If you are new to Azure, you might be wondering what a NAT gateway is and why you need one. In this blog post, I will explain the basics of Azure NAT Gateway and how it can help you connect your Azure resources to the internet.
SNAT – Source Network Address Translation
Before diving into Azure NAT Gateway, have you ever wondered how your devices or services can access the internet using a single public IP address? This is possible thanks to a technique called SNAT, which stands for source network address translation. SNAT changes the original IP address and port of your outgoing packets to match the public IP address and a unique port. Let’s dig deeper.
At home, your Internet Service Provider provides you with a router to which all your devices connect, either wirelessly or over a physical cable, as demonstrated in the drawing below.
In most cases the devices connecting to your home router are issued an IP address automatically by the DHCP service built into the router, see the example below. Each device has its own IP address.
The IP addresses assigned above are private and can only be used on your home network. They are not internet routable, so on their own they cannot reach the Internet. Yet we know that your devices at home can access the Internet. How? Via the router.
To allow access to the internet, your Internet Service Provider assigns you a public IP address, allocated to your router, as shown in the diagram below (the public IP shown was selected for demo purposes).
When your home devices connect to the Internet via the router, the router's built-in SNAT (Source Network Address Translation) translates the private source addresses so that traffic from a private network (your home network) can go out to the internet. All your devices use the public IP address assigned to your router to gain access to the internet. If you were to visit each one of your devices, open an internet browser (ensure you're connected to your home router wirelessly or by cable) and visit the website https://whatismyip.com/, you would find that the public IP address is the same for all your devices (mobiles, iPads, laptops). This is because your devices are all using the same public IP to access the internet.
Now that you have a basic idea of SNAT (Source Network Address Translation), let's move on to understanding what an Azure NAT Gateway is.
What is an Azure NAT Gateway?
An Azure NAT Gateway is similar to your home router but more intelligent and built for larger networks. An Azure NAT Gateway allows your private resources (such as Virtual Machines) located in Azure to connect to the internet through a central, managed and highly resilient Network Address Translation (NAT) service.
But an Azure virtual machine can get out to the Internet by default, right?
Correct, and let’s understand how Virtual Machines in Azure access the internet (outbound) without the implementation of an Azure NAT Gateway.
Important Announcement: Default outbound access for VMs in Azure will be retired in September 2025
In Azure, virtual machines without an explicit outbound connectivity method defined are assigned a default outbound public IP address by the Azure platform. This IP address enables outbound connectivity from your virtual machine to the Internet, and this access is referred to as default outbound access. The auto-assigned public IP address belongs to Microsoft and is subject to change, so it is not recommended to depend on it for production workloads. Customers don't own the default outbound access IP and have no control over it; any dependency on it could cause issues in the future. Log on to a virtual machine in Azure without a public IP address explicitly assigned, browse to https://whatismyip.com/ and take a note of the automatically assigned default public IP address.
Can I assign an explicit outbound connectivity method by manually assigning an instance level public IP address to a Virtual Machine?
Yes, this is another option. You could create a Public IP address in Azure, which you have more control over (for example, ensuring it is static and doesn't change), and then assign this public IP address to your Virtual Machine. Creating a public IP address also allows Internet resources to communicate inbound to your Azure virtual machine, as well as enabling your virtual machine to communicate out to the Internet. The public IP address is dedicated to the resource until you unassign or remove it; you're in control.
A resource without a public IP assigned can communicate outbound to the Internet, as we now know, but inbound access is not allowed until you assign your own public IP address and configure the required NSG/Firewall rules to allow inbound access from the Internet. So you could assign your virtual machines a public IP address, but ask yourself a few questions first. Am I only granting these virtual machines a public IP to allow access to the internet? How many virtual machines do you have that require access to the internet? Is it a good idea to assign each virtual machine a dedicated public IP address just to allow access to the Internet? There is definitely another layer of management overhead, as an accidental configuration could expose your resources to the outside world. Accidentally allowing RDP from the outside world, for example, would trigger a brute force attack in no time.
So what do Microsoft recommend for resources in Azure requiring outbound Internet access without assigning each resource a public IP address?
Azure NAT Gateway
Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. You can use Azure NAT Gateway to allow the resources in your Virtual Network subnets to connect outbound to the internet while remaining fully private, as there is no need to assign all your resources a public IP address. Unsolicited inbound connections from the internet aren't permitted through a NAT gateway; the service is secure by default. A NAT Gateway allows traffic to flow outbound to the Internet only, and only packets arriving as response packets to an outbound connection can pass back through it.
In the diagram above we have a NAT Gateway connected to two subnets inside a VNET (Virtual Network). The NAT gateway assumes the subnet’s default next hop type for all outbound traffic directed to the internet. No extra routing configurations are required. Outbound Internet traffic for Virtual Machines in Subnet A and Subnet B, along with the Virtual Machine Scale Set (VMSS) will flow through the NAT Gateway. The NAT gateway can be configured with up to 16 public IP addresses which can scale automatically as demand increases.
In the diagram below, we introduce a Load balancer. So how does traffic flow outbound when an Azure load balancer comes into the picture? Traffic being distributed to a backend pool of servers via a load balancer opens a flow that allows the return traffic to go back outbound via the Load balancer, so packets arriving as response packets to an inbound connection pass back through the load balancer and not outbound via the NAT Gateway. Yes, the NAT Gateway has this intelligence built in.
What about a Virtual machine with a public IP assigned?
Exactly the same as inbound traffic via a load balancer (mentioned above), packets arriving as response packets to an inbound connection can pass back through the public IP address assigned to the Virtual Machine and will not flow outbound via the NAT Gateway.
Azure NAT Gateway benefits
- Simple setup
- Secure by default
- Scalable – Each NAT gateway public IP address provides 64,512 SNAT ports, and a NAT gateway can scale to use up to 16 public IP addresses, reducing the chances of SNAT port exhaustion. NAT gateway solves the problem of SNAT port exhaustion by providing a dynamic pool of SNAT ports, so ports are only allocated to virtual machines when needed. This differs from pool-based SNAT allocation, where a fixed number of ports is assigned to a virtual machine up front; some of those ports are used while the others remain reserved but unused, and because the virtual machine keeps hold of those additional assigned ports, the overall pool can hit SNAT port exhaustion.
Another cool feature of Azure NAT Gateway is that it selects SNAT ports at random from its available inventory to make new outbound connections, and it only assigns ports to virtual machines as and when needed. As mentioned in the previous paragraph, virtual machines are not assigned additional ports that they will not use.
Also, Azure NAT Gateway allows a SNAT port to be reused to connect to the same destination endpoint. However, before doing so, NAT Gateway places a reuse cooldown timer on the port after the initial connection closes, which prevents ports from being selected too quickly.
When NAT gateway cannot find any available SNAT ports to make new outbound connections, it can reuse a SNAT port that is currently in use so long as that SNAT port connects to a different destination endpoint.
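The SNAT behaviour described in the post (the home-router translation earlier, and the NAT gateway's random port selection, per-destination port reuse, reuse cooldown and response-only inbound handling above) can be seen in a small Python model. This is an added example written for this post, not Azure's implementation: the port range, the cooldown value and the tiny `ports_per_ip` used in the test are assumptions chosen to make exhaustion and reuse easy to observe.

```python
import random

PORTS_PER_IP = 64512    # SNAT ports per public IP (figure from the post)
MAX_PUBLIC_IPS = 16     # public IPs a NAT gateway can use (figure from the post)

class NatGatewayModel:
    """Toy model (this example's assumption, not Azure's code) of the SNAT behaviour the post
    describes: random port selection, a busy port reused for a different destination when
    none is free, a cooldown before a freed port serves the same destination again, and
    inbound packets accepted only when they match an existing outbound flow."""

    def __init__(self, public_ips, ports_per_ip=PORTS_PER_IP, cooldown=30.0, seed=0):
        assert 1 <= len(public_ips) <= MAX_PUBLIC_IPS
        self.inventory = [(ip, p) for ip in public_ips for p in range(1024, 1024 + ports_per_ip)]
        self.cooldown, self.rng = cooldown, random.Random(seed)
        self.flows = {}      # (pub_ip, snat_port, dst) -> (private_ip, private_port)
        self.by_source = {}  # (private_ip, private_port, dst) -> (pub_ip, snat_port)
        self.cooling = {}    # (pub_ip, snat_port, dst) -> time that flow closed

    def _usable(self, snat, dst, now):
        """A SNAT port may serve dst if no live flow to dst uses it and its cooldown has passed."""
        key = (snat[0], snat[1], dst)
        if key in self.flows:
            return False
        return now - self.cooling.get(key, -self.cooldown) >= self.cooldown

    def outbound(self, private_ip, private_port, dst, now=0.0):
        """Translate an outbound packet; returns (public_ip, snat_port), or None on exhaustion."""
        src = (private_ip, private_port, dst)
        if src in self.by_source:              # an established flow keeps its mapping
            return self.by_source[src]
        in_use = {(ip, p) for ip, p, _ in self.flows}
        # Prefer ports idle for every destination, then ports busy only with other destinations.
        for pool in (lambda s: s not in in_use, lambda s: s in in_use):
            candidates = [s for s in self.inventory if pool(s) and self._usable(s, dst, now)]
            if candidates:
                snat = self.rng.choice(candidates)  # random pick from the available inventory
                self.flows[(snat[0], snat[1], dst)] = (private_ip, private_port)
                self.by_source[src] = snat
                return snat
        return None                            # SNAT port exhaustion for this destination

    def inbound(self, src, public_ip, snat_port):
        """Packet from src to our public IP/port: the owning private endpoint, or None (dropped)."""
        return self.flows.get((public_ip, snat_port, src))

    def close(self, private_ip, private_port, dst, now):
        """Close a flow and start the reuse cooldown for that port and destination."""
        snat = self.by_source.pop((private_ip, private_port, dst))
        del self.flows[(snat[0], snat[1], dst)]
        self.cooling[(snat[0], snat[1], dst)] = now
```

With two ports and one public IP, a third VM talking to the same destination is refused while a VM talking to a different destination still gets a port, and a closed flow's port only returns for that destination once the cooldown has elapsed.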
- Performance – each NAT Gateway can process up to 50 Gbps of data. A NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. The NAT gateway can process 1M packets per second and scale up to 5M packets per second. The total number of connections that a NAT gateway can support at any given time is up to 2 million. While it’s possible that the NAT gateway can exceed 2 million connections, you have increased risk of connection failures.
- NAT gateway takes precedence over other outbound connectivity methods, including Load balancer, instance-level public IP addresses (assigning a public IP address to a Virtual Machine), and Azure Firewall.
- NAT gateway automatically replaces the default Internet public IP assigned by the Azure platform.
- No traffic routing configurations are required to use NAT gateway.
Azure NAT Gateway Limitations
Yes, there are limitations you need to be aware of when implementing an Azure NAT Gateway. They are documented at Azure NAT Gateway resource | Microsoft Learn.
Thank you and see you at the next post 🙂