Overview

The Managed Network Address Translation (NAT) gateway allows VMs inside a Virtual Data Center (VDC) to access the internet without requiring a public network interface.

The NAT gateway can act as the default gateway for private networks, allowing VMs to initiate connections to the internet and receive the responses (Source NAT or SNAT). The gateway does not accept inbound connections initiated from the internet (no Destination NAT or DNAT), so the VMs remain "hidden" and are not directly exposed to internet threats.

Using a NAT gateway increases security, simplifies the VDC architecture, requires only one public IP address, and is a fully managed service. For example, a NAT gateway can be used to connect private VMs to public repositories, for software updates, or to NTP (Network Time Protocol) servers. You can also use the Backup Service for private VMs: in this case, the VM does not need to publish any service to the Internet, it only needs to consume services from the Internet. Furthermore, the NAT gateway can be configured to allow access only to specific, trusted internet services, protecting the application from malicious public endpoints.

Features

NAT Gateway provides the following features:

  • Supported protocols and networks: TCP, UDP and ICMP are supported, with up to six private networks per NAT gateway.

  • Scalability: NAT Gateway is highly scalable, allowing you to accommodate increasing traffic demands as your network grows.

  • High Availability: The NAT Gateway service continues to handle increased traffic and to provide reliable, consistent performance even if a single component fails. This is achieved by deploying multiple NAT Gateways across multiple Availability Zones in a region.

  • Advanced NAT Configuration: NAT Gateway offers:

    • Multiple public IP addresses and SNAT rules per NAT gateway.

    • Multiple NAT Gateways per VDC.

    • Individual configuration of multiple NAT rules per listener.

  • Resource Limit: The default resource limit for NAT gateways is five per account. If more resources are required, contact IONOS Cloud Support.

Routing tables

The routing table must be modified for private VMs to send traffic to the NAT gateway. The default route must point to the NAT gateway or, if this is not possible, a dedicated route must be created for every service or target to be consumed from the Internet.

Note:

If a VM whose default route points to the NAT gateway needs DNS resolution, you must ensure that proper SNAT rules for UDP are in place. Failing to do so may result in the default DNS resolution not working, because DNS lookups normally use UDP.

Maintenance Window

The Managed NAT Gateway is regularly maintained by IONOS and updated with the latest software versions and new features. IONOS reserves a weekly maintenance window which it can use for regular updates. It is scheduled every Monday between 02:00 and 04:00 local time of the data center in which the Managed NAT Gateway service is deployed. During maintenance, a service interruption of up to 5 seconds may occur. Aside from that service interruption, no further service impact is anticipated, and the Managed NAT Gateway will continue to operate within its service description and configuration.

Additional update deployments may be possible and carried out outside the maintenance window, for example, in the case of urgent security patches.

Limitations

Only private LANs can be connected to the Managed NAT Gateway. The Managed NAT Gateway cannot be connected to a public LAN. Furthermore, changing a LAN attribute from "private" to "public" is not possible if the LAN is connected to a Managed NAT Gateway.

Managed NAT Gateway

With IONOS Managed NAT Gateway, you can enable internet access to virtual machines without exposing them to the internet by a public interface. It acts as an intermediary device that translates IP addresses between the private network and the public internet.


Configure a NAT Gateway

Prerequisites: Make sure you have the appropriate permissions. Only contract owners, administrators, or users with the Create Internet Access permission can set up a NAT gateway. Other user types have read-only access and can't provision changes.

Procedure

1. In the DCD, go to Menu > Virtual Data Centers.

2. Select the data center where you want to configure a NAT gateway.

Select a Virtual Data Center (VDC)

3. Create a private network containing at least one VM.

4. Add a NAT Gateway. Connect the interface (source network) of the NAT gateway to the private network containing your VM.

5. Set the properties of the NAT gateway by selecting the element in the Workspace and opening its properties in the Inspector pane > Settings tab. Enter the name of the NAT gateway and add a public IP address from the list of reserved IP addresses. Multiple addresses can be added.

Configure Gateway IP addresses

6. To edit the private IP address of the NAT gateway, open the Gateway IPs tab. After the first provisioning, the current IP address is displayed. To change the IP address:

  a. Select Remove IP from the drop-down list next to the current IP address to delete it.

  b. Select Add IP and enter a new IP address.

7. Configure NAT Rules in the tab on the right. You must provision the NAT gateway before you can configure the NAT rules.

Configuration of NAT Rules

Select Create SNAT Rule and set the required properties.

  • Enter the name of the NAT rule.

  • Select TCP, UDP, ICMP, or ANY in Protocol.

  • Source: In Public IP, select one of the public IP addresses assigned to the NAT gateway. Outgoing packets leave the gateway with this address in their source address field.

  • Source: In Subnet, enter an individual IP address or a complete subnet (in CIDR notation, for example 10.10.10.0/24) of the VM or network for which the NAT rule is created.

  • Target: In Subnet, enter an individual IP address or a complete subnet (in CIDR notation, for example 8.8.8.0/24) if you want to restrict Internet access to only that target.

  • (Optional) In Target, Port range, enter a start and end port if you want to restrict Internet access to only that port or port range on the target. For example, to limit your private VMs to accessing only the Google DNS server, enter 8.8.8.8/32 as the target subnet and 53 as both the start and end port. Port ranges apply only to the TCP and UDP protocols.

  • Click Create to save your changes.

  • (Optional) Make further changes to your data center.

8. Provision your changes.

Info: You must configure the Gateway IP as a route in your guest OS. Add a static route inside your VM that uses the IP address of the NAT gateway as the next hop. This route is not injected into the VM automatically, because no auto-configuration ensures that the VM uses the NAT gateway IP address as its default route.
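To make the SNAT rule fields concrete, here is an added example (not IONOS code and not the Cloud API) that models how a set of SNAT rules decides whether an outbound flow from a private VM is translated, using the 8.8.8.8/32 port 53 case from the procedure and showing why the routing-table note requires a UDP rule for DNS. The public IP, the private subnet, and the first-match/no-match-means-not-translated behaviour are constructed assumptions.

```python
"""Constructed model (not IONOS code) of how a NAT gateway's SNAT rules treat
outbound flows. Assumption: rules are checked in order, the first match decides
the public source address, and a flow matching no rule is not translated."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class SnatRule:
    name: str
    protocol: str                 # "TCP", "UDP", "ICMP" or "ANY" (as in the DCD)
    public_ip: str                # one of the gateway's reserved public IPs
    source_subnet: str            # private VM or network, CIDR notation
    target_subnet: str = "0.0.0.0/0"              # restrict reachable targets
    port_range: Optional[Tuple[int, int]] = None  # TCP/UDP only

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol not in ("ANY", proto):
            return False
        if ip_address(src) not in ip_network(self.source_subnet):
            return False
        if ip_address(dst) not in ip_network(self.target_subnet):
            return False
        # Port ranges only apply to TCP and UDP; ICMP carries no ports.
        if self.port_range and proto in ("TCP", "UDP"):
            lo, hi = self.port_range
            if dport is None or not lo <= dport <= hi:
                return False
        return True

def translate(rules, proto, src, dst, dport=None) -> Optional[str]:
    """Public source address the flow leaves with, or None if no rule matches."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.public_ip
    return None

# Constructed rule sets for the page's example: private VMs in 10.10.10.0/24
# may only reach the Google DNS server 8.8.8.8 on port 53. The first set has
# a TCP rule only, the pitfall the routing-table note warns about.
PUBLIC_IP = "203.0.113.10"  # placeholder from the documentation address range
TCP_ONLY = [SnatRule("dns-tcp", "TCP", PUBLIC_IP, "10.10.10.0/24", "8.8.8.8/32", (53, 53))]
TCP_AND_UDP = TCP_ONLY + [SnatRule("dns-udp", "UDP", PUBLIC_IP, "10.10.10.0/24", "8.8.8.8/32", (53, 53))]

def dns_works(rules) -> bool:
    """Does a VM at 10.10.10.5 get its normal UDP DNS lookup to 8.8.8.8 translated?"""
    return translate(rules, "UDP", "10.10.10.5", "8.8.8.8", 53) is not None
```

Run `dns_works` against your own rule set before provisioning: a TCP-only rule makes the lookup fail silently, while adding the UDP rule lets the same flow leave with the gateway's public address.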