The private network within the IBM Cloud is always assigned addresses from the 10.X range. As a result, reaching the IBM Cloud private network from an address outside 10.X can be a challenge, since the network drops packets from unrecognized source addresses. For example, if you built an IPsec VPN from an on-prem environment that uses 192.X addressing, you will not be able to reach vCenter or any other VLAN-backed 10.X address resident on the IBM Cloud private network. The same is true for VXLAN-backed virtual machines assigned addresses outside the IBM Cloud address space. This is why we must use NAT: the source of that traffic has to be rewritten to a 10.X address the private network recognizes.
Prior to NAT Config
Make sure that you have an NSX Edge Services Gateway (ESG) deployed within the VMware Cloud Foundation environment. The edge must have a vNIC connected to the SDDC-DPortGroup-Mgmt port group and assigned at least one private portable address from the management network.
Configuring the NAT rule
From within the NSX ESG, select the “Manage” tab and click the “NAT” button on the menu ribbon. Click the green “+” icon and select “Add SNAT Rule” to begin configuring the rule.
In the “Applied On” drop-down menu, select the interface to which you wish to apply the rule. I named my interface “SoftLayer 10.x” to denote the connection to the management network, so this is the interface I will select. Next, select the protocol you wish to NAT. In my case, I left the default option of “any” since I want to be able to use both ping and TCP. Then, enter the source IP address or range you want to NAT. If you’re connected via IPsec VPN, this is the address range you specified in the remote subnets field. If you wish to access the 10.X network from VXLAN(s) connected to the ESG, enter those subnet(s) instead.
Once the original source IP/range is filled in, enter “10.0.0.0/8” in the “Destination IP/Range” field. Finally, as the translated source, enter one of the IBM Cloud private portable addresses that is assigned to the ESG and connected to the SDDC-DPortGroup-Mgmt port group. In my situation, I used one of the secondary IPs assigned rather than the primary for ease of tracking. When you’re done, make sure the “Enabled” checkbox is checked and click “Ok”. Lastly, apply the NAT configuration by clicking the “Publish Changes” button.
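To make the effect of the rule concrete, here is an added model (example code, not from the original post or from NSX) of the SNAT match-and-rewrite step above together with the private network's source check: traffic from the VPN or VXLAN ranges is only accepted once its source has been rewritten to the ESG's 10.X portable address. The interface name “SoftLayer 10.x” comes from the post; the remote subnet 192.168.50.0/24, the VXLAN segment 172.16.10.0/24 and the ESG portable address 10.200.0.5 are constructed placeholders.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

IBM_CLOUD_PRIVATE = ip_network("10.0.0.0/8")  # the "Destination IP/Range" used in the rule

@dataclass(frozen=True)
class SnatRule:
    applied_on: str           # ESG interface the rule is bound to ("Applied On")
    protocol: str             # "any", "tcp", "udp" or "icmp"
    original_sources: tuple   # networks whose traffic gets translated
    destination: IPv4Network  # matched against the packet's destination
    translated: IPv4Address   # ESG portable 10.x address written into the source
    enabled: bool = True

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    egress_if: str

def apply_snat(rule: SnatRule, pkt: Packet) -> Packet:
    """Rewrite the source only if every match condition of the rule holds."""
    matches = (
        rule.enabled
        and pkt.egress_if == rule.applied_on
        and rule.protocol in ("any", pkt.proto)
        and any(pkt.src in net for net in rule.original_sources)
        and pkt.dst in rule.destination
    )
    return replace(pkt, src=rule.translated) if matches else pkt

def accepted_by_private_network(pkt: Packet) -> bool:
    """The IBM Cloud private network drops packets whose source is outside 10.x."""
    return pkt.src in IBM_CLOUD_PRIVATE

# Constructed placeholders (not values from the post): IPsec remote subnet,
# VXLAN segment behind the ESG, and the ESG's secondary portable management IP.
RULE = SnatRule("SoftLayer 10.x", "any",
                (ip_network("192.168.50.0/24"), ip_network("172.16.10.0/24")),
                IBM_CLOUD_PRIVATE, ip_address("10.200.0.5"))

def snat_source(src: str, dst: str, proto: str = "any", rule: SnatRule = RULE) -> str:
    """Source address the destination sees after the ESG applies `rule`."""
    pkt = Packet(ip_address(src), ip_address(dst), proto, rule.applied_on)
    return str(apply_snat(rule, pkt).src)

def reaches_private_host(src: str, dst: str, proto: str = "icmp", rule=RULE) -> bool:
    """True if the packet passes the private network's source check (rule=None: no NAT)."""
    pkt = Packet(ip_address(src), ip_address(dst), proto, RULE.applied_on)
    if rule is not None:
        pkt = apply_snat(rule, pkt)
    return accepted_by_private_network(pkt)
```

Calling `reaches_private_host("192.168.50.10", "10.200.1.20", rule=None)` reproduces the drop described at the top of the post, while the same call with the rule in place succeeds.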
Since I already have an IPsec VPN connected to a Cloud Foundation instance in IBM Cloud, I performed a simple ping to verify I could reach vCenter. Looks good!