Oracle Cloud VMware Solution – Networking Quick Actions Part-5: Connectivity to Internet Using NAT Gateway

In Part-3 of my series on OCVS Networking Quick Actions, I discussed connecting your Oracle Cloud VMware Solution environment to the Oracle Services Network, to access services and resources hosted in the OSN. In this post we will look at the process of providing internet access to your workloads in the SDDC.

A NAT Gateway is used to provide outbound internet connectivity to resources in private subnets in your Virtual Cloud Network in OCI. You can learn more about OCI Networking and Gateways in my previous post about OCI Networking Fundamentals.

Assumption

Before we dive into the solution and start taking a look at the step-by-step configuration, it is important to consider the following:

  • My configuration is based on the fact that we did not provide a workload CIDR at OCVS provisioning time.
  • This post is talking about establishing outbound connectivity to the internet only.
  • We are assuming that there is already connectivity from the SDDC to On-prem, VCN and OSN.
  • We will talk about publishing applications to the internet and allowing inbound traffic, in a future post.

Execute the Quick Action Workflow

At this stage, we are ready to go ahead and run the Quick Start Workflow to “Configure connectivity to the Internet through NAT Gateway”.

Step-1 – Provide Basic Information

Once you select the option to configure internet connectivity, the workflow will require you to enter the IP Address range of your NSX Overlay network.

  • SDDC Workload CIDR – IP Address Range for the NSX Overlay Networks. I am using 192.168.192.0/20 for my environment.

In the next step, the workflow will provide you with all the components and configuration that will be part of setting up the required connectivity. This is point where we will make sure all the correct information is being used.

  • NAT Gateway – The workflow picks up the NAT Gateway available or creates a new one, if none exists in the VCN. In our case, the workflow created a new NAT Gateway with the name we provided.
  • Route Table Entries – It shows the respective route-table and entries that will be created as part of the workflow.

At this stage, you can click on apply configuration and the workflow will give you confirmation once all the required steps have been completed.

NSX Configuration

In order to establish outbound connectivity to the internet, there are a couple of steps that you will need to perform on NSX to complete the setup. The configuration is related to configuring NAT on Tier-0 router and I will break it down into 2 pieces:

  • SNAT for Internet Connectivity
  • No-SNAT for On-prem, VCN and OSN Connectivity

SNAT for Internet Connectivity

We will Configure SNAT on Tier-0, in order to forward traffic to the NAT Gateway. All outbound flows to the internet will be using the IP Address of Uplink-1 on the NSX Edge.

Details of the SNAT required:

ActionSNAT
ProtocolAny Protocol
Source IPCIDR Block for Overlay or Subnet requiring internet connectivity.
In my case it is the entire CIDR 192.168.192.0/20
Destination IP0.0.0.0/0
Translation IPIP Address of Uplink-1 of Tier-0. I will be using 172.16.0.132.

No-SNAT for On-prem, VCN and OSN Connectivity

The next step would be to configure No SNAT on Tier-0 for VCN, OSN and On-prem Networks. We do not want traffic to these destinations to be NATed on the Tier-0 and the real IP Address of the VMs should be seen on the destination system(s).

  • Details of the rule for On-prem and VCN would be similar, as given below:
ActionNO_SNAT
ProtocolAny Ptotocol
Source IPCIDR Block for Overlay or Subnet requiring internet connectivity.
In my case it is the entire CIDR 192.168.192.0/20
Destination IP (For VCN)CIDR Block for VCN.
In my case if it 172.16.0.0/16
Destination IP (For On-prem)IP range for On-prem network(s)
I am using 10.0.0.0/14

Note: We will have individual rules for VCN and On-prem. I have provided information in a single table.


  • The configuration for the Oracle Services Network will be slightly more complex in terms of information, than the rules explained above. This is where we will be configuring NO_SNAT for the Public IP ranges (including OSN) for the Oracle Cloud region you are using for OCVS.
  • You can get more information on Oracle Services Network and OCI Public IP Ranges here. I have also explained OSN briefly in my earlier post regarding connectivity to OSN from your SDDC.
ActionNO_SNAT
ProtocolAny Protocol
Source IPCIDR Block for Overlay or Subnet requiring internet connectivity.
In my case it is the entire CIDR 192.168.192.0/20
Destination IPIP Blocks used by OCI Public Ranges and OSN in the OCI region with your OCVS deployment.
You can find OCI Public Ranges and OSN IP Address here.

Note:

  • We have the option of ignoring this step and applying SNAT to the traffic going to the OSN. However, in cases where you want the source IP of the connection to be registered, you will need to configure this step.
  • You will need to configure individual rules for each range used in the region of your choice. The OSN / Object Storage ranges will be required at a minimum.
  • If you provided a logical segment as part of the OCVS provisioning flow, the SNAT will be configured for you. This will however be for the network provided only.

Resulting Setup

The quick action workflow will configure the NAT Gateway and the related Route-table entry to forward traffic to the internet via the created NAT Gateway. As we already have an egress security rule for all traffic, there will be no new entry created for the same.

  • The route-rule configured is given below:
Route-TableAssociated withDestinationRoute-target
Route Table for VLAN-OCI-FRA-SDDC-NSX Edge Uplink 1Uplink VLAN0.0.0.0/0NAT Gateway
NAT Gateway
Route Table for Uplink VLAN

  • The image below gives a sample of the NO_SNAT rules created on the NSX Tier-0 router for the purpose of establishing connectivity to On-prem, VCN and Oracle Services Network without getting NATed.
  • Given below is a sample of the SNAT rule configured on NSX-T Tier-0 router for ourbound internet connectivity

Traffic Flow

The figure below shows the traffic flow for the outbound connectivity from the Logical Networks to the Internet. The connectivity to VCN, On-prem and Oracle Services Network has not been shown, as it remains the same as explained in previous posts, with the only difference of a NO_SNAT on NSX Tier-0.

  1. The Virtual Machine will initiate traffic to access a system on the internet eg. http://www.oracle.com.
  2. The VM will forward the packet to it’s default gateway, which is the NSX Tier-1 router as shown in the figure above.
  3. The packet will traverse the Tier-1-Tier-0 inter-router link and reach the Tier-0 router.
  4. The Tier-0 has a SNAT configured on it for all traffic going to the internet. All traffic except to destinations defined in the NO_SNAT rules will be translated to 172.16.0.132.
  5. The T0 has a default route to send all traffic out it’s Uplink-1 and forward it to 172.16.0.129, which is the VLAN Gateway in this case.
  6. The Quick Action Workflow had added an entry to forward traffic for 0.0.0.0/0 to the NAT Gateway.
  7. Once the traffic is received by the NAT Gateway, it is translated to the Public IP of the NAT Gateway and sent to the required destination, which we are considering as http://www.oracle.com.
  8. The return traffic will be sent to the NAT Gateway which will translate it back to the Tier-0 Uplink IP and forward the traffic to 172.16.0.132.
  9. Once received by the Tier-0, it will be translated back and the traffic will be forwarded to the VM that initiated the traffic.

Note: We have focused on the North-South traffic flow and not double-clicked on the East-West flows that come into the picture as well. We will look at those in a future post.


In this series of blog posts, we reviewed the OCVS Default Networking and Quick Actions and workflows that help in establishing connectivity from your SDDC in the Oracle Cloud VMware Solution.


Additional Resources

Leave a Reply