Have attached a small diagram

I don't fully understand you question, but there should be no problem in routing public IP addresses. After all, an IP address is just an IP address.

To begin with, can you successfully ping between the router and the NSX Edge?

Hi Paul, the DNAT rules are working if I pull an IP from the current sub-allocated pool.

If I rephrase the question into, what if I wanted to an additional sub-allocated pool that I can use for DNAT, and this new pool is not in the same subnet as the first sub-allocated pool ?

In my example:

External Network -1.1.1.0/30

External IP of NSX Edge is 1.1.1.1 (I can sub-allocated this IP within the edges setting, and then use this IP for DNAT or SNAT)

Default gateway of the NSX edge is 1.1.1.2 (let's say a Cisco router)

Let's say I have a webserver behind the NSX edge and I have a DNAT rule setup for port 80 (1.1.1.1:80 -> 192.168.1.10:80 for example), everything up to here is working successfully.

Now I want to add a second websever 192.168.1.11 and I need another external IP. Because the current external /30 is already used for the DNAT rule above.

I then get a new subnet from the ISP 1.1.1.4/30, traditionally you will route this subnet to the external interface of a firewall and you could use the entire subnet for NAT (1.1.1.4 - 1.1.1.7). But since NSX/vCloud requires the subnet to be specified in the "Sub-Allocate IP Pool" of the Edge Gateway Properties, it will need to grab these IP's from somewhere.

1. I can't create a new External Network within cloud resources as the default gateway needs to stay as the original 1.1.1.2

2. Within System - Manage & Monitor - External Networks. I enter into the properties of my existing External Pool /30, and add a new Network Specification for the new subnet 1.1.1.4/30, however out of this subnet I need to specify a default gateway which needs to be specified as a secondary on the Cisco router interface that is providing the default gateway of 1.1.1.2.

So each time I add a network specification, I lose 1 IP out of the subnet for the default gateway plus I need additional setup on the Cisco router.

Hi Bayu, thanks for your reply

I can add secondary IP's that is fine.

However if I already have 1.1.1.1/30 as an interface IP (with default gateway 1.1.1.2) and I create a new interface IP with multiple secondary IP's with subnet 1.1.1.4/30 (primary IP 1.1.1.5, secondary 1.1.1.6) once a packet from the internet arrives to this new interface ip 1.1.1.5, the return packet will try to go out the same interface, which means I need to specific a default gateway out of 1.1.1.4/30 subnet. If I change the default gateway I will lose return packets destined for 1.1.1.0/30

See my longer reply above

Hi David,

Will subnet bigger than /30 such as /24 works for your scenario?

You can also create the external IP as /24 for example 1.1.1.0/24

Then you can decide and design how many vCD Organization you would like to have and how many external IP per vCD Org.

For example with /24 you have 254 IP address, you would like to have 10 Public IP per vCD Org, you want to reserve .1-10 & .251-254 for system/non-tenant and Edge starts from .11 until .250

You can use external network without sub-allocating IP pools but everything will be based on first come first serve.

The other option you can pre-allocate the IP pools for example Org01 will use .11-20, Org02 will use .21-30, and so on so you will have up to 24 Sub-Allocated IP pools for up to 24 Organizations.

If you need more than 24 Orgs then you will need to create another range for example 2.2.2.0/24 or have a bigger subnet such as /23 or /22

This was one of the original designs I had, however one issue with this is that say I have allocated 1.1.1.0/24 to use for all external access and the subnet has a limited amount of ip's remaining. Then one of the existing customers wants a large subnet routed to them say /26 or /27, I won't be able to allocate those IP's to them since the 1.1.1.0/24 is full, so that means I will need to re-ip the whole customer with a new external network. So it doesn't really scale well.

Let say you have that scenario with one subnet 1.1.1.0/24, it has limited amount IP and one customer need a new subnet 2.2.2.0/24.

If the new customer needs only the new subnet you can create new VLAN/interface in the physical router for the subnet 2.2.2.0/24 and connect that to the customer Edge.

However, if you want the customer to have 1.1.1.0/24 and 2.2.2.0/24 that would be tricky if you are running on static routing.

Edge can use multiple external network but you can only choose one as the default

Adding multiple subnets to an external network in VMware vCloud Director results in packet loss (211...

What I can think of is the customer would need either use separate Edge and choose which vApp for which Edge or use Dynamic Routing on the Edge and potentially use ECMP

NSX supports Dynamic Routing and this feature is now exposed to vCD 8.2.0 Advanced Routing Configuration Using the vCloud Director Tenant Portal