VMware Networking Community
abhisheksha
Enthusiast

NATing in NSX

Hi,

I am quite confused by the NAT concepts in NSX. One thing I found extremely bizarre was how you specify the traffic direction for your NAT rules. How do you say that you want Source NAT for INBOUND traffic or OUTBOUND traffic, and likewise Destination NAT for INBOUND or OUTBOUND traffic?

It would greatly help me if you would be able to clear this doubt.

Thank you!

3 Replies
cnrz
Expert

The NSX Load Balancer has two deployment modes: One-Armed (proxy mode) and Inline (two-armed mode).

In one-armed mode, client traffic has to be source NAT'ed so that the return traffic from the load-balanced servers passes back through the NSX Edge. Destination NAT is also necessary, because the packet the client sent is addressed to the VIP IP address on the Edge, not to the pool member.

The configuration is done on a per-pool basis, so for a one-armed configuration the Transparent checkbox should be left unchecked on the Edit Pool menu (by default it is not selected). The only requirement is that the Load Balancer Edge has an interface on the same logical switch, with an IP address on the same subnet. Another deployment option is to source NAT to a Load Balancer segment other than the server subnet; the return traffic is still routed back to the NSX Edge because the source IP has been changed. For the Destination NAT part, again no configuration is necessary: the Load Balancer automatically converts the destination IP from the VIP to the pool member IP address.

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.troubleshooting.doc/GUID-D26026...

[attachment: One_Armed_not_select_Transparent.png]

For Inline mode, the Transparent checkbox should be selected to remove Source NAT. Here the requirement is that the default gateway of the pool members is the NSX Edge Load Balancer, so that the return traffic passes through this Edge. This way only DNAT exists, which, as in one-armed mode, is configured automatically by the Edge.

If Source NAT is wanted in Inline mode, and Transparent is left at its default (unchecked), SNAT occurs and the servers see the Edge IP address as before, so although not very common this is also possible.

[image: Load Balancing Modes]

For more detailed configuration steps for one-armed and Inline modes, these could be helpful:

http://www.routetocloud.com/2014/10/nsx-load-balancing/

http://www.virtualizationblog.com/nsx-step-by-step-part-21-1-configuring-load-balancer-one-arm-mode/

http://www.virtualizationblog.com/nsx-step-by-step-part-21-2-configuring-load-balancer-in-line-mode/

https://blog.linoproject.net/vcp6-nv-study-notes-section-6-configure-and-manage-nsx-network-services...

http://blog.bertello.org/2016/02/nsx-for-newbies-part-11-load-balancing/

https://www.jeffreykusters.nl/2017/12/19/nsx-one-arm-load-balancing-epiphany/

abhisheksha
Enthusiast

Hi, thanks for your reply, but I wasn't referring to load balancing at all. I was just asking about Source NAT and Destination NAT in general.

rutgerblommah
Enthusiast

Source NAT is for outbound traffic, where the source IP needs to be replaced with an address that works on the outside of the edge. Destination NAT is for inbound traffic, where the destination IP needs to be replaced with an address that works on the inside of the edge.

/Rutger
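The direction question in the original post and Rutger's answer, and cnrz's one-armed load balancer description, come down to the same mechanism: a NAT rule's "direction" is its action (SNAT rewrites the source, DNAT rewrites the destination) combined with the interface it is applied on, and replies are un-translated from a connection table rather than by a second rule. The following is an added toy model written for this thread; it is not NSX code and not one of the posters' configurations. The interface names, the RFC 5737 addresses, the `NatRule` fields and the connection-tracking behaviour are all assumptions chosen to illustrate the concept, and the one-armed scenario models the effect of the non-transparent pool (which NSX applies automatically) as two explicit rules.

```python
# Added example for this thread, not NSX code. Interface names, addresses and
# rule fields are assumptions; the NSX UI calls the interface binding "Applied On".
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    action: str       # "snat" or "dnat"
    applied_on: str   # interface the rule is bound to
    original: str     # address or CIDR to match: source for snat, destination for dnat
    translated: str   # address written in its place


def _matches(addr: str, original: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(original, strict=False)


FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport) after translation


class EdgeNat:
    """Toy edge NAT table.

    DNAT is evaluated on the interface a packet arrives on (before routing),
    SNAT on the interface it leaves from (after routing), so "direction" is
    the action plus the interface the rule is applied on. Replies are
    restored from a connection table, never by matching rules again."""

    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = rules
        self.conntrack: Dict[FlowKey, Packet] = {}

    def forward(self, pkt: Packet, ingress: str, egress: str) -> Packet:
        # Reply to a flow we already translated: undo the translation.
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is not None:
            return Packet(orig.dst, orig.src, orig.dport, orig.sport)

        src, dst = pkt.src, pkt.dst
        for r in self.rules:
            if r.action == "dnat" and r.applied_on == ingress and _matches(dst, r.original):
                dst = r.translated
                break
        for r in self.rules:
            if r.action == "snat" and r.applied_on == egress and _matches(src, r.original):
                src = r.translated
                break
        out = Packet(src, dst, pkt.sport, pkt.dport)
        if out != pkt:
            self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
UPLINK, INTERNAL = "uplink", "internal"
EDGE_OUTSIDE, EDGE_INSIDE = "203.0.113.1", "10.0.1.1"
WEB_PUBLIC, WEB_SERVER = "203.0.113.10", "10.0.1.20"


def inbound_dnat() -> Tuple[Packet, Packet]:
    """Internet client -> published address: DNAT applied on the uplink."""
    edge = EdgeNat([NatRule("dnat", UPLINK, WEB_PUBLIC, WEB_SERVER)])
    req = edge.forward(Packet("198.51.100.5", WEB_PUBLIC, 40000, 443), UPLINK, INTERNAL)
    rep = edge.forward(Packet(WEB_SERVER, "198.51.100.5", 443, 40000), INTERNAL, UPLINK)
    return req, rep


def outbound_snat() -> Tuple[Packet, Packet]:
    """Internal server -> Internet: SNAT applied on the uplink."""
    edge = EdgeNat([NatRule("snat", UPLINK, "10.0.1.0/24", EDGE_OUTSIDE)])
    req = edge.forward(Packet(WEB_SERVER, "198.51.100.53", 51000, 53), INTERNAL, UPLINK)
    rep = edge.forward(Packet("198.51.100.53", EDGE_OUTSIDE, 53, 51000), UPLINK, INTERNAL)
    return req, rep


def snat_on_wrong_interface() -> Packet:
    """The usual mistake: an SNAT rule bound to the internal interface never
    sees traffic leaving via the uplink, so the private source leaks out."""
    edge = EdgeNat([NatRule("snat", INTERNAL, "10.0.1.0/24", EDGE_OUTSIDE)])
    return edge.forward(Packet(WEB_SERVER, "198.51.100.53", 51000, 53), INTERNAL, UPLINK)


def one_arm_lb() -> Packet:
    """One-armed, non-transparent load balancer on the server segment: DNAT
    VIP -> member plus SNAT client -> edge inside address, both on the single
    internal interface, so the member's reply comes back to the edge."""
    vip = "10.0.1.100"
    edge = EdgeNat([NatRule("dnat", INTERNAL, vip, WEB_SERVER),
                    NatRule("snat", INTERNAL, "0.0.0.0/0", EDGE_INSIDE)])
    return edge.forward(Packet("198.51.100.5", vip, 40000, 443), INTERNAL, INTERNAL)
```

The third scenario is the one to check in a real deployment: a rule with the right action but bound to the wrong interface silently does nothing, and outbound traffic leaves with its private source address. The fourth shows why the Transparent checkbox matters in one-armed mode: without the SNAT, the pool member would answer the client directly and the edge would never see the reply.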