Add manual port allocation guidance and add clarity to SNAT
Add option to manually configure SNAT to resolve SNAT exhaustion
Specify that 64,000 ports per IP address are available for SNAT allocation
Call out in Understanding SNAT and PAT that SNAT is only done when VM instances do not have a dedicated Public IP address
articles/load-balancer/load-balancer-outbound-connections.md (5 additions & 2 deletions)
@@ -114,7 +114,7 @@ When using [Standard Load Balancer with Availability Zones](load-balancer-standa
114
114
115
115
### <aname="pat"></a>Port masquerading SNAT (PAT)
116
116
117
-
When a public Load Balancer resource is associated with VM instances, each outbound connection source is rewritten. The source is rewritten from the virtual network private IP address space to the frontend Public IP address of the load balancer. In the public IP address space, the 5-tuple of the flow (source IP address, source port, IP transport protocol, destination IP address, destination port) must be unique. Port masquerading SNAT can be used with either TCP or UDP IP protocols.
117
+
When a public Load Balancer resource is associated with VM instances which do not have dedicated Public IP addresses, each outbound connection source is rewritten. The source is rewritten from the virtual network private IP address space to the frontend Public IP address of the load balancer. In the public IP address space, the 5-tuple of the flow (source IP address, source port, IP transport protocol, destination IP address, destination port) must be unique. Port masquerading SNAT can be used with either TCP or UDP IP protocols.
118
118
119
119
Ephemeral ports (SNAT ports) are used to achieve this after rewriting the private source IP address, because multiple flows originate from a single public IP address. The port masquerading SNAT algorithm allocates SNAT ports differently for UDP versus TCP.
120
120
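Review bot: the restrictive clause in the rewritten sentence should read "VM instances that do not have dedicated Public IP addresses" rather than "which", since it narrows which instances are meant; while touching it, the sentence now states when port masquerading SNAT applies but leaves the excluded case implicit, so a short clause noting that instances with their own Public IP address are not rewritten this way would make the distinction the commit message promises ("SNAT is only done when VM instances do not have a dedicated Public IP address") explicit in the article body.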
@@ -142,7 +142,7 @@ For patterns to mitigate conditions that commonly lead to SNAT port exhaustion,
142
142
143
143
### <aname="preallocatedports"></a>Ephemeral port preallocation for port masquerading SNAT (PAT)
144
144
145
-
Azure uses an algorithm to determine the number of preallocated SNAT ports available based on the size of the backend pool when using port masquerading SNAT ([PAT](#pat)). SNAT ports are ephemeral ports available for a particular public IP source address.
145
+
Azure uses an algorithm to determine the number of preallocated SNAT ports available based on the size of the backend pool when using port masquerading SNAT ([PAT](#pat)). SNAT ports are ephemeral ports available for a particular public IP source address. For each Public IP address associated with a load balancer there are 64,000 ports available as SNAT ports for each IP transport protocol.
146
146
147
147
The same number of SNAT ports are preallocated for UDP and TCP respectively and consumed independently per IP transport protocol. However, the SNAT port usage is different depending on whether the flow is UDP or TCP.
148
148
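Review bot: the new figure "64,000 ports available as SNAT ports for each IP transport protocol" is introduced without tying it to the preallocation algorithm described in the same paragraph; a clause stating that this is the pool the preallocation divides among backend instances would let readers connect it to the per-VM numbers used later in the article (the manual-allocation example's 10 VMs at 6,400 ports each equals exactly 64,000, which is worth pointing out here so the ceiling is obvious).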
@@ -194,6 +194,9 @@ If you know that you're initiating many outbound TCP or UDP connections to the s
194
194
195
195
If you are having trouble understanding the outbound connection behavior, you can use IP stack statistics (netstat). Or it can be helpful to observe connection behaviors by using packet captures. You can perform these packet captures in the guest OS of your instance or use [Network Watcher for packet capture](../network-watcher/network-watcher-packet-capture-manage-portal.md).
196
196
197
+
#### <aname ="manualsnat"></a>Manually allocate SNAT ports to maximize SNAT ports per VM
198
+
As defined in [preallocated ports](#preallocatedports), the load balancer will automatically allocate ports based on the number of VMs in the backend. By default this is done conservatively to ensure scalability. If you know the maximum number of VMs you will have in the backend you can manually allocate SNAT ports by configuring this in each outbound rule. For example, if you know you will have a maximum of 10 VMs you can allocate 6,400 SNAT ports per VM rather than the default 1,024.
199
+
197
200
#### <aname="connectionreuse"></a>Modify the application to reuse connections
198
201
You can reduce demand for ephemeral ports that are used for SNAT by reusing connections in your application. This is especially true for protocols like HTTP/1.1, where connection reuse is the default. And other protocols that use HTTP as their transport (for example, REST) can benefit in turn.
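Review bot: the new section does not say what happens when the backend later grows past the "maximum number of VMs" the ports were sized for, which is the main risk of manual allocation; a sentence stating that additional instances beyond that count cannot obtain SNAT ports from the outbound rule (or whatever the actual behavior is) belongs next to "If you know the maximum number of VMs you will have in the backend". Two smaller points in the same hunk: the anchor `<aname ="manualsnat">` has a stray space before `=`, unlike `<aname="connectionreuse">` and the other anchors in this file, and "the default 1,024" should say which backend-pool size that default corresponds to so the 6,400 comparison is meaningful.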