You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network/nat-gateway/nat-gateway-resource.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Designing virtual networks with NAT gateway
2
+
title: Design virtual networks with NAT gateway
3
3
titleSuffix: Azure Virtual Network NAT
4
4
description: Learn how to design virtual networks that use Network Address Translation (NAT) gateway resources.
5
5
services: virtual-network
@@ -17,7 +17,7 @@ ms.date: 11/11/2021
17
17
ms.author: allensu
18
18
---
19
19
20
-
# Designing virtual networks with NAT gateway
20
+
# Design virtual networks with NAT gateway
21
21
22
22
NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Once NAT gateway is associated to a subnet, NAT provides source network address translation (SNAT) for that subnet. NAT gateway specifies which static IP addresses virtual machines use when creating outbound flows. Static IP addresses come from public IP addresses, public IP prefixes, or both. If a public IP prefix is used, all IP addresses of the entire public IP prefix are consumed by a NAT gateway. A NAT gateway can use a total of up to 16 static IP addresses from either.
Review this section to familiarize yourself with considerations for designing virtual networks with NAT.
49
49
50
-
### Connecting to Azure services
50
+
### Connect to Azure services
51
51
52
52
When connecting to Azure services from your private network, the recommended approach is to use [Private Link](../../private-link/private-link-overview.md).
53
53
54
54
Private Link lets you access services in Azure from your private network without the use of a public IP address. Connecting to these services over the internet are not necessary and are handled over the Azure backbone network. For example, when you access Azure Storage, you can use a private endpoint to ensure your connection is fully private.
55
55
56
-
### Connecting to the internet
56
+
### Connect to the internet
57
57
58
58
NAT is recommended for outbound scenarios for all production workloads where you need to connect to a public endpoint. The following scenarios are examples of how to ensure coexistence of inbound with NAT gateway for outbound.
59
59
@@ -102,7 +102,7 @@ Any outbound configuration from a load-balancing rule or outbound rules is super
102
102
103
103
Any outbound configuration from a load-balancing rule or outbound rules is superseded by NAT gateway. The VM will also use NAT gateway for outbound. Inbound originated isn't affected.
104
104
105
-
### Monitoring outbound network traffic
105
+
### Monitor outbound network traffic
106
106
107
107
A network security group allows you to filter inbound and outbound traffic to and from a virtual machine. To monitor outbound traffic flowing from NAT, you can enable NSG flow logs.
108
108
@@ -148,15 +148,15 @@ The destination will now see the source of the flows as 65.52.1.1 (source tuple
148
148
149
149
#### Source (SNAT) port reuse
150
150
151
-
Virtual machines can use any available port provided by the public IP(s) configured to NAT gateway for outbound connectivity. NAT gateway selects a port at random out of the available inventory of ports for the virtual machine to use. NAT gateway will also opportunistically reuse source (SNAT) ports.
151
+
An inventory of ports are available to any virtual machine within a subnet that is attached to NAT gateway. NAT gateway selects a port at random out of the available inventory of ports for the virtual machine to use. NAT gateway will also opportunistically reuse source (SNAT) ports.
152
152
153
153
The following flow illustrates this concept with a VM flowing to destination IP 65.52.0.2 after flows 1 - 3 from the above tables have already taken place.
154
154
155
155
| Flow | Source tuple | Destination tuple |
156
156
|:---:|:---:|:---:|
157
157
| 4 | 192.168.0.16:4285 | 65.52.0.2:80 |
158
158
159
-
A NAT gateway will translate flow 4 to a port that may have been recently used for other destinations as well. See [Scaling](#scaling) for more discussion on correctly sizing your IP address provisioning.
159
+
A NAT gateway will translate flow 4 to a port that may have been recently used for other destinations as well. See [Scale NAT](#scale-nat) for more discussion on correctly sizing your IP address provisioning.
@@ -190,7 +190,7 @@ Any IP configuration of a virtual machine can create outbound flows on-demand as
190
190
191
191
After a SNAT port is released, it's available for use by any VM on subnets configured with NAT. On-demand allocation allows dynamic and divergent workloads on subnets to use SNAT ports as needed. As long as SNAT ports are available, SNAT flows will succeed. SNAT port hotspots benefit from a larger inventory. SNAT ports aren't left unused for VMs not actively needing them.
192
192
193
-
### Scaling
193
+
### Scale NAT
194
194
195
195
Scaling NAT is primarily a function of managing the shared, available SNAT port inventory. NAT needs sufficient SNAT port inventory for expected peak outbound flows for all subnets that are attached to a NAT gateway. You can use public IP addresses, public IP prefixes, or both to create SNAT port inventory.
0 commit comments