InlineNatRule1

JSON Example
{
    "action": "string",
    "applied_tos": [
        {
            "is_valid": false,
            "target_display_name": "string",
            "target_id": "string",
            "target_type": "string"
        }
    ],
    "enabled": false,
    "firewall_match": "string",
    "internal_rule_id": "string",
    "logging": false,
    "logical_router_id": "string",
    "match_destination_network": "string",
    "match_service": "NSServiceElement Object",
    "match_source_network": "string",
    "pb_vpn_mode": "string",
    "rule_priority": 0,
    "translated_network": "string",
    "translated_ports": "string"
}
string
action
Required

Valid actions: SNAT, DNAT, NO_SNAT, NO_DNAT, REFLEXIVE, NAT64. All rules in a logical router must be either stateless or stateful; mixing the two is not supported. SNAT and DNAT are stateful and are not supported when the logical router is running in active-active HA mode; REFLEXIVE is stateless. NO_SNAT and NO_DNAT have no translated fields; only match fields are supported.

Possible values are: SNAT, DNAT, REFLEXIVE, NO_SNAT, NO_DNAT, NAT64
applied_tos
Optional
Constraints: maxItems: 1

Holds the list of LogicalRouterPort IDs that a NAT rule can be applied to. The LogicalRouterPort used must belong to the same LogicalRouter for which the NAT rule is created. As of now, a NAT rule can only have a single LogicalRouterPort as applied_tos. When applied_tos is not set, the NAT rule is applied to all LogicalRouterPorts belonging to the LogicalRouter.

boolean
enabled
Optional
Constraints: default: true

Indicator to enable/disable the rule.

string
firewall_match
Optional

Indicates how the firewall is applied to a traffic packet. The firewall can be bypassed, or be applied to the external or internal address of the NAT rule.

Possible values are: MATCH_EXTERNAL_ADDRESS, MATCH_INTERNAL_ADDRESS, BYPASS
string
internal_rule_id
Optional

Internal NAT rule UUID, used for debugging in the Controller and backend.

boolean
logging
Optional

Enable/disable logging for the rule.

string
logical_router_id
Optional

The ID of the logical router on which the NAT rule runs.

string
match_destination_network
Optional

IP Address | CIDR | (null implies Any)

match_service
Optional

An NSService element that describes traffic corresponding to an NSService

string
match_source_network
Optional

IP Address | CIDR | (null implies Any)

string
pb_vpn_mode
Optional
Constraints: default: BYPASS

Indicates how the rule applies to Policy-Based VPN traffic. It is supported only for NAT rule action types DNAT and NO_DNAT.

BYPASS indicates that the NAT rule is applied to the traffic received on a Routed-Based VPN tunnel.

EXCLUSIVE indicates that the NAT rule is applied only to the inbound traffic received on a Policy-Based VPN tunnel.

Possible values are: BYPASS, EXCLUSIVE
integer As int64
rule_priority
Optional
Constraints: default: 1024

Ascending, valid range [0-2147483647]. If multiple rules have the same priority, evaluation sequence is undefined.

string
translated_network
Optional

The translated address for the matched IP packet. For SNAT, it can be a single IP address, an IP range, or a CIDR block. For DNAT and REFLEXIVE, it can be a single IP address or a CIDR block. Translated network is not supported for NO_SNAT or NO_DNAT.

string
translated_ports
Optional

The translated port(s) for the matched IP packet. It can be a single port or a port range. Note that port translation is supported only for DNAT.
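
The cross-field constraints described above can be checked before a rule set is submitted. The following Python sketch is an added example, not part of the API or of the vendor's tooling; the function names, the sample rules and the review flag for firewall_match BYPASS are assumptions of this example.

```python
ACTIONS = {"SNAT", "DNAT", "NO_SNAT", "NO_DNAT", "REFLEXIVE", "NAT64"}
STATEFUL = {"SNAT", "DNAT"}        # classified as stateful on this page
STATELESS = {"REFLEXIVE"}          # classified as stateless on this page
NO_TRANSLATION = {"NO_SNAT", "NO_DNAT"}

def lint_rule(rule):
    """Return findings for one NAT rule given as a dict (hypothetical helper)."""
    action = rule.get("action")
    if action not in ACTIONS:
        return [f"action: required, got {action!r}"]
    out = []
    if len(rule.get("applied_tos") or []) > 1:
        out.append("applied_tos: maxItems is 1")
    if not 0 <= rule.get("rule_priority", 1024) <= 2147483647:
        out.append("rule_priority: outside [0-2147483647]")
    has_translation = rule.get("translated_network") or rule.get("translated_ports")
    if action in NO_TRANSLATION and has_translation:
        out.append(f"{action}: translated fields are not supported")
    elif rule.get("translated_ports") and action != "DNAT":
        out.append("translated_ports: supported only for DNAT")
    # The default BYPASS is treated as "not set" (choice made in this example).
    if rule.get("pb_vpn_mode", "BYPASS") != "BYPASS" and action not in {"DNAT", "NO_DNAT"}:
        out.append("pb_vpn_mode: supported only for DNAT and NO_DNAT")
    # Review flag: this example's own policy, not an API constraint.
    if rule.get("enabled", True) and rule.get("firewall_match") == "BYPASS":
        out.append("review: firewall is bypassed for this rule")
    return out

def lint_router(rules):
    """Per-rule findings keyed by index, plus the router-wide state check."""
    findings = {i: f for i, r in enumerate(rules) if (f := lint_rule(r))}
    actions = {r.get("action") for r in rules}
    if actions & STATEFUL and actions & STATELESS:
        findings["router"] = ["stateful and stateless rules are mixed"]
    return findings

# Constructed sample rules (addresses are from documentation ranges).
SAMPLE = [
    {"action": "DNAT", "match_destination_network": "203.0.113.10",
     "translated_network": "192.0.2.10", "translated_ports": "8443",
     "firewall_match": "MATCH_EXTERNAL_ADDRESS"},
    {"action": "NO_SNAT", "match_source_network": "192.0.2.0/24",
     "translated_network": "198.51.100.1"},
    {"action": "REFLEXIVE", "translated_network": "203.0.113.20",
     "translated_ports": "80", "pb_vpn_mode": "EXCLUSIVE", "firewall_match": "BYPASS"},
]

if __name__ == "__main__":
    print(lint_router(SAMPLE))
```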

Used By