Enabling NAT Functions
You can enable and disable the NAT function after a gateway is launched. The NAT function enables instances on private subnets in AWS, GCP, or OCI to access the Internet. When NAT is enabled, every route table for the private subnets in the VPC/VNet is programmed with a 0.0.0.0/0 route entry whose target is the gateway.
Source NAT
Three modes of Source NAT are supported:
1. Single IP
When Single IP is selected, the gateway's primary IP address is used as the source address for the Source NAT function. This is the simplest mode, and the default when you enable NAT at gateway launch time.
2. Multiple IPs
When Multiple IPs is selected, the gateway translates the source address to one of a pool of multiple IPs, chosen in round-robin fashion. The multiple IPs are secondary IP addresses of the gateway that you need to set up first (see Edit Secondary IPs (for AWS)).
3. Customized SNAT
When Customized SNAT is selected, the gateway can translate source IP address ranges to different SNAT addresses and ports, as described in the table below.
When Sync to Instances is selected, NAT rules are automatically duplicated to the HA peer gateway. By default, this function is disabled for Customized SNAT, so users need to configure NAT rules manually on the HA peer gateway even when the NAT rules are the same.
| Field | Value |
|---|---|
| SRC CIDR | This is a qualifier condition that specifies a source IP address range to which the rule applies. When left blank, this field is not used. |
| SRC PORT | This is a qualifier condition that specifies a source port to which the rule applies. When left blank, this field is not used. |
| DST CIDR | This is a qualifier condition that specifies a destination IP address range to which the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to the Aviatrix Gateway is programmed into the cloud platform routing table. |
| DST PORT | This is a qualifier condition that specifies a destination port to which the rule applies. When left blank, this field is not used. |
| PROTOCOL | This is a qualifier condition that specifies a destination port protocol to which the rule applies. When left blank, this field is not used. |
| INTERFACE | This is a qualifier condition that specifies the output interface to which the rule applies. When left blank, this field is not used. |
| CONNECTION | This is a qualifier condition that specifies the output connection to which the rule applies. When left blank, this field is not used. |
| MARK | This is a qualifier condition that specifies a tag or mark of a TCP session to which the rule applies. When left blank, this field is not used. |
| SNAT IPS | This is a rule field that specifies the translated source IP address, used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect. Multiple translated source IP addresses are supported; they are specified as a range, for example, 100.100.1.5 - 100.100.1.10. |
| SNAT PORT | This is a rule field that specifies the translated source port, used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect. |
| APPLY ROUTE ENTRY | This is an option to program the route entry "DST CIDR pointing to Aviatrix Gateway" into the cloud platform routing table. |
| EXCLUDE ROUTE TABLE | This field specifies which VPC private route table will not be programmed with the default route entry. Users can combine this with APPLY ROUTE ENTRY enabled. |
To configure Source NAT, see Configure SNAT.
Destination NAT
Destination NAT (DNAT) allows you to change the destination to a virtual address range.
There are multiple optional parameters you can configure to meet your requirements.
When Sync to Instances is enabled, NAT rules are automatically duplicated to the HA peer gateway. By default, this function is enabled for DNAT.
| Field | Value |
|---|---|
| SRC CIDR | This is a qualifier condition that specifies a source IP address range to which the rule applies. When left blank, this field is not used. |
| SRC PORT | This is a qualifier condition that specifies a source port to which the rule applies. When left blank, this field is not used. |
| DST CIDR | This is a qualifier condition that specifies a destination IP address range to which the rule applies. When left blank, this field is not used and a default route 0.0.0.0/0 pointing to the Aviatrix Gateway is programmed into the cloud platform routing table. |
| DST PORT | This is a qualifier condition that specifies a destination port to which the rule applies. When left blank, this field is not used. |
| PROTOCOL | This is a qualifier condition that specifies a destination port protocol to which the rule applies. When left blank, this field is not used. |
| INTERFACE | This is a qualifier condition that specifies the output interface to which the rule applies. When left blank, this field is not used. |
| CONNECTION | This is a qualifier condition that specifies the output connection to which the rule applies. When left blank, this field is not used. |
| MARK | This is a rule field that specifies a tag or mark of a TCP session, applied when all qualifier conditions are met. When left blank, this field is not used. |
| DNAT IPS | This is a rule field that specifies the translated destination IP address, used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect. Multiple translated destination IP addresses are supported; they are specified as a range, for example, 100.101.2.5 - 100.101.2.10. |
| DNAT PORT | This is a rule field that specifies the translated destination port, used when all specified qualifier conditions are met. When left blank, this field is not used. One of the rule fields must be specified for the rule to take effect. |
| APPLY ROUTE ENTRY | This is an option to program the route entry "DST CIDR pointing to Aviatrix Gateway" into the cloud platform routing table. |
| EXCLUDE ROUTE TABLE | This field specifies which VPC private route table will not be programmed with the default route entry. Users can combine this with APPLY ROUTE ENTRY enabled. |
To configure Destination NAT, see Configure DNAT.
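The following Python model, added here as an illustration and not Aviatrix code, shows how the Customized SNAT and DNAT rule tables above evaluate: each blank qualifier (modelled as `None`) is simply not checked, a rule is rejected unless at least one rule field (translated IPs or port) is set, a translated-address range such as "100.100.1.5 - 100.100.1.10" is expanded into individual addresses, and pool addresses are handed out round-robin in the way the Multiple IPs mode describes. The names `Packet`, `NatRule`, `translate` and `expand_ip_range` are this example's own; first-match-wins rule ordering and "unmatched traffic passes unchanged" are assumptions, and the sample addresses are constructed from documentation ranges.

```python
"""Model of customized SNAT/DNAT rule evaluation (added example, not Aviatrix code)."""
import ipaddress
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Optional


def expand_ip_range(spec: str) -> list[str]:
    """Expand a single address or an inclusive 'A - B' range into a list of addresses."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) == 1:
        return [str(ipaddress.IPv4Address(parts[0]))]
    if len(parts) != 2:
        raise ValueError(f"bad address range: {spec!r}")
    lo, hi = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec!r}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


@dataclass(frozen=True)
class Packet:
    """The attributes a rule can qualify on (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"
    interface: str = "eth0"
    connection: str = ""
    mark: str = ""


@dataclass
class NatRule:
    """One rule. A qualifier left as None is 'blank' and therefore not checked."""
    src_cidr: Optional[str] = None
    src_port: Optional[int] = None
    dst_cidr: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    interface: Optional[str] = None
    connection: Optional[str] = None
    mark: Optional[str] = None
    # Rule fields: the translated address(es) and/or port. At least one is required.
    nat_ips: Optional[str] = None
    nat_port: Optional[int] = None

    def __post_init__(self) -> None:
        if self.nat_ips is None and self.nat_port is None:
            raise ValueError("one of the rule fields (NAT IPs or NAT port) must be specified")
        # Round-robin iterator over the translated address pool (assumption: a range
        # is walked the same way the Multiple IPs mode walks its secondary-IP pool).
        self._pool = cycle(expand_ip_range(self.nat_ips)) if self.nat_ips else None

    def matches(self, pkt: Packet) -> bool:
        """Every qualifier that is set must hold; blank qualifiers match anything."""
        if self.src_cidr and ipaddress.ip_address(pkt.src_ip) not in \
                ipaddress.ip_network(self.src_cidr, strict=False):
            return False
        if self.dst_cidr and ipaddress.ip_address(pkt.dst_ip) not in \
                ipaddress.ip_network(self.dst_cidr, strict=False):
            return False
        exact = (
            (self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port),
            (self.protocol, pkt.protocol), (self.interface, pkt.interface),
            (self.connection, pkt.connection), (self.mark, pkt.mark),
        )
        return all(want is None or want == have for want, have in exact)

    def next_ip(self) -> Optional[str]:
        """Next address from the pool, or None when the rule only rewrites the port."""
        return next(self._pool) if self._pool else None


def translate(rules: list[NatRule], pkt: Packet, kind: str) -> Packet:
    """Apply the first matching rule as 'snat' (rewrite source) or 'dnat' (rewrite destination)."""
    if kind not in ("snat", "dnat"):
        raise ValueError(f"kind must be 'snat' or 'dnat', got {kind!r}")
    ip_attr, port_attr = ("src_ip", "src_port") if kind == "snat" else ("dst_ip", "dst_port")
    for rule in rules:
        if not rule.matches(pkt):
            continue
        changes = {}
        ip = rule.next_ip()
        if ip is not None:
            changes[ip_attr] = ip
        if rule.nat_port is not None:
            changes[port_attr] = rule.nat_port
        return replace(pkt, **changes)
    return pkt  # no rule matched: traffic is left untranslated (assumption)


if __name__ == "__main__":
    # Constructed sample rules and packets; addresses come from documentation ranges.
    snat_rules = [NatRule(src_cidr="10.0.1.0/24", protocol="tcp",
                          nat_ips="100.100.1.5 - 100.100.1.7")]
    dnat_rules = [NatRule(dst_cidr="100.101.2.0/24", dst_port=80,
                          nat_ips="192.0.2.10", nat_port=8080)]
    outbound = Packet("10.0.1.20", 40000, "203.0.113.9", 443)
    for _ in range(4):  # a pool of three addresses wraps around on the fourth flow
        print("SNAT:", translate(snat_rules, outbound, "snat"))
    inbound = Packet("198.51.100.7", 51515, "100.101.2.5", 80)
    print("DNAT:", translate(dnat_rules, inbound, "dnat"))
```

The validation in `__post_init__` is the check worth keeping in mind when building rules: a rule with only qualifiers and no SNAT/DNAT IP or port is silently a no-op on the gateway, so rejecting it at configuration time is cheaper than debugging untranslated flows later. Note also that a DNAT rule which only sets `nat_port` rewrites the port but leaves the destination address alone, which is why `next_ip` returns `None` in that case rather than a placeholder.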