a range of IP addresses.

You can configure up to 2000 SNAT rules per gateway.

Single IP

Single IP applies only to Spoke Gateways. When Single IP is selected, the Spoke Gateway’s primary IP address is used as the source IP address for the Source NAT function. This is the default mode when you enable Source NAT for a Spoke Gateway.

Customized SNAT

Customized SNAT enables you to set up rules that make the gateway translate the source IP address of the packets it forwards to other networks to a virtual address range.

Multiple IP support is not available in CoPilot. To edit Multiple IPs, use Aviatrix Controller.

Destination NAT

Destination NAT (DNAT) rules enable the gateway to translate the destination IP address of the packets it receives from other networks to a virtual address range.

You can configure up to 2000 DNAT rules per gateway.

Enabling Gateway SNAT Settings

In Aviatrix CoPilot:

  1. Go to Cloud Fabric > Gateways and open the Transit Gateways or Spoke Gateways tab.

  2. In the table, click the name of the gateway for which you want to enable SNAT and DNAT.

  3. Click the gateway’s Settings tab.

  4. In the Settings tab, expand the Network Address Translation (NAT) section.

  5. Use the toggle switch to turn Source NAT On.

  6. (Spoke Gateway only) Select one of the following:

    • Single IP: Uses the Spoke Gateway’s primary IP address as the source IP address for the Source NAT function.

    • Customized SNAT: Enables you to set up rules that enable the gateway to translate the source IP address to a virtual address range.

    If you select Customized SNAT, continue to the next step.

  7. From the Instance dropdown menu, select either the primary or the high availability (HA) gateway (if configured) to set up Source NAT for that gateway.

    NAT rules are not synchronized from the primary gateway to the HA gateway instances. You must configure NAT rules on the primary and HA gateway instances separately.

  8. To add a translation rule, click + Rule.

  9. Set up Source NAT Rule.

    You can configure the following parameters to set up SNAT rules that meet your requirements.

    Parameter Description

    Src CIDR

    The source IP address range where the rule applies. When left blank, this field is not used.

    Src PORT

    The source port where the rule applies. When left blank, this field is not used.

    Dst CIDR

    The destination IP address range where the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to the Aviatrix Gateway will be programmed into the cloud platform routing table.

    Dst PORT

    The destination port where the rule applies. When left blank, this field is not used.

    Protocol

    The protocol of the destination port where the rule applies. When left blank, this field is not used.

    Connection

    The output connection where the rule applies. When left blank, this field is not used.

    Mark

    The tag or mark of a TCP session where the rule applies. When left blank, this field is not used.

    SNAT IPs

    The translated source IP address used when all the specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. Multiple translated source IP addresses are supported; they are specified as a range, for example, 100.100.1.5 - 100.100.1.10.

    SNAT Port

    The translated source port used when all the specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect.

    Apply Route Entry

    This option programs the route entry "DST CIDR pointing to Aviatrix Gateway" into the cloud platform routing table.

    Exclude Route Table

    This field specifies which VPC private route table will not be programmed with the default route entry. You can combine this with Apply Route Entry enabled.

  10. Repeat the steps above to add additional rules.

  11. Click Save.

Enabling Gateway DNAT Settings

In Aviatrix CoPilot:

  1. Go to Cloud Fabric > Gateways and open the Transit Gateways or Spoke Gateways tab.

  2. In the table, select the gateway for which you want to enable SNAT and DNAT.

  3. Click the gateway’s Settings tab.

  4. In the Settings tab, expand the Network Address Translation (NAT) section.

  5. Use the toggle switch to turn Destination NAT On.

  6. From the Instance dropdown menu, select either the primary or the high availability (HA) gateway to set up Destination NAT for that gateway.

    NAT rules are not synchronized from the primary gateway to the HA gateway instances. You must configure NAT rules on the primary and HA gateway instances separately.

  7. To add a translation rule, click + Rule.

  8. Set up Destination NAT Rule.

    You can configure the following parameters to set up DNAT rules that meet your requirements.

    Parameter Description

    Src CIDR

    The source IP address range where the rule applies. When left blank, this field is not used.

    Src PORT

    The source port where the rule applies. When left blank, this field is not used.

    Dst CIDR

    The destination IP address range where the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to Aviatrix Gateway will be programmed into the cloud platform routing table.

    Dst PORT

    The destination port where the rule applies. When left blank, this field is not used.

    Protocol

    The protocol of the destination port where the rule applies. When left blank, this field is not used.

    Connection

    The output connection where the rule applies. When left blank, this field is not used.

    Mark

    The tag or mark of a TCP session where the rule applies when all conditions are met. When left blank, this field is not used.

    DNAT IPs

    The translated destination IP address used when all the specified conditions are met. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect. Multiple translated destination IP addresses are supported; they are specified as a range, for example, 100.101.2.5 - 100.101.2.10.

    DNAT Port

    The translated destination port used when all the specified conditions are met. When left blank, this field is not used. One of the rule fields must be specified for this rule to take effect.

    Apply Route Entry

    This option programs the route entry "DST CIDR pointing to Aviatrix Gateway" into the cloud platform routing table.

    Exclude Route Table

    This field specifies which VPC private route table will not be programmed with the default route entry. You can combine this with Apply Route Entry enabled.

  9. Repeat the steps above to add additional rules.

  10. Click Save.
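To make the semantics of the SNAT (step 9) and DNAT (step 8) parameter tables above concrete, here is an added Python model, not Aviatrix code, that evaluates a packet against rules written with those fields: a field left blank is absent and matches anything, a rule must carry translated IPs or a translated port to take effect, and translated IPs may be a single address or a "first - last" range. Two assumptions the page does not state are labelled in the code: rules are evaluated top-down with first match winning, and an address within a range is chosen by source port.

```python
import ipaddress

def parse_ip_range(spec):
    """Parse '100.100.1.5 - 100.100.1.10' (or a single IP) into (first, last)."""
    parts = [p.strip() for p in spec.split("-")]
    first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if last < first:
        raise ValueError(f"range end precedes start: {spec}")
    return first, last

def validate(rule):
    """A rule with neither translated IPs nor a translated port can never take effect."""
    if "nat_ips" not in rule and "nat_port" not in rule:
        raise ValueError("rule must specify NAT IPs or NAT Port")

def matches(rule, pkt):
    """Every qualifier present in the rule must hold; a blank (absent) one matches anything."""
    tests = {
        "src_cidr": lambda v: ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(v),
        "src_port": lambda v: pkt["src_port"] == v,
        "dst_cidr": lambda v: ipaddress.ip_address(pkt["dst_ip"]) in ipaddress.ip_network(v),
        "dst_port": lambda v: pkt["dst_port"] == v,
        "protocol": lambda v: pkt["protocol"].lower() == v.lower(),
        "connection": lambda v: pkt.get("connection") == v,
        "mark": lambda v: pkt.get("mark") == v,
    }
    return all(test(rule[key]) for key, test in tests.items() if key in rule)

def pick_ip(spec, pkt):
    """Assumption: the page does not say how an address in a range is chosen; spread by source port."""
    first, last = parse_ip_range(spec)
    return str(first + pkt["src_port"] % (int(last) - int(first) + 1))

def apply_nat(rules, pkt, kind):
    """Translate pkt with the first matching rule (assumed top-down, first match wins)."""
    ip_key, port_key = ("src_ip", "src_port") if kind == "snat" else ("dst_ip", "dst_port")
    for rule in rules:
        validate(rule)
        if matches(rule, pkt):
            out = dict(pkt)  # packet fields: src_ip, src_port, dst_ip, dst_port, protocol
            if "nat_ips" in rule:
                out[ip_key] = pick_ip(rule["nat_ips"], pkt)
            if "nat_port" in rule:
                out[port_key] = rule["nat_port"]
            return out
    return pkt  # no rule matched: forwarded untranslated

# Constructed sample rules: SNAT private TCP/443 egress to a range, DNAT one published address.
SNAT_RULES = [{"src_cidr": "10.0.0.0/8", "protocol": "tcp", "dst_port": 443,
               "nat_ips": "100.100.1.5 - 100.100.1.10"}]
DNAT_RULES = [{"dst_cidr": "100.101.2.5/32", "nat_ips": "10.20.0.15", "nat_port": 8443}]
```

Because blank qualifiers match everything, a rule whose only qualifier is blank Dst CIDR applies to all traffic, which is why the page notes that blank Dst CIDR also programs the 0.0.0.0/0 route.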