About
What is NAT?
Network Address Translation (NAT) is a process that lets a single public IP address represent an entire group of computers. In network address translation, a network device, usually a router or NAT firewall, maps the computer or computers inside a private network to a public address. In this way, NAT allows that single device to act as an intermediary between the local, private network and the public network that is the internet. NAT's main purpose is to conserve the number of public IP addresses in use, and it also serves a security goal by keeping the internal addresses out of direct reach of the internet.
Is it necessary to enable NAT and Firewall?
Yes. You can run without NAT and the firewall by simply disabling them. Be aware, however, that once you disable them your network and its connections are no longer secure: they are exposed to the public internet without any protection, which makes them very vulnerable, and we strongly advise customers not to do this.
When NAT and the firewall are enabled, you can specify which inbound and outbound connections to your VM are allowed. For example, you obviously do not want your SQL Server published to the internet, where anyone can try to access it. You can protect it by adding NAT and firewall rules that reject every connection to the SQL Server unless it comes from the web server.
Another rule you can create is one that lets you remote into your VM securely. Once your new VM is created, you may wonder how to access it to start deploying and configuring your application. The VM can easily be reached with any remote-access tool, but you must first allow the remote connection to your VM by adding a NAT rule and a firewall rule.
This article shows the steps for adding NAT and firewall rules, using the scenario where you want to remotely access your Windows Server VM from the internet.
Preparation
Before proceeding with this guide, make sure that:
- You have deployed at least one virtual machine.
- You know which connection or port you want to allow.
Guide
Adding NAT Rules
1. Log in to vCloud Director with your account and click on your DC.
2. On the page that opens, click Edges in the left pane.
3. Click DC_XXXXXX.
4. Then go to NAT > NEW.
5. Next, fill in the Name box and choose the interface type you want to add (DNAT/SNAT). Fill in the following information:
- External IP: the public IP of your VM.
- External port: a port of your choosing that you will use to remote into the VM. It typically has 4 to 5 digits.
- Internal IP: the private/LAN IP of your VM.
- Application: the service port used for remote access. For example, on Windows this is 3389 (RDP) and on Linux it is 22 (SSH). Enter a Description as required, then click Keep.
6. In the Application tab, click "choose a specific application" and search for the application you want.
In this example, we add the SSH service with its default port 22. Once you find it, click the circle on the left side and then Save.
7. Expand Advanced settings and, under Firewall match, choose Match External Address.
8. The NAT rule is now created.
9. Next, go to Security to add an IP set for the public IP. Click IP Sets > New.
10. In the IP address column, enter the external IP and click Add until it appears in the box below, then Save.
11. Because this example uses port 5617 as the external port and that port is not among the available Application Port Profiles, we must add a new application port profile. Click Application Port Profiles > New.
12. Fill in the fields, select Protocol > TCP, enter the specified port under Ports, and then Save.
- TCP: a connection-oriented protocol.
- UDP: a connectionless protocol.
- ICMP: carries control messages between devices on a computer network, mainly for reporting network errors so that the sending host can react to them.
13. When that is done, go to Firewall to start adding the firewall rule.
Adding Firewall Rule
1. The first step is to go to Firewall and click Edit Rules.
2. Click New at the top and give the rule the name you need.
In Applications, click the pencil icon, look for the application port profile we added in step 12, and Save.
3. Source: Any. (If you do not want everyone to have remote access to your VM, restrict the source instead by entering an IP address or IP range as a whitelist.) Then click Keep.
4. Under Destination, select the external IP (the IP set we added in step 10) and click Keep.
5. Under IP Protocol, choose IPv4 and IPv6, then Save.
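The two rule sets above (the DNAT rule from "Adding NAT Rules" and the firewall rule from "Adding Firewall Rule") only work together when they agree on which address the firewall inspects. The following Python model, added here as an illustration and not part of vCloud Director or of this guide, replays how an edge decides whether an inbound connection reaches the VM: it applies the DNAT rule, evaluates the firewall against the external address (the "Match External Address" choice in NAT step 7), and uses first-match-wins with a default deny. All IP addresses, ports and rule names are constructed assumptions chosen to mirror the guide (public port 5617 forwarded to SSH on port 22). It also shows the effect of the source whitelist mentioned in firewall step 3 and what happens if the firewall rule's destination is set to the internal IP instead of the external IP set from step 10.

```python
"""Model of DNAT + edge firewall evaluation for the guide's SSH scenario.

Constructed example, not vCloud Director code. Addresses use the
documentation ranges (TEST-NET-2/3 and RFC 1918) and are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class DnatRule:
    name: str
    external_ip: str
    external_port: int
    internal_ip: str
    internal_port: int
    proto: str = "TCP"
    match_external_address: bool = True  # "Advanced settings > Firewall match" in NAT step 7

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination if the packet hits this rule's external IP:port."""
        if (pkt.dst_ip, pkt.dst_port, pkt.proto) != (self.external_ip, self.external_port, self.proto):
            return None
        return Packet(pkt.src_ip, self.internal_ip, self.internal_port, pkt.proto)


@dataclass
class FirewallRule:
    name: str
    action: str  # "ALLOW" or "DROP"
    sources: List[str] = field(default_factory=list)        # CIDRs; empty list = Any
    destinations: List[str] = field(default_factory=list)   # the IP set; empty list = Any
    ports: List[Tuple[str, int]] = field(default_factory=list)  # application port profile; empty = Any

    def matches(self, pkt: Packet) -> bool:
        src_ok = not self.sources or any(ip_address(pkt.src_ip) in ip_network(c) for c in self.sources)
        dst_ok = not self.destinations or any(ip_address(pkt.dst_ip) in ip_network(c) for c in self.destinations)
        port_ok = not self.ports or (pkt.proto, pkt.dst_port) in self.ports
        return src_ok and dst_ok and port_ok


def edge_decision(pkt: Packet, nat_rules: List[DnatRule],
                  fw_rules: List[FirewallRule]) -> Tuple[str, Optional[Packet]]:
    """Apply the first matching DNAT rule, then evaluate the firewall top-down.

    Returns (action, packet as delivered to the VM or None). Anything that no
    rule explicitly allows is dropped (default deny).
    """
    translated = None
    fw_view = pkt
    for nat in nat_rules:
        translated = nat.translate(pkt)
        if translated is not None:
            # With "Match External Address" the firewall sees the pre-NAT destination.
            fw_view = pkt if nat.match_external_address else translated
            break
    for rule in fw_rules:
        if rule.matches(fw_view):
            return rule.action, (translated if rule.action == "ALLOW" else None)
    return "DROP", None


EXTERNAL_IP = "198.51.100.10"  # constructed public IP of the VM
INTERNAL_IP = "10.0.0.5"       # constructed private/LAN IP of the VM
SSH_DNAT = DnatRule("ssh-dnat", EXTERNAL_IP, 5617, INTERNAL_IP, 22)
SSH_PROFILE = [("TCP", 5617)]  # the custom application port profile from NAT steps 11-12


def guide_ruleset() -> List[FirewallRule]:
    """The firewall rule exactly as the guide builds it: Source Any, Destination = external IP set."""
    return [FirewallRule("allow-ssh-5617", "ALLOW", [], [EXTERNAL_IP], SSH_PROFILE)]


def whitelisted_ruleset(admin_net: str) -> List[FirewallRule]:
    """Same rule with the source restricted to an admin range (the whitelist option in firewall step 3)."""
    return [FirewallRule("allow-ssh-5617-admin", "ALLOW", [admin_net], [EXTERNAL_IP], SSH_PROFILE)]


def misconfigured_ruleset() -> List[FirewallRule]:
    """Destination set to the internal IP although the DNAT uses 'Match External Address'."""
    return [FirewallRule("allow-ssh-wrong-dst", "ALLOW", [], [INTERNAL_IP], [("TCP", 22)])]


def check(src: str, dst_port: int, fw: List[FirewallRule]) -> Tuple[str, Optional[str]]:
    """Decide an inbound connection from src to the public IP on dst_port."""
    action, delivered = edge_decision(Packet(src, EXTERNAL_IP, dst_port), [SSH_DNAT], fw)
    return action, (f"{delivered.dst_ip}:{delivered.dst_port}" if delivered else None)


if __name__ == "__main__":
    print(check("203.0.113.77", 5617, guide_ruleset()))                        # ('ALLOW', '10.0.0.5:22')
    print(check("203.0.113.77", 5617, whitelisted_ruleset("203.0.113.0/24")))  # ('ALLOW', '10.0.0.5:22')
    print(check("192.0.2.9", 5617, whitelisted_ruleset("203.0.113.0/24")))     # ('DROP', None)
    print(check("203.0.113.77", 22, guide_ruleset()))                          # ('DROP', None)
    print(check("203.0.113.77", 5617, misconfigured_ruleset()))                # ('DROP', None)
```

The last two cases are the ones worth remembering: port 22 on the public IP is never reachable because no DNAT rule exists for it, and a firewall rule whose destination is the internal IP silently drops everything when the NAT rule is set to Match External Address, which is why the guide points the firewall rule at the external IP set from step 10. The whitelist case is the same restriction the SQL Server example in the introduction relies on, with the web server's address as the only allowed source.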
Remote VM
1. To remote into your Linux VM, open PuTTY and enter the IP address and port 5617 (or whichever port you created).
2. Enter the username and password that were created.
3. Remote session result.
Notes:
After you deploy and configure your application and want to access it from the internet, you can create another rule for it. For example, if your application uses HTTP, add a NAT rule and a firewall rule by following the guide above, changing only the protocol and port to HTTP, port 80.
You do not need to create a new application port profile if the desired port is already available.