NAT on VMware Cloud on AWS: Deep Dive

I had covered some of the aspects of NAT with VMware Cloud on AWS in a previous blog post but from talking to customers and colleagues, it sounds like I could do with expanding on the topic.

First a recap from the previous blog.

How do VMC Compute VMs access the Internet?

Access to the Internet for the VMs is extremely easy – by default, the VMs will have access to the Internet as soon as the Compute Gateway has the appropriate firewall rule.

There is no need to configure NAT for outbound traffic as we have a default source NAT rule to translate the source IP of the VM to the public IP assigned to your VMware Cloud on AWS. More details on this public IP in the upcoming section. In my SDDC, the public IP is

The NAT table will look like this:

VM NameVM-Private IPVM-Public IP

The only task you need to complete to provide Internet access to your VMs is to go to the Networking and Security Window in the VMware Cloud Console and on the Compute Gateway, create a rule to allow outbound traffic to the Internet.

In “Source”, you can specify the subnet that you want to allow Internet access for (for example, You can also be specific about where you want to apply the firewall (I apply it on the ‘Internet Interface’).

That’s it, you’re done – your VMs have Internet access.

How do I find the ‘public IP allocated’ to VMware Cloud on AWS?

Funny you should ask that – we’ve just made it easy to find by updating the user interface in the recent February 2019 release of VMware Cloud on AWS:

Public IP for Compute VM

We expose the public IP address that the VMs would be natted to once traffic exits the Internet interface.

In our lab, the traffic from our VMs (that don’t have a specified NAT rule – see next section) will be natted to the address. In this direction, it would be source-natting – the source IP in the outbound traffic to the Internet will be changed from to in the example below.

What if I need to expose VMs to the Internet ?

For VMs that need to be exposed to the Internet (or need a 1:1 Natting), go on the VMC networking and security console, request a new IP and give it a description (’Notes’).

What we (VMware) do in the background is request a public IP from the AWS pool of public IPs via the APIs. In seconds, a public IP is allocated:

Public IPs do not come free – we would only pass through the standard AWS cost of a public IP to customers.

IP address charges:
Elastic IP address associated with a running instance: $0.005/IP/hour ​
Elastic IP address not associated with a running instance: $0.005/IP/hour ​
Elastic IP address remap: $0.1/IP

Note you will see the fee for the public IP on your VMware Cloud on AWS bill, not on your standard AWS bill.  

Once that the public IP is allocated, we can start natting it to the Private IP for the VM. All the traffic from the Internet to the destination IP will be translated to the destination (and vice-versa).

Finally, I configure a simple firewall rule to allow Internet access to the Private IP of my VM (note the firewall rule needs to refer to the Private IP and not the Public IP as NAT is done before inbound firewalling).

And that’s it for our compute VMs… and my NAT table will look like this:

VM NameVM-Private IPVM-Public IP

What about our vCenter? Everything above relates to Compute workloads and not to the management system.

How do I access the vCenter over the Internet?

At creation of the SDDC, vCenter access is one of the first tasks our customers want to perform.

The VMC vCenter picks up a public IP and a private IP.

The private IP is within the management subnet range you define during the deployment of the SDDC.

The public IP is allocated during the provisioning of the SDDC (it also comes from the AWS pool of public IP addresses).

Look in “Settings / vCenter Information” to find the private and public IP addresses and the FQDN of the vCenter.

The vCenter can easily be accessed over the Internet by opening a rule on the Management Gateway Firewall (read more on the management gateway firewall here).

Source: Any or your own public IP range

Destination: vCenter (”System-Defined Groups”)

Services: HTTPS (TCP 443)

That’s all you need: just connect to your vCenter FQDN over the Internet:

How do I access the vCenter once I have VPN or Direct Connect set up?

Once VPN/Direct Connect has been established and the DC has access to the management CIDR, a user on-prem will want to access the vCenter over DX/VPN instead of going over the Internet.

If the user wants to access the vCenter via its FQDN, he/she will need to update this setting in the VMC Console (“Settings / vCenter Information”).

Change it from “Public” to “Private”:

Customers do not need to modify their own DNS settings – VMware manage the vCenter FQDN settings and the vCenter FQDN will be automatically updated through DynDNS.

Let me say it again as it can be confusing – no need for you to update your DNS records, the publicly available FQDN will switch over from the public IP to the private IP once you have done the change from Public to Private above.

Hopefully that clarifies how NAT works for your Cloud virtual machines and vCenter on VMware Cloud on AWS.

Categories: VMC

9 thoughts on “NAT on VMware Cloud on AWS: Deep Dive

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s