diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
index 15ecc6c896c..1a2127463a1 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
@@ -28,6 +28,8 @@ usage() {
 
 #set -x
 
+vpnoutmark="0x525"
+
 static_nat() {
   local op=$1
   local publicIp=$2
@@ -41,8 +43,19 @@ static_nat() {
   [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp 
   # the delete operation may have errored out but the only possible reason is 
   # that the rules didn't exist in the first place
-  [ "$op" == "-A" ] && rulenum=1
   [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
 
   # shortcircuit the process if error and it is an append operation
   # continue if it is delete
@@ -51,7 +64,7 @@ static_nat() {
   # add mark to force the package go out through the eth the public IP is on
   #(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
   #         --set-mark $tableNo &> $OUTFILE ||  [ "$op" == "-D" ]) &&
-  (sudo iptables -t nat $op2 POSTROUTING -o $ethDev -s $instIp -j SNAT \
+  (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
            --to-source $publicIp &>> $OUTFILE )
   result=$?
   logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 73b82471bf1..ea4065a8d60 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -24,6 +24,8 @@ then
     exit 1
 fi
 
+vpnoutmark="0x525"
+
 usage() {
   printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
 }
@@ -204,8 +206,19 @@ static_nat() {
   [ "$op" == "-A" ] && static_nat $publicIp $instIp  "-D" 
   # the delete operation may have errored out but the only possible reason is 
   # that the rules didn't exist in the first place
-  [ "$op" == "-A" ] && rulenum=1
   [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
 
   local dev=$(ip_to_dev $publicIp)
   [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1