
Configure VMs to access the Internet by using SNAT

Last Updated: Apr 23, 2024

This topic describes how to configure virtual machines (VMs) to access the Internet by using Source Network Address Translation (SNAT).

Prerequisites

Tasks

  • Prepare an Internet NAT gateway

  • Enable the dedicated VMware environment to access the Internet by using SNAT

  • Add an NSX-T firewall rule

  • Advertise the default route in the VPC to CEN

Prepare an Internet NAT gateway

Procedure

  1. Before you enable the dedicated VMware environment to access the Internet, create an Internet NAT gateway on the virtual private cloud (VPC) associated with the dedicated VMware environment. On the Service information tab in the Alibaba Cloud VMware Service (ACVS) console, view the VPC ID.

  2. Log on to the VPC console. On the Internet NAT Gateway page, check whether the created Internet NAT gateway is associated with the correct VPC.

    Warning

    If the Internet NAT gateway is not associated with the correct VPC, the dedicated VMware environment cannot be configured to access the Internet.

  3. Check whether the Internet NAT gateway is associated with an elastic IP address (EIP). If not, associate the Internet NAT gateway with an EIP.

  4. Check the SNAT entries of the Internet NAT gateway. This helps you compare the SNAT entries with those of the dedicated VMware environment after Internet access is enabled.

Enable the dedicated VMware environment to access the Internet by using SNAT

Procedure

  1. Log on to the ACVS console. Choose PrivateCloud. On the Internet access tab of the dedicated VMware environment, turn on the Allow switch in the Internet access direction section. The Access settings dialog box appears.

  2. In the Access settings dialog box, select the Internet NAT gateway that is associated with the VPC, select the EIP, and then click OK.

  3. Complete the configuration of Internet access in the outbound direction. On the Internet access tab, the EIP used for SNAT is displayed.

  4. Return to the Internet NAT Gateway page. On the SNAT Management tab, two SNAT entries are added. You cannot delete these two SNAT entries.

Add an NSX-T firewall rule

Procedure

  1. After you enable Internet access in the ACVS console, you must configure an NSX-T gateway firewall rule. Otherwise, VMs cannot access the Internet. Log on to the NSX-T console, choose Security > Gateway Firewall > Compute Gateway, and then click ADD RULE.

  2. Configure a firewall rule based on your business requirements. The rule created in this example is used to allow VMs to access the Internet.

  3. Click the name of New Rule and change the name of the rule to CGW To Internet.

  4. Click the edit icon for Sources that corresponds to the renamed rule.

  5. Click ADD GROUP.

  6. Enter a name for the group and click Set to add members to the group.

  7. In the Set Members dialog box, click IP Addresses, enter the CIDR block 192.168.1.0/24, and then click APPLY.

    Note

    The CIDR block 192.168.1.0/24 is the CIDR block of the NSX-T segment created in the ACVS console.

  8. Click SAVE.

  9. Select the created group so that all VMs whose addresses fall within the CIDR block of the group can access the Internet. Click APPLY.

  10. Click the edit icon for Applied To that corresponds to the renamed rule.

  11. Remove All Uplinks and select Internet Interface.

    Note

    The Applied To parameter can be set to the following values:

    1. All Uplinks: includes three uplink interfaces: Internet Interface, Intranet Interface, and Services Interface.

    2. Internet Interface: uplink interface used to access the Internet.

    3. Intranet Interface: uplink interface used to access VPCs and on-premises environments.

    4. Services Interface: used to access the Internet-facing services of Alibaba Cloud.

  12. Click PUBLISH to apply the new rule.

  13. Complete the configuration of the NSX-T gateway firewall rule.

Advertise the default route in the VPC to CEN

Procedure

Note

After you create an Internet NAT gateway, the default route 0.0.0.0/0 is added to the route table of the VPC. However, the default route is not advertised to Cloud Enterprise Network (CEN). You must manually advertise the default route to CEN.

  1. Log on to the VPC console and choose Route Tables. Select the route table that is used for the VPC associated with the dedicated VMware environment.

  2. On the Route Entry List tab, click Custom Route and check whether Route Status in CEN for the default route is Advertised. If the state is Unadvertised, click Publish.

  3. In the Publish Route Entry message, click OK.

  4. Wait for a period of time until the value of Route Status in CEN changes to Advertised.

    Warning

    You must complete all the preceding operations before VMs can access the Internet.
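The warning above is really a checklist: Internet access only works once every section of this topic is complete. The following preflight script is an added example (not Alibaba Cloud, ACVS or NSX-T tooling) that encodes those checks over a constructed snapshot of the settings you would read off the three consoles. The dictionary layout and its key names are assumptions made for the example, not any real API's field names; the values mirror the page (segment 192.168.1.0/24, two SNAT entries, default route 0.0.0.0/0 advertised to CEN), and the VPC ID and EIP are placeholders.

```python
"""Preflight check for VM Internet access via SNAT, following the sections above.

Added example, not Alibaba Cloud, ACVS or NSX-T code. The `state` dictionary is a
constructed snapshot of console settings; its key names are assumptions.
"""
import ipaddress

# Constructed snapshot of a correctly configured environment (placeholder IDs).
GOOD_STATE = {
    "acvs_vpc_id": "vpc-placeholder",            # VPC ID shown on the ACVS Service information tab
    "nat_gateway": {
        "vpc_id": "vpc-placeholder",             # VPC the Internet NAT gateway is attached to
        "eip": "203.0.113.10",                   # EIP associated with the gateway (documentation range)
        "snat_entries": 2,                       # the two entries added when Internet access is enabled
    },
    "acvs_internet_access": {"enabled": True, "snat_eip": "203.0.113.10"},
    "gateway_firewall_rules": [
        {"name": "CGW To Internet", "action": "ALLOW",
         "sources": ["192.168.1.0/24"], "applied_to": ["Internet Interface"]},
    ],
    "vpc_route_table": [
        {"destination": "0.0.0.0/0", "cen_status": "Advertised"},
    ],
}


def missing_steps(state, vm_ip):
    """Return the list of checks from this topic that fail for the VM at vm_ip.

    An empty list means every section of the procedure is satisfied for that VM.
    """
    problems = []
    nat = state["nat_gateway"]
    vm = ipaddress.ip_address(vm_ip)

    # Section "Prepare an Internet NAT gateway": right VPC, EIP attached.
    if nat["vpc_id"] != state["acvs_vpc_id"]:
        problems.append("Internet NAT gateway is not associated with the ACVS VPC")
    if not nat.get("eip"):
        problems.append("Internet NAT gateway has no EIP")

    # Section "Enable ... SNAT": outbound access enabled, same EIP, SNAT entries present.
    access = state["acvs_internet_access"]
    if not access["enabled"]:
        problems.append("Internet access (outbound) is not enabled in the ACVS console")
    elif access["snat_eip"] != nat.get("eip"):
        problems.append("EIP selected in ACVS differs from the NAT gateway's EIP")
    if nat["snat_entries"] < 2:
        problems.append("Expected SNAT entries are missing on the NAT gateway")

    # Section "Add an NSX-T firewall rule": an ALLOW rule whose source group covers the VM
    # and that is applied to the Internet Interface (All Uplinks includes it, per the note).
    def rule_covers(rule):
        on_internet = ("Internet Interface" in rule["applied_to"]
                       or "All Uplinks" in rule["applied_to"])
        in_source = any(vm in ipaddress.ip_network(c) for c in rule["sources"])
        return rule["action"] == "ALLOW" and on_internet and in_source

    if not any(rule_covers(r) for r in state["gateway_firewall_rules"]):
        problems.append(
            f"No NSX-T gateway firewall ALLOW rule on Internet Interface covers {vm_ip}")

    # Section "Advertise the default route": 0.0.0.0/0 present and Advertised to CEN.
    default = [r for r in state["vpc_route_table"] if r["destination"] == "0.0.0.0/0"]
    if not default:
        problems.append("Default route 0.0.0.0/0 is missing from the VPC route table")
    elif default[0]["cen_status"] != "Advertised":
        problems.append("Default route is not advertised to CEN (click Publish)")

    return problems


if __name__ == "__main__":
    for line in missing_steps(GOOD_STATE, "192.168.1.25") or ["all checks passed"]:
        print(line)
```

Run it against your own exported settings by replacing `GOOD_STATE`; a VM outside the segment CIDR (for example 10.0.0.5) is reported as uncovered by the firewall rule, and a route left in the Unadvertised state is reported as the last missing step, which matches the order of the sections above.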