You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network/nat-gateway-resource.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.devlang: na
13
13
ms.topic: overview
14
14
ms.tgt_pltfrm: na
15
15
ms.workload: infrastructure-services
16
-
ms.date: 03/30/2020
16
+
ms.date: 03/31/2020
17
17
ms.author: allensu
18
18
---
19
19
@@ -177,33 +177,35 @@ NAT gateways take precedence over outbound scenarios of the subnet. Basic load b
177
177
#### Zone isolation with zonal stacks
178
178
179
179
<palign="center">
180
-
<imgsrc="media/nat-overview/az-directions.svg"width="425"title="Virtual Network NAT with availability zones">
180
+
<img src="media/nat-overview/az-directions.svg" width="425" title="Virtual Network NAT with zone isolation, creating multiple "zonal stacks"">
181
181
</p>
182
182
183
183
*Figure: Virtual Network NAT with zone isolation, creating multiple "zonal stacks"*
184
184
185
185
Even without availability zones, NAT is resilient and can survive multiple infrastructure component failures. Availability zones build on this resiliency with zone isolation scenarios for NAT.
186
186
187
-
Virtual networks and their subnets are regional constructs. Subnets are not aligned with a zone.
187
+
Virtual networks and their subnets are regional constructs. Subnets aren't restricted to a zone.
188
188
189
-
A zonal promise for zone isolation exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a "zonal stack" per availability zone. This "zonal stack" consists of virtual machine instances, NAT gateway resources, public IP address and/or prefix resources on a subnet that is assumed to be serving only the same zone. The control plane operations and data plane are then constrained to the specified zone.
189
+
A zonal promise for zone isolation exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a "zonal stack" per availability zone. This "zonal stack" consists of virtual machine instances, NAT gateway resources, public IP address and/or prefix resources on a subnet that is assumed to be serving only the same zone. The control plane operations and data plane are then aligned with and constrained to the specified zone.
190
190
191
191
Failure in a zone other than where your scenario exists is expected to be without impact to NAT. Outbound traffic from virtual machines in the same zone will fail because of zone isolation.
192
192
193
+
#### Integrating inbound endpoints
194
+
193
195
If your scenario requires inbound endpoints, you have two options:
194
196
195
197
| Option | Pattern | Example | Pro | Con |
196
198
|---|---|---|---|---|
197
-
| (1) |**Align** the inbound endpoints with the respective zonal stacks you're creating for outbound. | Create a standard load balancer with zonal frontend. | Same health model and failure mode for inbound and outbound. Simpler to operate. | Individual IP addresses per zone may need to be masked by a common DNS name. |
198
-
| (2) |**Overlay** the zonal stacks with a cross-zone inbound endpoint. | Create a standard load balancer with zone-redundant frontend. | Single IP address for inbound endpoint. | Varying health model and failure modes for inbound and outbound. More complex to operate. |
199
+
| (1) |**Align** the inbound endpoints with the respective **zonal stacks** you're creating for outbound. | Create a standard load balancer with zonal frontend. | Same health model and failure mode for inbound and outbound. Simpler to operate. | Individual IP addresses per zone may need to be masked by a common DNS name. |
200
+
| (2) |**Overlay** the zonal stacks with a **cross-zone** inbound endpoint. | Create a standard load balancer with zone-redundant frontend. | Single IP address for inbound endpoint. | Varying health model and failure modes for inbound and outbound. More complex to operate. |
199
201
200
202
>[!NOTE]
201
203
> A zone-isolated NAT gateway requires IP addresses to match the zone of the NAT gateway. NAT gateway resources with IP addresses from a different zone or without a zone aren't allowed.
0 commit comments