# IONOS Private Cloud: Using BYOIP in NSX
NSX offers three primary objects. These allow you to use your own public IP addresses (BYOIP) within our NSX IONOS Private Cloud environment. To do this, proceed as follows:
## Open NSX Manager
1. Log in to your [IONOS CLOUD account](https://dcd.ionos.com).
2. In the [**Data Center Designer (DCD)**](https://docs.ionos.com/cloud/support/general-information/glossary-of-terms#data-center-designer-dcd), go to **Menu** > **Private Cloud** > **Login**.
3. Log in to the [Cloud Panel](https://cloudpanel.ionos.de/login) with your credentials.
4. Click on **Menu > Servers & Cloud** in the title bar.
5. **Optional:** If you have multiple server contracts, select the desired contract.
6. Make a note of the user name and password displayed in the **Private Cloud > Access > NSX Manager** area.
7. Establish a VPN connection to your private cloud.
8. To open the NSX Manager, click on **NSX Manager** in the Cloud Panel in the **Private Cloud > Access > vSphere > Admin Client** area.
9. Click on **Advanced...**.
10. Click on **Accept risk and continue**.
11. Enter the user name and password.
12. Click on **LOGIN**.
## Configure NSX Segments
NSX segments are a fundamental tool for network virtualisation in your private cloud environment.
NSX segments are virtual layer 2 domains. They enable the creation of isolated, logical networks. These segments can be linked to specific IP address ranges, enabling seamless integration into your existing IP addressing scheme. This also includes BYOIP (Bring Your Own IP) ranges.
{% hint style="warning" %}
**Important Considerations:** The subnet of the segment must be more specific than the BYOIP range. For example, a `/24` BYOIP subnet can be subdivided into more specific subnets such as `/25` or `/26`. In this example, the largest possible segment subnet is `/25`.
{% endhint %}
### How to Create a Segment in NSX
1. Click on **Networking** in the menu bar at the top.
2. Click **Segments** in the navigation bar on the left. The Segments area opens.
3. Click on **ADD SEGMENT**.
4. Enter a name for the segment in the **Name** column in the **Segment** name field.
5. In the **Connected Gateway** column in the **None** list, select the corresponding NSX-T Tier 1 gateway.
6. In the **Subnets** column, define the subnet within the permitted range (example: `/25` or smaller if your BYOIP is `/24`).
7. Click **SAVE** to create a segment.
## Configure Local Endpoints for VPN
Local endpoints enable VPN connectivity through the BYOIP area. To configure a local endpoint, proceed as follows:
1. Click on **Networking** in the menu bar at the top.
2. Select **VPN** in the navigation bar on the left. The VPN area opens.
3. Click on the **Local Endpoints** tab.
4. Click on **ADD LOCAL ENDPOINT**.
5. Enter the desired name in the **Name** column in the **Enter Name** field.
6. Select the desired VPN service in the **VPN Service** column.
7. In the **IP Address** column, enter the public IP address from your BYOIP area in the **Enter IP Address** field.
8. Click **SAVE** to save the local endpoint.
9. Use this local endpoint in your VPNs.
## Configure SNAT or DNAT with BYOIP
Network Address Translation (NAT) enables external access to resources in your NSX environment. You can create Source NAT (SNAT) or Destination NAT (DNAT) rules to utilise your BYOIP range.
### Types of NAT Rules
There are two main types of NAT rules that you can configure to utilise your Bring-Your-Own-IP (BYOIP) range:
**Source NAT (SNAT)**: SNAT is normally used when traffic from your internal network accesses external resources. The source IP address of the internal packets is replaced by a public IP address from your BYOIP pool. This allows external parties to communicate with your internal resources without directly revealing their private IP addresses.
**Destination NAT (DNAT)**: DNAT, on the other hand, is used to translate a public IP address into a private IP address. This is usually required to allow external access to services hosted in your NSX environment. When external traffic for a public IP address arrives in your BYOIP area, DNAT translates the destination IP. This changes it to the private IP address of the internal server hosting the service.
### Configure SNAT/DNAT
To configure SNAT/DNAT, proceed as follows:
1. Click on **Networking** in the menu bar at the top.
2. Click on **NAT** in the navigation bar on the left. The **NAT** area opens.
3. Select the corresponding Tier 1 gateway in the **Gateway** field.
4. Click on **ADD NAT-RULE**.
5. Enter the desired name in the **Name** column in the **Enter Name** field.
6. In the **Action** column, select either SNAT or DNAT.
7. In the **Source IP** column, enter the public IP address from your BYOIP area in the **Enter Source IP** field.
8. In the **Destination IP | Port** column, enter the internal IP address (for DNAT) or the internal network (for SNAT).
9. Click on **SAVE**.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.ionos.com/cloud/private-cloud/ionos-private-cloud/administration/using-byoip-in-nsx.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.