Network Address Translation (NAT) is one of those stateful services that’s almost impossible to scale out, because you have to distribute the state of the service (NAT mappings) across all potential ingress and egress points.
Midokura implemented distributed stateful services architecture in their Midonet product, but faced severe scalability challenges, which they claim to have solved with more intelligent state distribution.
Nuage Networks took a different approach in the Virtualized Services Platform: they figured out that in most cases you don’t need a generic (hard to solve) solution, but one of two manageable subsets:
- Static 1:1 NAT between an external (service) IP address and an internal (VM) IP address. The mapping is static (no state to distribute) and can be moved to the hypervisor host on which the VM is running;
- Dynamic outbound PAT (port-and-address NAT) to give internal servers access to outside resources. The outside IP address is irrelevant, allowing each hypervisor host to keep independent state.
Outbound sessions traversing per-host PAT are lost after a live VM migration. Inbound sessions traversing static 1:1 NAT are not affected, as the NAT mapping and the outside IP address are moved together with the VM.
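The following is an added toy model (not Nuage or Midokura code) of the two NAT subsets described above, written to make the migration behaviour concrete: each hypervisor owns an outside IP and an independent outbound PAT table, while the static 1:1 NAT mapping is a property of the VM record and therefore moves with the VM. All hosts, VM names, addresses and ports are constructed for the illustration.

```python
"""Toy model of per-host outbound PAT versus static 1:1 NAT.

Constructed example: two hypervisor hosts, each with its own outside IP and
an independent outbound PAT table, plus a static 1:1 NAT mapping that is
attached to the VM record and therefore moves with it on live migration.
All addresses and ports are made up for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# key used by the per-host PAT table: (vm_ip, vm_port, dst_ip, dst_port)
FlowKey = Tuple[str, int, str, int]


@dataclass
class VM:
    name: str
    ip: str                                # internal (overlay) address
    static_nat_ip: Optional[str] = None    # external 1:1 NAT address, if any


@dataclass
class Hypervisor:
    name: str
    outside_ip: str                        # this host's own address used for PAT
    vms: Dict[str, VM] = field(default_factory=dict)      # keyed by VM ip
    pat_out: Dict[FlowKey, int] = field(default_factory=dict)
    pat_in: Dict[int, FlowKey] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, vm_ip, vm_port, dst_ip, dst_port):
        """Translate an outbound packet; PAT state is allocated locally only."""
        if vm_ip not in self.vms:
            raise ValueError(f"{vm_ip} is not hosted on {self.name}")
        key = (vm_ip, vm_port, dst_ip, dst_port)
        if key not in self.pat_out:
            port = self.next_port
            self.next_port += 1
            self.pat_out[key] = port
            self.pat_in[port] = key
        return self.outside_ip, self.pat_out[key]

    def inbound_reply(self, outside_port):
        """Reverse-translate a reply to a PAT session; None = no usable state."""
        key = self.pat_in.get(outside_port)
        if key is None or key[0] not in self.vms:
            return None       # unknown session, or the VM has left this host
        return key[0], key[1]


class Cloud:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}

    def place(self, vm, host_name):
        self.hosts[host_name].vms[vm.ip] = vm

    def host_of(self, vm_ip):
        for h in self.hosts.values():
            if vm_ip in h.vms:
                return h
        return None

    def migrate(self, vm_ip, dst_host):
        """Live-migrate a VM: the VM record (and its static NAT) moves,
        per-host PAT state stays behind on the source hypervisor."""
        src = self.host_of(vm_ip)
        vm = src.vms.pop(vm_ip)
        self.hosts[dst_host].vms[vm.ip] = vm
        return src.name, dst_host

    def inbound_static(self, external_ip):
        """Deliver a packet sent to a 1:1 NAT address: the VM is found by its
        static mapping, so delivery works wherever the VM currently runs."""
        for h in self.hosts.values():
            for vm in h.vms.values():
                if vm.static_nat_ip == external_ip:
                    return h.name, vm.ip
        return None


def demo():
    """Run the migration scenario; returns the observations made in the text."""
    h1 = Hypervisor("hv1", "198.51.100.1")
    h2 = Hypervisor("hv2", "198.51.100.2")
    cloud = Cloud([h1, h2])
    web = VM("web", "10.0.0.5", static_nat_ip="203.0.113.10")
    cloud.place(web, "hv1")

    inbound_before = cloud.inbound_static("203.0.113.10")
    out_ip, out_port = h1.outbound("10.0.0.5", 51000, "192.0.2.80", 443)
    reply_before = h1.inbound_reply(out_port)

    cloud.migrate("10.0.0.5", "hv2")

    inbound_after = cloud.inbound_static("203.0.113.10")
    reply_on_old = h1.inbound_reply(out_port)   # state exists, VM is gone
    reply_on_new = h2.inbound_reply(out_port)   # no state at all
    return {
        "inbound_before": inbound_before, "inbound_after": inbound_after,
        "pat_outside": (out_ip, out_port), "reply_before": reply_before,
        "reply_on_old_host": reply_on_old, "reply_on_new_host": reply_on_new,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the asymmetry: the 1:1 mapping resolves to hv1 before the move and to hv2 after it, while the outbound PAT session can no longer be reverse-translated on either host (the old host has the state but no longer the VM; the new host has the VM but no state), which is exactly why only outbound sessions are lost on live migration.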