Configure Internet Access for NSX Enabled VDC
Assumptions
- You purchased a Basic Internet Gateway or Advanced NSX Edge (Firewall)
- You have already created a VM
- You have created a private subnet
- Example subnet containing the VM: 192.168.2.0/24
- Example VM IP address: 192.168.2.100
- Example edge gateway address: 119.252.74.161
Overview
In this article we will configure a VDC to allow internet access for a VM on a private subnet.
- In order to configure internet access for the subnet (inclusive of the VM) we will be assigning two NAT rules and one firewall rule to the uplink network.
- The Source NAT rule translates the internal subnet to the edge gateway address for outbound traffic; the Destination NAT rule forwards inbound traffic addressed to the edge gateway on to the VM.
- The firewall rule will allow all traffic originating from the internal subnet, to any destination and on any protocol.
- The firewall rule we are implementing is overly generous and may not be appropriate for your needs.
- A more specific rule may better meet your particular requirements, for example you may wish to restrict the source IP to a particular host and the destination ports to 80 and 443 TCP to allow only web traffic.
- In general, you should open only the minimal set of required ports and addresses.
Configuration
All configuration items will be applied against the uplink network. You must identify both the external IP address of the edge gateway and the internal subnet for which you wish to provide access. You will previously have assigned the internal VDC subnet to one of your vNICs.
1. Identify Edge gateway IP address
The gateway address can be found by navigating to the Network Configuration tab for your VDC in MyAccount, selecting the "uplink" network and viewing its configuration page. (Customers who have an Advanced NSX Edge will see a different set of tabs on this page.)
2. NAT Rules
Add the NAT rules to the uplink network: open the NAT page and click the "Add NAT Rule" button once for each rule. You will be configuring the following rules:
Source NAT
- Rule Type: Source NAT
- Original IP: 192.168.2.0/24
- Translated IP: 119.252.74.161
Destination NAT
- Rule Type: Destination NAT
- Protocol: Any
- Original IP: 119.252.74.161
- Translated IP: 192.168.2.100 (the VM's address)
- Note: with Protocol set to Any and no port restriction, this rule forwards every inbound connection made to the edge gateway address to the VM. It is only needed if the VM must accept inbound connections from the internet; the SNAT rule alone is sufficient for outbound access. Whether forwarded connections are then admitted depends on your firewall rules: the rule in step 3 permits only traffic originating from the internal subnet.
3. Firewall Rules
Add a firewall rule to the uplink network: open the Firewall page and click the "Add Firewall Rule" button. As noted in the overview, the rule below is overly generous and may not be appropriate for your needs; a more specific rule, for example one restricting the source IP to the VM and the destination ports to TCP 80 and 443, may better meet your requirements. You will be configuring the following rule:
Rule
- Policy: Allow
- Description: All
- Source IP: 192.168.2.0/24
- Destination IP: Any
- Protocols: Any
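The following Python is an added example, not part of the original article and not the edge's own code. It models how the SNAT, DNAT and firewall rules above act on a few constructed packets, so you can compare what the generous rule permits with the web-only rule suggested above, and see what the DNAT rule does to inbound traffic. It assumes a default-deny firewall policy, that the firewall matches outbound traffic on the internal (pre-SNAT) addresses, as the article's rule with source 192.168.2.0/24 implies, and that DNAT is applied before the firewall on inbound traffic. The addresses 203.0.113.10 and 198.51.100.7 are constructed documentation addresses.

```python
"""Model of how the SNAT, DNAT and firewall rules from this article act on
traffic.  Added illustration only: it is not the edge's own code.  Assumes a
default-deny firewall, that outbound traffic is matched on the internal
(pre-SNAT) addresses, and that DNAT is applied before the firewall inbound.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

EDGE_IP = "119.252.74.161"   # example edge gateway uplink address (from the article)
SUBNET = "192.168.2.0/24"    # example private subnet (from the article)
VM_IP = "192.168.2.100"      # example VM (from the article)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class FirewallRule:
    policy: str                  # "allow" or "deny"
    src: str = "any"             # CIDR, single address or "any"
    dst: str = "any"
    proto: str = "any"
    dports: FrozenSet[int] = frozenset()   # empty means any port


def _ip_in(ip: str, spec: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def matches(rule: FirewallRule, pkt: Packet) -> bool:
    if not _ip_in(pkt.src, rule.src) or not _ip_in(pkt.dst, rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def firewall_decision(rules: List[FirewallRule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the assumed default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.policy
    return "deny"


def apply_snat(pkt: Packet) -> Packet:
    """Source NAT rule: traffic leaving the subnet appears to come from the edge IP."""
    if _ip_in(pkt.src, SUBNET) and not _ip_in(pkt.dst, SUBNET):
        return Packet(EDGE_IP, pkt.dst, pkt.proto, pkt.dport)
    return pkt


def apply_dnat(pkt: Packet) -> Packet:
    """Destination NAT rule: anything sent to the edge IP, any protocol or port, goes to the VM."""
    if pkt.dst == EDGE_IP:
        return Packet(pkt.src, VM_IP, pkt.proto, pkt.dport)
    return pkt


# The article's rule: allow everything that originates in the subnet.
GENEROUS_RULES = [FirewallRule("allow", src=SUBNET)]
# The tighter alternative the article suggests: one host, web ports only.
WEB_ONLY_RULES = [FirewallRule("allow", src=VM_IP, proto="tcp", dports=frozenset({80, 443}))]


def outbound(rules: List[FirewallRule], pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Firewall decision for an internal packet and, if allowed, the packet as the internet sees it."""
    decision = firewall_decision(rules, pkt)
    return decision, (apply_snat(pkt) if decision == "allow" else None)


def inbound(rules: List[FirewallRule], pkt: Packet) -> Tuple[str, Packet]:
    """DNAT first (so the firewall sees the VM as destination), then the firewall decision."""
    translated = apply_dnat(pkt)
    return firewall_decision(rules, translated), translated


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.10 and 198.51.100.7 are documentation addresses.
    ssh_out = Packet(VM_IP, "203.0.113.10", "tcp", 22)
    https_out = Packet(VM_IP, "203.0.113.10", "tcp", 443)
    rdp_in = Packet("198.51.100.7", EDGE_IP, "tcp", 3389)
    print("generous, ssh out  :", outbound(GENEROUS_RULES, ssh_out))
    print("web-only, ssh out  :", outbound(WEB_ONLY_RULES, ssh_out))
    print("web-only, https out:", outbound(WEB_ONLY_RULES, https_out))
    print("generous, rdp in   :", inbound(GENEROUS_RULES, rdp_in))
```

Running it shows the difference in practice: under the article's rule the VM can open SSH to any host on the internet and the connection leaves with source 119.252.74.161, while the web-only rule denies that connection and admits only TCP 80 and 443 from the one host. The inbound RDP attempt is translated to the VM by the DNAT rule but is still denied, because the only firewall rule matches sources inside the subnet.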
Your NAT and firewall rules to allow internet access to your internal VDC subnet 192.168.2.0/24 via edge gateway 119.252.74.161 are now complete.
You may also want to see our FAQ on enabling RDP which is a similar example.