Azure Documentation

Azure NAT Gateway

Azure NAT Gateway provides outbound connectivity from subnets to the internet or other Azure services. It simplifies outbound connectivity for virtual machines and services within your virtual network without requiring public IP addresses on individual resources.

What is NAT Gateway?

Network Address Translation (NAT) Gateway is a fully managed and highly resilient Azure Networking service that provides outbound-only Internet connectivity for virtual networks. NAT Gateway is configured on a subnet and allows all outbound traffic from the subnet to use the NAT Gateway's public IP addresses for source network address translation.

Key Features and Benefits

  • Simplified Outbound Connectivity: Eliminates the need to manage public IP addresses on individual VMs or other resources.
  • High Performance: Designed to handle high volumes of outbound traffic with low latency.
  • Scalability: Automatically scales to meet demand.
  • Resilience: Offers high availability and fault tolerance.
  • Security: Provides a controlled point of outbound access.
  • SNAT Port Overflow Prevention: Offers a large pool of SNAT ports to avoid common SNAT port exhaustion issues.

How NAT Gateway Works

When you deploy a NAT Gateway, you associate it with one or more subnets in your virtual network. All outbound traffic originating from resources within these subnets will automatically use the public IP addresses configured on the NAT Gateway as the source IP address. This process is known as Source Network Address Translation (SNAT).

NAT Gateway supports both Public IP addresses and Public IP Prefix resources for its outbound IP addresses.

NAT Gateway Configuration

To configure a NAT Gateway, you typically perform the following steps:

  1. Create a NAT Gateway resource: Specify a name, region, and SKU.
  2. Associate Public IP addresses: Link one or more Public IP addresses or Public IP Prefixes to the NAT Gateway.
  3. Configure Idle Timeout: Set the TCP idle timeout for connections.
  4. Associate with a Subnet: Link the NAT Gateway to the desired subnet(s) in your virtual network.

# Example Azure CLI command to create a NAT Gateway
az network nat gateway create \
  --name MyNatGateway \
  --resource-group MyResourceGroup \
  --location eastus \
  --public-ip-address MyPublicIp \
  --sku Standard \
  --idle-timeout 4 \
  --zone 1

Use Cases

  • Web Servers: Allow web servers in a private subnet to receive incoming requests via a load balancer and send outbound responses without exposing them directly.
  • Backend Services: Enable backend services that need to initiate outbound connections (e.g., to SaaS APIs) without public IP addresses on each instance.
  • IoT Devices: Provide secure and reliable outbound connectivity for IoT devices deployed within an Azure VNet.
  • Scalable Outbound Connectivity: When you have a large number of VMs or services that require outbound internet access and want to avoid managing individual public IPs.

Important Considerations:

NAT Gateway only handles outbound traffic. Inbound traffic must be managed by other Azure services like Load Balancers, Application Gateways, or individual Public IP addresses.

Further Reading