Network address translation (NAT) enables one device (a router, switch,
or firewall) to connect a local area network with the internet and
outside devices. The NAT device forwards traffic to the intended host,
and serves as a firewall to systems that are behind the device, making
them inaccessible from outside the network.
In a Control Center system without a NAT device, the master host
connects directly to the delegate host's address:rpcport and requests
host information.
When the Control Center master host is outside the network, it can
connect to the NAT device, but cannot access delegate hosts behind the
device because they have private IP addresses. The NAT device forwards
its port to the delegate hosts' address:rpcport.
When you add a delegate host by using either Control Center interface
(browser or command-line), you must specify the hostname or IP address
and port of the NAT device. After you add delegate hosts, you must
transfer host keys to the delegate hosts and register them.
The Control Center master host always attempts registration on port 22.
If the NAT device forwards port 22 to the delegate host that you are
registering, you can remotely register the keys.
If you have two delegates behind the NAT device, change the port
forwarding for port 22 between adding the hosts, or transfer the keys
file manually to each delegate and register from that delegate.
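The rules above (the master reaches a delegate only through a port the NAT device forwards, and remote key registration works only while port 22 is forwarded to that delegate) can be checked before touching the NAT device. The following is an added example, not Control Center code; the NAT address, delegate addresses and forwarding table are constructed, and 4979 is assumed as the delegate rpcport.

```python
"""Plan how a Control Center master reaches delegates behind a NAT device.

Constructed example: the forwarding table and addresses are made up.
"""
from dataclasses import dataclass

SSH_PORT = 22     # the master always attempts key registration on port 22
RPC_PORT = 4979   # assumed delegate rpcport


@dataclass(frozen=True)
class Forward:
    nat_port: int       # port exposed on the NAT device's public address
    private_ip: str     # delegate host behind the NAT device
    private_port: int   # port on that delegate


def validate_forwards(forwards):
    """A NAT port can be forwarded to only one delegate at a time."""
    seen = {}
    for f in forwards:
        if f.nat_port in seen and seen[f.nat_port] != f.private_ip:
            raise ValueError(
                f"NAT port {f.nat_port} forwarded to both {seen[f.nat_port]} "
                f"and {f.private_ip}; change the forward between hosts")
        seen[f.nat_port] = f.private_ip


def plan_registration(nat_host, forwards, delegates):
    """Return, per delegate, the NAT endpoint to use when adding the host
    and whether keys can be registered remotely (port 22 reaches it)."""
    validate_forwards(forwards)
    plan = {}
    for ip in delegates:
        rpc = next((f for f in forwards
                    if f.private_ip == ip and f.private_port == RPC_PORT), None)
        ssh = next((f for f in forwards
                    if f.nat_port == SSH_PORT and f.private_ip == ip), None)
        plan[ip] = {
            # None means rpcport is not forwarded: the host cannot be added
            "rpc_endpoint": f"{nat_host}:{rpc.nat_port}" if rpc else None,
            "remote_register": ssh is not None and ssh.private_port == SSH_PORT,
        }
    return plan


if __name__ == "__main__":
    table = [Forward(4979, "10.0.0.11", 4979), Forward(4980, "10.0.0.12", 4979),
             Forward(22, "10.0.0.11", 22)]   # only delegate .11 gets port 22
    for ip, how in plan_registration("nat.example.net", table,
                                     ["10.0.0.11", "10.0.0.12"]).items():
        print(ip, how)
```

A delegate whose entry shows remote_register False needs the keys file transferred to it and registered from that delegate, or the port-22 forward changed first.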
When resetting keys, the CLI supports the --nat-address argument. If the
delegate is behind a NAT device and port 22 is forwarded to that
delegate, you can attempt to register the delegate when resetting the
key:
Security considerations for using Control Center with a NAT device
To attach to a service on a delegate behind the NAT device, you must
use ssh to access the delegate. From the delegate host, run serviced
service attach. For security reasons, you cannot use serviced service
attach from the master to connect to a delegate.
In the Control Center browser interface, for security reasons, you
cannot drill down to a service that is running on a delegate behind a
NAT device and click Container Log for the instance.