introduce section for no-nat rule

Author: jjaygbay

articles/azure-vmware/enable-public-ip-nsx-edge.md

@@ -3,7 +3,7 @@ title: Enable Public IP to the NSX Edge for Azure VMware Solution (Preview)
 description: This article shows how to enable internet access for your Azure VMware Solution.
 ms.topic: how-to
 ms.service: azure-vmware
-ms.date: 05/12/2022
+ms.date: 07/21/2022
 ---
 
 # Enable Public IP to the NSX Edge for Azure VMware Solution (Preview)
@@ -62,6 +62,18 @@ There are three options for configuring your reserved Public IP down to the NSX
 
 A Sourced Network Translation Service (SNAT) with Port Address Translation (PAT) is used to allow many VMs to one SNAT service. This connection means you can provide Internet connectivity for many VMs.
 
+
+
+>[!Note]
+> To enable SNAT for your specified address ranges, you must [configure a gateway firewall rule](#gateway-firewall-used-to-filter-traffic-to-vms-at-t1-gateways).
+
+>[!Note]
+> Creating the following SNAT rules enables addresses ranges specified in the source. If you don't want SNAT enabled for specific address ranges, create a [No-NAT rule for the address ranges](#no-nat-rule-for-specific-address-ranges) to exclude the specified address range. For this functionality to work as expected, make the No-NAT rule a higher priority than the SNAT rule .
+
+
+
+
+
 **Add rule**
 1.	From your Azure VMware Solution private cloud, select **vCenter Credentials**
 2.	Locate your NSX-T URL and credentials.
@@ -81,6 +93,22 @@ A Sourced Network Translation Service (SNAT) with Port Address Translation (PAT)
 
 Logging can be enabled by way of the logging slider. For more information on NSX-T NAT configuration and options, see the 
 [NSX-T NAT Administration Guide](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-7AD2C384-4303-4D6C-A44A-DEF45AA18A92.html)
+
+## No-NAT rule for specific address ranges
+
+A No-NAT rule can be used to exclude certain matches from performing Network Address Translation.  This can be used to allow private IP traffic to bypass the NAT rule.
+
+1. Navigate to NAT Rules.
+1. Select the T1 Router, and then select **ADD NAT RULE**.
+1. Configure the rule. 
+      1. Enter the name, then select No SNAT.
+         :::image type="content" source="media/public-ip-nsx-edge/public-ip-internet-3nat-rules.png" alt-text="Diagram that shows how to add a no-Nat rule to exclude certain matches." border="false" lightbox="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip.png":::
+      1. Enter the match criteria.
+         :::image type="content" source="media/public-ip-nsx-edge/public-ip-internet-add-nat-rule.png" alt-text="Diagram that shows how to add a T1 router to a Nat rule." border="false" lightbox="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip.png":::
+      1. Select **SAVE**.
+         :::image type="content" source="media/public-ip-nsx-edge/public-ip-internet-save-no-nat.png" alt-text="Diagram that shows how to add a T1 router to a Nat rule." border="false" lightbox="media/public-ip-nsx-edge/architecture-internet-access-avs-public-ip.png":::
+
+
 ### Inbound Internet Access for VMs
 A Destination Network Translation Service (DNAT) is used to expose a VM on a specific Public IP address and/or a specific port. This service provides inbound internet access to your workload VMs.
 
@@ -101,7 +129,7 @@ The VM is now exposed to the internet on the specific Public IP and/or specific
 
 ### Gateway Firewall used to filter traffic to VMs at T1 Gateways
 
-You can provide security protection for your network traffic in and out of the public Internet through your Gateway Firewall. 
+You can provide security protection for your network traffic in and out of the public internet through your Gateway Firewall. 
 1.	From your Azure VMware Solution Private Cloud, select **VMware credentials**
 2.	Locate your NSX-T URL and credentials.
 3.	Log in to **VMware NSX-T**.