Source NAT

Source NAT (SNAT) allows traffic originating from private IP addresses within your Virtual Network (VNET) to access the internet or other external networks. It translates the internal source IP address of a packet to a specified public IP address.

When to use Source NAT

  • Internet Access for Private Hosts: Enabling servers without public IPs to reach external web services.
  • Standardized Outbound IP: Ensuring all outbound traffic from a specific subnet or group of servers appears to come from a single, predictable public IP address.
  • Security: Masking internal network topology from external observers by using the gateway's public IP.

Prerequisites

Before configuring Source NAT, ensure you have:

  • A Virtual Network (VNET) already deployed.
  • An Internet Service attached to your VNET to provide the public IP addresses.
  • Defined Traffic Objects (Configuration Objects, Traffic Identifiers, or Address Books) representing the internal sources. See Working with Objects.

Configuring Source NAT

Follow these steps to create a Source NAT rule:

  1. Navigate to the Services page and select your VNET.
  2. In the left sidebar, expand Policies and select Source NAT.
  3. Click the Add Source NAT button.
  4. Complete the following fields in the configuration screen:
    • Name: Enter a descriptive name for the rule (e.g., "General Internet Access").
    • Group Name (Optional): Enter an optional Group Name.
    • Source: Define the internal IP addresses to be translated in one of the following ways:
      • Configuration Object: Select a Configuration Object from the list.
      • IP-Address: Enter an IP address.
      • Any: Apply this rule for any source address.
    • Destination: Define the external IP addresses to be used as the match criteria for this rule:
      • Configuration Object: Select a Configuration Object from the list.
      • IP-Address: Enter an IP address.
      • Any: Apply this rule for any destination address.
    • Destination NAT: Select the public IP address from your Internet Service that the traffic should be translated to.
  5. Click Save.

Important Considerations

Note

Rule Order: Source NAT rules are evaluated in sequence across Rule Groups. Ensure more specific rules are placed above more general rules if you have multiple translation requirements.
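
The ordering problem this note warns about, as an added Python example (not the portal's own code): it assumes first-match-wins evaluation and flags rules that can never match because a broader rule sits above them, which would send that traffic out through an unintended public IP. The rule names, field names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample rules (IPv4 documentation ranges). Field names are
# hypothetical; they only mirror the Source, Destination and translated-IP fields.
RULES = [
    {"name": "general-internet", "src": "any", "dst": "any", "nat_ip": "203.0.113.10"},
    {"name": "db-subnet-egress", "src": "10.0.2.0/24", "dst": "any", "nat_ip": "203.0.113.20"},
    {"name": "partner-api", "src": "10.0.1.0/24", "dst": "198.51.100.0/24", "nat_ip": "203.0.113.30"},
]

def _net(value):
    """Map 'any' to 0.0.0.0/0, otherwise parse an IPv4 address or CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)

def covers(outer, inner):
    """True when every packet matching rule `inner` also matches rule `outer`."""
    return (_net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"])))

def find_shadowed(rules):
    """Return (shadowed, shadowing) rule-name pairs, assuming first match wins."""
    pairs = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                pairs.append((rule["name"], earlier["name"]))
                break
    return pairs

def translate(rules, src_ip, dst_ip):
    """Return the public IP chosen for a flow, or None when no rule matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in _net(rule["src"]) and dst in _net(rule["dst"]):
            return rule["nat_ip"]
    return None

def specific_first(rules):
    """Heuristic reorder: longer combined prefix (narrower rule) goes first."""
    return sorted(rules, key=lambda r: -(_net(r["src"]).prefixlen + _net(r["dst"]).prefixlen))

if __name__ == "__main__":
    print("shadowed as written:", find_shadowed(RULES))
    fixed = specific_first(RULES)
    print("shadowed after reorder:", find_shadowed(fixed))
    print("10.0.2.5 egresses as:", translate(fixed, "10.0.2.5", "192.0.2.1"))
```
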

Note

Directionality: Source NAT only handles outbound connectivity (Internal to External). If you need external users to initiate connections to an internal server (External to Internal), use 1:1 NAT or Destination NAT.

Note

Applying Changes: Like all networking services in the portal, your Source NAT will not be active until you deploy the changes. See Workflows and Applying Changes.