How to handle Multiple NAT Gateway with Single Static Public IP for outbound connections

Harsh Thakor 116

We are having two set up in two different regions, and we are using NAT Gateway for static Public IP. Inside NAT Gateway we are using Public IP prefixes, due to which for each setup we are having 2 static Public IP. In total, we are having 4 static Public Ip for 2 setups. We are looking for a solution using which instead of those 4 IPs all outbound calls should go from 1 or max 2 public IPs. Please let me know how the same can be achieved.

GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee

2022-06-08T07:09:16.147+00:00

Hello @Harsh Thakor ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

AFAIK, NAT Gateways are restricted to the scope of the region where it is being deployed. So two NAT gateways deployed in 2 different regions cannot share the same public IP or Public IP prefix. When creating a NAT gateway in a particular region, you can only associate a Public IP or Public IP prefix from the same region.

So, the only way to reduce the number of Public IP addresses from 4 to 2 would be to delete the attached Public IP prefixes and create & add single Public IP addresses to both NAT gateways.

I will discuss this requirement with the Product group team to get more information, if any and will keep you posted.

Regards,
Gita
Harsh Thakor 116 Reputation points

2022-06-08T07:15:32.473+00:00

Hello,

Thanks for your revert on this,

We are having two app services running behind NAT Gateways with multiple parallel requests going on. Initially, we were using single IP instead of a prefix but at that time some requests were getting failed because of the unavailability of IP for making outbound calls, so we were suggested to use Public IP prefix instead of single public IP. We are expecting around 25/50K requests a day in the near future, which may increase.
GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee

2022-06-08T07:35:51.857+00:00

Hello @Harsh Thakor ,

Thank you for the details.

NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. If you are expecting more than 50K requests a day, then 2 Public IP per NAT gateway is expected. May I know the reason why you would like to reduce the Public IP count?

Also, when you were seeing request failures in the past, did you investigate the cause of that issue? Adding more SNAT ports to a scenario without understanding the cause of the demand should be a last resort. I would request you to go through the below troubleshooting article and look into your metrics for a better understanding of connection issues, if any.
Refer : https://video2.skills-academy.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat

Regards,
Gita
Harsh Thakor 116 Reputation points

2022-06-08T07:56:24.247+00:00

We are offering API service to our clients, using which they are making and outbound calls. the end destination is allowing traffic from trusted sources only, due to which clients are required to share their public IP in advance and there is a limitation in terms of numbers per organization for allowing IPs.

We are having two setups ( DC and DR), so accordingly we are sharing 4 IPs with them which they are supposed to whitelist. But due to the Limitation that the end destination has kept whitelisting the total number of IPs the organization is facing issues and their 4 Ips are getting utilized for single services.
GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee

2022-06-08T12:13:33.7+00:00

Hello @Harsh Thakor ,

Thank you for the update.

I will discuss this scenario with the backend team and get back to you with further updates.

Regards,
Gita
Harsh Thakor 116 Reputation points

2022-06-08T13:28:48.067+00:00

Noted, thanks for the update.

Even by taking any additional service, this can be achieved, then also let us know about that.
GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee

2022-06-13T10:55:42.657+00:00

Hello @Harsh Thakor ,

I discussed this scenario with the Product group team and their response is as below:

Because NAT gateway IPs cannot be shared across regions, the best solution for the proposed set up is to disassociate the public IP prefix from each NAT gateway in each respective region and to assign a single public IP address to each instead. This limit of 50K connections on NAT gateway refers to the number of connections per IP going to the same destination endpoint that are supported at any given time on the NAT gateway. The key here is not how many connections can be made in a day, but rather how many connections the customer has open on their NAT gateway at any given time. So long as the customer does not have more than 50k connections open at the same time going to the same destination endpoint, a single IP address on their NAT gateway should be able to support the number of requests made.

If you do not expect more than 50K connections open on your NAT gateway at any given time in a day, then you can remove the Public IP prefixes and use Public IPs instead which would reduce the total to 2 IPs.

If you expect more than 50K connections open on your NAT gateway at any given time in a day, then as suggested by @msrini-MSFT below, the best option is to go with NAT gateway and reduce the IP of the DR setup by 1 with a total of 3 IPs in your setup.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" below if the information helped you.
Harsh Thakor 116 Reputation points

2022-06-13T11:55:29.277+00:00

Noted, Thanks for the information.

Accepted answer

msrini-MSFT 9,266 Reputation points Microsoft Employee

2022-06-09T04:21:53.077+00:00

@Harsh Thakor ,

I understand that your app service needs more than 1 IP to make sure that the IP exhaustion is not happening. Since you have DR setup the minimum IP that you might need to whitelist is 4. If you still need to reduce the IP count, you can reduce it to 3 IP by having 1 IP in the DR App service.

There are other service such as Azure firewall which can be used for SNAT but since you mentioned that there will be 25k to 50k connections, that will consume more IPs than NAT gateway.

The best option is to go with NAT gateway where you can reduce the IP of the DR setup by 1. You need to work with your On-Premises to whitelist these 3 IPs for your service.

Regards,
Karthik Srinivas
Please sign in to rate this answer.
Harsh Thakor 116 Reputation points

2022-06-09T04:36:08.537+00:00

Thanks for your revert,

One possibility which I got is to reduce it to 3 IPS. I want to know more about the Azure firewall, in that case, all the outbound calls will directly go through the firewall only, so how that will consume more IPs than the NAT gateway? Also, would like to mention the number of active parallel threads can go up to 8/10 for now, but it may increase in future and the total number of calls can vary from 25k to 100 k a day in future. So please consider that too.

Along with this, one suggestion came to us from our client to go with APIC IP to reduce the number of IPs. Can you please let us know whether it's feasible and can be used to achieve the same with the app services?

msrini-MSFT 9,266 Reputation points Microsoft Employee

2022-06-09T05:13:39.89+00:00

When you build Firewall and configure SNAT via it, you will be able to egress 2496 ports per IP per Instance of firewall. Reference: https://video2.skills-academy.com/en-us/azure/firewall/integrate-with-nat-gateway

But with NAT gateway it would be 60k ports per IP. AFAIK, APIC is not possible in Azure. Other option is to deploy a NVA and force internet traffic via the NVA. Again, that will be same as you use NAT gateway. You will need more than 2 IPs.

Harsh Thakor 116 Reputation points

2022-06-09T08:50:41.167+00:00

Thanks for the information!!!

Harsh Thakor 116 Reputation points

2022-06-29T06:46:41.957+00:00

Hello,

One of our Clients is requesting us to use APNIC and share the IP of APNIC instead of NAT Gateways' multiple IPs. If it's possible, please let us know, how we can procure the same. If that is not possible, please share a detailed reason behind the same, so that we can convey it.

GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee

2022-07-06T14:08:52.743+00:00

Hello @Harsh Thakor ,

Apologies for the delay in response.
Could you please elaborate your requirement a bit more in detail? What are you referring to as APNIC here?

Regards,
Gita
Sign in to comment

Share via

How to handle Multiple NAT Gateway with Single Static Public IP for outbound connections

0 additional answers