NAT rule types

Source NAT (SNAT)

SNAT translates the source IP of the outbound packets to a known public IP address so that the app can communicate with the outside world without using its private IP address. It also keeps track of the reply.

Destination NAT (DNAT)

DNAT allows for access to internal private IP addresses from the outside world by translating the destination IP address when inbound communication is initiated. It also takes care of the reply.

For both SNAT and DNAT, users can apply NAT rules based on 5-tuple match criteria.

Reflexive NAT

Reflexive NAT rules are stateless ACLs that must be defined in both directions. They do not keep track of the connection. Reflexive NAT rules can be used where stateful NAT cannot be used because of asymmetric paths (e.g., when a user needs to enable NAT on active/active ECMP routers).
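
The asymmetric-path case above, as an added example (not from the original page or any product code): a Python model of two active/active routers in which stateful SNAT drops a reply that arrives on the router holding no connection entry, while a stateless reflexive mapping translates it. The class names, the 1:1 mapping and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulSnatRouter:
    """SNAT with a per-router connection table (state is not shared between routers)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.conntrack = {}  # 5-tuple of the expected reply -> original private (ip, port)

    def outbound(self, pkt):
        out = replace(pkt, src=self.public_ip)
        self.conntrack[(out.dst, out.dport, out.src, out.sport, out.proto)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, pkt):
        entry = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        if entry is None:
            return None  # no state on this router: the packet is dropped
        return replace(pkt, dst=entry[0], dport=entry[1])

class ReflexiveNatRouter:
    """Stateless 1:1 mapping applied in both directions; no connection table."""
    def __init__(self, private_ip, public_ip):
        self.private_ip, self.public_ip = private_ip, public_ip

    def outbound(self, pkt):
        return replace(pkt, src=self.public_ip) if pkt.src == self.private_ip else pkt

    def inbound(self, pkt):
        return replace(pkt, dst=self.private_ip) if pkt.dst == self.public_ip else pkt

def reply_to(pkt):
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

def round_trip(egress_router, ingress_router, pkt):
    """Send via one router and receive the reply on another (same object = symmetric path)."""
    return ingress_router.inbound(reply_to(egress_router.outbound(pkt)))

# Constructed sample flow: private client to an outside HTTPS server.
PRIVATE, PUBLIC, SERVER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
FLOW = Packet(PRIVATE, 40000, SERVER, 443)
```

Because the reflexive mapping keeps no connection state, it also translates inbound packets that answer no outbound flow, so any filtering has to come from separate firewall rules.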

This table summarizes NAT rules and usage restrictions:

| NAT Rules Type | Type | Specific Usage Guidelines |
|---|---|---|
| Stateful | SNAT, DNAT | Can be enabled on both provider and vendor logical routers. |
| Stateless | Reflexive NAT | Can be enabled on provider routers; generally used when the provider router is in active/active mode. |