Azure NAT Gateway Documentation


Introduction to Azure NAT Gateway

Azure NAT Gateway is a fully managed and highly resilient network service that provides outbound connectivity for virtual machines (VMs) or virtual machine scale sets within a virtual network. It simplifies outbound-only NAT, allowing you to create a scalable, easy-to-configure solution for managing outbound IP addresses.

NAT Gateway is designed to overcome the limitations of traditional outbound SNAT port allocation by providing a large pool of SNAT ports, ensuring that your applications can scale without encountering SNAT port exhaustion issues. It also offers a static, predictable outbound IP address, which is crucial for allow-listing scenarios.

[Figure: Azure NAT Gateway architecture diagram. Simplified diagram of Azure NAT Gateway in a virtual network.]

By abstracting the complexity of managing outbound connectivity, NAT Gateway allows developers and network administrators to focus on building and deploying applications rather than managing IP addresses and ports.

How Azure NAT Gateway Works

When you associate a NAT Gateway with a subnet, all outbound traffic originating from resources within that subnet is automatically routed through the NAT Gateway. The NAT Gateway then uses its configured public IP addresses or IP prefixes to establish outbound connections.

Key components:

  • Subnet Association: NAT Gateway is associated with a virtual network's subnet. All resources within this subnet will use the NAT Gateway for outbound traffic.
  • Public IP Addresses/Prefixes: You configure one or more Public IP addresses or Public IP prefixes for the NAT Gateway. These IPs become the source IP addresses for all outbound connections.
  • SNAT Port Allocation: NAT Gateway provides a large pool of SNAT ports (4000 ports per instance, scalable to 16 instances for 64,000 SNAT ports). This ensures ample port availability for numerous concurrent outbound connections.
  • Stateful Firewall: NAT Gateway maintains connection state information, ensuring that return traffic is correctly routed back to the originating VM.

When a VM in the associated subnet initiates an outbound connection:

  1. The traffic leaves the VM with its private IP address.
  2. The NAT Gateway intercepts this traffic.
  3. It translates the private IP address to one of its configured public IP addresses and assigns an available SNAT port.
  4. The translated packet is sent to the destination.
  5. When the response arrives at the public IP and SNAT port, the NAT Gateway translates it back to the original private IP and port and forwards it to the VM.
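The five steps above, together with the SNAT port pool, the idle-timeout expiry described under Limitations, and the exhaustion failure mode from the FAQ, can be followed in a small stateful-NAT model. This is an added example, not Azure code: the Azure NAT Gateway data plane is not public, so the pool size, port range, clock and the names `Flow`, `Mapping` and `NatGateway` are constructed for illustration. It keeps the page's timeouts (TCP configurable 4 to 120 minutes, UDP fixed at 4 minutes), allocates one (public IP, port) pair per outbound flow, reverse-maps return traffic, drops unsolicited inbound packets, and reports `None` when the pool is exhausted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Outbound 5-tuple as seen on the private side (step 1 above)."""
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    public_ip: str
    snat_port: int
    last_seen: float  # seconds on a constructed clock; drives idle-timeout expiry


class NatGateway:
    """Stateful SNAT over a fixed pool of (public IP, port) pairs.

    Constructed model: pool size, port range and the clock are parameters
    chosen for illustration, not Azure's real allocation scheme."""

    def __init__(self, public_ips, ports_per_ip, tcp_idle_minutes=4):
        if not 4 <= tcp_idle_minutes <= 120:
            raise ValueError("TCP idle timeout must be between 4 and 120 minutes")
        # TCP idle timeout is configurable; UDP is fixed at 4 minutes (per the page)
        self.idle_seconds = {"tcp": tcp_idle_minutes * 60, "udp": 4 * 60}
        self.free = [(ip, port) for ip in public_ips
                     for port in range(1024, 1024 + ports_per_ip)]
        self.outbound = {}   # Flow -> Mapping
        self.inbound = {}    # (proto, public_ip, snat_port, dst_ip, dst_port) -> Flow
        self.exhausted_drops = 0

    def _inbound_key(self, flow, m):
        return (flow.proto, m.public_ip, m.snat_port, flow.dst_ip, flow.dst_port)

    def _expire(self, now):
        """Release mappings idle longer than their protocol's timeout."""
        for flow, m in list(self.outbound.items()):
            if now - m.last_seen > self.idle_seconds[flow.proto]:
                del self.outbound[flow]
                del self.inbound[self._inbound_key(flow, m)]
                self.free.append((m.public_ip, m.snat_port))

    def translate_outbound(self, flow, now):
        """Steps 2-3: return the (public IP, SNAT port) the packet leaves with,
        or None when no SNAT port is available (the exhaustion failure mode)."""
        self._expire(now)
        m = self.outbound.get(flow)
        if m is None:
            if not self.free:
                self.exhausted_drops += 1
                return None
            ip, port = self.free.pop(0)
            m = Mapping(ip, port, now)
            self.outbound[flow] = m
            self.inbound[self._inbound_key(flow, m)] = flow
        m.last_seen = now
        return (m.public_ip, m.snat_port)

    def translate_inbound(self, proto, public_ip, snat_port, remote_ip, remote_port, now):
        """Step 5: map a return packet back to (private IP, private port).
        A packet with no matching state is dropped (returns None), which is why
        the gateway carries outbound-initiated traffic only."""
        self._expire(now)
        flow = self.inbound.get((proto, public_ip, snat_port, remote_ip, remote_port))
        if flow is None:
            return None
        self.outbound[flow].last_seen = now
        return (flow.src_ip, flow.src_port)


if __name__ == "__main__":
    gw = NatGateway(["203.0.113.10"], ports_per_ip=2)   # constructed: tiny pool
    web = Flow("tcp", "10.0.0.4", 50000, "198.51.100.7", 443)
    print(gw.translate_outbound(web, now=0))             # ('203.0.113.10', 1024)
    print(gw.translate_inbound("tcp", "203.0.113.10", 1024, "198.51.100.7", 443, now=1))
```

The pool is deliberately tiny so that a third flow fails immediately; in the model the port is only handed back once the flow has been idle past its timeout, which is the same reason a long TCP idle timeout raises the exhaustion risk for a given pool size.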

Key Features

  • Simplified Outbound Connectivity: Provides a straightforward way to enable outbound internet access for Azure resources.
  • Scalability: Automatically scales to handle large volumes of outbound traffic.
  • High Availability: Inherently highly available, with no single point of failure.
  • Static Outbound IP Addresses: Offers predictable outbound IP addresses, which are essential for firewall allow-listing and integrations with third-party services.
  • SNAT Port Exhaustion Mitigation: Provides a large pool of SNAT ports, significantly reducing the risk of SNAT port exhaustion for scalable applications.
  • Secure by Design: Only allows outbound traffic by default. Inbound traffic is not permitted through NAT Gateway.
  • Regional Service: NAT Gateway is deployed within a specific Azure region.
  • Subnet Granularity: Can be associated with one or more subnets within a virtual network.

Benefits of Using Azure NAT Gateway

  • Improved Application Resilience: Eliminates SNAT port exhaustion issues, ensuring your applications remain accessible and performant.
  • Enhanced Security: Predictable outbound IPs simplify allow-listing on external firewalls and services.
  • Reduced Management Overhead: Eliminates the need to manage public IPs on individual VMs or load balancers for outbound connectivity.
  • Cost-Effective: Offers a more predictable and often more cost-effective solution compared to managing outbound IPs with load balancers or individual public IPs for every VM.
  • Simplified Networking: Streamlines the configuration of outbound internet access for complex network topologies.

Common Use Cases

  • Web Applications: Enabling outbound access for web servers to download updates, call external APIs, or send notifications.
  • Containerized Workloads: Providing outbound connectivity for containers deployed on Azure Kubernetes Service (AKS) or Azure Container Instances.
  • Data Processing and Analytics: Allowing compute nodes to access external data sources or cloud services for processing.
  • IoT Solutions: Enabling IoT devices to send data to cloud endpoints or receive updates.
  • DevOps Pipelines: Allowing build agents and deployment tools to access external repositories or services.

Pricing

Azure NAT Gateway pricing is based on the following components:

  • NAT Gateway Processing: Charged per hour the NAT Gateway is deployed and running.
  • Data Processed: Charged per GB of data processed by the NAT Gateway.
  • Associated Public IP Addresses/Prefixes: Standard charges for the Public IP addresses or prefixes associated with the NAT Gateway.

For the most up-to-date and detailed pricing information, please refer to the official Azure NAT Gateway pricing page.

Deployment and Configuration

Deploying an Azure NAT Gateway involves a few key steps:

  1. Create a NAT Gateway Resource: Define the NAT Gateway, including its SKU (Standard), region, and idle timeout for TCP connections.
  2. Configure Public IP Addresses or Prefixes: Associate one or more Public IP addresses or Public IP prefixes with the NAT Gateway.
  3. Associate with a Subnet: Link the NAT Gateway to one or more subnets within your virtual network. It's recommended to associate NAT Gateway with the entire subnet to ensure all outbound traffic is routed through it.

Azure CLI Example:

# 1. Standard SKU, static public IP for the gateway
az network public-ip create --resource-group MyResourceGroup --name MyNatGatewayPip --sku Standard --allocation-method Static
# 2. NAT Gateway using that IP, TCP idle timeout of 4 minutes
az network nat gateway create --resource-group MyResourceGroup --name MyNatGateway --public-ip-addresses MyNatGatewayPip --idle-timeout 4
# 3. Attach the gateway to the subnet
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVnet --name MySubnet --nat-gateway MyNatGateway

Azure Portal:

You can also deploy and configure NAT Gateway through the Azure portal by navigating to the NAT Gateway service and following the creation wizard.

Important: A NAT Gateway is associated with a subnet. All resources within that subnet will use the NAT Gateway for outbound communication. Ensure that the subnet you associate does not have any other outbound configurations (like explicit Load Balancer outbound rules or individual Public IPs on VMs) that might conflict.
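Two practical questions follow from this note and from the allow-listing point made earlier: which source addresses does a downstream firewall need to allow for a given subnet, and which other outbound settings in that subnet are now shadowed by the NAT Gateway? The check below is an added example, not Azure tooling; it runs over a constructed, simplified description of a virtual network (plain dictionaries under the hypothetical keys `nat_gateways`, `subnets`, `public_ips`, `public_ip_prefixes`, `vms`, `instance_public_ip` and `lb_outbound_rules`, not real CLI or ARM output). It expands each public IP prefix to every address it contains, reports the full egress set per subnet, and flags instance-level public IPs, load balancer outbound rules and double attachments, applying the precedence the FAQ states.

```python
import ipaddress


def egress_sources(nat_gateway):
    """Every public address the gateway can SNAT from: its explicit public IPs
    plus all addresses of each attached prefix. The whole prefix is usable, so
    iterate the network itself rather than .hosts(), which would drop the first
    and last address of anything larger than a /31."""
    addrs = {ipaddress.ip_address(ip) for ip in nat_gateway.get("public_ips", [])}
    for prefix in nat_gateway.get("public_ip_prefixes", []):
        addrs.update(ipaddress.ip_network(prefix, strict=True))
    return [str(a) for a in sorted(addrs)]


def review_vnet(vnet):
    """Return (egress report keyed by subnet name, list of finding strings)."""
    findings = []
    gateways = {g["name"]: g for g in vnet["nat_gateways"]}
    owner = {}  # subnet name -> NAT gateway name
    for g in vnet["nat_gateways"]:
        for subnet_name in g["subnets"]:
            if subnet_name in owner:
                findings.append(f"{subnet_name}: attached to NAT gateways {owner[subnet_name]} "
                                f"and {g['name']}; a subnet can have only one")
            owner[subnet_name] = g["name"]

    report = {}
    for subnet in vnet["subnets"]:
        name = subnet["name"]
        gw = owner.get(name)
        if gw is None:
            report[name] = None
            findings.append(f"{name}: no NAT gateway; outbound source IP is not "
                            f"predictable from this description")
            continue
        report[name] = egress_sources(gateways[gw])
        # NAT gateway takes precedence over the other outbound methods, so these
        # settings are dead configuration and a misleading allow-list input.
        for vm in subnet.get("vms", []):
            if vm.get("instance_public_ip"):
                findings.append(f"{name}/{vm['name']}: instance public IP "
                                f"{vm['instance_public_ip']} is not used for outbound; "
                                f"NAT gateway {gw} takes precedence")
        if subnet.get("lb_outbound_rules"):
            findings.append(f"{name}: load balancer outbound rules are shadowed by NAT gateway {gw}")
    return report, findings


# Constructed sample using documentation address ranges (not a real deployment).
SAMPLE_VNET = {
    "name": "MyVnet",
    "nat_gateways": [
        {"name": "MyNatGateway", "public_ips": ["203.0.113.10"],
         "public_ip_prefixes": ["203.0.113.16/30"], "subnets": ["MySubnet"]},
    ],
    "subnets": [
        {"name": "MySubnet", "lb_outbound_rules": True,
         "vms": [{"name": "web-1", "instance_public_ip": "192.0.2.40"}, {"name": "web-2"}]},
        {"name": "BackendSubnet", "vms": [{"name": "db-1"}]},
    ],
}

if __name__ == "__main__":
    report, findings = review_vnet(SAMPLE_VNET)
    for subnet_name, sources in report.items():
        print(subnet_name, "->", sources)
    for f in findings:
        print("WARN", f)
```

The egress list is what belongs in the partner-side allow-list; the warnings are the conflicts the note above asks you to remove before relying on that list.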

Limitations and Considerations

  • Outbound Only: NAT Gateway is exclusively for outbound traffic. It does not allow inbound connections to your VMs.
  • No Inbound SNAT: Inbound connections initiated from the internet to the NAT Gateway's public IPs are not supported.
  • Idle Timeout: The idle timeout for TCP connections can be configured from 4 to 120 minutes. UDP idle timeout is fixed at 4 minutes.
  • Subnet Association: A NAT Gateway can be associated with multiple subnets, but a subnet can only be associated with one NAT Gateway.
  • Standard SKU Only: NAT Gateway is a Standard SKU service.

Frequently Asked Questions (FAQ)

Q: What is SNAT port exhaustion?
SNAT (Source Network Address Translation) ports are temporary ports used for outbound connections. When a VM makes many outbound connections, it can exhaust its allocated SNAT ports, leading to connection failures. NAT Gateway significantly mitigates this by providing a much larger pool of SNAT ports.

Q: Can I use NAT Gateway for inbound connections?
No, NAT Gateway is designed solely for outbound connections. For inbound connectivity, you would typically use a Load Balancer, Application Gateway, or individual Public IPs on your VMs.

Q: How does NAT Gateway handle UDP traffic?
NAT Gateway supports UDP traffic. The idle timeout for UDP connections is fixed at 4 minutes.

Q: What happens if I associate a subnet with both NAT Gateway and a Load Balancer for outbound?
If a subnet is associated with both NAT Gateway and a Load Balancer that has outbound rules configured, the NAT Gateway will take precedence for outbound traffic originating from VMs within that subnet.

Q: Can I associate NAT Gateway with multiple virtual networks?
No, a NAT Gateway is tied to a single virtual network.