When should you use Azure NAT Gateway?


When considering deployment of the Azure NAT Gateway service, you should first analyze your scenario. The service isn’t deployed by default with Azure Virtual Network, and not every scenario fits this service. However, it’s a good solution for resolving connectivity problems with Azure VMs in your online retail company.

Scenarios for using the Azure NAT Gateway service

Azure NAT Gateway provides NAT gateway resources for on-demand outbound connectivity without complex preplanning, which makes it relatively easy to deploy when needed. After you set it up, all your VM instances have outbound connectivity and use the static IP addresses you specified, which in turn simplifies the creation of allowlists.

If you want to dedicate the public IP addresses that your VMs use when accessing internet resources, Azure NAT Gateway can help. Let's say that you have a partner organization that only allows connections from a fixed set of IP addresses. You can associate a public IP prefix with Azure NAT Gateway to ensure that a contiguous set of IPs is used for outbound connectivity. You can then configure the firewall at the destination based on this predictable IP list. For example, this solution might address a scenario where your partner hosts an internet-facing API that you need to connect to.

If you have resources on your Azure virtual network that make many outbound connections and intensively use various ports for outbound communication, then you should consider deploying the Azure NAT Gateway service. The service helps you consolidate and maximize the available port numbers, and also avoid port exhaustion.

For example, you might have a virtual network with a few subnets. One subnet hosts your Azure VMs, while another hosts an app service with a website or some other service. Without Azure NAT Gateway, your VMs and other services have a limited number of ports available for outbound connections; usually, this number is smaller than the 65,535 ports that are theoretically available. If one of your VMs or services exhausts its available port pool, new connections time out. You can't borrow ports from another VM's pool, because ports are assigned on a per-VM basis, and each of these resources might use a different public IP address for outbound communication: Azure VMs that have a public IP assigned use that address to reach internet resources, whereas VMs without a public IP use whichever address is currently available from the Azure service pool. Azure NAT Gateway helps resolve both issues by providing the full range of ports to VMs in the subnets that it covers, together with a unique public IP (or IP prefix) for outbound connectivity.
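The two scenarios above (a predictable outbound IP range for a partner allowlist, and a shared port pool for several subnets) are deployed together in this Bicep template. It is an added example, not code from the original module; the resource names, the /31 prefix length and the 10.0.0.0/16 address space are constructed values.

```bicep
param location string = resourceGroup().location

// Contiguous block of public IPv4 addresses (a /31 gives two addresses).
// The partner firewall allowlist is built from this prefix.
resource natPrefix 'Microsoft.Network/publicIPPrefixes@2023-05-01' = {
  name: 'pipprefix-nat-retail'   // constructed name
  location: location
  sku: { name: 'Standard' }
  properties: {
    prefixLength: 31
    publicIPAddressVersion: 'IPv4'
  }
}

// NAT gateway that sources all outbound traffic from the prefix above.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-retail'           // constructed name
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpPrefixes: [ { id: natPrefix.id } ]
    idleTimeoutInMinutes: 4      // release idle SNAT ports quickly
  }
}

// One virtual network; both subnets are covered by the same NAT gateway,
// so the VM subnet and the app subnet draw on the gateway's port pool.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-retail'            // constructed name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-vms'
        properties: {
          addressPrefix: '10.0.1.0/24'
          natGateway: { id: natGw.id }
        }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.2.0/24'
          natGateway: { id: natGw.id }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file nat.bicep`; a gateway subnet for VPN or ExpressRoute gateways must not be given a `natGateway` reference.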

Scenarios that aren’t appropriate for using the Azure NAT Gateway service

Although Azure NAT Gateway is a useful and easy-to-deploy service, it might not be appropriate for every scenario. Here are some examples:

  • If your Azure VM layout is simple, with only a few VMs that rarely make many connections to internet resources, you probably don’t need Azure NAT Gateway. You can instead use Azure native address translation or assign a public IP to one or more VMs.
  • If you need to manage inbound connections to your Azure VMs that come from the internet, Azure NAT Gateway isn’t useful. Azure NAT Gateway only handles inbound traffic that belongs to a connection initiated from the Azure VM (or other service) behind the NAT. When an Azure VM, or software installed on it, opens a connection to a resource on the internet, Azure NAT Gateway registers that connection. If that internet resource then returns data to the Azure VM or initiates an inbound connection in response, it's allowed. However, connections initiated from the internet that aren’t a response to outbound traffic are blocked.
  • If you need to provide a connection to other Azure-based services, such as Azure SQL Database or Azure Storage, you shouldn’t use Azure NAT Gateway. You don’t need to deploy Azure NAT Gateway to connect to Azure resources. When connecting to Azure services, you can use Azure Private Link to tie Azure resources to your virtual network and control access to your Azure service resources. For example, when you access Azure Storage, use a private endpoint for storage to help ensure that your connection is fully private.
  • You can’t use Azure NAT Gateway with Azure Gateway subnets. You also can't use a single Azure NAT Gateway service with more than one virtual network in Azure. However, you can use a single Azure NAT Gateway service to cover more than one subnet within the same virtual network.