Port Forwarding
What is Port Forwarding?
Port forwarding functions based on the layer-3 forwarding service of VPC vRouters. This service forwards traffic flows of the specified IP addresses and ports in a public network to specified ports of VM instances by using the specified protocol. If your public IP addresses are insufficient, you can configure port forwarding for multiple VM instances by using one public IP address and port.
- VM instances in a private network for which SNAT is enabled can access external networks. However, VM instances in a private network are not reachable from external networks. You can use a port forwarding rule to allow access to specified ports of the VM instances from external networks.
- You can associate a port forwarding rule with a VM NIC and disassociate a port forwarding rule from a VM NIC based on your business needs.
- Port forwarding services are provided only by VPC vRouters. Port forwarding rules are applied to a public network associated with a VPC vRouter and a private network where VM instances reside, as shown in the following figure.
Figure 1. Port Forwarding 
- Port forwarding is achieved by using a virtual IP address (VIP).
- A VIP is an available IP address in a public network.
- You can use an existing VIP or create a VIP to provide port forwarding services.
- Two port forwarding methods are supported: port-to-port mapping and port range-based mapping.
Figure 2. VIP-Port Forwarding 
Limits
- The firewall policy of a VM instance must open the port specified for port forwarding.
- The ports used for port forwarding by the same VIP must be unique.
- You can use a VIP to provide port forwarding services for different ports of multiple VM NICs in the same L3 network.
- You can use only one VIP to provide port forwarding services for a VM instance.
- If you disassociate a VIP from a VM instance and then associate the VIP with the VM instance, you can select VM NICs that reside in the same L3 network as the previously disassociated VM instance.
- The source port range and target port range used for port forwarding must be consistent. For example, if you set the source port range to 22-80, the target port range must also be 22-80.
Create a Port Forwarding Rule
On the main menu of ZStack Cloud, choose . On the Port Forwarding page, click Create Port Forwarding. Then, the Create Port Forwarding page is displayed.
- Name: Enter a name for the port forwarding rule. The name must be 1 to 128 characters in length and can contain Chinese characters, letters, digits, spaces, hyphens (-), underscores (_), periods (.), parentheses (), colons (:), and plus signs (+). It cannot begin or end with spaces.
- Description: Optional. Enter a description for the port forwarding rule.
- VIP: You can create a VIP or use an existing VIP to provide port forwarding services.
- Create VIP: Create a VIP. If you select to create a VIP, set the following parameters:
- Network: Select a public network to create a VIP.
- Network Range: Optional. Select a network range. If you selected an IPv4 public network, you can select a normal network range or an address pool.
- Assign IP: Optional. You can assign a virtual IP address.
Note:
- If left blank, the system automatically assigns a VIP.
- If you do not select a network range, you can specify an IP address only from a normal network range.
- Use Existing VIP: Use an existing VIP. If you select to use an existing VIP, set the following parameters:
- VIP: Select an existing VIP.
Note: The system VIP of a VPC vRouter can be used to provide port forwarding services.
- Protocol: Select a protocol. Valid values: TCP and UDP.
- TCP: supports ports 1-65535.
- UDP: supports ports 1-65535.
- Port: Select a port mapping method.
Two port mapping methods are supported: port-to-port mapping and port range-based mapping.
- Specified Port: If you specify ports, set the following parameters:
- Source Port: Select a port from ports 1-65535 as the source port.
- VM Port: Select a port from ports 1-65535 as the VM port.
For example, if you set 24 as the source port and 22 as the VM port, the traffic to port 24 of the public IP will be forwarded to port 22 of the VM instance.
- Port Range: Select two ports from ports 1-65535 as the start port and end port, respectively.
For example, if the port range is 22-80, traffic to ports 22-80 of the public IP will be forwarded to ports 22-80 of the VM instance.
- Allowed CIDR: Optional. You can specify a CIDR block so that access is allowed only from this CIDR block.
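The limits and form parameters above can be checked before rules are created or when an existing rule set is reviewed. The following is an added example, not ZStack Cloud code: the rule dictionary layout, field names, and sample rules are hypothetical, and it assumes port uniqueness is evaluated per VIP and protocol.

```python
import ipaddress
from collections import defaultdict

def check_rules(rules):
    """Return (rule name, finding) pairs for rules that conflict with the page's limits."""
    findings = []
    used = defaultdict(list)  # (vip, protocol) -> [(start, end, rule name)]
    vip_of_vm = {}            # vm -> VIP of the first rule seen for that VM
    for r in rules:
        name, src, dst = r["name"], tuple(r["source_ports"]), tuple(r["vm_ports"])
        if r["protocol"] not in ("TCP", "UDP"):
            findings.append((name, "protocol must be TCP or UDP"))
        if not all(1 <= lo <= hi <= 65535 for lo, hi in (src, dst)):
            findings.append((name, "port outside 1-65535"))
        # Port-to-port mapping may differ (24 -> 22); a port range must match exactly.
        is_range = src[0] != src[1] or dst[0] != dst[1]
        if is_range and src != dst:
            findings.append((name, "source and target port ranges differ"))
        # Assumption: uniqueness of ports is checked per VIP and protocol.
        for lo, hi, other in used[(r["vip"], r["protocol"])]:
            if src[0] <= hi and lo <= src[1]:
                findings.append((name, f"source ports overlap rule {other} on the same VIP"))
        used[(r["vip"], r["protocol"])].append((src[0], src[1], name))
        if vip_of_vm.setdefault(r["vm"], r["vip"]) != r["vip"]:
            findings.append((name, "VM instance already uses another VIP"))
        # Allowed CIDR is optional; an empty value is reported for review, not as an error.
        cidr = r.get("allowed_cidr")
        if cidr is None:
            findings.append((name, "no Allowed CIDR set"))
        else:
            try:
                ipaddress.ip_network(cidr)  # strict: host bits must be zero
            except ValueError:
                findings.append((name, "Allowed CIDR is not a valid CIDR block"))
    return findings

# Constructed sample rules (documentation address ranges, hypothetical names).
SAMPLE_RULES = [
    {"name": "ssh-vm1", "vip": "203.0.113.10", "protocol": "TCP", "vm": "vm-1",
     "source_ports": (24, 24), "vm_ports": (22, 22), "allowed_cidr": "198.51.100.0/24"},
    {"name": "web-vm2", "vip": "203.0.113.10", "protocol": "TCP", "vm": "vm-2",
     "source_ports": (22, 80), "vm_ports": (22, 80), "allowed_cidr": None},
    {"name": "bad-range", "vip": "203.0.113.11", "protocol": "TCP", "vm": "vm-1",
     "source_ports": (8000, 8010), "vm_ports": (9000, 9010), "allowed_cidr": "198.51.100.7/24"},
]

if __name__ == "__main__":
    for name, finding in check_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The first sample rule mirrors the page's 24-to-22 example and produces no findings; the second collides with it because the range 22-80 includes port 24 on the same VIP.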

