แก้ไข

แชร์ผ่าน


Frequently asked questions for Azure NAT Gateway

Here are some answers to common questions about using Azure NAT Gateway.

Azure NAT Gateway basics

What is Azure NAT Gateway?

Azure NAT Gateway is a fully managed, highly resilient outbound connectivity solution for Azure virtual networks. To achieve secure and scalable outbound connectivity, attach a NAT gateway to subnets within a virtual network and to at least one static public IP address.

What is the pricing for Azure NAT Gateway?

What are the known limits of Azure NAT Gateway?

How many NAT gateway resources are allowed per subscription?

The number of NAT gateway resources allowed per subscription per region varies based on the offer category type, such as free trial, pay-as-you-go, Cloud Solution Provider (CSP), and Enterprise Agreement. Enterprise Agreement and CSP offer types can have up to 1,000 NAT gateway resources. Sponsored and pay-as-you-go offer types can have up to 100 NAT gateway resources. All other offer types, such as free trial, can have up to 15 NAT gateway resources.

Can a NAT gateway be used across subscriptions?

No, a NAT gateway resource can't be used with more than one subscription at a time. For step-by-step guidance, see Create and configure a NAT gateway after a region move.

Can a NAT gateway be moved from a region/subscription/resource group to another?

No, a NAT gateway can't be moved across subscriptions, regions, or resource groups. A new NAT gateway must be created for the other subscription, region, or resource group.

Can a NAT gateway be used to connect inbound?

A NAT gateway provides outbound connectivity from a virtual network. Return traffic in direct response to an outbound flow can also pass through a NAT gateway. No inbound traffic directly from the internet can pass through a NAT gateway.

How can I obtain logs for my NAT gateway resource?

Virtual network (VNet) flow logs are a feature of Azure Network Watcher that logs information about IP traffic flowing through a virtual network. Flow data from virtual network flow logs is sent to Azure Storage. From there, you can access the data and export it to any visualization tool, security information and event management (SIEM) solution, or intrusion detection system (IDS).

VNet flow logs provide connection information for your virtual machines. The connection information contains the source IP and port and the destination IP and port and the state of the connection. The traffic flow direction and the size of the traffic in number of packets and bytes sent is also logged. The source IP and port specified in the VNet flow log is for the virtual machine and not the NAT gateway.

For general guidance to create and manage virtual network flow logs, see Manage virtual network flow logs.

How do I delete a NAT gateway resource?

To delete a NAT gateway resource, the resource must first be disassociated from the subnet. After the NAT gateway resource is disassociated from all subnets, it can be deleted. For guidance, see Remove a NAT gateway resource from an existing subnet and delete the resource.

Does a NAT gateway support IP fragmentation?

No, a NAT gateway doesn't support IP fragmentation for Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

NAT gateway metrics

What is the difference between SNAT Connection Count and Total SNAT Connection Count metrics for a NAT gateway?

The SNAT Connection Count metric shows the number of new source network address translation (SNAT) connections made per second. The Total SNAT Connection Count metric shows the total number of active connections on a NAT gateway resource.

How can I see SNAT port usage on a NAT gateway?

There's no SNAT port usage metric for a NAT gateway. Use the SNAT Connection Count and Total SNAT Connection Count metrics to help you evaluate the SNAT capacity of your NAT gateway resource.

How can I store my NAT gateway metrics long term?

NAT gateway metrics can be retrieved by using the metrics REST API. Alternatively, you can select Share and then Download to Excel from the NAT gateway metrics pane in the Azure portal.

Can NAT gateway metrics be retrieved by using diagnostic settings?

No, NAT gateway metrics can't be exported by using diagnostic settings. NAT gateway metrics are multidimensional. Diagnostic settings don't support the export of multidimensional metrics.

Outbound connectivity with a NAT gateway

How can I use a NAT gateway to connect outbound in a setup where I'm currently using a different service for outbound?

A NAT gateway automatically connects outbound to the internet after being attached to a public IP address or prefix and a subnet. A NAT gateway takes priority over Azure Load Balancer with outbound rules, instance-level public IP addresses on virtual machines (VMs), and Azure Firewall for outbound connectivity.

Are connections disrupted after attaching a NAT gateway to a subnet where a different service is currently used for outbound connectivity?

No, there's no disruption in connections. Existing connections with the previous outbound service (Load Balancer, Azure Firewall, instance-level public IP addresses) continues to work until those connections close. After a NAT gateway is added to the subnet of the virtual network, all new connections use a NAT gateway for making outbound connections.

Can a NAT gateway public IP connect directly to a private IP address over the internet?

No, a public IP address of a NAT gateway can't connect directly to a private IP over the internet.

If multiple public IP addresses are assigned to a NAT gateway resource, is traffic flow disrupted when one of the IP addresses is removed?

Any active connections associated with a public IP address terminate when the public IP address is removed. If the NAT gateway resource has multiple public IPs, new traffic is distributed among the assigned IPs.

What does it mean when I see an IP being used to connect outbound that's different from my NAT gateway public IP?

There are a few possible reasons for why you could be seeing a different IP being used to connect outbound than the one associated to your NAT gateway. To help troubleshoot, refer to the Azure NAT Gateway connectivity troubleshooting guide.

Traffic routes

What happens to a NAT gateway if I force tunnel 0.0.0.0/0 (internet) traffic to an NVA, Azure VPN Gateway, or Azure ExpressRoute?

A NAT gateway uses a subnet's system default internet path to route traffic to the internet. Traffic doesn't pass through a NAT gateway if a user-defined route is created to direct 0.0.0.0/0 traffic to the next hop type network virtual appliance (NVA) or a virtual network gateway.

What configuration must I make on the subnet route table to connect outbound with a NAT gateway?

No configuration on the subnet route table is required to start connecting outbound with a NAT gateway. When a NAT gateway is assigned to a subnet, the NAT gateway becomes the next hop type for all internet-destined traffic. Traffic can start connecting outbound to the internet as soon as the NAT gateway is assigned to a subnet and at least one public IP address.

NAT gateway configurations

Can a NAT gateway be deployed without a public IP address or subnet?

Yes, a NAT gateway can be deployed without a public IP address or prefix and subnet. However, it's not operational until you attach at least one public IP address or prefix and a subnet.

Is the NAT gateway public IP address static?

Yes, public IP addresses on your NAT gateway are fixed and don't change.

How many public IP addresses can be attached to a NAT gateway?

A NAT gateway can use up to 16 public IP addresses. A NAT gateway can use any combination of public IP addresses and public IP prefixes totaling 16 addresses. A NAT gateway can support the following prefix sizes: /28 (16 addresses), /29 (8 addresses), /30 (4 addresses), and /31 (2 addresses).

How can I use custom IP prefixes (BYOIP) with a NAT gateway?

You can use public IP prefixes and addresses derived from custom IP prefixes, also known as bring your own IP (BYOIP), with your NAT gateway. To learn more, see Custom IP address prefix (BYOIP).

Can an IPv6 public IP address be used with a NAT gateway?

No, a NAT gateway doesn't support IPv6 public IP addresses. You can, however, have a dual-stack configuration with a NAT gateway and a load balancer to provide IPv4 and IPv6 outbound connectivity. For more information, see Configure dual stack outbound connectivity with a NAT gateway and a public load balancer.

Can public IP addresses with the routing preference "internet" be used with a NAT gateway?

No, a NAT gateway doesn't support public IP addresses with the routing preference "internet." To see a list of Azure services that do support the routing configuration type "internet" on public IPs, see Supported services for routing over the public internet.

Can public IP addresses with DDoS protection enabled be used with a NAT gateway?

No, a NAT gateway doesn't support public IP addresses with DDoS protection enabled. For more information, see DDoS limitations.

Can public IPs of an existing NAT gateway be changed?

No, the address of an existing public IP can't be changed. If you need to change the public IP address on your NAT gateway, see Add or remove a public IP address for guidance.

If multiple public IP addresses are assigned to a NAT gateway, which public IPs do my subnet resources use?

Your subnet resources can use any of the public IP addresses attached to your NAT gateway for outbound connectivity. Each time a new outbound connection is made through a NAT gateway, the outbound public IP is selected at random.

Can I assign one of my NAT gateway public IP addresses to a specific VM or subnet to use exclusively for connecting outbound?

No. IP assignment to specific subnets or VM instances in a NAT gateway-configured subnet isn't supported.

Can a NAT gateway be attached to multiple virtual networks?

No, a NAT gateway can't be attached to multiple virtual networks.

Can a NAT gateway be attached to multiple subnets?

Yes, a NAT gateway can be associated with up to 800 subnets in a virtual network. It isn't required to be associated with all subnets within a virtual network.

Can a NAT gateway be attached to a gateway subnet?

No, a NAT gateway can't be associated with a gateway subnet.

Can multiple NAT gateways be attached to a single subnet?

No, a NAT gateway operates based on the properties of the subnet, so multiple NAT gateways can't be attached to a single subnet.

Does a NAT gateway work in a hub-and-spoke network architecture?

Traffic from the spoke virtual networks can be routed to the centralized hub virtual network through an NVA or Azure Firewall. A NAT gateway can then provide outbound connectivity for all spoke virtual networks from the centralized hub network. To set up a NAT gateway in a hub-and-spoke architecture with NVAs, see Use a NAT gateway in a hub-and-spoke network. To use a NAT gateway with Azure Firewall in a hub-and-spoke setup, see Integrate a NAT gateway with Azure Firewall.

Availability zones

How does a NAT gateway work with availability zones?

A NAT gateway can be zonal or placed in "no zone." For more information, see Azure NAT Gateway and availability zones. In addition:

  • A no-zone NAT gateway is placed in a zone for you by Azure.
  • A zonal NAT gateway is associated to a specific zone by the user when the NAT gateway is created.
  • The zonal configuration of a NAT gateway can't be changed after deployment.

Can a zone-redundant public IP address be attached to a NAT gateway?

Zone-redundant public IP addresses and prefixes can be attached to either a no-zone NAT gateway or a NAT gateway assigned to a specific availability zone. For more information, see Azure NAT Gateway and availability zones.

Azure NAT Gateway and basic SKU resources

Are basic SKU resources (Basic load balancer and Basic public IP addresses) compatible with a NAT gateway?

No, a NAT gateway is compatible with standard SKU resources. To learn more, see Azure NAT Gateway basics. Upgrade your basic load balancer and basic public IP address to standard to work with a NAT gateway. For more help:

Connection timeouts and timers

What is the idle timeout for a NAT gateway?

For TCP connections, the idle timeout timer defaults to 4 minutes and is configurable up to 120 minutes. If you need to maintain long connection flows, use TCP keepalives instead of extending the idle timeout timer. TCP keepalives maintain active connections for a longer period.

The UDP idle timeout timer is set to 4 minutes and isn't configurable.

What is the SNAT port reuse behavior of a NAT gateway?

When a TCP/UDP connection is closed, the port is placed in a cool-down period before it can be reused to connect to the same destination endpoint. For more information, see SNAT port reuse timers. Connections going to a different destination can use a SNAT port right away. For more information, see SNAT with Azure NAT Gateway.

NAT gateway integration with other Azure services

Can I use a NAT gateway with Azure App Service?

Yes, a NAT gateway can be used with Azure App Service to allow applications to direct outbound traffic to the internet from a virtual network. To use this integration between a NAT gateway and Azure App Service, regional virtual network integration must be enabled. For guidance on how to enable virtual network integration with a NAT gateway, see Azure NAT Gateway integration.

Can I use a NAT gateway with Azure Kubernetes Service?

Yes. For more information about NAT gateway integration with Azure Kubernetes Service, see Managed NAT Gateway.

When is NAT gateway used to connect from my AKS cluster to the AKS API server?

To manage an AKS cluster, you interact with its API server. When you create a non-private cluster that resolves to the API server's fully qualified domain name (FQDN), the API server is assigned a public IP address by default. After you attach a NAT Gateway to the subnets of your AKS cluster, NAT Gateway will be used to connect to the public IP of the AKS API server. Refer to Access an AKS API Server for additional information and design guidance.

Can I use a NAT gateway with Azure Firewall?

Yes, a NAT gateway can be used with Azure Firewall. When Azure Firewall is used with a NAT gateway, it should be in a zonal configuration. A NAT gateway works with a zone-redundant firewall, but we don't recommend the deployment at this time. For more information about NAT gateway integration with Azure Firewall, see Scale SNAT ports with a NAT gateway.

Yes, the addition of a NAT gateway to a subnet with service endpoints doesn't affect the endpoints. Virtual Network service endpoints enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint traverses the Azure backbone instead of the internet. We recommend Private Link over service endpoints when you connect to Azure platform as a service (PaaS) directly from your Azure network.

Can I use a NAT gateway with my Azure Databricks workspace?

Yes. If you enable secure cluster connectivity in your workspace, a NAT gateway can be used with Azure Databricks in one of two ways:

  • If you use secure cluster connectivity with the default virtual network that Azure Databricks creates, Azure Databricks automatically creates a NAT gateway for outbound traffic from your workspace's subnets. The NAT gateway is created within the managed resource group that Azure Databricks manages. You can't modify this resource group or any resources provisioned within it.
  • If you enable secure cluster connectivity on your workspace that uses virtual network injection, you can deploy a NAT gateway on both of the workspace's subnets to provide outbound connectivity. You can modify the configuration for customized outbound connectivity requirements in this case. For more information, see Secure cluster connectivity.

Next steps

If your question isn't listed here, please send feedback about this page with your question. This information will create a GitHub issue for the product team to ensure that all our valued customer questions are answered.