Network address translation (NAT) is a function performed by routers (and firewalls) that lets devices on a private network reach public networks such as the internet. The routers that ISPs issue to customers typically perform it.

Operating at the edge of a private network, NAT lets a group of devices share one public IP address when they connect to hosts outside the private network, much as an API gateway consolidates many request paths behind a single address. The individual device addresses are not visible from outside, which is often described as a security benefit. The real protection, though, comes from the translation state the router keeps: inbound packets that match no connection an internal host opened (and no explicit forwarding rule) cannot be translated and are dropped. NAT hides addresses; it does not replace a firewall policy.

NAT can also be applied inside an ISP's network to translate many customers' addresses onto a smaller pool of public IPs. This is carrier-grade NAT (CGNAT, or CGN); subscribers are typically given addresses from the shared address space 100.64.0.0/10 (RFC 6598) and their traffic is translated a second time at the ISP edge. It is used for subscriber traffic rather than inside an organization's own network.

NAT dates from the early 1990s and is usually traced conceptually to the IETF's ROAD (ROuting and ADdressing) group; the first specification was RFC 1631 (1994). By then it was clear that the pool of IPv4 addresses would be exhausted as the internet kept growing. By placing many devices behind one public address, organizations could greatly reduce the number of IPv4 addresses they consumed, buying time for the IPv6 specification and its vastly larger address space.

Why is network address translation (NAT) beneficial?

NAT conserves public IP addresses so that those still available can be allocated elsewhere. This matters more as public IPv4 addresses become scarcer (and therefore more expensive). Most devices still need to reach IPv4-only servers. They do so either through an IPv4 NAT gateway, for dual-stack devices that have both IPv4 and IPv6 addresses, or through a NAT64 gateway (RFC 6146), which lets IPv6-only devices communicate with IPv4 hosts. The internet has not fully moved to IPv6, and NAT continues to bridge the gap.

Because private networks often host many devices, keeping them in a private, separate address space simplifies network management. Most devices do not need to be (and generally should not be) directly reachable from the internet. An ISP needs to issue only one or a few public IPs regardless of how many devices sit behind them.

NAT has the following benefits: 

  • Better network performance and lower public bandwidth consumption, since traffic between devices on the private network stays local and never crosses the border router

  • Greater network topology design options, as different device classes can be assigned to different address segments

  • Easier network administration through a cleaner, more consistent internal addressing plan

  • Multi-homing capabilities for organizations that want or need to connect to multiple ISPs, or when devices on a private network need to reach multiple public networks

  • Cost savings, since organizations don't need to acquire or manage nearly as many individual IP addresses

How does network address translation (NAT) work?

NAT requires a router to intercept outbound traffic and replace each packet's private source IP address with the router's own public address before the packet reaches the internet. Port address translation (PAT) variants also rewrite the source port and record the mapping in a translation table so that return traffic can be matched to the right internal host.

The rewritten packet is then forwarded to its destination. When a reply arrives at the router's public address, the router looks up the mapping and rewrites the destination address (and port) back to the private address of the internal host. The translation is transparent to both endpoints: the internal host sees only its private address and the external host sees only the router's public address. An inbound packet with no matching table entry and no explicit forwarding rule cannot be translated and is dropped, which is what actually keeps internal hosts unreachable from outside.

Nearly every edge router has NAT built in. Private networks need NAT to reach the public internet, whereas hosts with public IP addresses communicate without any translation.

There are three types of NAT: 

  • Static NAT – Each internal IP address is mapped permanently, one to one, to a unique external IP address, and the router applies that fixed translation in both directions. It is commonly used for servers (web servers, for example) that must be reachable from outside at a stable public address.

  • Dynamic NAT – The router maps internal IPs to a pool of external IP addresses. An internal host is assigned whichever pool address is free when it starts a connection, so its public address can differ from one session to the next; the router records the mapping so that replies to that global address are translated back to the internal source. It suits clients that initiate connections outward but do not need to be reachable from the internet.

  • Port address translation (PAT) – The most widely used form of dynamic NAT, also known as NAT overload or (on Linux) masquerading. PAT maps many internal IP addresses to a single external IP address by giving each connection its own source port; the combination of public IP and port uniquely identifies the internal host and connection.
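The following is an added illustration of the translation table described above (how NAT works, and the static versus dynamic/PAT types); it is not HAProxy code. It models one router with a single public address: outbound packets create PAT state, replies are matched against that state, a static entry publishes one internal service, and anything that matches neither is dropped. All addresses, ports and hosts are constructed for the example (RFC 5737 documentation ranges on the public side, RFC 1918 on the private side). The dynamic lookup here requires the remote endpoint to match the one the internal host contacted; real devices differ in how strictly they filter (RFC 4787 calls this endpoint-independent versus address-and-port-dependent filtering), so treat it as one common behaviour, not the only one.

```python
"""Toy stateful NAT / PAT router for one public address.

Added illustration, not HAProxy code. Addresses, ports and hosts are
constructed. A packet is (src_ip, src_port, dst_ip, dst_port).
"""
from typing import Dict, Optional, Tuple

Packet = Tuple[str, int, str, int]


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # PAT state created by outbound traffic:
        #   private 4-tuple -> public source port
        self.out: Dict[Packet, int] = {}
        #   (public port, remote ip, remote port) -> (private ip, private port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # Static (port-forwarding) entries, reachable from any remote host:
        #   public port -> (private ip, private port)
        self.static: Dict[int, Tuple[str, int]] = {}

    def add_static(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Publish an internal service at a fixed public port (static mapping)."""
        self.static[public_port] = (private_ip, private_port)

    def _alloc_port(self) -> int:
        """Hand out the next free public port, skipping published ones."""
        in_use = set(self.out.values()) | set(self.static)
        while self.next_port in in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private-to-public packet and record the mapping."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if pkt not in self.out:
            port = self._alloc_port()
            self.out[pkt] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[pkt], dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a public-to-private packet, or return None to drop it."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        if dst_port in self.static:
            # Published service: any remote host is let through.
            priv_ip, priv_port = self.static[dst_port]
            return (src_ip, src_port, priv_ip, priv_port)
        # Dynamic mapping: only the remote endpoint the internal host talked
        # to matches; anything else has no entry and is dropped.
        target = self.back.get((dst_port, src_ip, src_port))
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])


def demo() -> Dict[str, Optional[Packet]]:
    nat = Nat("203.0.113.10")                  # router's single public IP (constructed)
    nat.add_static(443, "192.168.1.20", 8443)   # internal web server published on :443
    r: Dict[str, Optional[Packet]] = {}
    # Two internal hosts use the same source port toward the same server;
    # PAT keeps them apart by giving each its own public port.
    r["out1"] = nat.outbound(("192.168.1.50", 51234, "198.51.100.7", 80))
    r["out2"] = nat.outbound(("192.168.1.51", 51234, "198.51.100.7", 80))
    r["out1_again"] = nat.outbound(("192.168.1.50", 51234, "198.51.100.7", 80))
    # Reply from the server host 1 contacted: translated back to 192.168.1.50.
    r["reply"] = nat.inbound(("198.51.100.7", 80, "203.0.113.10", r["out1"][1]))
    # Same public port, different remote host: no state, dropped.
    r["spoof"] = nat.inbound(("198.51.100.9", 80, "203.0.113.10", r["out1"][1]))
    # Unsolicited scan of a port nothing is mapped to: dropped.
    r["probe"] = nat.inbound(("198.51.100.9", 4444, "203.0.113.10", 22))
    # Published service: reachable from anywhere, hidden address or not.
    r["published"] = nat.inbound(("198.51.100.9", 55555, "203.0.113.10", 443))
    return r


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} {pkt if pkt else 'dropped'}")
```

Running the script shows the two points the prose makes: the two internal hosts with identical source ports get distinct public ports (40000 and 40001), and the only inbound packets that pass are the genuine reply and the traffic to the deliberately published port 443. The spoofed reply and the port-22 probe have no table entry and are dropped; the published host is reachable regardless of its private address being hidden.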

Inside-to-outside translation happens after routing, while outside-to-inside translation happens before routing is completed. NAT can also be combined with rate limiting, TCP load balancing, and wireless LAN segments, and it can be applied to subinterfaces, the logical subdivisions of a physical interface on a router or other Layer 3 device (one per VLAN, for example).

Does HAProxy support network address translation (NAT)?

Yes. HAProxy ALOHA uses NAT to rewrite the destination and source IP addresses of incoming packets before forwarding them to the backend server. On the way back, HAProxy ALOHA restores the original IPs in the server's responses and returns the packets to the client. You can also define source NAT rules, or configure HAProxy ALOHA as the default gateway for the backend servers so that their return traffic passes through it.

To learn more about NAT support in HAProxy, check out our network address translation (NAT) documentation.