Skip to content

Using Control Center with a NAT device

Network address translation (NAT) enables one device (a router, switch, or firewall) to connect a local area network with the internet and outside devices. The NAT device forwards traffic to the intended host, and serves as a firewall to systems that are behind the device, making them inaccessible from outside the network.

In a Control Center system without a NAT device, the master host connects directly to the delegate host's address:rpcport and requests host information.

When the Control Center master host is outside the network, it can connect to the NAT device, but cannot access delegate hosts behind the device because they have private IP addresses. The NAT device forwards its port to the delegate hosts' address:rpcport.

When you add a delegate host by using either Control Center interface (browser or command-line) you must specify the hostname or IP address and port for the NAT device. After you add delegate hosts, you must transfer host keys to the delegate hosts and register them.

The Control Center master host always attempts registration on port 22. If the NAT device forwards port 22 to the delegate host that you are registering, you can remotely register the keys.

serviced host add Hostname-Or-IP:Host-Port \
  --nat-address==NAT-Hostname-Or-IP:NAT-Port \
  [--register]

If you have two delegates behind the NAT device, change the port forwarding for port 22 between adding the hosts, or transfer the keys file manually to and register from each delegate.

When resetting keys, the CLI supports the --nat-address argument. If the delegate is behind a NAT device and port 22 is forwarded to that delegate, you can attempt to register the delegate when resetting the key:

serviced key reset Hostname-Or-IP:Host-Port --register \ 
  --nat-address==NAT-Hostname-Or-IP:NAT-Port

Example: Adding delegate hosts to a resource pool

The master host is outside the network. Delegate hosts delegate1 and delegate2 are behind a NAT router. IP address and port information is as follow:

  • NAT router: 192.0.2.0
  • Delegate1: 198.51.100.0:4979
  • Delegate2: 203.0.113.0:4979

The router forwards port 4979 to delegate1's RPC port (4979):

serviced host add 198.51.100.0:4979 Resource-Pool \
  --nat-address=192.0.2.0:4979

The router forwards port 4980 to delegate2's RPC port (4979):

serviced host add 203.0.113.0:4979 Resource-Pool \
  --nat-address=192.0.2.0:4980 

Security considerations for using Control Center with a NAT device

To attach to a service on a delegates behind the NAT device, you must use ssh to access the delegate. From the delegate host, run serviced service attach. For security reasons, you cannot use serviced service attach from the master to connect to a delegate.

In the Control Center browser interface, for security reasons, you cannot drill down to a service that is running on a delegate behind a NAT device and click Container Log for the instance