How to manage NAT and port forwarding for your VDC

Introduction
Managing the port forwarding rules for a network
Adding a port forwarding rule
Using port forwarding to allow connection to multiple VMs through the same external IP address
Static NAT


Introduction

The NAT configuration of a Local with Internet Gateway network in VDC controls how your VMs, which are connected only to the internal network, can communicate with the public Internet.

Important

A new 'Local with Internet Gateway' network has no connections (inbound or outbound) enabled by default. Every inbound rule (port forwarding, load balancing, firewall) and every outbound rule (egress) must be created explicitly.


The simplest mechanism for controlling inbound connections from the Internet is to use port forwarding rules. Two other mechanisms are available: load balancing rules (see How to manage load balancing rules for your VDC), and a VPN (virtual private network), which creates a connection between your computer and VDC that bypasses the network firewall (see How to enable a software VPN connection to a VM).

Remember that a port forwarding rule on its own does not open the port: you also need to create a firewall rule for every port (or port range) for which you set a port forwarding rule. See How to manage firewall rules for your VDC.

Outbound network connections for your VMs are configured using egress rules – see How to allow your VM to access the public Internet network.

Port forwarding, load balancing and VPN functions are provided by a virtual router with firewall that is built into VDC. If you wish instead to deploy a dedicated virtual machine running a firewall application, use a Public Direct Connect network, which offers a direct connection to the Internet without the additional firewall.

Managing the port forwarding rules for a network

Click Network on the left-hand menu. Then click the name of the network you wish to modify. Click View IP Addresses, and from the list click the IP address you wish to use. You should now see the Details sub-panel for the IP address. Finally, click the Configuration tab to show the Configuration sub-panel:

Click the View all button under Port Forwarding. This shows the list of port forwarding rules that are configured for this specific IP address:

The input boxes above the table provide inputs for adding a new port forwarding rule. See below for explanation.

The information for each rule comprises:

  • Private Port: start port number and end port number

  • Public Port: start port number and end port number

  • Protocol: TCP (default) or UDP

  • The VM associated with this rule: the VM name and its internal network IP address are shown

The only action for a rule is Delete port forwarding rule; note that there is no confirmation step, the deletion is immediate. You cannot edit the content of a rule: if a change is required, delete the current rule and create a new one.

Adding a port forwarding rule

Use the Add row at the top of the port forwarding rules list, and specify:

  • Private Port start and end

  • Public Port start and end

  • Protocol: TCP by default

Click the Add button. An Add VMs dialog will appear. Use the selection buttons to select the VM for this port forwarding rule. If you have multiple IP addresses for a VM you can select one from the drop-down.

Click Apply. The new port forwarding rule should appear in the list, and a 'Task complete' message should pop up.

Using port forwarding to allow connection to multiple VMs through the same external IP address

By using different Public Port numbers it is possible to create a set of forwarding rules so that you may use the same public IP address to connect to different VMs.

For example, you might want to enable SSH access to all of the Linux virtual machines in one network, connected through the same public IP address. These might be named 'CentOS-VM-01', 'CentOS-VM-02', ..., 'CentOS-VM-12'. You could do this by creating a set of port forwarding rules, all of which have 22 as the Private Port start/end, but each with a different Public Port and associated VM:




Private Port start/end   Public Port start/end   Virtual machine
22                       52201                   CentOS-VM-01
22                       52202                   CentOS-VM-02
22                       52203                   CentOS-VM-03
22                       52212                   CentOS-VM-12

On your own computer, you could set up shell aliases, or saved sessions in an SSH client program, to enable quick SSH logins to each of your VMs. For example, with the ssh command line program you could connect to the different VMs using:

$ ssh -p 52201 root@PUBLIC_IP
$ ssh -p 52202 root@PUBLIC_IP

And so on.
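The following shell script is an added example and is not part of the VDC documentation. It turns a rule table like the one above into ssh_config Host entries, so that each VM behind the shared public IP can be reached as `ssh CentOS-VM-12` instead of remembering port numbers, and it checks that no public port is claimed by two rules (a public port on one IP can forward to only one VM). The public IP 203.0.113.10 (a documentation address), the 522NN port scheme and the rule list itself are assumptions chosen to match the table. Because OpenSSH records host keys for non-standard ports as `[host]:port`, the VMs do not collide in known_hosts even though they share an IP; the HostKeyAlias lines go one step further and tie each key to the VM name, so the check still works if a rule is later moved to another IP or port.

```shell
# Added example, not part of the VDC documentation. Builds ssh_config entries
# from the port forwarding table above and sanity-checks the rule set.
# Assumptions: the shared public IP is 203.0.113.10 (a documentation address,
# override with PUBLIC_IP=...), and public port 522NN forwards to private port
# 22 on CentOS-VM-NN, as in the table.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# Constructed rule list, one "private public vm" line per rule, copied from the table.
RULES='22 52201 CentOS-VM-01
22 52202 CentOS-VM-02
22 52203 CentOS-VM-03
22 52212 CentOS-VM-12'

# Public port for a given two-digit VM number under the 522NN scheme.
# ${1#0} strips a leading zero so "08" is not read as an octal constant by $(( )).
vdc_ssh_port() {
    printf '%d\n' "$((52200 + ${1#0}))"
}

# Read rule lines on stdin and emit one Host block per VM. HostKeyAlias pins the
# known_hosts entry to the VM name rather than to the shared public IP.
vdc_ssh_config() {
    while read -r _priv pub vm; do
        [ -n "$vm" ] || continue
        printf 'Host %s\n    HostName %s\n    Port %s\n    User root\n    HostKeyAlias %s\n\n' \
            "$vm" "$PUBLIC_IP" "$pub" "$vm"
    done
}

# A public port on one IP can forward to only one VM: report every port that
# appears in more than one rule. Returns 1 if a duplicate is found, 0 otherwise.
vdc_check_rules() {
    dups=$(printf '%s\n' "$1" | awk 'NF { seen[$2]++ } END { for (p in seen) if (seen[p] > 1) print p }')
    if [ -n "$dups" ]; then
        for p in $dups; do
            printf 'duplicate public port %s: ' "$p"
            printf '%s\n' "$1" | awk -v p="$p" '$2 == p { printf "%s ", $3 } END { print "" }'
        done
        return 1
    fi
    return 0
}

# Stand-alone run: check the rules, then print the generated ssh_config.
if vdc_check_rules "$RULES"; then
    printf '%s\n' "$RULES" | vdc_ssh_config
fi
```

To use it, append the output to your SSH configuration (`printf '%s\n' "$RULES" | vdc_ssh_config >> ~/.ssh/config`) and then `ssh CentOS-VM-12` connects through public port 52212. Running `vdc_check_rules` before you type rules into the VDC interface catches a copy-and-paste collision, such as two VMs both given public port 52201, before the second rule is created.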

Static NAT

When a network has two or more public IP addresses, it is possible to connect a VM directly to the external network using 'static NAT'.

Click Network on the left-hand menu to bring up the Network panel. Click the name of a network then click View IP Addresses. Now click Acquire New IP. A dialog will ask you to confirm this. You will now see two (or more) IP addresses for the network.

If you click an IP address which is not the 'Source NAT' address, its Details sub-panel will appear with a button to Enable Static NAT. If you click the button, a dialog will appear with the list of VMs that are attached to this network. Use a radio button to select one. Click Apply to complete the static NAT setup. Static NAT is a one-to-one mapping between the public IP address and the selected VM: unlike a port forwarding rule, it does not restrict which ports are reachable, so the firewall rules are the only thing limiting inbound access to that VM.

Remember that firewalls in VDC default to 'deny all', so to make this new network connection usable you need to create firewall rules. See How to manage firewall rules for your VDC.