The Managed Network Address Translation (NAT) gateway allows VMs inside a Virtual Data Center (VDC) to access the internet without requiring a public network interface.
The NAT gateway can act as a default gateway for private networks, allowing VMs to initiate connections to the internet and receive the responses (Source NAT or SNAT). The gateway does not accept inbound connections initiated from the internet (there is no Destination NAT or DNAT), so the VMs remain "hidden" and are not exposed to internet threats.
Using a NAT gateway increases security, simplifies the VDC architecture, requires only one public IP address, and is a fully managed service. For example, a NAT gateway can be used to connect private VMs to public repositories for software updates, or to NTP (Network Time Protocol) servers. You can also use the Backup Service for private VMs. In these cases, the VM does not need to publish any service to the Internet; it only needs to consume services from the Internet. Furthermore, the NAT gateway can be configured to allow access only to specific, trusted internet services, protecting the application from malicious public endpoints.
NAT Gateway provides the following features:
Supported protocols: Supports TCP, UDP, ICMP, and up to six private networks per NAT gateway.
Scalability: NAT Gateway is highly scalable, allowing you to accommodate increasing traffic demands as your network grows.
High Availability: Refers to the ability of the NAT Gateway service to handle increased traffic and provide reliable and consistent performance, even if a single component fails. This is achieved by deploying multiple NAT Gateways across multiple Availability Zones in a region.
Advanced NAT Configuration: NAT Gateway offers:
Multiple public IP addresses and SNAT rules per NAT gateway.
Multiple NAT Gateways per VDC.
Individual configuration of multiple NAT rules per listener.
Resource Limit: The default resource limit for NAT gateways is five per account. If more resources are required, contact IONOS Cloud Support.
The routing table must be modified for private VMs to send traffic to the NAT gateway. The default route must point to the NAT gateway or, if this is not possible, a dedicated route must be created for every service or target to be consumed from the Internet.
Note:
If DNS resolution is required on a VM whose default route points to the Source NAT gateway, you must ensure that proper SNAT rules for UDP are in place. Failing to do so may result in default DNS resolution not working.
The Managed NAT Gateway is regularly maintained by IONOS and updated with the latest software versions and new features. IONOS reserves a weekly maintenance window which it can use for regular updates. It is scheduled every Monday between 02:00 and 04:00 am local time of the data center in which the Managed NAT Gateway service is deployed. During maintenance, a service interruption of up to 5 seconds may occur. Aside from that service interruption, no further service impact is anticipated, and the Managed NAT Gateway will continue to operate within its service description and configuration.
Additional update deployments may be possible and carried out outside the maintenance window, for example, in the case of urgent security patches.
Only private LANs can be connected to the Managed NAT Gateway. The Managed NAT Gateway cannot be connected to a public LAN. Furthermore, changing a LAN attribute from "private" to "public" is not possible if the LAN is connected to a Managed NAT Gateway.
Prerequisites: Make sure you have the appropriate permissions. Only contract owners, administrators, or users with the Create Internet Access permission can set up a NAT gateway. Other user types have read-only access and can't provision changes.
Create a private network containing at least one VM.
Add a NAT gateway. Connect the interface (source network) of the NAT gateway to the private network containing your VM.
Set the properties of the NAT gateway by selecting the element in the Workspace and opening its properties in the Inspector pane > Settings. Enter the name of the NAT gateway and add a public IP address from the list of reserved IP addresses. Multiple addresses can be added.
To edit the private IP address of the NAT gateway, open Gateway IPs. After the first provisioning, the current IP address is displayed. To change the IP address, delete the existing one by selecting the dropdown button next to the IP address and selecting Remove IP. Then select Add IP and enter a new IP address.
Configure NAT Rules in the tab on the right. You must provision the NAT gateway before you can configure the NAT rules.
Click Create SNAT Rule and set the required properties.
Enter the name of the NAT rule.
Select TCP, UDP, ICMP, or ANY in Protocol.
Source: In Public IP, select one of the public IPs assigned to the NAT gateway. This is the address written into the source address field of outgoing packets (the masking address).
Source: In Subnet, enter an individual IP address or a complete subnet (in CIDR notation, e.g. 10.10.10.0/24) of the VM or network for which the NAT rule is created.
Target: In Subnet, enter an individual IP address or a complete subnet (in CIDR notation, e.g. 8.8.8.0/24) if you want to restrict Internet access to only that target.
(Optional) In Target, Port range, enter a start and end port if you want to restrict Internet access to only that port or range of ports on the target. For example, to limit your private VMs to accessing only the Google DNS server, you could enter 8.8.8.8/32 as the target subnet and 53 as both the start and end port. Port ranges are only applicable to the TCP and UDP protocols.
Click Create to persist your changes.
(Optional) Make further changes to your data center.
Provision your changes.
You must configure the Gateway IP as the route in your guest OS: add a static route inside your VM using the IP address of the NAT gateway. This route is not injected into the VM automatically, because there is no auto-configuration that ensures the VM uses the NAT gateway IP as its default route.
Connect your private subnet instances to the public internet using the DCD interface.
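The following is an added illustration (not IONOS code) of how the SNAT rule fields described above decide whether an outgoing packet is translated, and why the DNS note matters: a TCP-only rule for 8.8.8.8/32 port 53 lets TCP lookups through but leaves UDP lookups without a matching rule. Rule names, the public IP 203.0.113.10 and the packet samples are constructed, and the treatment of a port range on an ANY rule for ICMP packets (ignored) is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SnatRule:
    """One SNAT rule with the fields offered in the NAT Rules tab."""
    name: str
    protocol: str                                  # "TCP", "UDP", "ICMP" or "ANY"
    public_ip: str                                 # masking address for the source field
    source_subnet: str                             # VM or network, CIDR notation
    target_subnet: Optional[str] = None            # None: any Internet target
    port_range: Optional[Tuple[int, int]] = None   # only meaningful for TCP/UDP

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol not in ("ANY", proto):
            return False
        if ip_address(src) not in ip_network(self.source_subnet):
            return False
        if self.target_subnet and ip_address(dst) not in ip_network(self.target_subnet):
            return False
        # Port ranges apply to TCP and UDP only; assumed ignored for ICMP packets.
        if self.port_range and proto in ("TCP", "UDP"):
            lo, hi = self.port_range
            if dport is None or not lo <= dport <= hi:
                return False
        return True


def translate(rules: Iterable[SnatRule], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> Optional[str]:
    """Return the public IP the packet is masked with, or None if no rule permits it."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.public_ip
    return None


# Constructed rule sets: VMs in 10.10.10.0/24 may reach only Google DNS on port 53.
TCP_ONLY_RULES = [
    SnatRule("dns-tcp", "TCP", "203.0.113.10", "10.10.10.0/24", "8.8.8.8/32", (53, 53)),
]
# Adding the UDP rule is what the DNS note above asks for.
DNS_RULES = TCP_ONLY_RULES + [
    SnatRule("dns-udp", "UDP", "203.0.113.10", "10.10.10.0/24", "8.8.8.8/32", (53, 53)),
]

if __name__ == "__main__":
    print(translate(TCP_ONLY_RULES, "UDP", "10.10.10.5", "8.8.8.8", 53))  # None: lookup fails
    print(translate(DNS_RULES, "UDP", "10.10.10.5", "8.8.8.8", 53))       # 203.0.113.10
```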