What is NAT?
Network Address Translation (NAT) is a process that lets a single public IP address represent a whole group of computers. A network device, usually a router or NAT firewall, maps the private addresses of the computers behind it to a public address, so that one device acts as the intermediary between the local, private network and the public internet. NAT's main purpose is to conserve public IPv4 addresses. It also hides the private addressing of your VMs, but NAT by itself is not a security control: a port you publish with a NAT rule is reachable by anyone unless a firewall rule restricts who may connect, which is why the two are configured together in this guide.
Is it necessary to enable NAT and Firewall?
Yes. You can disable NAT and Firewall, but if you do, your network and its connections are no longer protected: every service on your VMs is exposed directly to the public internet. This leaves them highly vulnerable, and we strongly advise customers not to do it.
When NAT and Firewall are enabled, you specify which inbound and outbound connections are allowed to your VM. For example, you obviously do not want your SQL Server published to the internet where anyone can try to access it. You protect it with NAT and firewall rules: do not publish the SQL Server's port with a DNAT rule, and add a firewall rule that denies every connection to the SQL Server unless it comes from the Web Server.
Another typical rule is the one that lets you reach your VM remotely. Once a new VM is created, you will want to access it to deploy and configure your application. The VM can be reached with any remote-access tool, but only after you allow that connection by adding a NAT rule and a firewall rule.
This article shows the steps for adding NAT and firewall rules, using the scenario of remote access from the internet to a Windows Server VM.
Before proceeding with this guide, make sure that:
- You have deployed at least one virtual machine.
- You know which connection or port you want to allow (for example TCP 3389 for Remote Desktop on Windows, or TCP 22 for SSH on Linux).
Adding NAT Rules
1. Log in to vCloud Director with your account. Click on your DC.
2. On the page that appears, click Edges in the left pane.
3. Click DC_XXXXXX.
4. Click Services.
5. Go to NAT > +DNAT Rule.
6. Fill in Applied On with CBT01-XXXXX if your VDC is in Cibitung, or JKT01-XXXX if your VDC is in Jakarta.
7. For Original IP/Range, choose Select > IP Address, pick the public IP address that has been provided, then click Keep.
8. Select Protocol > TCP.
- TCP: connection-oriented transport. Remote Desktop (3389), SSH (22) and HTTP (80) all run over TCP, so it is the protocol used throughout this guide.
- UDP: connectionless transport. Choose it only if the service you are publishing actually uses UDP.
- ICMP: carries control and error messages between devices on a network (ping, reporting of unreachable hosts and similar errors). It has no ports, so it is not used for a remote-access rule.
- Any: matches every protocol. Avoid it for a published service; select only the protocol the service uses so the rule does not open more than intended.
9. Fill in the following information:
- Original Port: the port on the public IP that you will connect to from the internet. Choose a custom high port (4 or 5 digits; this guide uses 9876) rather than the service's default port. Note that a non-default port does not by itself protect the VM; it only reduces noise from scanners. The source restriction in the firewall rule is what limits who can connect.
- Translated IP/Range: the private (LAN) IP address of your VM.
- Translated Port: the service port on the VM. For Windows this is 3389 (Remote Desktop); for Linux it is 22 (SSH).
- Description: as per your requirement. Then click Keep.
10. After creating the NAT rule, click Save Changes.
11. When that is done, go to Firewall to start adding the firewall rule.
Adding Firewall Rule
1. Go to Firewall.
2. Double-click New Rule and rename it as you need.
Type: User
Source: Any. If you do not want everyone to be able to reach your VM remotely, restrict the source to an IP address or IP range as a whitelist. This is strongly recommended for a remote-access rule: it is the only setting here that limits who can attempt to log in.
3. Under Destination, click IP.
4. Fill in the public IP address that has been provided, then click Keep.
5. Under Services, click +.
6. Fill in the Protocol with TCP.
Source port: any
Destination port: 9876 (the Original Port from the NAT section, or whatever custom port you chose), then click Keep. The destination here is the public IP and the Original Port, not the VM's private IP and 3389, because the Edge firewall evaluates the connection as it arrives, before the NAT rule translates it.
7. Click Save Changes.
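The two rules created in the NAT and Firewall sections above, together with the SQL Server scenario from the introduction, as an added example (this is not vCloud Director or NSX code and is not part of the original article): a small Python model of how the DNAT rule and the firewall rule combine to decide what happens to an inbound connection. All addresses are constructed (198.51.100.25 as the public IP, 10.0.0.5 and 10.0.0.6 as the Windows and SQL VMs, 203.0.113.0/24 as the whitelist), and the model assumes two things the article's own rules rely on: the firewall matches the connection as it arrives on the public IP and Original Port, and the Edge's default rule denies anything no rule accepts.

```python
"""Model of how the DNAT rule and the firewall rule above decide the fate
of an inbound connection. Added example for this article; not vCloud
Director or NSX code, and it does not talk to the Edge. Every address,
network and VM below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class DnatRule:
    original_ip: str        # public IP chosen in "Original IP/Range"
    protocol: str           # "tcp", "udp", "icmp" or "any"
    original_port: int      # "Original Port", exposed on the public IP
    translated_ip: str      # "Translated IP/Range", the VM's private address
    translated_port: int    # "Translated Port", the service port on the VM


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str             # "accept" or "deny"
    source: str             # "any", a single address or a CIDR whitelist
    destination: str        # "any", a single address or a CIDR
    protocol: str           # "tcp", "udp", "icmp" or "any"
    dest_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


# Constructed topology (documentation-range addresses, not real ones).
PUBLIC_IP = "198.51.100.25"   # the public IP "that has been provided"
WIN_VM = "10.0.0.5"           # Windows Server VM, Translated IP of the DNAT rule
SQL_VM = "10.0.0.6"           # SQL Server from the introduction, never published
ADMIN_NET = "203.0.113.0/24"  # office range used as the firewall Source whitelist

# The DNAT rule from "Adding NAT Rules": public:9876 -> VM:3389.
DNAT_RULES = [DnatRule(PUBLIC_IP, "tcp", 9876, WIN_VM, 3389)]

# Firewall rules, first match wins; the Edge's implicit default rule denies
# whatever nothing here accepts.
FW_RULES = [
    # The rule from "Adding Firewall Rule", with Source narrowed to a whitelist.
    FirewallRule("rdp-from-office", "accept", ADMIN_NET, PUBLIC_IP, "tcp", 9876),
    # SQL Server scenario: only the Web Server may reach 1433. These rules only
    # see traffic that crosses the Edge (VMs on separate routed networks).
    FirewallRule("web-to-sql", "accept", WIN_VM, SQL_VM, "tcp", 1433),
    FirewallRule("block-sql", "deny", "any", SQL_VM, "tcp", 1433),
]


def _ip_matches(spec: str, ip: str) -> bool:
    """'any', an exact address, or a CIDR such as 203.0.113.0/24."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "any" or spec == proto


def firewall_decision(rules, pkt: Packet) -> str:
    """'accept' or 'deny' for pkt; unmatched traffic hits the default deny."""
    for rule in rules:
        if (_ip_matches(rule.source, pkt.src_ip)
                and _ip_matches(rule.destination, pkt.dst_ip)
                and _proto_matches(rule.protocol, pkt.protocol)
                and rule.dest_port in (None, pkt.dst_port)):
            return rule.action
    return "deny"


def process_inbound(dnat_rules, fw_rules, pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Where a connection arriving from the internet ends up:
    ("denied", None)           the firewall rejected it
    ("unpublished", None)      accepted, but no DNAT rule publishes that port,
                               so it dies at the Edge and reaches no VM
    ("forwarded", (ip, port))  delivered to the VM at its private address
    The firewall is evaluated on the packet as it arrives (public IP, Original
    Port), which is why the firewall rule above names 9876 and not 3389."""
    if firewall_decision(fw_rules, pkt) != "accept":
        return ("denied", None)
    for rule in dnat_rules:
        if (rule.original_ip == pkt.dst_ip
                and _proto_matches(rule.protocol, pkt.protocol)
                and rule.original_port == pkt.dst_port):
            return ("forwarded", (rule.translated_ip, rule.translated_port))
    return ("unpublished", None)


if __name__ == "__main__":
    checks = [
        ("RDP from the office", Packet("203.0.113.10", PUBLIC_IP, "tcp", 9876)),
        ("RDP from an unknown host", Packet("192.0.2.7", PUBLIC_IP, "tcp", 9876)),
        ("Default RDP port on public IP", Packet("203.0.113.10", PUBLIC_IP, "tcp", 3389)),
        ("SQL from the internet", Packet("203.0.113.10", PUBLIC_IP, "tcp", 1433)),
    ]
    for label, pkt in checks:
        print(f"{label:32} -> {process_inbound(DNAT_RULES, FW_RULES, pkt)}")
```

Run it directly to see the four scenarios. Change the Source of rdp-from-office to "any" and the 192.0.2.7 case flips from denied to forwarded, which is exactly the exposure the whitelist prevents; the 3389 case stays denied either way, because the custom port alone does nothing without a rule that matches it.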
Remote Access to Your VM
1. For Windows, open Remote Desktop Connection and enter the public IP address and port 9876 (or the port you configured) in the form IP:9876.
2. Enter the password that was set for the VM.
3. The Remote Desktop session to your VM opens.
After you deploy and configure your application and want to make it reachable from the internet, create another pair of rules for it. For example, if your application uses HTTP, add a NAT rule and a firewall rule by following the guide above, changing only the protocol and port to TCP 80 (and TCP 443 if you serve HTTPS). Publish only the ports the application actually needs: every port you publish is a service exposed to the internet.