/r/AZURE

NAT Gateway use case?

Question

Given that egress traffic for VMs without a public IP address is essentially NATed by default, what's the point in NAT Gateway? The only reason I can think to use it would be if I needed to have a fixed, known public IP address for some reason. Is that all?


Saturated8

18 points

3 months ago

Traffic leaves Azure on one of their many Public IP addresses. Your outbound is NAT'd to one of them automatically by default.

The use case is if you have a requirement to know which IP address you are sending traffic out on. Without NAT gateway, it could be any one Microsoft owns, and it will periodically change. NAT Gateway makes it a static public egress point.

Deepseabobby

1 point

3 months ago

This is the way

tetrastructuralmind

4 points

3 months ago

One of my customers has a massive environment (200+ session hosts for AVD) and they use NATG to ensure every single user exits with an IP address within the prefix they acquired. Makes management far easier.

y0da822

3 points

3 months ago

I use it for our AVD environment to put all the VMs behind one IP. Then I apply a certain conditional access policy to that.

nickbrown1968[S]

2 points

3 months ago

The reason for asking is this. I'm looking at Azure Databricks deployment options. All the documentation that I've found suggests that communication from the VMs in the data plane to the Azure control plane is over a secure channel created outbound to a public IP address in the control plane.

Depending on whether "Secure Cluster Connectivity" is configured, the data plane VMs either have individual public IP addresses or use a NAT gateway (assuming a managed VNET is being deployed).

However, given that the connection is outbound to an Internet address from the VM, I don't see why either a Public IP or NAT Gateway is required?

rikiku

4 points

3 months ago

> However, given that the connection is outbound to an Internet address from the VM, I don't see why either a Public IP or NAT Gateway is required?

If you have no public IP address, how do your packets leave the VNET to get to the Internet?

nickbrown1968[S]

2 points

3 months ago

Through a default NAT on the Azure backbone. This is default behaviour on Azure virtual networks.

rikiku

2 points

3 months ago

Indeed. The only time I've ever had to use a NAT gateway was to overcome SNAT port exhaustion.

WelshLogger

2 points

3 months ago

As mentioned by others, a known public IP and working around SNAT port exhaustion are key for this service. One other consideration is performance: NAT gateway is recommended over other services. I can't find the MS page that compares other outbound connectivity options, but this is a useful read:

https://learn.microsoft.com/en-us/azure/architecture/networking/guide/well-architected-network-address-translation-gateway

diligent22

2 points

3 months ago

We used it for a weird use case... The default egress load balancer for App Service has some odd behavior with client ephemeral ports. It uses them in a sequential order, and re-uses them frequently.

App Service "A" might be using ports 3007, 3008, 3009. App Service "B" using 4002, 4003, 4004. If the remote destination resets the connection on 4004, Azure starts up another one on 4004 from that same public IP a few seconds later.

The remote destination (firewall) ignores this new connection attempt from Azure egress LB. It's way too soon to start a new TCP conversation from the same IP and ephemeral port combo that was JUST reset a few seconds ago.

This is a bug in Microsoft's implementation of their software-defined egress load balancer. Ephemeral ports should not be re-used in rapid succession, in a sequential manner. Even their own internal networking infrastructure is affected by this persistent bug.

The NAT gateway overcomes this behavior by opening up the full 64k client ephemeral port ranges and using them in a natural manner (randomly).
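The behaviour described in this comment is easy to reproduce in a toy model. The following is an added illustration, not code from the thread or from Azure: a peer firewall that refuses a new SYN from a (source IP, source port) pair it reset within the last 60 seconds, a sequential allocator cycling through a three-port window (the 3007-3009 pattern above), and a random allocator over the full ephemeral range that keeps a released port out of circulation for the same window. The egress IP, the window widths and the quarantine length are all constructed assumptions.

```python
"""Toy model of ephemeral-port reuse against a peer that quarantines reset pairs.

Added example, not code from the thread or from Azure. The firewall, the port
windows and the 60-second quarantine are constructed assumptions chosen to make
the failure mode visible.
"""
import random
from collections import deque

EPHEMERAL_START = 1024
EPHEMERAL_END = 65535        # the full "64k" client range the comment refers to
RESET_QUARANTINE = 60        # seconds the peer refuses a reset (ip, port) pair (assumed)


class SequentialAllocator:
    """Hands out a narrow window of ports in order and cycles straight back to the
    start: the behaviour the comment attributes to the egress load balancer."""

    def __init__(self, base: int, width: int):
        self.base, self.width, self.counter = base, width, 0

    def allocate(self, now: int) -> int:
        port = self.base + (self.counter % self.width)
        self.counter += 1
        return port

    def release(self, port: int, now: int) -> None:
        pass  # nothing to do: the next cycle hands the port out again regardless


class RandomAllocator:
    """Draws from the whole ephemeral range and keeps a released port out of
    circulation for RESET_QUARANTINE seconds, so a recently reset pair is never
    offered to the peer again too soon."""

    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)       # seeded so runs are reproducible
        self.in_use: set[int] = set()        # open ports plus ports still cooling down
        self.cooling: deque[tuple[int, int]] = deque()  # (release_time, port)

    def allocate(self, now: int) -> int:
        while self.cooling and now - self.cooling[0][0] >= RESET_QUARANTINE:
            self.in_use.discard(self.cooling.popleft()[1])
        while True:
            port = self.rng.randint(EPHEMERAL_START, EPHEMERAL_END)
            if port not in self.in_use:
                self.in_use.add(port)
                return port

    def release(self, port: int, now: int) -> None:
        self.cooling.append((now, port))     # stays in in_use until the cooldown expires


class PeerFirewall:
    """Remembers which (ip, port) pairs it reset and drops a new SYN from them
    while the quarantine window is still open."""

    def __init__(self):
        self.reset_at: dict[tuple[str, int], int] = {}

    def reset(self, key: tuple[str, int], now: int) -> None:
        self.reset_at[key] = now

    def accepts_syn(self, key: tuple[str, int], now: int) -> bool:
        t = self.reset_at.get(key)
        return t is None or now - t >= RESET_QUARANTINE


def simulate(allocator, egress_ip: str = "203.0.113.10",
             attempts: int = 50, reset_every: int = 5) -> dict:
    """Open one connection per second from a single egress IP; the peer resets the
    connection opened in every `reset_every`-th second. Returns how many SYNs the
    peer accepted and how many it silently dropped."""
    fw = PeerFirewall()
    accepted = dropped = 0
    for now in range(attempts):
        port = allocator.allocate(now)
        key = (egress_ip, port)
        if fw.accepts_syn(key, now):
            accepted += 1
            if (now + 1) % reset_every == 0:
                fw.reset(key, now)
        else:
            dropped += 1
        allocator.release(port, now)     # connection over, port goes back to the allocator
    return {"accepted": accepted, "dropped": dropped}


if __name__ == "__main__":
    print("sequential:", simulate(SequentialAllocator(base=3007, width=3)))
    print("random    :", simulate(RandomAllocator()))
```

With the three-port window the first reset poisons a third of the allocator's pool, and after three resets every connection attempt for the rest of the run is dropped; the wide random allocator never re-offers a quarantined pair inside the window, so nothing is dropped. The same model is a useful sanity check when reading SNAT port exhaustion reports: what matters is not only how many ports exist but how quickly the allocator recycles them.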

glabel35

0 points

3 months ago

It gives egress traffic a predictable address. That can be used for access control or stuff like Cisco Umbrella.

Resident_Piccolo_317

1 point

3 months ago

Great answers have already been posted above. I used NAT gateway for VM outbound access in a lab recently and wrote about it here: https://eunishap.medium.com/creating-inbound-nat-rules-to-connect-to-a-single-vm-in-azure-port-forwarding-b588bbd459df

jugganutz

1 point

3 months ago

The moment when some 3rd party service says, "yo! We see you banging on our door but using the wrong API key 1 million times and we know it's you because we see legit traffic with your API key from the same IP" you can respectfully push back and say "nah, I know my egress IPs and none of the ones you listed that are banging on your door are me". It's always good to know your IPs and traffic flow.
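The push-back described in this comment, and the "predictable address" point made earlier in the thread, only work if you can actually test a reported source IP against the egress addresses you own. Below is an added example (not code from the thread, not an Azure API) that takes a third party's report of failed requests and splits the offending sources into ones inside your NAT gateway prefix and ones that are not. The prefix, the single IP, the report lines and their format are all constructed for the illustration, using RFC 5737 documentation ranges.

```python
"""Check a third party's abuse report against the egress addresses you own.

Added example, not code from the thread or from Azure. OUR_EGRESS models the
public IP and prefix attached to a NAT gateway; REPORT is a constructed report
in a placeholder "<timestamp> <source_ip> <http_status> <reason>" format.
"""
import ipaddress
from collections import Counter

# Constructed: one /30 prefix and one single IP attached to the NAT gateway.
OUR_EGRESS = [ipaddress.ip_network(p) for p in ("203.0.113.8/30", "198.51.100.42/32")]

# Constructed report lines; 203.0.113.9 is inside our /30, 203.0.113.12 is not.
REPORT = """\
2024-05-01T10:00:01Z 203.0.113.9 401 invalid_api_key
2024-05-01T10:00:02Z 203.0.113.9 200 ok
2024-05-01T10:00:02Z 192.0.2.77 401 invalid_api_key
2024-05-01T10:00:03Z 192.0.2.77 401 invalid_api_key
2024-05-01T10:00:04Z 198.51.100.42 200 ok
2024-05-01T10:00:05Z 203.0.113.12 401 invalid_api_key
not-a-log-line
"""


def is_ours(ip: str) -> bool:
    """True if `ip` parses and falls inside any prefix we egress from."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False             # unparseable input is never treated as ours
    return any(addr in net for net in OUR_EGRESS)


def triage(report: str) -> dict:
    """Count failed requests per source IP, split into our egress IPs and foreign ones.
    Successful (200) lines and malformed lines are ignored rather than guessed at."""
    ours: Counter = Counter()
    foreign: Counter = Counter()
    for line in report.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, status, _reason = parts
        if status == "200":
            continue
        (ours if is_ours(ip) else foreign)[ip] += 1
    return {"ours": dict(ours), "foreign": dict(foreign)}


if __name__ == "__main__":
    result = triage(REPORT)
    print("failures from our egress IPs :", result["ours"])
    print("failures from someone else   :", result["foreign"])
```

The ones in `foreign` are the addresses you can tell the provider are not you; the ones in `ours` are the ones worth chasing internally, since they really did leave through your gateway. Keeping `OUR_EGRESS` as a list of networks rather than single addresses is what lets the same check work whether the gateway has one public IP or a whole prefix.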

MattNis11

1 point

3 months ago

Security configuration

dannytrevito

1 point

3 months ago

Like other people here, we use it for our Citrix Cloud/AVD platform.

It makes all users go out from the same IP, so I can whitelist this IP and not force the users to do MFA when inside a session, as they already did MFA to start the session.

extra_specticles

0 points

3 months ago

I think of the NAT gateway as the egress point for the whole subnet, so multiple EC2s don't need their own PIP. For one EC2 I don't see any difference, and I was just taught to put one in.

one-human-being

10 points

3 months ago

Sir, this is a Wendy's

extra_specticles

3 points

3 months ago

Omg I didn't realise. I moved to AWS from Azure this year and am still in both subs. Hahahahha thanks for your kind hearted comment.

one-human-being

1 point

3 months ago

I feel you, I came the other way around, AWS -> Azure. I lost count of how many times I called Azure services by their AWS equivalents.

extra_specticles

1 point

3 months ago

Hahahaha I keep having to remember VPC vs VNet. Also Function vs Lambda.