Configuration: Port restricted NAT
Features:
- Internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort); every packet from iAddr:iPort leaves through the same eAddr:ePort, whatever its destination.
- Internal host can send packets to external host (hAddr:hPort) using iAddr:iPort.
- External host (hAddr:hPort) can send packets to the internal host via eAddr:ePort if and only if the internal host previously sent a packet to hAddr:hPort (the same address and port).

Configuration: Symmetric NAT
Features:
- Each request from the same iAddr:iPort to a specific destination IP address and port is mapped to a unique eAddr:ePort; the same internal source talking to a different destination gets a different mapping.
- External host (hAddr:hPort) can send packets to the internal host if and only if the internal host previously sent a packet to hAddr:hPort, and only through the mapping created for that destination.
Port Address Translation (PAT), a port-based variant of NAT, allows many internal
hosts to share a single external IPv4 address. The main idea is to use the translated source
port, rather than a separate external address per host, to distinguish between, and correctly
route, the traffic of the various internal hosts.
Generally, cloud service providers implement NAT as part of the service package.
However, an organization may need to provision Internet connectivity for instances within its
virtual private cloud (VPC) that have no public address of their own. For such scenarios, cloud
service providers allow a NAT instance to be used to enable outbound traffic to the Internet
while blocking inbound traffic initiated by unknown hosts on the Internet, using one of the
aforementioned NAT configurations. The choice of configuration depends on the business use
case and on the application's network behavior: an application that must be reachable by many
peers at one predictable external port cannot sit behind a symmetric NAT, whereas a workload
that only initiates outbound connections and consumes the replies works behind any of them.
Dividing a Physical Network into Smaller Logical Networks
To logically divide a single physical network into two or more smaller logical networks
(called subnetworks or subnets), we use subnetting. In large organizations, it is necessary
to allocate address space efficiently; that is, publicly routable IP addresses should be used only
for machines or hosts that have to be made externally or publicly accessible, while everything
else is numbered from private address space. Subnetting also helps network management,
because different subnets can be administered by different groups having varying needs, and it
enhances routing efficiency, because routers forward on the network prefix rather than on
individual host addresses.
The division is expressed in Classless Inter-Domain Routing (CIDR) notation: the address
prefix of the network followed by a slash and the length of that prefix in bits. For example,
192.168.1.0/24 denotes a network that starts at 192.168.1.0 in which the first 24 bits (3 octets)
are the network prefix and the remaining 8 bits (1 octet) identify hosts within the subnet. That
gives 256 addresses, of which 254 are usable: the all-zeros host value is the network address
and the all-ones host value is the broadcast address.
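As an added example that is not part of the original page, the following Python works the CIDR arithmetic by hand: it derives the netmask from the prefix length, computes the network and broadcast addresses and the usable host range, tests whether an address belongs to a block, and carves a larger block (such as a VPC /16) into equal smaller subnets. All addresses are constructed sample inputs and the helper names are the example's own.

```python
"""Subnetting by hand: CIDR parsing, host range, membership test and block splitting.
Added example; all addresses below are constructed sample inputs."""
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(plen: int) -> int:
    """Mask with the top plen bits set, e.g. /24 -> 0xFFFFFF00 (255.255.255.0)."""
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length: {plen}")
    return (MASK32 << (32 - plen)) & MASK32


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """'a.b.c.d/n' -> (network address as int, prefix length); host bits are cleared."""
    addr, sep, plen_s = cidr.partition("/")
    if sep != "/":
        raise ValueError(f"missing prefix length: {cidr}")
    plen = int(plen_s)
    return ip_to_int(addr) & netmask(plen), plen


def describe(cidr: str) -> dict:
    """Network, mask, broadcast and usable host range for a CIDR block."""
    net, plen = parse_cidr(cidr)
    mask = netmask(plen)
    broadcast = net | (~mask & MASK32)      # host bits all ones
    host_bits = 32 - plen
    # the all-zeros (network) and all-ones (broadcast) host values are not assignable
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0
    return {
        "network": int_to_ip(net),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "host_bits": host_bits,
        "usable_hosts": usable,
        "first_host": int_to_ip(net + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
    }


def contains(cidr: str, ip: str) -> bool:
    """True if ip falls inside the block: identical bits under the network mask."""
    net, plen = parse_cidr(cidr)
    return ip_to_int(ip) & netmask(plen) == net


def split(cidr: str, new_plen: int) -> List[str]:
    """Carve a block into equal subnets with a longer prefix (e.g. a /16 VPC into /24s)."""
    net, plen = parse_cidr(cidr)
    if not plen <= new_plen <= 32:
        raise ValueError("new prefix must be at least as long as the parent prefix")
    size = 2 ** (32 - new_plen)             # addresses per subnet
    count = 2 ** (new_plen - plen)          # number of subnets produced
    return [f"{int_to_ip(net + i * size)}/{new_plen}" for i in range(count)]


if __name__ == "__main__":
    # constructed sample: a /16 VPC carved into /24s, first two used as public and private subnets
    subnets = split("10.0.0.0/16", 24)
    print("public :", describe(subnets[0]))
    print("private:", describe(subnets[1]))
    print(contains(subnets[1], "10.0.1.42"), contains(subnets[0], "10.0.1.42"))
```

The membership test is the same operation a router performs for every forwarded packet, which is why aggregating hosts under one prefix keeps routing tables small.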
In a cloud setup, a NAT instance sits between the private subnet and the public subnet
within the VPC. Internet-bound traffic from the private subnet is forwarded by the NAT instance
to the VPC's Internet gateway with its source address rewritten to the NAT instance's own public
IP address. The response returns to the NAT instance, which translates the destination back and
forwards it to the relevant instance in the private subnet. This is accomplished with PAT: the NAT
instance keeps a table of translated source ports so that replies destined for the many private
instances sharing its single public address can be told apart, while packets from Internet hosts
that match no entry in that table are dropped.
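The following Python simulation is an added example, not code from the page or from any cloud provider's NAT implementation. It models the two configurations in the table above (port restricted versus symmetric) and the PAT behaviour of a NAT instance fronting a private subnet: two private instances share one external address, legitimate replies are delivered to the right instance, and packets from hosts the instances never contacted are dropped. The addresses are constructed from the documentation ranges, and the port-allocation strategy (sequential from 40000) is an assumption made for the example.

```python
"""Toy NAT instance with port-restricted and symmetric behaviour (PAT).
Added example; addresses and the port allocation policy are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass
class NatInstance:
    """One external IPv4 address (eAddr) shared by many internal hosts."""
    mode: str                                   # "port_restricted" or "symmetric"
    ext_addr: str
    next_port: int = 40000                      # next free ePort (assumed allocation policy)
    mappings: Dict[object, int] = field(default_factory=dict)       # mapping key -> ePort
    reverse: Dict[int, Endpoint] = field(default_factory=dict)      # ePort -> iAddr:iPort
    allowed: Set[Tuple[int, Endpoint]] = field(default_factory=set)  # (ePort, hAddr:hPort)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal src sends to external dst; returns the eAddr:ePort the packet leaves with."""
        # Port-restricted NAT keys the mapping on iAddr:iPort alone, so every destination
        # sees the same ePort. Symmetric NAT keys on (iAddr:iPort, hAddr:hPort), so each
        # destination gets its own ePort.
        key = src if self.mode == "port_restricted" else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.reverse[self.next_port] = src
            self.next_port += 1
        eport = self.mappings[key]
        # Record that dst was contacted from this ePort: only dst may now send to it.
        self.allowed.add((eport, dst))
        return Endpoint(self.ext_addr, eport)

    def inbound(self, src: Endpoint, eport: int) -> Optional[Endpoint]:
        """Packet from external src arrives at eAddr:eport; return the internal target,
        or None when the NAT drops it as unsolicited."""
        if (eport, src) not in self.allowed:
            return None                          # unknown host, or a port never contacted
        return self.reverse[eport]


def run_scenario(mode: str) -> dict:
    """Exercise one NAT mode and report the observable outcomes."""
    nat = NatInstance(mode, "203.0.113.10")     # constructed: NAT instance's public address
    host_a = Endpoint("10.0.1.5", 5000)         # constructed: two instances in the private subnet
    host_b = Endpoint("10.0.1.6", 5000)
    web1 = Endpoint("198.51.100.1", 80)         # constructed: two Internet servers
    web2 = Endpoint("198.51.100.2", 80)

    a_to_web1 = nat.outbound(host_a, web1)
    a_to_web2 = nat.outbound(host_a, web2)
    b_to_web1 = nat.outbound(host_b, web1)

    return {
        # PAT: both private hosts leave with the same eAddr but distinct ePorts
        "shared_ext_addr": a_to_web1.addr == b_to_web1.addr,
        "distinct_ports_per_host": a_to_web1.port != b_to_web1.port,
        # port-restricted: one ePort per iAddr:iPort; symmetric: one per destination
        "same_port_both_dsts": a_to_web1.port == a_to_web2.port,
        # legitimate replies are forwarded to the right internal host
        "reply_to_a": nat.inbound(web1, a_to_web1.port),
        "reply_to_b": nat.inbound(web1, b_to_web1.port),
        # an unknown Internet host probing the mapped port is dropped
        "stranger_dropped": nat.inbound(Endpoint("192.0.2.9", 4444), a_to_web1.port) is None,
        # the same server from a port the internal host never contacted is also dropped
        "wrong_hport_dropped": nat.inbound(Endpoint("198.51.100.1", 443), a_to_web1.port) is None,
    }


if __name__ == "__main__":
    for mode in ("port_restricted", "symmetric"):
        print(mode, run_scenario(mode))
```

Running both modes shows the one difference that matters to applications: behind the port-restricted NAT, host_a is reachable at a single ePort by every server it has contacted, while behind the symmetric NAT each server sees a different ePort, so a third party cannot predict the port from another peer's observation.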