Merge pull request #293051 from brianlehr/outboundconnectionsbranch

v-ccolin · web-flow · commit 96a358d0270e · 2025-01-15T20:57:55.000Z
modified outbound connections doc to include implicit outbound from LB
diff --git a/articles/load-balancer/load-balancer-outbound-connections.md b/articles/load-balancer/load-balancer-outbound-connections.md
@@ -16,18 +16,46 @@ Certain scenarios require virtual machines or compute instances to have outbound
 
 ## <a name="scenarios"></a>Azure's outbound connectivity methods
 
-The following methods are Azure's most commonly used methods to enable outbound connectivity:
+The following methods are Azure's most commonly used methods to enable outbound connectivity, listed in order of priority when multiple methods are used:
 
 | # | Method | Type of port allocation | Production-grade? | Rating |
 | ------------ | ------------ | ------ | ------------ | ------------ |
-| 1 | Use the frontend IP address(es) of a load balancer for outbound via outbound rules | Static, explicit | Yes, but not at scale | OK | 
-| 2 | Associate a NAT gateway to the subnet | Dynamic, explicit | Yes | Best | 
-| 3 | Assign a public IP to the virtual machine | Static, explicit | Yes | OK | 
-| 4 | [Default outbound access](../virtual-network/ip-services/default-outbound-access.md) | Implicit | No | Worst |
+| 1 | Associate a NAT gateway to the subnet | Dynamic, explicit | Yes | Best |  
+| 2 | Assign a public IP to the virtual machine | Static, explicit | Yes | OK | 
+| 3 | Use the frontend IP address(es) of a load balancer for outbound via outbound rules | Static, explicit | Yes, but not at scale | OK |
+| 4 | Use the frontend IP address(es) of a load balancer for outbound without outbound rules | Static, Implicit | No | Worst |
+| 5 | [Default outbound access](../virtual-network/ip-services/default-outbound-access.md) | Implicit | No | Worst |
 
 :::image type="content" source="./media/load-balancer-outbound-connections/outbound-options.png" alt-text="Diagram of Azure outbound options.":::
 
-## <a name="outboundrules"></a>1. Use the frontend IP address of a load balancer for outbound via outbound rules
+## 1. Associate a NAT gateway to the subnet
+
+:::image type="content" source="./media/load-balancer-outbound-connections/nat-gateway.png" alt-text="Diagram of a NAT gateway and public load balancer.":::
+
+Azure NAT Gateway simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT Gateway is fully managed and highly resilient.
+
+Using a NAT gateway is the best method for outbound connectivity. A NAT gateway is highly extensible, reliable, and doesn't have the same concerns of SNAT port exhaustion.
+
+NAT gateway takes precedence over other outbound connectivity methods, including a load balancer, instance-level public IP addresses, and Azure Firewall.
+
+For more information about Azure NAT Gateway, see [What is Azure NAT Gateway](../virtual-network/nat-gateway/nat-overview.md).
+For details on how SNAT behavior works with NAT Gateway, see [SNAT with NAT Gateway](/azure/nat-gateway/nat-gateway-snat).
+
+##  2. Assign a public IP to the virtual machine
+
+:::image type="content" source="./media/load-balancer-outbound-connections/instance-level-public-ip.png" alt-text="Diagram of virtual machines with instance level public IP addresses.":::
+
+ | Associations | Method | IP protocols |
+ | ---------- | ------ | ------------ |
+ | Public IP on VM's NIC | SNAT (Source Network Address Translation) </br> isn't used. | TCP (Transmission Control Protocol) </br> UDP (User Datagram Protocol) </br> ICMP (Internet Control Message Protocol) </br> ESP (Encapsulating Security Payload) |
+
+Traffic returns to the requesting client from the virtual machine's public IP address (Instance Level IP).
+ 
+Azure uses the public IP assigned to the IP configuration of the instance's NIC for all outbound flows. The instance has all ephemeral ports available. It doesn't matter whether the VM is load balanced or not. This scenario takes precedence over the others, except for NAT Gateway. 
+
+A public IP assigned to a VM is a 1:1 relationship (rather than 1: many) and implemented as a stateless 1:1 NAT.
+
+## <a name="outboundrules"></a>3. Use the frontend IP address(es) of a load balancer for outbound via outbound rules
 
 :::image type="content" source="./media/load-balancer-outbound-connections/public-load-balancer-outbound.png" alt-text="Diagram public load balancer with outbound rules.":::
 
@@ -51,38 +79,16 @@ Calculate ports per instance as follows:
 
 If you have Virtual Machine Scale Sets in the backend, it's recommended to allocate ports by "maximum number of backend instances". If more VMs are added to the backend than remaining SNAT ports allowed, scale out of Virtual Machine Scale Sets could be blocked, or the new VMs won't receive sufficient SNAT ports. 
 
-When multiple frontend IPs are configured using outbound rules, outbound connections may come from any of the frontend IPs configured to the backend instance. We do not recommend building any dependencies on which frontend IP may be selected for connections.
+> [!NOTE]
+> When multiple frontend IPs are configured using outbound rules, outbound connections may come from any of the frontend IPs configured to the backend instance. We do not recommend building any dependencies on which frontend IP may be selected for connections.
 
 For more information about outbound rules, see [Outbound rules](outbound-rules.md).
 
-## 2. Associate a NAT gateway to the subnet
-
-:::image type="content" source="./media/load-balancer-outbound-connections/nat-gateway.png" alt-text="Diagram of a NAT gateway and public load balancer.":::
+## 4. Use the frontend IP address(es) of a load balancer for outbound without outbound rules
 
-Azure NAT Gateway simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses. Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT Gateway is fully managed and highly resilient.
+This option is similar to the previous one, except when no outbound rules are created. In this case, the load balancer frontend(s) are still used for outbound, but this is done implicitly without rules that specify which frontend would be used.  Not using outbound rules also decreases scalability of outbound, as implicit outbound connectivity has a fixed number of SNAR ports per frontend IP address, which could lead to port exhaustion in high-traffic scenarios.
 
-Using a NAT gateway is the best method for outbound connectivity. A NAT gateway is highly extensible, reliable, and doesn't have the same concerns of SNAT port exhaustion.
-
-NAT gateway takes precedence over other outbound connectivity methods, including a load balancer, instance-level public IP addresses, and Azure Firewall.
-
-For more information about Azure NAT Gateway, see [What is Azure NAT Gateway](../virtual-network/nat-gateway/nat-overview.md).
-For details on how SNAT behavior works with NAT Gateway, see [SNAT with NAT Gateway](/azure/nat-gateway/nat-gateway-snat).
-
-##  3. Assign a public IP to the virtual machine
-
-:::image type="content" source="./media/load-balancer-outbound-connections/instance-level-public-ip.png" alt-text="Diagram of virtual machines with instance level public IP addresses.":::
-
- | Associations | Method | IP protocols |
- | ---------- | ------ | ------------ |
- | Public IP on VM's NIC | SNAT (Source Network Address Translation) </br> isn't used. | TCP (Transmission Control Protocol) </br> UDP (User Datagram Protocol) </br> ICMP (Internet Control Message Protocol) </br> ESP (Encapsulating Security Payload) |
-
-Traffic returns to the requesting client from the virtual machine's public IP address (Instance Level IP).
- 
-Azure uses the public IP assigned to the IP configuration of the instance's NIC for all outbound flows. The instance has all ephemeral ports available. It doesn't matter whether the VM is load balanced or not. This scenario takes precedence over the others, except for NAT Gateway. 
-
-A public IP assigned to a VM is a 1:1 relationship (rather than 1: many) and implemented as a stateless 1:1 NAT.
-
-## 4. Default outbound access
+## 5. Default outbound access
 
 :::image type="content" source="./media/load-balancer-outbound-connections/default-outbound-access.png" alt-text="Diagram of default outbound access.":::
 
@@ -131,7 +137,6 @@ The following <a name="snatporttable"></a>table shows the SNAT port preallocatio
 | 401-800 | 64 |
 | 801-1,000 | 32 | 
 
-
 ## Port exhaustion
 
 Every connection to the same destination IP and destination port uses a SNAT port. This connection maintains a distinct **traffic flow** from the backend instance or **client** to a **server**. This process gives the server a distinct port on which to address traffic. Without this process, the client machine is unaware of which flow a packet is part of.
