Customized SNAT and DNAT on Edge Use Case
Aviatrix Secure Edge supports customized SNAT and DNAT for the use case where the CSP network CIDR overlaps with the on-prem network CIDR.
The following NAT scenarios are supported:
- Single IP and Customized SNAT on Edge Gateway: for network traffic initiated from the Edge location towards the CSP.
- DNAT on Edge Gateway: for network traffic initiated from the Edge location towards the Transit Gateway or CSP.
Note: Customized SNAT on Edge Gateway is not supported when VLAN segmentation is also configured in the same network domain.
This diagram shows overlapping CSP and on-prem network CIDRs.
In this example, to resolve the overlapping CIDR issue, you would perform these steps:
- Create a mapping of the Real CIDR to a Virtual CIDR for both the cloud instances and the on-prem hosts or workloads. For example:

  Network            Real CIDR       Virtual CIDR
  Cloud workload     10.3.0.86/32    10.203.0.86/32
  On-prem workload   10.3.0.85/32    10.103.0.85/32
- Configure DNAT on the Edge Gateway for traffic initiated from on-prem to cloud.
  In Aviatrix CoPilot:
  - Go to Cloud Fabric > Edge > Edge Gateways tab.
  - Select the Edge Gateway for which you want to enable DNAT.
  - In the Edge Gateway Settings tab, expand the Network Address Translation (NAT) section.
  - Set the Destination NAT toggle switch to On.
  - In Destination NAT, from the Instance dropdown menu, select the Edge Gateway.
  - Click + Rule and provide the following information.

    Setting      Description
    Instance     From the dropdown list, select the Edge Gateway instance.
    Src CIDR     Enter 10.3.0.85/32 (the real IP of the on-prem host).
    Dst CIDR     Enter 10.203.0.86/32 (the virtual IP of the cloud instance).
    Connection   From the dropdown list, select the connection to the Transit Gateway.
    Mark         (Optional) Enter a unique value between 65535 and 99999. The same value is referenced by the SNAT rule below so that both translations apply to the same session.
    DNAT IP      Enter 10.3.0.86 (the real IP of the cloud instance).
- Configure a Manual BGP Advertised CIDR List to advertise the DNAT virtual IP from the Edge Gateway to on-prem via BGP.
  - In the Edge Gateway Settings tab, expand the Border Gateway Protocol (BGP) section.
  - In Manual BGP Advertised CIDR List, enter the following information.

    Setting                            Description
    Advertised CIDRs (Per Gateway)     Leave this blank.
    Connection                         From the dropdown menu, select the connection to the on-prem BGP peer.
    Advertised CIDRs (Per Connection)  Enter 10.203.0.86/32 (the virtual IP of the cloud instance).
- Configure SNAT on the Edge Gateway for traffic initiated from cloud to on-prem.
  - In the Edge Gateway's Settings tab, expand the Network Address Translation (NAT) section.
  - Set the Source NAT switch to On, then click Customized SNAT.
  - From the Instance dropdown menu, select the Edge Gateway.
  - Click + Rule and provide the following information.

    Setting      Description
    Connection   Select the output connection where the rule will apply.
    Mark         Enter the value that was defined in the DNAT rule. The mark identifies the TCP session to which the rule applies, so the SNAT is performed on the same session that the DNAT rule matched.
    SNAT IP      Enter 10.103.0.85 (the virtual IP of the on-prem host).
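The following Python model illustrates the packet flow that the DNAT and SNAT rules above produce, using the page's addresses. It is an added example and is not Aviatrix code; it does not talk to CoPilot or an Edge Gateway. The connection name "edge-to-transit", the mark value 70000, the port numbers and the simplified conntrack table that reverses the translations on the return path are all assumptions made for illustration.

```python
"""Model of the double NAT (DNAT by src/dst CIDR, SNAT by mark) on an Edge Gateway.

Added example, not Aviatrix code. Addresses come from the mapping table above;
connection name, mark value and ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    mark: int = 0  # 0 means "not marked by any DNAT rule"


@dataclass(frozen=True)
class DnatRule:
    src_cidr: str
    dst_cidr: str
    connection: str
    dnat_ip: str
    mark: int


@dataclass(frozen=True)
class SnatRule:
    connection: str
    mark: int
    snat_ip: str


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class EdgeNat:
    def __init__(self) -> None:
        self.dnat_rules: list[DnatRule] = []
        self.snat_rules: list[SnatRule] = []
        # Simplified conntrack: translated 5-tuple (as seen by the cloud side)
        # -> the original packet, so replies can be reverse-translated.
        self.conntrack: dict[tuple, Packet] = {}

    def add_dnat(self, rule: DnatRule) -> None:
        # The CoPilot form restricts Mark to 65535-99999.
        if not 65535 <= rule.mark <= 99999:
            raise ValueError("Mark must be between 65535 and 99999")
        self.dnat_rules.append(rule)

    def add_snat(self, rule: SnatRule) -> None:
        self.snat_rules.append(rule)

    def forward(self, pkt: Packet, connection: str) -> Packet:
        """On-prem -> cloud: DNAT matches src/dst CIDR and sets the mark,
        then the SNAT rule keyed on that mark rewrites the source."""
        out = pkt
        for r in self.dnat_rules:
            if (r.connection == connection and in_cidr(pkt.src, r.src_cidr)
                    and in_cidr(pkt.dst, r.dst_cidr)):
                out = replace(out, dst=r.dnat_ip, mark=r.mark)
                break
        for r in self.snat_rules:
            if r.connection == connection and out.mark and r.mark == out.mark:
                out = replace(out, src=r.snat_ip)
                break
        if out != pkt:
            self.conntrack[(out.src, out.dst, out.sport, out.dport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Cloud -> on-prem: undo both translations for a tracked session.
        Untracked packets are returned unchanged."""
        orig = self.conntrack.get((pkt.dst, pkt.src, pkt.dport, pkt.sport))
        if orig is None:
            return pkt
        return replace(pkt, src=orig.dst, dst=orig.src)


def build_example_edge() -> EdgeNat:
    """Rules equivalent to the two CoPilot rules configured above."""
    edge = EdgeNat()
    edge.add_dnat(DnatRule(src_cidr="10.3.0.85/32", dst_cidr="10.203.0.86/32",
                           connection="edge-to-transit",  # assumed name
                           dnat_ip="10.3.0.86", mark=70000))  # assumed mark
    edge.add_snat(SnatRule(connection="edge-to-transit", mark=70000,
                           snat_ip="10.103.0.85"))
    return edge


if __name__ == "__main__":
    edge = build_example_edge()
    sent = Packet("10.3.0.85", "10.203.0.86", 40000, 443)
    fwd = edge.forward(sent, "edge-to-transit")
    print("cloud sees:", fwd)            # src 10.103.0.85 -> dst 10.3.0.86
    back = edge.reply(Packet("10.3.0.86", "10.103.0.85", 443, 40000))
    print("on-prem sees:", back)         # src 10.203.0.86 -> dst 10.3.0.85
```

Because the cloud workload only ever sees 10.103.0.85 as the peer and the on-prem host only ever sees 10.203.0.86, neither side needs a route into the other's overlapping real range; the BGP advertisement of 10.203.0.86/32 in the previous step is what steers on-prem traffic to the Edge Gateway in the first place.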