Azure – Networking – Part 29 – Azure Virtual Network NAT Gateway
Hope you all are doing well. In our last article we discussed another networking service, Network Address Translation (NAT). Today we continue with the NAT service and look at how a NAT gateway works with an Azure virtual network.
Tool Installation Articles :
- Configure Azure Command Line Interface ( Azure CLI) On Windows
- Configure PowerShell For Microsoft Azure Az Module On Windows
Previous Azure Series :
- Learn Basics Of Azure Networking In 100 Hours
- Learn Basics Of Microsoft Azure Storage services
- Learn Basic Of Azure Active Directory And Azure Identity And Access Management
- Azure DevOps – Learn at one place
- Learn Basics Of Lift-And-Shift Migration To Azure
If you have missed our previous articles on Azure Networking, please check them in the following links.
Network Address Translation (NAT)
To access the Internet, a public IP address is required. Devices can instead use private IP addresses within our own private network and reach the Internet through NAT. Network Address Translation (NAT) allows multiple devices to access the Internet through a single public address; to achieve this, each private IP address is translated to a public IP address.
When To Use NAT Service
Microsoft recommends using NAT for outbound scenarios in all production workloads that need to connect to a public endpoint. When connecting to Azure services from our own private network, however, Microsoft's recommended approach is to use Private Link.
Azure Virtual Network NAT
Virtual Network NAT is a fully managed and highly resilient Network Address Translation (NAT) service. A NAT gateway simplifies outbound Internet connectivity for one or more subnets of a virtual network. To use it, we associate the NAT gateway with a subnet.
Once a NAT gateway is associated with a subnet, it provides source network address translation (SNAT) for that subnet. The NAT gateway specifies which static IP addresses virtual machines use when creating outbound flows. Static IP addresses come from public IP addresses, public IP prefixes, or both. If a public IP prefix is used, all IP addresses of the entire prefix are consumed by the NAT gateway. A NAT gateway can use a total of up to 16 static IP addresses from either source.
Source Network Address Translation
Source Network Address Translation (SNAT) rewrites the source of a flow to originate from a different IP address and/or port. Typically, SNAT is used when a private network needs to connect to a public host over the internet. SNAT allows multiple compute resources within the private VNet to use the same single Public IP address or set of IP addresses (prefix) to connect to the internet. NAT gateway uses SNAT to rewrite the source IP address and source port.
Scaling NAT Gateway
Scaling a NAT gateway is primarily a matter of managing the shared, available SNAT port inventory. NAT needs sufficient SNAT port inventory for the expected peak outbound flows of all subnets attached to a NAT gateway. As discussed, we can use public IP addresses, public IP prefixes, or both to create SNAT port inventory. If we assign a public IP prefix, the entire prefix is used.
Each NAT gateway can provide up to 50 Gbps of throughput. We can split our deployments into multiple subnets and assign each subnet or group of subnets a NAT gateway to scale out.
Each NAT gateway can support 64,000 flows each for TCP and UDP per assigned outbound IP address.
NAT gateway interacts with IP and IP transport headers of UDP and TCP flows. Other IP protocols aren’t supported.
- Basic load balancers and basic Public IP addresses are not compatible with NAT. Use standard SKU load balancers and Public IPs instead.
- To upgrade a basic load balancer to standard, see Upgrade Azure Public Load Balancer
- To upgrade a basic public IP address to standard, see Upgrade a public IP address
- IP fragmentation isn’t available for NAT gateway.
Troubleshoot Azure Virtual Network NAT connectivity
This section of the article provides mitigation steps for the following common configuration and connectivity issues with NAT gateway:
- Configuration issues with NAT gateway
- Configuration issues with your subnets and virtual network
- SNAT exhaustion due to NAT gateway configuration
- Connection issues with NAT gateway and integrated services
- NAT gateway public IP not being used for outbound traffic
- Connection failures in the Azure infrastructure
- Connection failures in the path between Azure and the public internet destination
- Connection failures at the public internet destination
- Connection failures due to TCP Resets received
How to deploy NAT
Following are the high-level steps to configure a NAT gateway.
- Create a non-zonal or zonal NAT gateway.
- Assign a public IP address or public IP prefix.
- If necessary, modify the TCP idle timeout (optional). Review the timers before you change the default.
- Configure virtual network subnet to use a NAT gateway.
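The four steps above, together with the SNAT capacity rule from the Scaling section (64,000 flows per protocol per public IP, at most 16 IPs per gateway), as an added Azure CLI example that is not code from the original article: the resource group, VNet, subnet, region and the peak-flow figure are assumptions, and setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the article: deploy a NAT gateway with the Azure CLI following
# the four steps above. Resource names, region and the peak-flow figure are assumptions.
set -eu
RG="${RG:-rg-natgw-demo}"           # assumed existing resource group
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-demo}"            # assumed existing virtual network
SUBNET="${SUBNET:-snet-app}"         # assumed existing subnet to attach
NATGW="${NATGW:-natgw-demo}"
ZONE="${ZONE:-1}"                    # zonal gateway; set ZONE="" for non-zonal
IDLE_TIMEOUT="${IDLE_TIMEOUT:-4}"    # TCP idle timeout in minutes (Azure default is 4)
AZ="${AZ:-az}"                       # set AZ=echo to print the commands instead
# Capacity rule from the article: 64,000 flows per protocol per public IP and at most
# 16 IPs per gateway. Prints the IP count needed; fails when subnets must be split.
ips_needed() {
  local n=$(( ($1 + 63999) / 64000 ))
  if [ "$n" -gt 16 ]; then
    echo "$1 peak flows exceed 16 x 64,000; split subnets across NAT gateways" >&2
    return 1
  fi
  echo "$n"
}
# Steps 1-2: Standard-SKU static public IPs (Basic SKU is not compatible with NAT).
create_public_ips() {
  local names=""
  for i in $(seq 1 "$1"); do
    "$AZ" network public-ip create -g "$RG" -n "pip-$NATGW-$i" -l "$LOCATION" \
      --sku Standard --allocation-method Static ${ZONE:+--zone $ZONE} -o none >&2
    names="$names pip-$NATGW-$i"
  done
  echo "${names# }"
}
# Steps 1-3: the NAT gateway itself, with its public IPs and idle timeout.
create_nat_gateway() {
  "$AZ" network nat gateway create -g "$RG" -n "$NATGW" -l "$LOCATION" \
    --public-ip-addresses $1 --idle-timeout "$IDLE_TIMEOUT" ${ZONE:+--zone $ZONE} -o none
}
# Step 4: associate the subnet; its outbound flows are now SNATed through the gateway.
attach_subnet() {
  "$AZ" network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --nat-gateway "$NATGW" -o none
}
deploy() {
  local n ips
  n=$(ips_needed "${PEAK_FLOWS:-100000}")   # assumed peak concurrent outbound flows
  ips=$(create_public_ips "$n")
  create_nat_gateway "$ips"
  attach_subnet
}
if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy; fi
```

Run it as `AZ=echo RUN_DEPLOY=1 ./natgw.sh` first to review the generated commands, then with `RUN_DEPLOY=1` against a subscription you are logged in to with `az login`.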
In our next article we will see how to configure a NAT gateway.
With the above information, I am concluding this article. I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more. In our next article we will continue with the lab exercise on configuring a load balancer.
If you have any suggestions, feedback, or doubts, you are most welcome. Stay tuned to Knowledge-Junction; we will come up with more such articles.
Thanks for reading 🙂