Windows Server 2016 TP 4 include a NAT mode for VmSwitch. Even if this feature is built for container, you can use it for all VM. The NAT engine is part of the Windows core routing engine. Nat VmSwitch will have the save limit.

The process is very simple, create a vmSwtich in NAT mode and Create NAT Policy in windows

$Subnet = "192.168.100.0/23"

New-VmSwitch –name SwNat -SwitchType NAT -NatSubnetAddress $Subnet
New-NetNat -Name NatPolicy -InternalIPInterfaceAddressPrefix $Subnet

The NatSubnetAdress and InternalIPInterfaceAddressPrefix must be the Same.

For now, it’s seem that you can only have one Nat Policy with an internal Ip interface. You will have an error If you already have a Nat Policy. It is the case if you test the container on the same host.

If so you can remove the nat policy if you don’t want to use

Get-netnat | remove-netnat 

Or you can simply use it. In this case, the subnet is 172.16.0.0/12

If you want more detail about NetNat you can use

PS>get-command –module NetNat

get-command.png

Get-netnat give you more detail about the netnat object
get-netnat.png

Get-NetNatExternalAddress will give you all external address used in the Nat instance.

Now you can setup a VM and plug it on the Nat Switch You will need to use an IP address in the subnet 192.168.100.0/23. The default gateway is 192.168.100.1.

Check that you can access to internet. Now you can map a service to your VM, a destination NAT.

Add-NetNatStaticMapping -NatName NatPolicy  -Protocol TCP -ExternalIPAddress 0.0.0.0 -InternalIPAddress 192.168.100.25 -InternalPort 80 -ExternalPort 80

This will create destination map from everywhere to the VM with 192.168.100.25 IP using standard http port.

Nat feature is a good solution for a containers host or a lab environment. With all this limitation you should use a more robust tool. You can choose Sophos UTM in VM or a windows 2012 R2/2016 with RAS or any other firewall/network virtual appliance.