Configure Internet Access for a VDC

Assumptions

  • You purchased a Basic Internet Gateway or Advanced NSX Edge (Firewall)
  • You have already created a VM
  • You have created a private subnet
  • Example Subnet containing the VM: 192.168.2.0/24
  • Example VM IP Address: 192.168.2.100
  • Example Edge Gateway Address: 119.252.74.161

Overview

In this article we will configure a VDC to allow internet access for a VM on a private subnet.

  • In order to configure internet access for the subnet (inclusive of the VM) we will be assigning 2 x NAT rules and 1 Firewall rule to the Uplink port.
  • The NAT rules will provide address and port translation between the internal subnet and the edge gateway.
  • The firewall rule will allow all bidirectional traffic originated by the internal subnet.
  • The firewall rule we are implementing is overly generous and may not be appropriate for your needs.
  • A more specific rule may better meet your particular requirements, for example you may wish to restrict the source IP to a particular host and the destination ports to 80 and 443 TCP to allow only web traffic.
  • In general, you should open only the minimal set of required ports and addresses.

Configuration

All configuration items will be applied against the uplink network. You must identify both the external IP address of the edge gateway and the internal subnet for which you wish to provide access. You will have already assigned the internal VDC subnet to one of your VNICs.

1. Identify Edge gateway IP address

The gateway address can be found by navigating to the Network Configuration tab for your VDC in MyAccount, selecting the ‘uplink’ network and viewing the config page as below (customers who have an Advanced NSX Edge will have tabs that differ from the picture below):

[Screenshot: Edge Gateway IP identification]

2. NAT Rules

To add the NAT rules to the uplink network, open the NAT page and click the ‘Add NAT Rule’ button. You will be configuring the following rules:

Source NAT

  • Rule Type: Source NAT
  • Original IP: 192.168.2.0/24
  • Translated IP: 119.252.74.161

[Screenshot: internet-snat-rule]

Destination NAT

  • Rule Type: Destination NAT
  • Protocol: Any
  • Original IP: 119.252.74.161
  • Translated IP: 192.168.2.0/24

[Screenshot: internet-dnat-rule]

3. Firewall Rules

To add a firewall rule to the uplink network, open the Firewall page and click the ‘Add Firewall Rule’ button. The firewall rule we are implementing is overly generous and may not be appropriate for your needs. A more specific rule may better meet your particular requirements; for example, you may wish to restrict the source IP to a particular host and the destination ports to 80 and 443 TCP to allow only web traffic. In general, you should open only the minimal set of required ports and addresses. You will be configuring the following rule:

Rule

  • Policy: Allow
  • Description: All
  • Source IP: 192.168.2.0/24
  • Destination IP: Any
  • Protocols: Any

[Screenshot: internet-firewall-rule]
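The following is an added example, not part of this article or the MyAccount/NSX product: a small Python model of the SNAT rule and the firewall rule above, used to compare the article's "Source 192.168.2.0/24, Destination Any, Protocols Any" rule with the tighter host-and-web-ports-only rule the text recommends. The default-deny behaviour when no rule matches and the sample flows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the article's example configuration
EDGE_IP = "119.252.74.161"
INTERNAL_SUBNET = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class FirewallRule:
    policy: str                # "allow" or "deny"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    dports: frozenset = frozenset()   # empty set means any port

    def matches(self, flow: Flow) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(flow.src, self.src) and in_net(flow.dst, self.dst)
                and self.proto in ("any", flow.proto)
                and (not self.dports or flow.dport in self.dports))


def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; no match falls through to deny (assumed default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.policy
    return "deny"


def apply_snat(flow: Flow) -> Flow:
    """Source NAT: Original IP 192.168.2.0/24 -> Translated IP 119.252.74.161."""
    if ipaddress.ip_address(flow.src) in INTERNAL_SUBNET:
        return Flow(EDGE_IP, flow.dst, flow.proto, flow.dport)
    return flow


# The article's rule (any protocol, any destination) versus the recommended tighter rule
ARTICLE_RULES = [FirewallRule("allow", "192.168.2.0/24", "any", "any")]
WEB_ONLY_RULES = [FirewallRule("allow", "192.168.2.100/32", "any", "tcp", frozenset({80, 443}))]
```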

Your NAT and firewall rules to allow internet access to your internal VDC subnet 192.168.2.0/24 via edge gateway 119.252.74.161 are now complete.

You may also want to see our FAQ on enabling RDP, which is a similar example.