Network address translation (NAT) conserves IPv4 address space by translating the unregistered private IP addresses used for an organization’s private inner network into a single registered public IP address. This single public IP address is then used to connect to external networks, like the internet.
This article describes how NAT on the MCR is designed to specifically support public peering types to Cloud Service Providers.
Many-to-one NAT using different ports
NAT is performed by the MCR at the boundary where two networks are connected. Before forwarding packets from the inner network to the outer network, MCR translates the private, non-unique IP addresses to a single, globally unique public IP address. This many-to-one translation allows the MCR to advertise only one IP address to the outside world, while hiding multiple private source IP addresses behind the IP address of the MCR interface. To create a unique session, MCR assigns a different TCP or UDP source port number to the public IP address.
To map multiple IP addresses to a single IP address, MCR NAT uses a combination of source NAT (SNAT) and port address translation (PAT).
Note: NAT on the MCR is similar to Cisco’s NAT overload or Checkpoint’s Hide NAT functionality.
MCR NAT example
In this example, the MCR is logically sitting between a customer’s data center (10.100.0.0/16) and Azure (West US 188.8.131.52/16). Packets destined for 184.108.40.206/16 are sent from the data center to the MCR.
- The data center sends a packet with a source IP of 10.100.20.10 and a destination IP of 220.127.116.11 toward the MCR.
- The MCR receives the packet on its inside interface. Upon egress, the MCR performs a SNAT to translate the source IP address (10.100.20.10) to the local IP address of its outside interface (18.104.22.168). To create a unique session, the MCR also performs a port address translation (PAT) and assigns the session a unique TCP or UDP source port. The destination IP and port are left intact.
- When Azure receives the packet, it has a source IP of 22.214.171.124. Azure forwards the packet to the destination 126.96.36.199 and replies back to the source at 188.8.131.52.
- Assume that Azure receives another packet from the MCR with a source IP of 10.100.5.16 and a destination IP of 184.108.40.206. The MCR performs a SNAT to the same IP address of 220.127.116.11. The only difference is the TCP/UDP source port that has been automatically assigned by the MCR.
Verifying the NAT assignment
The MCR automatically configures the VLAN IDs used for private and public peering after you configure the peering type. When provisioning VXCs from the MCR to a service provider, MCR configures the private peering with VLAN 100 and the public peering with VLAN 200, by default.
This figure shows the MCR with a VXC connecting to Azure. During the initial VXC configuration, both Private and Public Microsoft peering types were selected. For this configuration, MCR automatically configured VLAN 100 to support private peering and VLAN 200 to support the public Microsoft peering.
On the VLAN 200 tab, the NAT IP Address field appears at the bottom of the page, below the Connection Details. This is the IP address of the MCR’s outside interface. Any packets will be translated to this interface.
Note: When multiple Azure VXCs on an MCR populate the same VLAN 100 tag (private peering) and the same VLAN 200 tag (public peering), MCR manages the 802.1Q tunnel, also known as a Q-in-Q tunnel, for each Azure VXC that terminates on the MCR. Each Azure VLAN will still be a separate logical interface.
Supported MCR NAT configurations
This table summarizes the supported MCR NAT configurations and use cases, indicated by a ✓. It also includes configurations that aren’t a good fit, indicated by an X.
|MCR NAT Type||MCR NAT Use Case|
|NAT Overload||✓||Connectivity to Cloud Service Providers public services||✓|
|Hide NAT||✓||Connectivity to SaaS and PaaS services||✓|
|Source NAT||X||Connectivity to Megaport Marketplace partners||✓|
|Destination NAT||X||Preserve the IP address space for outbound traffic||✓|
|Static NAT Pool||X||Allow for inbound access from the internet||X|
|Dynamic NAT Pool||X||Routing between overlapping networks||X|