This resource provides a means to configure a NAT rule in NSX. NAT provides network address translation between one IP address space and another IP address space. NAT rules can be destination NAT or source NAT rules.

Example Usage

resource "nsxt_nat_rule" "rule1" {
  logical_router_id         = "${nsxt_logical_tier1_router.rtr1.id}"
  description               = "NR provisioned by Terraform"
  display_name              = "NR"
  action                    = "SNAT"
  enabled                   = true
  logging                   = true
  nat_pass                  = false # translated traffic still passes the following firewall stage
  translated_network        = ""
  match_destination_network = ""
  match_source_network      = ""

  tag {
    scope = "color"
    tag   = "blue"
  }
}

Argument Reference

The following arguments are supported:

  • logical_router_id - (Required) ID of the logical router.
  • description - (Optional) Description of this resource.
  • display_name - (Optional) The display name of this resource. Defaults to ID if not set.
  • tag - (Optional) A list of scope + tag pairs to associate with this NAT rule.
  • action - (Required) NAT rule action type. Valid actions are: SNAT, DNAT, NO_NAT and REFLEXIVE. All rules in a logical router are either stateless or stateful; mixing them is not supported. SNAT and DNAT are stateful and are not supported when the logical router is running in active-active HA mode. The REFLEXIVE action is stateless. The NO_NAT action has no translated fields, only match fields.
  • enabled - (Optional) Enable/disable the rule.
  • logging - (Optional) Enable/disable logging for the rule.
  • match_destination_network - (Optional) IP Address | CIDR (null implies Any).
  • match_source_network - (Optional) IP Address | CIDR (null implies Any).
  • nat_pass - (Optional) Enable/disable bypassing the following firewall stage. The default is true, meaning that the following firewall stage is skipped. Please note that if action is NO_NAT, nat_pass must be set to true or omitted.
  • translated_network - (Optional) IP Address | IP Range | CIDR. For DNAT rules only a single IP is supported.
  • translated_ports - (Optional) Port number or port range. DNAT only.

Attributes Reference

In addition to arguments listed above, the following attributes are exported:

  • id - ID of the nat_rule.
  • revision - Indicates current revision number of the object as seen by NSX-T API server. This attribute can be useful for debugging.
  • rule_priority - The priority of the rule, evaluated in ascending order; valid range [0-2147483647]. If multiple rules have the same priority, the evaluation sequence is undefined.

Import

An existing NAT rule can be imported into this resource via the following command:

terraform import nsxt_nat_rule.rule1 logical-router-uuid/nat-rule-num

The above command imports the NAT rule named rule1 with the numeric id nat-rule-num that belongs to the tier 1 logical router with the NSX id logical-router-uuid.

© 2018 HashiCorp. Licensed under the MPL 2.0 License.