IBM Cloud Docs
Configure NAT for Internet access from a private network

Configure NAT for Internet access from a private network

This tutorial describes the use of Classic Infrastructure. Most workloads can be implemented using IBM Cloud® Virtual Private Cloud resources. Use IBM Cloud VPC to create your own private cloud-like computing environment on shared public cloud infrastructure. A VPC gives an enterprise the ability to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud. Specifically, virtual server instances, security groups, network ACLs and public gateways.

This tutorial may incur costs. Use the Cost Estimator to generate a cost estimate based on your projected usage.

In today’s world of web based IT applications and services, few applications exist in isolation. Developers have come to expect access to services on the Internet, whether it is open-source application code and updates or ‘third party’ services providing application functionality via REST APIs. Network Address Translation (NAT) masquerade, is a commonly used approach to securing the access to Internet hosted service from private networks. In NAT masquerade, private IP addresses are translated to the IP address of the out-bound public interface in a many-to-one relationship, shielding the private IP address from public view.

This tutorial presents the setup of Network Address Translation (NAT) masquerade on a Virtual Router Appliance (VRA) to connect to a secured subnet on the IBM Cloud private network. It builds on the Isolating workloads with a secure private network tutorial, adding a Source NAT (SNAT) configuration, where the source address is obfuscated and firewall rules are used to secure out-bound traffic. More complex NAT configurations can be found in the supplemental VRA documentation.

Objectives

  • Setup Source Network Address Translation (SNAT) on a Virtual Router Appliance (VRA)
  • Setup firewall rules for Internet access

Architecture
Figure 1. Architecture diagram of the tutorial

  1. Document required Internet services.
  2. Setup NAT.
  3. Create Internet firewall zone and rules.

Before you begin

This tutorial enables hosts in the secure private network enclosure created by the Isolate workloads with a secure private network tutorial to access public Internet services. That tutorial must be completed first.

Document Internet services

The first step is to identify the services that will be accessed on the public Internet and to document the ports that must be enabled for outbound and corresponding inbound traffic from the Internet. This list of ports will be required for the firewall rules in a later step.

In this example only http and https ports are enabled as these cover a majority of requirements. DNS and NTP services are provided from the IBM Cloud private network. If these and other services such as SMTP (Port 25) or MySQL (Port 3306) are required, additional firewall rules will be necessary. The two basic port rules are:

  • Port 80 (http)
  • Port 443 (https)

Verify if the third party service supports defining a list of allowed source addresses. If yes, the public IP address of the VRA will be required to configure the third party service to limit access to the service.

NAT masquerade to Internet

Follow the instructions here to configure external Internet access for hosts in the APP zone using NAT masquerade.

  1. SSH into VRA and enter [edit] (config) mode.

    SSH vyatta@<VRA Private IP Address>
configure

  2. Create the SNAT rules on the VRA, specifying the same <Subnet Gateway IP>/<CIDR> as determined for the APP zone subnet/VLAN in the prior VRA provisioning tutorial.

    set service nat source rule 1000 description 'pass traffic to the Internet'
set service nat source rule 1000 outbound-interface 'dp0bond1'
set service nat source rule 1000 source address <Subnet Gateway IP>/<CIDR>
set service nat source rule 1000 translation address masquerade
commit

Create Firewalls

  1. Create firewall rules for APP-TO-OUTSIDE

    set security firewall name APP-TO-OUTSIDE default-action drop
set security firewall name APP-TO-OUTSIDE description 'APP traffic to the Internet'
set security firewall name APP-TO-OUTSIDE default-log

set security firewall name APP-TO-OUTSIDE rule 90 protocol tcp
set security firewall name APP-TO-OUTSIDE rule 90 action accept
set security firewall name APP-TO-OUTSIDE rule 90 destination port 80

set security firewall name APP-TO-OUTSIDE rule 100 protocol tcp
set security firewall name APP-TO-OUTSIDE rule 100 action accept
set security firewall name APP-TO-OUTSIDE rule 100 destination port 443

set security firewall name APP-TO-OUTSIDE rule 200 protocol icmp
set security firewall name APP-TO-OUTSIDE rule 200 icmp type 8
set security firewall name APP-TO-OUTSIDE rule 200 action accept
commit

  2. Create firewall rules OUTSIDE-TO-APP

    set security firewall name OUTSIDE-TO-APP default-action drop
set security firewall name OUTSIDE-TO-APP description 'Internet traffic to APP'
set security firewall name OUTSIDE-TO-APP default-log

set security firewall name OUTSIDE-TO-APP rule 100 protocol tcp
set security firewall name OUTSIDE-TO-APP rule 100 action accept
set security firewall name OUTSIDE-TO-APP rule 100 destination port 443

set security firewall name OUTSIDE-TO-APP rule 90 protocol tcp
set security firewall name OUTSIDE-TO-APP rule 90 action accept
set security firewall name OUTSIDE-TO-APP rule 90 destination port 80

set security firewall name OUTSIDE-TO-APP rule 200 protocol icmp
set security firewall name OUTSIDE-TO-APP rule 200 icmp type 8
set security firewall name OUTSIDE-TO-APP rule 200 action accept
commit

Create Zone and apply rules

  1. Create zone OUTSIDE to control access to the external Internet.

    set security zone-policy zone OUTSIDE default-action drop
set security zone-policy zone OUTSIDE interface dp0bond1
set security zone-policy zone OUTSIDE description 'External Internet'

  2. Assign firewalls to control traffic to and from the Internet.

    set security zone-policy zone APP to OUTSIDE firewall APP-TO-OUTSIDE
set security zone-policy zone OUTSIDE to APP firewall OUTSIDE-TO-APP
commit

  3. Validate the VSI in the APP zone can now access services on the Internet. Login to the local VSI using SSH:

    ssh root@<VSI Private IP>

    use ping and curl to validate icmp and tcp access to sites on the Internet:

    ping 8.8.8.8
curl www.google.com

Remove resources

Steps to take to remove the resources created in this tutorial.

The VRA is on a monthly paid plan. Cancellation does not result in a refund. It is suggested to only cancel if this VRA will not be required again in the next month. If a dual VRA High-Availability cluster is required, this single VRA can be upgraded on the Gateway Details page.

  1. Cancel any virtual servers or bare-metal servers
  2. Cancel the VRA
  3. Cancel any VLANs

Related content