articles/load-balancer/load-balancer-outbound-connections.md
Lines changed: 22 additions & 17 deletions
@@ -1,13 +1,13 @@
1
1
---
2
2
title: Source Network Address Translation (SNAT) for outbound connections
3
3
titleSuffix: Azure Load Balancer
4
-
description: Learn how Azure Load Balancer is used for outbound internet connectivity (SNAT).
4
+
description: Learn how Azure Load Balancer is used for outbound internet connectivity using Source Network Address Translation (SNAT).
5
5
services: load-balancer
6
6
author: mbender-ms
7
7
ms.service: load-balancer
8
8
ms.topic: conceptual
9
-
ms.custom: template-concept, contperf-fy21q1
10
-
ms.date: 03/01/2022
9
+
ms.custom: engagement-fy23
10
+
ms.date: 03/06/2023
11
11
ms.author: mbender
12
12
---
13
13
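Review bot: the new `description` on the `+` line doubles up "is used for ... using" ("Learn how Azure Load Balancer is used for outbound internet connectivity using Source Network Address Translation (SNAT)."); consider "Learn how Azure Load Balancer provides outbound internet connectivity through Source Network Address Translation (SNAT)." The `ms.custom` and `ms.date` updates look fine.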
@@ -46,11 +46,11 @@ With outbound rules, you have full declarative control over outbound internet co
46
46
47
47
You can manually allocate SNAT ports either by "ports per instance" or "maximum number of backend instances". If you have virtual machines in the backend, it's recommended that you allocate ports by "ports per instance" to get maximum SNAT port usage.
48
48
49
-
Ports per instance should be calculated as below:
49
+
Calculate ports per instance as follows:
50
50
51
51
**Number of frontend IPs * 64K / Number of backend instances**
52
52
53
-
If you have Virtual Machine Scale Sets in the backend, it's recommended to allocate ports by "maximum number of backend instances". If more VMs are added to the backend than remaining SNAT ports allowed, it's possible that virtual machine scale set scaling out could be blocked or that the new VMs won't receive sufficient SNAT ports.
53
+
If you have Virtual Machine Scale Sets in the backend, it's recommended to allocate ports by "maximum number of backend instances". If more VMs are added to the backend than remaining SNAT ports allowed, scale out of Virtual Machine Scale Sets could be blocked, or the new VMs won't receive sufficient SNAT ports.
54
54
55
55
For more information about outbound rules, see [Outbound rules](outbound-rules.md).
56
56
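Review bot: the unchanged formula line "**Number of frontend IPs * 64K / Number of backend instances**" writes "64K", which many readers take as 65,536, while the rest of the article states that 64,000 ports per frontend IP are eligible for SNAT; spell it out as "64,000" so the calculation agrees with the port-count sections. In the rewritten Virtual Machine Scale Sets sentence, "If more VMs are added to the backend than remaining SNAT ports allowed" is hard to parse; suggest "than the remaining SNAT ports allow".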
@@ -72,7 +72,7 @@ For more information about Azure Virtual Network NAT, see [What is Azure Virtual
72
72
| ---------- | ------ | ------------ |
73
73
| Public IP on VM's NIC | SNAT (Source Network Address Translation) </br> isn't used. | TCP (Transmission Control Protocol) </br> UDP (User Datagram Protocol) </br> ICMP (Internet Control Message Protocol) </br> ESP (Encapsulating Security Payload) |
74
74
75
-
Traffic will return to the requesting client from the virtual machine's public IP address (Instance Level IP).
75
+
Traffic returns to the requesting client from the virtual machine's public IP address (Instance Level IP).
76
76
77
77
Azure uses the public IP assigned to the IP configuration of the instance's NIC for all outbound flows. The instance has all ephemeral ports available. It doesn't matter whether the VM is load balanced or not. This scenario takes precedence over the others.
78
78
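Review bot: the rewritten line calls the address "Instance Level IP" while the bullets later in this file say "instance level public IP"; settle on one form ("instance-level public IP") so the two passages are visibly about the same thing. The unchanged table row uses `</br>` as a line break, which is a stray closing tag; `<br>` is the valid form inside a Markdown table cell.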
@@ -85,12 +85,17 @@ A public IP assigned to a VM is a 1:1 relationship (rather than 1: many) and imp
85
85
>[!NOTE]
86
86
> This method is **NOT recommended** for production workloads as it adds risk of exhausting ports. Please refrain from using this method for production workloads to avoid potential connection failures.
87
87
88
-
Any Azure resource that doesn't have a public IP associated to it, doesn't have a load balancer with outbound Rules in front of it, isn't part of virtual machine scale sets flexible orchestration mode, or doesn't have a NAT gateway resource associated to its subnet is allocated a minimal number of ports for outbound. This access is known as default outbound access and is the worst method to provide outbound connectivity for your applications.
88
+
Default outbound access is when An Azure resource is allocated a minimal number of ports for outbound. This access occurs when the resource meets any of the following conditions:
89
+
90
+
- doesn't have a public IP associated to it.
91
+
- doesn't have a load balancer with outbound Rules in front of it.
92
+
- isn't part of Virtual Machine Scale Sets flexible orchestration mode.
93
+
- doesn't have a NAT gateway resource associated to its subnet.
89
94
90
95
Some other examples of default outbound access are:
91
96
92
97
- Use of a basic SKU load balancer
93
-
- A virtual machine in Azure (without the associations mentioned above). In this case outbound connectivity is provided by the default outbound access IP. This IP is a dynamic IP assigned by Azure that you can't control. Default SNAT isn't recommended for production workloads and can cause connectivity failures.
98
+
- A virtual machine in Azure (without the associations mentioned above). In this case, outbound connectivity is provided by the default outbound access IP. This IP is a dynamic IP assigned by Azure that you can't control. Default SNAT isn't recommended for production workloads and can cause connectivity failures.
94
99
- A virtual machine in the backend pool of a load balancer without outbound rules. As a result, you use the frontend IP address of a load balancer for outbound and inbound and are more prone to connectivity failures from SNAT port exhaustion.
95
100
96
101
### What are SNAT ports?
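Review bot: the rewritten intro changes the meaning: "This access occurs when the resource meets any of the following conditions" followed by four negative bullets means a VM with a NAT gateway on its subnet but no public IP would qualify, whereas default outbound access applies only when none of the explicit outbound methods is present, so this should read "meets all of the following conditions". Also "when An Azure resource" has a stray capital "An", "outbound Rules" should be lowercase, and the removed line's point that default outbound access is the least desirable way to provide outbound connectivity (restated later in the "- A virtual machine in Azure" bullet) is worth keeping in the intro.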
@@ -99,15 +104,15 @@ Ports are used to generate unique identifiers used to maintain distinct flows. T
99
104
100
105
If a port is used for inbound connections, it has a **listener** for inbound connection requests on that port. That port can't be used for outbound connections. To establish an outbound connection, an **ephemeral port** is used to provide the destination with a port on which to communicate and maintain a distinct traffic flow. When these ephemeral ports are used for SNAT, they're called **SNAT ports**.
101
106
102
-
By definition, every IP address has 65,535 ports. Each port can either be used for inbound or outbound connections for TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). When a public IP address is added as a frontend IP to a load balancer, 64,000 ports are eligible for SNAT. While all public IPs that are added as frontend IPs can be allocated, frontend IPs are consumed one at a time. For example, if two backend instances are allocated 64,000 ports each, with access to two frontend IPs, both backend instances will consume ports from the first frontend IP until all 64,000 ports have been exhausted.
107
+
By definition, every IP address has 65,535 ports. Each port can either be used for inbound or outbound connections for TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). When a public IP address is added as a frontend IP to a load balancer, 64,000 ports are eligible for SNAT. While all public IPs that are added as frontend IPs can be allocated, frontend IPs are consumed one at a time. For example, if two backend instances are allocated 64,000 ports each, with access to two frontend IPs, both backend instances consume ports from the first frontend IP until all 64,000 ports have been exhausted.
103
108
104
-
Each port used in a load balancing or inbound NAT rule consumes a range of eight ports from the 64,000 available SNAT ports. This usage reduces the number of ports eligible for SNAT, if the same frontend IP is used for outbound connectivity. If ports used in load-balancing or inbound NAT rules are in the same block of eight ports as consumed by another rule, it wil not require extra ports.
109
+
Each port used in a load balancing or inbound NAT rule consumes a range of eight ports from the 64,000 available SNAT ports. This usage reduces the number of ports eligible for SNAT, if the same frontend IP is used for outbound connectivity. If load-balancing or inbound NAT rules consumed ports are in the same block of eight ports consumed by another rule, the rules don't require extra ports.
105
110
106
111
### How does default SNAT work?
107
112
108
113
When a VM creates an outbound flow, Azure translates the source IP address to an ephemeral IP address. This translation is done via SNAT.
109
114
110
-
If using SNAT without outbound rules via a public load balancer, SNAT ports are pre-allocated as described in the default SNAT ports allocation table below.
115
+
If using SNAT without outbound rules via a public load balancer, SNAT ports are pre-allocated as described in the following default SNAT ports allocation table:
111
116
112
117
## <aname="preallocatedports"></a> Default port allocation table
113
118
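Review bot: the unchanged heading line `## <aname="preallocatedports"></a> Default port allocation table` is missing the space in `<a name=`, so no anchor is rendered and links to `preallocatedports` have no target; since this hunk already touches the adjacent line, fix it here. In the rewritten eight-port-block sentence, "If load-balancing or inbound NAT rules consumed ports are in the same block" is ungrammatical; suggest "If the ports used by load-balancing or inbound NAT rules fall in the same block of eight ports already consumed by another rule, no extra ports are required."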
@@ -124,7 +129,7 @@ The following <a name="snatporttable"></a>table shows the SNAT port preallocatio
124
129
125
130
## Port exhaustion
126
131
127
-
Every connection to the same destination IP and destination port will use a SNAT port. This connection maintains a distinct **traffic flow** from the backend instance or **client** to a **server**. This process gives the server a distinct port on which to address traffic. Without this process, the client machine is unaware of which flow a packet is part of.
132
+
Every connection to the same destination IP and destination port uses a SNAT port. This connection maintains a distinct **traffic flow** from the backend instance or **client** to a **server**. This process gives the server a distinct port on which to address traffic. Without this process, the client machine is unaware of which flow a packet is part of.
128
133
129
134
Imagine having multiple browsers going to https://www.microsoft.com, which is:
130
135
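Review bot: "Every connection to the same destination IP and destination port uses a SNAT port" reads as if such connections could share one; since the point of the section is that each of them needs its own, suggest "uses a distinct SNAT port", which also matches the later statement that a TCP SNAT port is only reused across different destination ports.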
@@ -134,15 +139,15 @@ Imagine having multiple browsers going to https://www.microsoft.com, which is:
134
139
135
140
* Protocol = TCP
136
141
137
-
Without different destination ports for the return traffic (the SNAT port used to establish the connection), the client will have no way to separate one query result from another.
142
+
Without SNAT ports for the return traffic, the client has no way to separate one query result from another.
138
143
139
144
Outbound connections can burst. A backend instance can be allocated insufficient ports. Use **connection reuse** functionality within your application. Without **connection reuse**, the risk of SNAT **port exhaustion** is increased.
140
145
141
146
For more information about connection pooling with Azure App Service, see [Troubleshooting intermittent outbound connection errors in Azure App Service](../app-service/troubleshoot-intermittent-outbound-connection-errors.md#avoiding-the-problem)
142
147
143
-
New outbound connections to a destination IP will fail when port exhaustion occurs. Connections will succeed when a port becomes available. This exhaustion occurs when the 64,000 ports from an IP address are spread thin across many backend instances. For guidance on mitigation of SNAT port exhaustion, see the [troubleshooting guide](./troubleshoot-outbound-connection.md).
148
+
New outbound connections to a destination IP fail when port exhaustion occurs. Connections succeed when a port becomes available. This exhaustion occurs when the 64,000 ports from an IP address are spread thin across many backend instances. For guidance on mitigation of SNAT port exhaustion, see the [troubleshooting guide](./troubleshoot-outbound-connection.md).
144
149
145
-
For TCP connections, the load balancer will use a single SNAT port for every destination IP and port. This multiuse enables multiple connections to the same destination IP with the same SNAT port. This multiuse is limited if the connection isn't to different destination ports.
150
+
For TCP connections, the load balancer uses a single SNAT port for every destination IP and port. This multiuse enables multiple connections to the same destination IP with the same SNAT port. This multiuse is limited if the connection isn't to different destination ports.
146
151
147
152
For UDP connections, the load balancer uses a **port-restricted cone NAT** algorithm, which consumes one SNAT port per destination IP whatever the destination port.
148
153
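Review bot: the rewritten line "Without SNAT ports for the return traffic, the client has no way to separate one query result from another." drops the mechanism the removed line explained, namely that the SNAT port is the destination port of the return packets and is what maps a reply back to its flow; suggest "Without a distinct destination port on the return traffic (the SNAT port used to establish each connection), the client has no way to separate one query result from another." The unchanged "This multiuse is limited if the connection isn't to different destination ports" is a double negative; "This reuse only applies when the connections go to different destination ports" says the same thing directly, and the App Service link line is missing its closing period.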
@@ -162,9 +167,9 @@ A port is reused for an unlimited number of connections. The port is only reused
162
167
163
168
* A TCP SNAT port can be used for multiple connections to the same destination IP provided the destination ports are different.
164
169
165
-
* SNAT exhaustion occurs when a backend instance runs out of given SNAT Ports. A load balancer can still have unused SNAT ports. If a backend instance’s used SNAT ports exceed its given SNAT ports, it will be unable to establish new outbound connections.
170
+
* SNAT exhaustion occurs when a backend instance runs out of given SNAT Ports. A load balancer can still have unused SNAT ports. If a backend instance’s used SNAT ports exceed its given SNAT ports, it's unable to establish new outbound connections.
166
171
167
-
* Fragmented packets will be dropped unless outbound is through an instance level public IP on the VM's NIC.
172
+
* Fragmented packets are dropped unless outbound is through an instance level public IP on the VM's NIC.
168
173
169
174
* Secondary IP configurations of a network interface don't provide outbound communication (unless a public IP is associated to it) via a load balancer.
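Review bot: in the rewritten exhaustion bullet, "runs out of given SNAT Ports" and "exceed its given SNAT ports" should be "allocated SNAT ports" (lowercase), matching the "allocate ports" wording used earlier in the article. The rewritten fragmented-packets bullet says "instance level public IP"; hyphenate as "instance-level public IP" and use the same term in the public-IP-on-NIC section above, which calls it "Instance Level IP".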