Chapter 16. Managing Networks and Traffic
5. Click the IP address you want to work with.
6. Click the Static NAT button.
The button toggles between Enable and Disable, depending on whether static NAT is currently
enabled for the IP address.
7. If you are enabling static NAT, a dialog appears where you can choose the destination VM and
click Apply.
16.21. IP Forwarding and Firewalling
By default, all incoming traffic to the public IP address is rejected. All outgoing traffic from the guests is
also blocked by default.
To allow outgoing traffic, follow the procedure in Section 16.21.1, “Egress Firewall Rules in an
Advanced Zone”.
To allow incoming traffic, users may set up firewall rules and/or port forwarding rules. For example,
you can use a firewall rule to open a range of ports on the public IP address, such as 33 through 44.
Then use port forwarding rules to direct traffic from individual ports within that range to specific ports
on user VMs. For example, one port forwarding rule could route incoming traffic on the public IP's
port 33 to port 100 on one user VM's private IP. For more information, see Section 16.21.2, “Firewall
Rules” and Section 16.21.3, “Port Forwarding”.
16.21.1. Egress Firewall Rules in an Advanced Zone
The egress traffic originates from a private network to a public network, such as the Internet. By
default, the egress traffic is blocked in default network offerings, so no outgoing traffic is allowed from
a guest network to the Internet. However, you can control the egress traffic in an Advanced zone by
creating egress firewall rules. When an egress firewall rule is applied, the traffic specific to the rule is
allowed and the remaining traffic is blocked. When all the firewall rules are removed the default policy,
Block, is applied.
16.21.1.1. Prerequisites and Guidelines
Consider the following scenarios to apply egress firewall rules:
• Egress firewall rules are supported on Juniper SRX and virtual router.
• The egress firewall rules are not supported on shared networks.
• Allow the egress traffic from specified source CIDR. The Source CIDR is part of guest network
CIDR.
• Allow the egress traffic with protocol TCP, UDP, ICMP, or ALL.
• Allow the egress traffic with protocol and destination port range. The port range is specified for TCP,
UDP or for ICMP type and code.
• The default policy is Allow for the new network offerings, whereas on upgrade existing network
offerings with firewall service providers will have the default egress policy Deny.
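The ingress and egress behaviour described in Section 16.21 and 16.21.1 (incoming traffic to the public IP rejected by default, a firewall rule opening ports 33 through 44, a port forwarding rule sending public port 33 to port 100 on a user VM, and egress rules whose source CIDR must lie inside the guest network with Block as the default policy) modelled as a small Python simulator. This is an added example, not code from CloudPlatform or Citrix; the VirtualRouter class, its method names and all IP addresses are constructed for illustration.

```python
"""Toy model of the ingress/egress filtering described in Section 16.21 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = -1  # wildcard for ICMP type/code


@dataclass(frozen=True)
class Packet:
    protocol: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: int = 0
    icmp_type: int = ANY
    icmp_code: int = ANY


@dataclass(frozen=True)
class FirewallRule:
    protocol: str              # "tcp", "udp", "icmp" or "all"
    cidr: str = "0.0.0.0/0"    # source CIDR the rule applies to
    start_port: int = 1        # destination port range (TCP/UDP only)
    end_port: int = 65535
    icmp_type: int = ANY       # ICMP type/code, ANY = wildcard (ICMP only)
    icmp_code: int = ANY

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.cidr):
            return False
        if self.protocol == "all":
            return True
        if self.protocol != pkt.protocol:
            return False
        if self.protocol == "icmp":
            return (self.icmp_type in (ANY, pkt.icmp_type)
                    and self.icmp_code in (ANY, pkt.icmp_code))
        return self.start_port <= pkt.dst_port <= self.end_port


@dataclass(frozen=True)
class PortForwardingRule:
    public_port: int
    protocol: str
    vm_ip: str
    private_port: int


class VirtualRouter:
    """Hypothetical model of the virtual router's public IP filtering (not CloudPlatform code)."""

    def __init__(self, public_ip: str, guest_cidr: str) -> None:
        self.public_ip = public_ip
        self.guest_cidr = ip_network(guest_cidr)
        self.ingress_rules: List[FirewallRule] = []
        self.egress_rules: List[FirewallRule] = []
        self.port_forwards: List[PortForwardingRule] = []

    def add_egress_rule(self, rule: FirewallRule) -> None:
        # Guideline from the text: the source CIDR must be part of the guest network CIDR.
        if not ip_network(rule.cidr).subnet_of(self.guest_cidr):
            raise ValueError(f"{rule.cidr} is not part of guest network {self.guest_cidr}")
        self.egress_rules.append(rule)

    def route_ingress(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return (vm_ip, private_port) for accepted traffic, None when it is rejected."""
        if pkt.dst != self.public_ip:
            return None
        # Default: all incoming traffic to the public IP is rejected unless a rule opens it.
        if not any(rule.matches(pkt) for rule in self.ingress_rules):
            return None
        # An opened port still needs a port forwarding rule before it reaches a VM.
        for pf in self.port_forwards:
            if pf.protocol == pkt.protocol and pf.public_port == pkt.dst_port:
                return (pf.vm_ip, pf.private_port)
        return None

    def allow_egress(self, pkt: Packet) -> bool:
        """Default policy Block: only traffic matched by an egress rule may leave."""
        if ip_address(pkt.src) not in self.guest_cidr:
            return False
        return any(rule.matches(pkt) for rule in self.egress_rules)


def build_demo_router() -> VirtualRouter:
    """Constructed scenario from the text: open TCP 33-44, forward public 33 to VM port 100."""
    vr = VirtualRouter(public_ip="203.0.113.10", guest_cidr="10.1.1.0/24")  # constructed addresses
    vr.ingress_rules.append(FirewallRule("tcp", start_port=33, end_port=44))
    vr.port_forwards.append(PortForwardingRule(33, "tcp", "10.1.1.5", 100))
    # Egress: allow HTTPS and ICMP echo requests from the guest network, block everything else.
    vr.add_egress_rule(FirewallRule("tcp", cidr="10.1.1.0/24", start_port=443, end_port=443))
    vr.add_egress_rule(FirewallRule("icmp", cidr="10.1.1.0/24", icmp_type=8, icmp_code=0))
    return vr


if __name__ == "__main__":
    vr = build_demo_router()
    print(vr.route_ingress(Packet("tcp", "198.51.100.7", "203.0.113.10", 33)))   # ('10.1.1.5', 100)
    print(vr.route_ingress(Packet("tcp", "198.51.100.7", "203.0.113.10", 45)))   # None
    print(vr.allow_egress(Packet("tcp", "10.1.1.7", "198.51.100.9", 443)))       # True
    print(vr.allow_egress(Packet("tcp", "10.1.1.7", "198.51.100.9", 25)))        # False
```

The model separates the two decisions the text describes: a firewall rule only opens a port on the public IP, and a port forwarding rule is still required to deliver it to a VM, so port 40 in the opened range with no forwarding rule is dropped. A router with no egress rules at all blocks every outgoing packet, which is the "default policy, Block" behaviour.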
16.21.1.2. Configuring an Egress Firewall Rule
1. Log in to the CloudPlatform UI as an administrator or end user.