MSDN

Microsoft Docs

Manage NAT in Azure Virtual Networks

Overview

Network Address Translation (NAT) enables resources in a virtual network to communicate with the internet while keeping the internal IP addresses private. Azure provides several NAT solutions, including Outbound NAT (SNAT), Inbound NAT Rules on load balancers, and Azure NAT Gateway.

Prerequisites

  • An active Azure subscription.
  • A Virtual Network with at least one subnet.
  • Appropriate permissions (Owner or Network Contributor) on the resource group.

How to Configure NAT

Outbound SNAT
Inbound NAT Rules
NAT Gateway

Configure Outbound SNAT using Load Balancer

  1. Navigate to Load balancers in the Azure portal.
  2. Create a new Public Load Balancer or select an existing one.
  3. Under Settings > Outbound rules, click Add.
  4. Specify the backend pool (your VM subnet) and the frontend IP configuration.
  5. Save the rule; Azure automatically creates SNAT rules for outbound traffic.

az network lb outbound-rule create \
  --resource-group MyResourceGroup \
  --lb-name MyLoadBalancer \
  --name OutboundSNAT \
  --frontend-ip-config MyFrontEnd \
  --backend-pool MyBackendPool \
  --protocol All \
  --idle-timeout 4

Configure Inbound NAT Rules

  1. Open the Load Balancer you wish to use.
  2. Go to Settings > Inbound NAT rules and click Add.
  3. Set the frontend IP, protocol, port, and target VM / NIC.
  4. Apply the rule; traffic arriving on the specified port is forwarded to the VM.

az network lb inbound-nat-rule create \
  --resource-group MyResourceGroup \
  --lb-name MyLoadBalancer \
  --name SSH-NAT \
  --frontend-ip-name MyFrontEnd \
  --protocol Tcp \
  --frontend-port 4222 \
  --backend-port 22 \
  --backend-pool-name MyBackendPool

Deploy Azure NAT Gateway

  1. Create a NAT Gateway resource.
  2. Associate it with the subnet containing the VMs.
  3. Assign a public IP or public IP prefix.
  4. All outbound traffic from the subnet will use the NAT Gateway.

az network nat gateway create \
  --resource-group MyResourceGroup \
  --name MyNatGateway \
  --public-ip-addresses MyPublicIP \
  --location eastus

az network vnet subnet update \
  --resource-group MyResourceGroup \
  --vnet-name MyVNet \
  --name MySubnet \
  --nat-gateway MyNatGateway

Best Practices

  • Use NAT Gateway for high-scale outbound connectivity.
  • Prefer Load Balancer inbound NAT rules for RDP/SSH access to individual VMs.
  • Monitor NAT usage via Metrics Explorer and set alerts for SNAT port exhaustion.

FAQ

What is the difference between SNAT and NAT Gateway?

SNAT is provided automatically by Load Balancers and is suitable for low to moderate traffic. NAT Gateway offers a dedicated, highly available solution with scalable outbound connections.

How many concurrent connections does a NAT Gateway support?

Each public IP address on a NAT Gateway supports up to 64,000 concurrent connections. Use a Public IP Prefix for larger scales.