The NAT thing is a miss from a product perspective and something few, if any, want to spend time managing.<p>That said, there is a place for just using the NAT for software updates. For instance, if you're running Rethink -- or any self-hosted db -- there are few (if any?) good reasons to expose that service to public IP space. In that case, the NAT isn't particularly important after setup and can serve as a bastion host while your're at it.