Azure Virtual NAT Gateway



Intro



Documentation



Tips and Tidbits

  • NAT can't span multiple virtual networks.

  • IP fragmentation is not supported.

  • NAT is compatible with standard SKU public IP, public IP prefix, and load balancer resources.

    • Basic resources (for example basic load balancer) and any products derived from them aren't compatible with NAT.



Configure internet access with Azure Virtual NAT


  • Network Address Translation (NAT) arose out of the need for internal resources on a private network to share routable IPv4 addresses in order to reach external resources on a public network.

  • Rather than purchasing an IPv4 address for each resource that requires internet access, you can use a NAT service to map outgoing requests from internal resources to an external IP address, so that communication can take place.

  • NAT services provide mappings for a single IP address, a range of IP addresses defined by an IP Prefix, and a range of ports associated with an IP address.

  • You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will map all traffic to the range of IP addresses of the prefix.

  • NAT allows flows to be created from the virtual network to the Internet.

    • Return traffic from the Internet is only allowed in response to an active flow.


  • You define the NAT configuration for each subnet within a VNet to enable outbound connectivity by specifying which NAT gateway resource to use.

  • After NAT is configured, all UDP and TCP outbound flows from any virtual machine instance will use NAT for internet connectivity.

  • You don't need to create any user-defined routes.

    • NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.

  • NAT scales to support dynamic workloads.

    • By using port network address translation (PNAT or PAT), NAT provides up to 64,000 concurrent flows each for UDP and TCP, per attached public IP address.

    • NAT can support up to 16 public IP addresses.


  • NAT is compatible with the following standard SKU resources:

    • Load balancer

    • Public IP address

    • Public IP prefix

  • NAT and compatible Standard SKU features are aware of the direction in which a flow was started.

    • Inbound and outbound scenarios can coexist.



Design virtual networks with NAT gateway

  • NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network.

  • Once a NAT gateway is associated with a subnet, NAT provides source network address translation (SNAT) for that subnet.

  • NAT gateway specifies which static IP addresses virtual machines use when creating outbound flows.

  • Static IP addresses come from public IP addresses, public IP prefixes, or both.

    • If a public IP prefix is used, all IP addresses of the entire public IP prefix are consumed by a NAT gateway.

    • A NAT gateway can use a total of up to 16 static IP addresses from public IP addresses and public IP prefixes combined.


NAT gateway:

  • Create a non-zonal or zonal NAT gateway.

  • Assign a public IP address or public IP prefix.

  • Optionally, modify the TCP idle timeout. Review the timers before you change the default.

Virtual network:

  • Configure virtual network subnet to use a NAT gateway.
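The steps above (create the NAT gateway, assign a Standard SKU public IP, set the idle timeout, attach a subnet) as a Bicep template, added here as an example that is not from the original notes or from Azure's documentation; the resource names, location, zone and address ranges are assumptions.

```bicep
// Added example (not from the original notes): zonal NAT gateway in zone 1, one
// Standard SKU public IP, one subnet. Names, location, zone, ranges are assumptions.
param location string = resourceGroup().location

// Standard SKU only: Basic public IPs are not compatible with NAT gateway.
// A zonal NAT gateway needs its public IPs in the same zone.
resource natPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-natgw-example'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1' ]
  properties: { publicIPAllocationMethod: 'Static' }
}

// Omit 'zones' to create a non-zonal NAT gateway instead.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-example'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1' ]
  properties: {
    // Default is 4 minutes; a longer timeout keeps SNAT ports of idle
    // flows allocated longer, so review the timers before raising it.
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: natPip.id } ]
  }
}

// No user-defined route is needed: the natGateway reference on the subnet
// replaces the subnet's default Internet next hop for outbound flows.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-example'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.1.0/24'
          natGateway: { id: natGw.id }
        }
      }
    ]
  }
}

// The source address destinations see for the subnet's outbound flows.
output natEgressIp string = natPip.properties.ipAddress
```

Deploy with `az deployment group create` against a resource group; the `natEgressIp` output is the address to compare with what a VM in `snet-app` observes as its public source address.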

 

  • Create a non-zonal NAT gateway

  • Create a zonal NAT gateway

Zonal services: A resource can be deployed to a specific, self-selected availability zone to achieve more stringent latency or performance requirements. Resiliency is self-architected by replicating applications and data to one or more zones within the region.


From inside the VM

And the NAT's public IP



Co-Existence Of Instance-Level IP Addresses


Direction   Resource
Inbound     VM with instance-level public IP
Outbound    NAT gateway


Direction   Resource
Inbound     Standard public load balancer
Outbound    NAT gateway


Direction   Resource
Inbound     VM with instance-level public IP and a standard public load balancer
Outbound    NAT gateway