Network Address Translation

Network Address Translation is the process by which a local IP address is translated into a global IP address to provide network access to the “internal” local IP range. Many public clouds offer NAT products, often pricing by instance hour and per GB of data processed. Running VNS3 as a NAT instance can cut your costs dramatically.


Using VNS3 as a NAT device is simple:

  1. Launch VNS3 with Source/Destination Check Disabled in a subnet with access to the public internet
  2. Add a Source NAT or Destination NAT rule to your VNS3 firewall
  3. Add a cloud route table rule for the network routable via VNS3. For example, if VNS3 acts as a NAT gateway for the public internet, you would add a routing rule for to route to your VNS3 network interface IP.


Let be a network running in the cloud that requires access to the internet. Let VNS3 be launched with a static public IP of and a private IP of

  1. Add a route for to In AWS you will direct this route to the network interface. In Azure, you will set the Next Hop to be the private IP address of VNS3.
  2. Add a VNS3 firewall NAT rule POSTROUTING_CUST -o eth0 -s -j SNAT --to This replaces the source of traffic from to the public IP of VNS3.

Typically you would run VNS3 in a small subnet that has an internet gateway. All other subnets would be private and instead rely on routing traffic via VNS3 to the public internet.
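
A check that the SNAT rule's source range covers every private subnet routed through VNS3, written as an added example (not Cohesive's code). It assumes the rule consists of flag/value pairs as in step 2; the function names and all addresses are constructed for illustration.

```python
import ipaddress
import shlex

def parse_snat_rule(rule):
    """Parse 'POSTROUTING_CUST -o <iface> -s <cidr> -j SNAT --to <ip>'."""
    tokens = shlex.split(rule)
    if not tokens or tokens[0] != "POSTROUTING_CUST":
        raise ValueError("rule must start with POSTROUTING_CUST")
    opts = {}
    args = iter(tokens[1:])
    for flag in args:
        value = next(args, None)
        # A flag directly followed by another flag means its value was left out.
        if not flag.startswith("-") or value is None or value.startswith("-"):
            raise ValueError(f"option {flag!r} has no value")
        opts[flag] = value
    missing = [f for f in ("-o", "-s", "-j", "--to") if f not in opts]
    if missing or opts["-j"] != "SNAT":
        raise ValueError(f"not a complete SNAT rule (missing: {missing})")
    return {"iface": opts["-o"],
            "source": ipaddress.ip_network(opts["-s"]),
            "to": ipaddress.ip_address(opts["--to"])}

def audit(rule, routed_subnets):
    """Return findings; an empty list means rule scope and routes agree."""
    src = parse_snat_rule(rule)["source"]
    findings = []
    if src.prefixlen == 0:
        findings.append(f"-s {src} translates any source; scope it to the private range")
    for cidr in routed_subnets:
        net = ipaddress.ip_network(cidr)
        # Traffic from a subnet outside -s reaches VNS3 but never matches the rule.
        if net.version != src.version or not net.subnet_of(src):
            findings.append(f"{net} is routed via VNS3 but not matched by -s {src}")
    return findings

# Constructed sample values (not from the page).
RULE = "POSTROUTING_CUST -o eth0 -s 10.0.0.0/16 -j SNAT --to 203.0.113.10"

if __name__ == "__main__":
    for subnets in (["10.0.1.0/24", "10.0.2.0/24"], ["10.0.1.0/24", "172.16.5.0/24"]):
        print(subnets, "->", audit(RULE, subnets) or "ok")
```

Run it against the list of subnets whose route tables point at the VNS3 interface whenever either the routes or the firewall rule change.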