Open NonoCX opened 1 month ago
Thanks for the report @NonoCX
In the NSX API for NAT rules, the category is controlled by the sequence_number
parameter. In the terraform provider this is configured with the rule_priority
attribute (maybe we should have kept the same name...).
For instance setting a rule_priority < 1024 should result in the NAT rule being assigned to the INTERNAL category.
If you did already try this and it's not working for you, we should treat this issue as a bug.
Hi
I think this is a bug because the rule_priority
does not put the NAT rule in the correct section according to its value:
The valid range of the rule_priority number is from 0 to 2147483647 (MAX_INT).
- INTERNAL section rule_priority reserved from 0 - 1023 (1024 rules) valid sequence_number range 0 - 1023
- USER section rule_priority reserved from 1024 - 2147482623 (2147481600 rules) valid sequence_number range 0 - 2147481599
- DEFAULT section rule_priority reserved from 2147482624 - 2147483647 (1024 rules) valid sequence_number range 0 - 1023
When I create a NAT rule with rule_priority = 0:
```hcl
resource "nsxt_policy_nat_rule" "dnat1" {
  display_name         = "dnat_rule1"
  action               = "DNAT"
  source_networks      = ["9.1.1.1", "9.2.1.1"]
  destination_networks = ["11.1.1.1"]
  translated_networks  = ["10.1.1.1"]
  gateway_path         = data.nsxt_policy_tier1_gateway.this.path
  logging              = false
  firewall_match       = "MATCH_INTERNAL_ADDRESS"
  rule_priority        = 0
  tag {
    scope = "color"
    tag   = "blue"
  }
}
```
The rule is created under the USER section with sequence_number: 0.
There is nothing under the INTERNAL section.
To test creating a NAT rule under the DEFAULT section, I created a NAT rule with the max value of rule_priority (rule_priority = 2147483647),
but I got an error because Terraform puts the NAT rule under the USER section and the max value of rule_priority in the USER section is 2147482623.
To conclude: Terraform creates NAT rules under the USER section only.
I will open a bug
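As an added example (not code from this issue or from the provider), the mapping below turns a rule_priority into the NAT section and sequence_number implied by the ranges quoted above, and compares that with where a rule actually landed after apply, so a mis-placed rule (such as the rule_priority = 0 case reported here ending up in USER) is flagged rather than silently changing NAT precedence. The observed record is a constructed summary of the rule's section and sequence_number, not a raw API response.

```python
# Added example: expected NAT placement per the ranges quoted in this issue,
# plus a drift check against the placement observed after apply.

MAX_INT = 2147483647      # top of the rule_priority range
INTERNAL_END = 1023       # INTERNAL: 0 - 1023
USER_END = 2147482623     # USER: 1024 - 2147482623; DEFAULT: rest up to MAX_INT


def expected_placement(rule_priority: int) -> tuple[str, int]:
    """Return (section, sequence_number) a rule_priority should map to."""
    if not 0 <= rule_priority <= MAX_INT:
        raise ValueError(f"rule_priority {rule_priority} outside 0..{MAX_INT}")
    if rule_priority <= INTERNAL_END:
        return "INTERNAL", rule_priority
    if rule_priority <= USER_END:
        # USER sequence numbers restart at 0 just above the INTERNAL range
        return "USER", rule_priority - (INTERNAL_END + 1)
    # DEFAULT sequence numbers restart at 0 just above the USER range
    return "DEFAULT", rule_priority - (USER_END + 1)


def check_placement(rule_priority: int, observed_section: str,
                    observed_sequence_number: int) -> list[str]:
    """Return a list of mismatches between expected and observed placement.

    An empty list means the rule landed where its rule_priority implies.
    """
    exp_section, exp_seq = expected_placement(rule_priority)
    problems = []
    if observed_section != exp_section:
        problems.append(f"section {observed_section} != expected {exp_section}")
    if observed_sequence_number != exp_seq:
        problems.append(
            f"sequence_number {observed_sequence_number} != expected {exp_seq}")
    return problems


# Constructed sample: where dnat_rule1 (rule_priority = 0) was observed after
# apply according to the report above, reduced to the two fields that matter.
OBSERVED_DNAT1 = {"display_name": "dnat_rule1", "section": "USER",
                  "sequence_number": 0}

if __name__ == "__main__":
    mismatches = check_placement(0, OBSERVED_DNAT1["section"],
                                 OBSERVED_DNAT1["sequence_number"])
    print(mismatches or "placement OK")
```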
Is your feature request related to a problem? Please describe.
With the API of NSX it can be possible to create NAT under 3 different categories/sections (INTERNAL, USER and DEFAULT).
https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/3.2.1/html/api_includes/method_PatchPolicyNatRule.html
All NAT rules under INTERNAL take priority over the USER category/section.
We need to create NAT rules under INTERNAL to force SNAT of our customers' traffic when it joins our shared services.
But when I use the resource
nsxt_policy_nat_rule
it is not possible to create a NAT rule under the INTERNAL category/section. All rules are created under the USER section.
Describe the solution you'd like
Please, is it possible to add a feature to specify under which category/section (INTERNAL, USER or DEFAULT) the NAT rule must be created?
Describe alternatives you've considered
No response
Additional context
No response