Επεξεργασία

Κοινή χρήση μέσω


Tutorial: Configure dual stack outbound connectivity with a NAT gateway and a public load balancer

In this tutorial, learn how to configure NAT gateway and a public load balancer to a dual stack subnet in order to allow for outbound connectivity for v4 workloads using NAT gateway and v6 workloads using Public Load balancer.

NAT gateway supports the use of IPv4 public IP addresses for outbound connectivity whereas load balancer supports both IPv4 and IPv6 public IP addresses. When NAT gateway with an IPv4 public IP is present with a load balancer using an IPv4 public IP address, NAT gateway takes precedence over load balancer for providing outbound connectivity. When a NAT gateway is deployed in a dual-stack network with a IPv6 load balancer, IPv4 outbound traffic uses the NAT gateway, and IPv6 outbound traffic uses the load balancer.

Diagram of resources created during the tutorial.

In this tutorial, you learn how to:

  • Create a virtual network
  • Create a NAT gateway with an IPv4 public address
  • Add IPv6 to the virtual network
  • Create a public load balancer with an IPv6 public address
  • Create a dual-stack virtual machine
  • Validate outbound connectivity from your dual stack virtual machine

Prerequisites

Sign in to Azure

Sign in to the Azure portal with your Azure account.

Create virtual network

In this section, create a virtual network for the virtual machine and load balancer.

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter test-rg in Name.
    Select OK.
    Instance details
    Name Enter vnet-1.
    Region Select East US 2.

    Screenshot of Basics tab of Create virtual network in the Azure portal.

  4. Select Next to proceed to the Security tab.

  5. Select Enable Bastion in the Azure Bastion section of the Security tab.

    Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see Azure Bastion

    Note

    Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  6. Enter or select the following information in Azure Bastion:

    Setting Value
    Azure Bastion host name Enter bastion.
    Azure Bastion public IP address Select Create a public IP address.
    Enter public-ip in Name.
    Select OK.

    Screenshot of enable bastion host in Create virtual network in the Azure portal.

  7. Select Next to proceed to the IP Addresses tab.

  8. In the address space box in Subnets, select the default subnet.

  9. In Edit subnet, enter or select the following information:

    Setting Value
    Subnet details
    Subnet template Leave the default Default.
    Name Enter subnet-1.
    Starting address Leave the default of 10.0.0.0.
    Subnet size Leave the default of /24(256 addresses).

    Screenshot of default subnet rename and configuration.

  10. Select Save.

  11. Select Review + create at the bottom of the screen, and when validation passes, select Create.

It takes a few minutes for the bastion host to deploy. You can proceed to the next steps when the virtual network is deployed.

Create NAT gateway

The NAT gateway provides the outbound connectivity for the IPv4 portion of the virtual network. Use the following example to create a NAT gateway.

  1. In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.

  2. Select + Create.

  3. In the Basics tab of Create network address translation (NAT) gateway, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    NAT gateway name Enter nat-gateway.
    Region Select East US 2.
    Availability zone Select a zone or No Zone.
    TCP idle timeout (minutes) Leave the default of 4.
  4. Select Next: Outbound IP.

  5. In Public IP addresses, select Create a new public IP address.

  6. Enter public-ip-nat in Name. Select OK.

  7. Select Next: Subnet.

  8. In Virtual network, select vnet-1.

  9. In the list of subnets, select the box for subnet-1.

  10. Select Review + create.

  11. Select Create.

Add IPv6 to virtual network

The addition of IPv6 to the virtual network must be done after the NAT gateway is associated with subnet-1. Use the following example to add and IPv6 address space and subnet to the virtual network you created in the previous steps.

  1. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

  2. Select vnet-1.

  3. In Settings, select Address space.

  4. In the box that displays Add additional address range, enter 2404:f800:8000:122::/63.

  5. Select Save.

  6. Select Subnets in Settings.

  7. Select subnet-1 in the list of subnets.

  8. Select the box next to Add IPv6 address space.

  9. Enter 2404:f800:8000:122::/64 in IPv6 address space.

  10. Select Save.

Create dual-stack virtual machine

The network configuration of the virtual machine has IPv4 and IPv6 configurations. Create the virtual machine with an internal IPv4 address. Then add the IPv6 configuration to the network interface of the virtual machine.

The following procedure creates a test virtual machine (VM) named vm-1 in the virtual network.

  1. In the portal, search for and select Virtual machines.

  2. In Virtual machines, select + Create, then Azure virtual machine.

  3. On the Basics tab of Create a virtual machine, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Virtual machine name Enter vm-1.
    Region Select East US 2.
    Availability options Select No infrastructure redundancy required.
    Security type Select Standard.
    Image Select Ubuntu Server 22.04 LTS - x64 Gen2.
    VM architecture Leave the default of x64.
    Size Select a size.
    Administrator account
    Authentication type Select Password.
    Username Enter azureuser.
    Password Enter a password.
    Confirm password Reenter the password.
    Inbound port rules
    Public inbound ports Select None.
  4. Select the Networking tab at the top of the page.

  5. Enter or select the following information in the Networking tab:

    Setting Value
    Network interface
    Virtual network Select vnet-1.
    Subnet Select subnet-1 (10.0.0.0/24).
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter nsg-1 for the name.
    Leave the rest at the defaults and select OK.
  6. Leave the rest of the settings at the defaults and select Review + create.

  7. Review the settings and select Create.

Note

Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure NAT Gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Wait for the virtual machine to finish deploying before continuing on to the next steps.

Add IPv6 to virtual machine

The support IPv6, the virtual machine must have a IPv6 network configuration added to the network interface. Use the following example to add a IPv6 network configuration to the virtual machine.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select vm-1.

  3. In Settings select Networking.

  4. Select the name of the network interface in the Network Interface: field. The name of the network interface is the virtual machine name plus a random number. In this example, it's vm-1202.

  5. In the network interface properties, select IP configurations in Settings.

  6. Select + Add.

  7. Enter or select the following information in Add IP configuration:

    Setting Value
    Name Enter ipconfig-ipv6.
    IP version Select IPv6.
  8. Leave the rest of the settings at the defaults and select Add.

Create public load balancer

The public load balancer has a front-end IPv6 address and outbound rule for the backend pool of the load balancer. The outbound rule controls the behavior of the external IPv6 connections for virtual machines in the backend pool. Use the following example to create an IPv6 public load balancer.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. Select + Create.

  3. In the Basics tab of Create load balancer, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select test-rg.
    Instance details
    Name Enter load-balancer.
    Region Select East US 2.
    SKU Leave the default of Standard.
    Type Select Public.
    Tier Leave the default of Regional.
  4. Select Next: Frontend IP configuration.

  5. Select + Add a frontend IP configuration.

  6. Enter or select the following information in Add frontend IP configuration:

    Setting Value
    Name Enter frontend-ipv6.
    IP version Select IPv6.
    IP type Select IP address.
    Public IP address Select Create new.
    In Name enter public-ip-ipv6.
    Select OK.
  7. Select Add.

  8. Select Next: Backend pools.

  9. Select + Add a backend pool.

  10. Enter or select the following information in Add backend pool:

    Setting Value
    Name Enter backend-pool.
    Virtual network Select vnet-1 (test-rg).
    Backend Pool Configuration Leave the default of NIC.
  11. Select Save.

  12. Select Next: Inbound rules then Next: Outbound rules.

  13. Select Add an outbound rule.

  14. Enter or select the following information in Add outbound rule:

    Setting Value
    Name Enter outbound-rule.
    IP Version Select IPv6.
    Frontend IP address Select frontend-ipv6.
    Protocol Leave the default of All.
    Idle timeout (minutes) Leave the default of 4.
    TCP Reset Leave the default of Enabled.
    Backend pool Select backend-pool.
    Port allocation
    Port allocation Select Manually choose number of outbound ports.
    Outbound ports
    Choose by Select Ports per instance.
    Ports per instance Enter 20000.
  15. Select Add.

  16. Select Review + create.

  17. Select Create.

Wait for the load balancer to finish deploying before proceeding to the next steps.

Add virtual machine to load balancer

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. Select load-balancer.

  3. In Settings select Backend pools.

  4. Select backend-pool.

  5. In Virtual network select vnet-1 (test-rg).

  6. In IP configurations select + Add.

  7. Select the checkbox for vm-1 that corresponds with the IP configuration of ipconfig-ipv6. Don't select ipconfig1.

  8. Select Add.

  9. Select Save.

Validate outbound connectivity

Connect to the virtual machine with Azure Bastion to verify the IPv4 and IPv6 outbound traffic.

Obtain IPv4 and IPv6 public IP addresses

Before you can validate outbound connectivity, make not of the IPv4, and IPv6 public IP addresses you created previously. Use the following example to obtain the public IP addresses.

  1. In the search box at the top of the portal, enter Public IP address. Select Public IP addresses in the search results.

  2. Select public-ip-nat.

  3. Make note of the address in IP address. In this example, it's 203.0.113.5.

  4. Return to Public IP addresses.

  5. Select public-ip-ipv6.

  6. Make note of the address in IP address. In this example, it's 2001:DB8::14.

Make note of both IP addresses. Use the IPs to verify the outbound connectivity for each stack.

Test connectivity

  1. Sign-in to the Azure portal.

  2. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  3. Select vm-1.

  4. In the Overview of vm-1, select Connect then Bastion. Select Use Bastion

  5. Enter the username and password you created when you created the virtual machine.

  6. Select Connect.

  7. At the command line, enter the following command to verify the IPv4 address.

    curl -4 icanhazip.com
    
    azureuser@vm-1:~$ curl -4 icanhazip.com
    203.0.113.5
    
  8. At the command line, enter the following command to verify the IPv4 address.

    curl -6 icanhazip.com
    
    azureuser@vm-1:~$ curl -6 icanhazip.com
    2001:DB8::14
    
  9. Close the bastion connection to vm-1.

Clean up resources

When your finished with the resources created in this article, delete the resource group and all of the resources it contains.

  1. In the Azure portal, search for and select Resource groups.

  2. On the Resource groups page, select the test-rg resource group.

  3. On the test-rg page, select Delete resource group.

  4. Enter test-rg in Enter resource group name to confirm deletion and select Delete.

Next steps

Advance to the next article to learn how to: