The edge gateway provides a network address translation (NAT) service to assign a public address to a virtual machine or group of virtual machines in a private network.

Using this technology limits the number of public IP addresses that an organization or company must use, for economy and security purposes. You must configure NAT rules to provide access to services running on privately addressed virtual machines.

The NAT service configuration is separated into source NAT (SNAT) and destination NAT (DNAT) rules.

When you configure an SNAT or a DNAT rule, you always configure the rule from the perspective of vCloud Air. Specifically, that means you configure the rules in the following ways:

SNAT: the traffic is traveling from a virtual machine on an internal network in vCloud Air (the source) through the Internet to the external network (the destination).

DNAT: the traffic is traveling from the Internet (the source) to a virtual machine inside vCloud Air (the destination).

You can configure NAT rules to create a private IP address space inside vCloud Air to port your private IP address space from your enterprise into the cloud. Configuring NAT rules in vCloud Air allows you to use the same private IP addresses for your virtual machines in vCloud Air that were used on premises in your local data center.

NAT rules in vCloud Air include the following support:

Creating subnets within the private IP address space

Creating multiple private IP address spaces for an edge gateway

Configuring multiple NAT rules on multiple edge gateway interfaces


By default, edge gateways are deployed with firewall rules configured to deny all network traffic to and from the virtual machines on the edge gateway networks. Also, NAT is disabled by default so that edge gateways are unable to translate the IP addresses of the incoming and outgoing traffic. You must configure both firewall and NAT rules on an edge gateway for the virtual machines on an edge gateway network to be accessible. Attempting to ping a virtual machine on a network after configuring a NAT rule will fail without adding a firewall rule to allow the corresponding traffic.