Enable Public IP on the NSX-T Data Center Edge for Azure VMware Solution

In this article, you'll learn how to enable Public IP on the NSX-T Data Center Edge for your Azure VMware Solution.

Tip

Before you enable Internet access to your Azure VMware Solution, review the Internet connectivity design considerations.

Public IP on the NSX-T Data Center Edge is a feature in Azure VMware Solution that enables inbound and outbound internet access for your Azure VMware Solution environment.

Important

Public IPv4 addresses are consumed directly in Azure VMware Solution and are charged according to the Public IPv4 prefix rates shown on Pricing - Virtual Machine IP Address Options.

The Public IP is configured in Azure VMware Solution through the Azure portal and the NSX-T Data Center interface within your Azure VMware Solution private cloud.

With this capability, you have the following features:

  • A cohesive and simplified experience for reserving a Public IP and using it down to the NSX-T Edge.
  • The ability to scale to 1000 or more Public IPs (beyond the default allocation, by support request), enabling Internet access at scale.
  • Inbound and outbound internet access for your workload VMs.
  • DDoS protection for traffic between your workloads and the internet.
  • HCX migration support over the public Internet.

Important

You can configure up to 64 Public IP addresses in total across these network blocks. To configure more than 64 Public IP addresses, submit a support ticket stating how many you need.

Prerequisites

  • Azure VMware Solution private cloud
  • DNS Server configured on the NSX-T Data Center

Reference architecture

The following architecture shows internet access to and from your Azure VMware Solution private cloud using a Public IP assigned directly to the NSX-T Data Center Edge.

Important

The use of Public IP down to the NSX-T Data Center Edge is not compatible with reverse DNS Lookup.

Configure a Public IP in the Azure portal

  1. Log in to the Azure portal.
  2. Search for and select Azure VMware Solution.
  3. Select the Azure VMware Solution private cloud.
  4. In the left navigation, under Workload Networking, select Internet connectivity.
  5. Select the Connect using Public IP down to the NSX-T Edge button.

Important

Before selecting a Public IP, ensure you understand the implications to your existing environment. For more information, see Internet connectivity design considerations. This should include a risk mitigation review with your relevant networking and security governance and compliance teams.

  6. Select Public IP.

  7. Enter the Public IP name, select a subnet size from the Address space dropdown, and select Configure.

  8. The Public IP should be configured within 20 minutes and will then show the subnet.

  9. If you don't see the subnet, refresh the list. If the refresh fails, try the configuration again.

  10. After configuring the Public IP, select the Connect using the Public IP down to the NSX-T Edge checkbox to disable all other Internet options.

  11. Select Save.

You have now enabled Internet connectivity for your Azure VMware Solution private cloud and reserved a Microsoft-allocated Public IP. You can now configure this Public IP down to the NSX-T Data Center Edge for your workloads; NSX-T Data Center handles all VM communication. There are three ways to use the reserved Public IP at the NSX-T Data Center Edge: outbound Internet access for VMs (SNAT), inbound Internet access for VMs (DNAT), and the Gateway Firewall to filter traffic to VMs at T1 gateways.

Outbound Internet access for VMs

Source Network Address Translation (SNAT) with Port Address Translation (PAT) lets many VMs share a single translated Public IP, so one SNAT rule can provide Internet connectivity for many VMs.

Important

To enable SNAT for your specified address ranges, you must configure both a gateway firewall rule and a SNAT rule for those ranges. If you don't want SNAT applied to specific address ranges (for example, private traffic that must keep its original source address), create a No-SNAT rule for the ranges to exclude. For the exclusion to take effect, the No-SNAT rule needs a lower priority number than the SNAT rule so that it is evaluated first; if it sits below the SNAT rule in the list it never matches and the traffic is translated anyway.

Add rule

  1. From your Azure VMware Solution private cloud, select vCenter Server Credentials
  2. Locate your NSX-T Manager URL and credentials.
  3. Log in to VMware NSX-T Manager.
  4. Navigate to NAT Rules.
  5. Select the T1 Router.
  6. Select ADD NAT RULE.

Configure rule

  1. Enter a name.
  2. Select SNAT.
  3. Optionally, enter a source (such as the subnet to SNAT) and/or a destination to narrow the match.
  4. Enter the translated IP. This IP is from the range of Public IPs you reserved from the Azure VMware Solution Portal.
  5. Optionally, give the rule a higher priority number. A higher number moves the rule further down the rule list, so more specific rules with lower numbers are matched first.
  6. Click SAVE.

Logging can be enabled with the logging slider. For more information on NSX-T Data Center NAT configuration and options, see the NSX-T Data Center NAT Administration Guide.

No Network Address Translation rule for specific address ranges

A No SNAT rule in NSX-T Manager excludes matching traffic from Source Network Address Translation. Use it to let private IP traffic bypass existing translation rules.

  1. From your Azure VMware Solution private cloud, select vCenter Server Credentials.
  2. Locate your NSX-T Manager URL and credentials.
  3. Log in to VMware NSX-T Manager and then select NAT Rules.
  4. Select the T1 Router and then select ADD NAT RULE.
  5. Select NO SNAT rule as the type of NAT rule.
  6. Set the Source IP to the range of addresses you do not want translated, and the Destination IP to the internal addresses those sources reach.
  7. Select SAVE.
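The SNAT and No-SNAT procedures above are UI steps; the same rules can be expressed as NSX-T Policy API bodies (PATCH /policy/api/v1/infra/tier-1s/{tier-1-id}/nat/USER/nat-rules/{rule-id}). The following is an added example, not code from the Azure VMware Solution documentation or from VMware: it builds a SNAT rule and a No-SNAT exclusion, then models the gateway's first-match-by-priority evaluation to show what happens when the No-SNAT rule is placed above versus below the SNAT rule. The Tier-1 id TNT00-T1, the workload subnet 10.10.0.0/16, the private destination 10.20.0.0/16 and the Public IP 203.0.113.10 are constructed values, not taken from the page.

```python
"""Model NSX-T Policy API NAT rules on a Tier-1 gateway and show why the
NO_SNAT exclusion must carry a lower sequence_number (priority) than SNAT.

Added example, not from the Azure VMware Solution docs or VMware.
Constructed values: Tier-1 id TNT00-T1, workload subnet 10.10.0.0/16,
private destination 10.20.0.0/16, reserved Public IP 203.0.113.10.
"""
import ipaddress
import json

TIER1 = "TNT00-T1"  # assumed Tier-1 gateway id; AVS assigns the real one


def nat_rule(rule_id, action, translated=None, source=None, destination=None,
             sequence=100, firewall_match="MATCH_EXTERNAL_ADDRESS", logging=False):
    """Body for PATCH .../tier-1s/{TIER1}/nat/USER/nat-rules/{rule_id}.

    source/destination/translated are CIDRs (NSX also accepts lists and
    ranges; only single CIDRs are modelled here)."""
    body = {
        "id": rule_id, "display_name": rule_id, "action": action,
        "sequence_number": sequence, "enabled": True, "logging": logging,
        "firewall_match": firewall_match,
    }
    if source:
        body["source_network"] = source
    if destination:
        body["destination_network"] = destination
    if translated:
        body["translated_network"] = translated
    return body


def nat_policy(no_snat_sequence):
    """SNAT everything from the workload subnet, except traffic bound for the
    private 10.20.0.0/16 range. The caller chooses the No-SNAT priority."""
    return [
        nat_rule("snat-internet", "SNAT", translated="203.0.113.10",
                 source="10.10.0.0/16", sequence=100, logging=True),
        nat_rule("no-snat-private", "NO_SNAT", source="10.10.0.0/16",
                 destination="10.20.0.0/16", sequence=no_snat_sequence),
    ]


def _in(addr, cidr):
    """Unset match field means 'any'."""
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def translate_source(rules, src, dst):
    """Evaluate as the gateway does: ascending sequence_number, first match
    wins. Returns the source address the packet leaves with."""
    for r in sorted(rules, key=lambda r: r["sequence_number"]):
        if not r["enabled"] or r["action"] not in ("SNAT", "NO_SNAT"):
            continue
        if _in(src, r.get("source_network")) and _in(dst, r.get("destination_network")):
            return src if r["action"] == "NO_SNAT" else r["translated_network"]
    return src  # no rule matched: no translation


def nat_ordering_ok(rules):
    """True when every NO_SNAT rule sits above (lower number than) every SNAT
    rule, i.e. exclusions are evaluated before translations."""
    snat = [r["sequence_number"] for r in rules if r["action"] == "SNAT"]
    no_snat = [r["sequence_number"] for r in rules if r["action"] == "NO_SNAT"]
    return all(n < s for n in no_snat for s in snat)


if __name__ == "__main__":
    for label, seq in (("correct (No-SNAT above SNAT)", 10), ("wrong (No-SNAT below SNAT)", 200)):
        rules = nat_policy(seq)
        print(label, "ordering ok:", nat_ordering_ok(rules))
        print("  10.10.1.5 -> 10.20.1.1 leaves as", translate_source(rules, "10.10.1.5", "10.20.1.1"))
        print("  10.10.1.5 -> 198.51.100.7 leaves as", translate_source(rules, "10.10.1.5", "198.51.100.7"))
    print(json.dumps(nat_policy(10), indent=2))
```

With the No-SNAT rule at priority 10 the private flow keeps its 10.10.1.5 source and only the internet-bound flow is translated to the Public IP; with the No-SNAT rule at priority 200 the SNAT rule matches first and the private flow is translated as well, which is the misconfiguration the Important note above warns about.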

Inbound Internet Access for VMs

A Destination Network Address Translation (DNAT) rule exposes a VM on a specific Public IP address and/or a specific port, providing inbound internet access to your workload VMs.

Log in to VMware NSX-T Manager

  1. From your Azure VMware Solution private cloud, select VMware credentials.
  2. Locate your NSX-T Manager URL and credentials.
  3. Log in to VMware NSX-T Manager.

Configure the DNAT rule

  1. Name the rule.
  2. Select DNAT as the action.
  3. Enter the reserved Public IP as the destination match. This IP is from the range of Public IPs reserved in the Azure VMware Solution portal.
  4. Enter the VM's private IP as the translated IP.
  5. Optionally, configure the Translated Port or the source IP for a more specific match.
  6. Select SAVE.

The VM is now reachable from the internet on that Public IP and/or those ports. Restrict which sources and services can reach it with a gateway firewall rule, as described in the next section.

Gateway Firewall used to filter traffic to VMs at T1 Gateways

You can protect network traffic to and from the public internet with the Gateway Firewall.

  1. From your Azure VMware Solution Private Cloud, select VMware credentials.

  2. Locate your NSX-T Manager URL and credentials.

  3. Log in to VMware NSX-T Manager.

  4. From the NSX-T home screen, select Gateway Policies.

  5. Select Gateway Specific Rules, choose the T1 Gateway and select ADD POLICY.

  6. Select New Policy and enter a policy name.

  7. Select the Policy and select ADD RULE.

  8. Configure the rule.

    1. Select New Rule.
    2. Enter a descriptive name.
    3. Configure the source, destination, services, and action.
  9. Select Match External Address to apply firewall rules to the external address of a NAT rule.

For example, the following rule is set to Match External Address and allows SSH traffic inbound to the Public IP.

If Match Internal Address were specified instead, the rule's destination would have to be the internal (private) IP address of the VM, because the firewall then evaluates the post-NAT address.
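To make the Match External Address / Match Internal Address distinction concrete, the following added example (not code from the Azure VMware Solution documentation or from VMware) builds the DNAT rule from the previous section and a gateway policy for the T1 gateway as NSX-T Policy API bodies, then models which destination address the gateway firewall evaluates under each `firewall_match` setting. The Tier-1 id TNT00-T1, Public IP 203.0.113.10, VM address 10.10.1.5, admin source range 198.51.100.0/24 and the service-to-port table are constructed assumptions.

```python
"""NSX-T Policy API bodies for a DNAT rule and the gateway firewall policy
that admits traffic to it, plus a model of what `firewall_match` changes.

Added example, not from the Azure VMware Solution docs or VMware. Constructed
values: Tier-1 id TNT00-T1, Public IP 203.0.113.10, VM 10.10.1.5, and an
admin source range 198.51.100.0/24 that is allowed to SSH in.
"""
import ipaddress

TIER1 = "/infra/tier-1s/TNT00-T1"
PUBLIC_IP, VM_IP = "203.0.113.10", "10.10.1.5"
SERVICE_PORTS = {"/infra/services/SSH": 22}  # built-in service path -> TCP port (only SSH modelled)


def dnat_rule(firewall_match="MATCH_EXTERNAL_ADDRESS"):
    """Body for PATCH .../tier-1s/TNT00-T1/nat/USER/nat-rules/dnat-ssh-vm."""
    return {"id": "dnat-ssh-vm", "action": "DNAT", "enabled": True, "logging": True,
            "destination_network": PUBLIC_IP, "translated_network": VM_IP,
            "service": "/infra/services/SSH",  # expose only TCP/22, not every port
            "firewall_match": firewall_match, "sequence_number": 10}


def gateway_policy(destination=PUBLIC_IP):
    """Body for PATCH /policy/api/v1/infra/domains/default/gateway-policies/internet-inbound.
    `destination` is the address the allow rule names: the Public IP for
    Match External Address, the VM's private IP for Match Internal Address.
    An explicit final DROP avoids relying on the gateway's default rule."""
    return {"id": "internet-inbound", "category": "LocalGatewayRules", "rules": [
        {"id": "allow-ssh-admin", "action": "ALLOW", "direction": "IN", "sequence_number": 10,
         "source_groups": ["198.51.100.0/24"], "destination_groups": [destination],
         "services": ["/infra/services/SSH"], "scope": [TIER1], "logged": True},
        {"id": "drop-internet-in", "action": "DROP", "direction": "IN", "sequence_number": 1000,
         "source_groups": ["ANY"], "destination_groups": ["ANY"],
         "services": ["ANY"], "scope": [TIER1], "logged": True},
    ]}


def _addr_match(addr, entries):
    return any(e == "ANY" or ipaddress.ip_address(addr) in ipaddress.ip_network(e, strict=False)
               for e in entries)


def _service_match(port, services):
    return any(s == "ANY" or SERVICE_PORTS.get(s) == port for s in services)


def inbound_allowed(firewall_match, src, dst, port, policy=None):
    """Would the gateway admit an internet packet src -> dst:port, given the
    DNAT rule with this firewall_match and the gateway policy?

    Models NSX-T behaviour: MATCH_EXTERNAL_ADDRESS evaluates the pre-NAT
    (public) destination, MATCH_INTERNAL_ADDRESS the post-NAT (VM) destination,
    and BYPASS skips the gateway firewall for the translated traffic."""
    rule = dnat_rule(firewall_match)
    if dst != rule["destination_network"] or SERVICE_PORTS[rule["service"]] != port:
        return False  # no DNAT hit: nothing answers on the Public IP for that port
    if firewall_match == "BYPASS":
        return True  # exposed with no gateway filtering at all
    seen = dst if firewall_match == "MATCH_EXTERNAL_ADDRESS" else rule["translated_network"]
    policy = policy or gateway_policy()
    for r in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if (r["direction"] in ("IN", "IN_OUT") and _addr_match(src, r["source_groups"])
                and _addr_match(seen, r["destination_groups"])
                and _service_match(port, r["services"])):
            return r["action"] == "ALLOW"
    return False  # nothing matched: treat as denied


if __name__ == "__main__":
    for fm in ("MATCH_EXTERNAL_ADDRESS", "MATCH_INTERNAL_ADDRESS", "BYPASS"):
        print(fm, "admin SSH:", inbound_allowed(fm, "198.51.100.9", PUBLIC_IP, 22),
              "stranger SSH:", inbound_allowed(fm, "192.0.2.44", PUBLIC_IP, 22))
```

With the allow rule written against the Public IP, only Match External Address admits the admin's SSH; under Match Internal Address the firewall sees 10.10.1.5, the rule does not match and the explicit drop fires, which is the mismatch described just above. Switching the policy to name the VM's private IP (`gateway_policy(VM_IP)`) restores the match for Match Internal Address. BYPASS admits everyone, so it should not be used on an internet-facing DNAT.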

For more information on the NSX-T Data Center Gateway Firewall, see the NSX-T Data Center Gateway Firewall Administration Guide. The Distributed Firewall can also be used to filter traffic to VMs; that feature is outside the scope of this document. For more information, see the NSX-T Data Center Distributed Firewall Administration Guide.

Next steps

Internet connectivity design considerations (Preview)

Enable Managed SNAT for Azure VMware Solution Workloads (Preview)

Disable Internet access or enable a default route

Enable HCX access over the internet