Merge pull request #219201 from aimee-littleton/patch-111

Court72 · web-flow · commit a5f6d4837c69 · 2022-11-21T15:40:00.000-07:00
NAT GW FAQ Updates
diff --git a/articles/virtual-network/nat-gateway/faq.yml b/articles/virtual-network/nat-gateway/faq.yml
@@ -9,46 +9,64 @@ summary: |
   Here are some answers to common questions about using Azure Virtual Network NAT.
 
 sections:
-  - name: Single section - ignored
+  - name: Outbound connectivity with NAT gateway
     questions:
-      - question: Is the Virtual Network NAT gateway public IP address static?  
+      - question: How can I use NAT gateway to connect outbound in a setup where load balancer outbound rules or virtual machine public IPs are being used?
         answer: |
-          Yes. When Virtual Network NAT is configured on a subnet, all outbound connectivity uses your specified static public IP address(es).  
+          NAT gateway will automatically be used to connect outbound to the internet as soon as it is associated with a public IP address or prefix and a subnet. NAT gateway will be used to connect outbound over load balancer or instance-level public IP addresses on virtual machines.
+     
+      - question: Is there a drop in packets when a virtual network configured with Load balancer outbound rules switches to NAT gateway after being configured to a subnet?
+        answer: |
+          No, there will be no drop in packets. Existing connections with Load balancer will continue to work until those connections officially close. After NAT gateway is added to the subnet of the virtual network, all new connections will then use NAT gateway for making outbound connections. 
+     
+      - question: Can NAT gateway be used to connect inbound?
+        answer: |
+          NAT gateway provides outbound connectivity from a virtual network. Return traffic in direct response to an outbound flow can also pass through NAT gateway. No inbound traffic directly from the internet can pass through NAT gateway.
+      
+      - question: Can a VNet NAT gateway public IP connect directly to a private IP address over the internet?
+        answer: |
+          No. A public IP address of NAT gateway cannot connect directly to a private IP over the internet. 
+      
+      - question: If multiple public IP addresses are assigned to a NAT gateway, is traffic flow disrupted when one of the IP addresses is removed?
+        answer: |
+          Any active connections associated with a public IP address will terminate upon the public IP address being removed. If the NAT gateway resource has multiple public IPs, new traffic will be redistributed among the assigned IPs. It's advised that if you decide to remove one of the public IP addresses from the NAT gateway resource, use a maintenance window for the removal.
+  
+  - name: NAT gateway configurations
+    questions:  
+      - question: Is the NAT gateway public IP address static?  
+        answer: |
+          Yes. When NAT gateway is configured on a subnet, all outbound connectivity uses your specified static public IP address(es).  
 
-      - question: What is the maximum number of public IP addresses that can be used by Virtual Network NAT gateway?
+      - question: What is the maximum number of public IP addresses that can be used by NAT gateway?
         answer: |
-          The Virtual Network NAT gateway resource can use up to 16 public IP addresses. The Virtual Network NAT can use any combination of public IP addresses and public IP address prefixes totaling to 16 addresses. The maximum prefix size that can be used by Virtual Network NAT is /28 (16 addresses). Other public IP prefix sizes that can be used by VNet NAT gateway include:
+          The NAT gateway resource can use up to 16 public IP addresses. The NAT gateway can use any combination of public IP addresses and public IP address prefixes totaling to 16 addresses. The maximum prefix size that can be used by NAT gateway is /28 (16 addresses). Other public IP prefix sizes that can be used by NAT gateway include:
           /29 (8 addresses), 
           /30 (4 addresses), 
           /31 (2 addresses).  
 
-      - question: How can I use custom IP prefixes (BYOIP) with Virtual Network NAT gateway?
+      - question: How can I use custom IP prefixes (BYOIP) with NAT gateway?
         answer: |
           You can use public IP prefixes and addresses derived from custom IP prefixes (BYOIP) with your NAT gateway resource. See [Custom IP address prefix (BYOIP)](../ip-services/custom-ip-address-prefix.md) to learn more. 
       
       - question: Can a zone-redundant public IP address be attached to a NAT gateway? 
         answer: |
           A zone-redundant public IP address can be attached to a "no zone" NAT gateway only. A NAT gateway designated to a specific zone must be attached to a public IP address from the same zone.      
       
-      - question: Can public IPs of an existing Virtual Network NAT gateway be changed? 
+      - question: Can public IPs of an existing NAT gateway be changed? 
         answer: |
-          No, an existing IP attached to the Virtual Network NAT can't be changed. A different IP can be attached to Virtual Network NAT by creating a new public IP address.  Associate the new public IP address with the NAT gateway resource.  Disassociate the old IP address.
+          No, the address of an existing public IP can't be changed. A different or additional IP can be added to NAT gateway.  Associate either an existing or newly created public IP address to the NAT gateway resource.  Disassociate the old IP address. See [add or remove a public IP address](/azure/virtual-network/nat-gateway/manage-nat-gateway?tabs=manage-nat-portal#add-or-remove-a-public-ip-address) for guidance.
 
-      - question: If multiple public IP addresses are assigned to a NAT gateway, is traffic flow disrupted when one of the IP addresses is removed?
+      - question: If multiple public IP addresses are assigned to a NAT gateway resource, which public IPs will be used by my subnet resources?
         answer: |
-          No. If the Virtual Network NAT gateway resource has multiple public IPs, it will load balance traffic between the assigned IPs. Removing one of the IPs won't cause any downtime. It's advised that if you decide to remove one of the public IP addresses from the NAT gateway resource, use a maintenance window for the removal.
-
-      - question: If multiple public IP addresses are assigned to a VNet NAT gateway resource, which public IPs will be used by my subnet resources?
-        answer: |
-          Any of your subnet resources can use any of the public IP addresses configured to your Virtual Network NAT gateway resource for outbound connectivity. Each time a new outbound connection is made through Virtual Network NAT, the outbound public IP may be different. 
+          Any of your subnet resources can use any of the public IP addresses configured to your NAT gateway resource for outbound connectivity. Each time a new outbound connection is made through NAT gateway, the outbound public IP is selected at random. 
       
-      - question: Can a VNet NAT gateway public IP connect directly to a private IP address over the internet?
+      - question: Can the address of a public IP be known before the IP address is created and attached to NAT gateway?
         answer: |
-          No. A public IP address of NAT gateway cannot connect directly to a private IP over the internet. 
+          No, you cannot know the address of a newly created public IP before the public IP is created and deployed.
       
       - question: If NAT gateway has multiple public IP addresses, can one of those IPs be assigned to a specific VM to use explicitly for going outbound?
         answer: |
-          No. Explicit IP assignment to specific VM instances in a NAT gateway configured subnet cannot be done.
+          No. Explicit IP assignment to specific VM instances in a NAT gateway configured subnet is not supported.
       
       - question: Are basic SKU resources (Basic Load Balancer and Basic public IP addresses) compatible with VNet NAT gateway?
         answer: |
@@ -58,67 +76,69 @@ sections:
           To upgrade a basic load balancer to standard, see [Upgrade Azure Public Load Balancer](../../load-balancer/upgrade-basic-standard.md)
           To upgrade a basic public IP to standard, see [Upgrade a public IP address](../ip-services/public-ip-upgrade-portal.md)
       
-      - question: Can Virtual Network NAT gateway be attached to multiple virtual networks?  
+      - question: Can NAT gateway be attached to multiple virtual networks?  
         answer: |
-          No. Virtual Network NAT cannot be attached to multiple virtual networks.  
+          No. NAT gateway cannot be attached to multiple virtual networks.  
 
-      - question: Can Virtual Network NAT gateway be attached to multiple subnets? 
+      - question: Can NAT gateway be attached to multiple subnets? 
         answer: |
-          Yes. Virtual Network NAT can be associated with multiple subnets within a virtual network. It isn't required to be associated with all subnets within a virtual network. Each subnet within a virtual network can be configured with its own Virtual Network NAT. 
-
+          Yes. NAT gateway can be associated with multiple subnets within a virtual network. It isn't required to be associated with all subnets within a virtual network. Each subnet within a virtual network can be configured with its own Virtual Network NAT. 
+      
       - question: Can Virtual Network NAT gateway be associated with a gateway subnet? 
         answer: |
-          No. Virtual Network NAT can't be associated with a [gateway](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub) subnet.
+          No. NAT gateway can't be associated with a [gateway](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub) subnet.
           
-      - question: Can multiple Virtual Network NAT gateways be attached to a single subnet?
+      - question: Can multiple NAT gateways be attached to a single subnet?
         answer: |
           No. NAT gateway operates based on the properties of the subnet it is attached to, and so multiple NAT gateways cannot be attached to a single subnet.
 
       - question: How does Virtual Network NAT gateway work with availability zones?   
         answer: |
-          Virtual Network NAT can be zonal or placed in "no zone".  
+          Virtual Network NAT can be zonal or placed in "no zone". See [NAT gateway and availability zones](/azure/virtual-network/nat-gateway/nat-availability-zones) for more information. 
 
           A "no zone" NAT gateway is placed into a zone for you by Azure and does not give a guarantee of redundancy.
 
           A zonal NAT gateway is associated to a specific zone by the user when the NAT gateway is created.
           
           After NAT gateway is deployed and placed in "no zone" or a specific zone, the zone selection cannot be changed.
 
+      - question: Can NAT gateway be moved from a region/subscription/resource group to another?
+        answer: |
+          No. NAT gateway cannot be moved across subscriptions, regions, or resource groups. A new NAT gateway must be created for the other subscription, region, or resource group.
+      
       - question: How does NAT gateway work with virtual networks that are peered to one another?
         answer: |
           NAT gateway can only be used by a virtual network that the NAT gateway is directly connected to and cannot traverse multiple virtual networks. 
 
           In a scenario in which virtual network A is peered with virtual network B and NAT gateway is directly associated with virtual network A, virtual network B cannot use NAT gateway to direct outbound traffic. Virtual network B will need its own NAT gateway to make outbound connections. 
       
-      - question: How can I obtain logs for my Virtual Network NAT gateway resource?  
+      - question: How can I obtain logs for my NAT gateway resource?  
         answer: |
           Network security groups (NSG) flow logs can be used to monitor traffic flow from a resource in a subnet/virtual network using NAT gateway to go outbound.
           
           Use Azure Security Center and follow the network protection recommendations to help secure your Azure network resources. Enable network security group flow logs and send the logs to an Azure Storage account for auditing. You can also send the flow logs to a Log Analytics workspace and then use Traffic Analytics to provide insights into traffic patterns in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
       
-      - question: How do I delete a Virtual Network NAT gateway resource?
-        answer: |
-          To delete a Virtual Network NAT gateway resource, the resource must first be disassociated from the subnet. Once the NAT gateway resource is disassociated from all subnets, it can be deleted.
-      
-      - question: Is there a drop in packets when a virtual network configured with Load balancer outbound rules switches to NAT gateway after being configured to a subnet?
+      - question: How do I delete a NAT gateway resource?
         answer: |
-          No, there will be no drop in packets. Existing connections with Load balancer will continue to work until those connections officially close. After NAT gateway is added to the subnet of the virtual network, all new connections will then use NAT gateway for making outbound connections. 
+          To delete a NAT gateway resource, the resource must first be disassociated from the subnet. Once the NAT gateway resource is disassociated from all subnets, it can be deleted. See [remove a NAT gateway from an existing subnet and delete the resource](/azure/virtual-network/nat-gateway/manage-nat-gateway?tabs=manage-nat-portal#remove-a-nat-gateway-from-an-existing-subnet-and-delete-the-resource) for step-by-step guidance.
       
-      - question: Can I use Virtual Network NAT gateway with Azure App Services? 
+  - name: NAT gateway integration with other Azure services
+    questions:  
+      - question: Can I use NAT gateway with Azure App Services? 
         answer: |
           Yes. NAT gateway can be used with Azure App Services in order to allow applications to direct outbound traffic to the internet from a virtual network. To use this integration between NAT gateway and Azure App Services, regional virtual network integration must be enabled. For guidance on how to enable virtual network integration with NAT gateway, see [Virtual Network NAT gateway integration](../../app-service/networking/nat-gateway-integration.md).
       
-      - question: Can I use Virtual Network NAT gateway with Azure Kubernetes Service? 
+      - question: Can I use NAT gateway with Azure Kubernetes Service? 
         answer: |
-          Yes. For more information about Virtual Network NAT integration with Azure Kubernetes Service, see [Managed NAT Gateway (preview)](../../aks/nat-gateway.md).
+          Yes. For more information about NAT gateway integration with Azure Kubernetes Service, see [Managed NAT Gateway (preview)](../../aks/nat-gateway.md).
 
-      - question: Can I use Virtual Network NAT gateway with Azure Firewall?
+      - question: Can I use NAT gateway with Azure Firewall?
         answer: |
           Yes. NAT gateway can be used with Azure Firewall unless Azure Firewall is zone-redundant. Because NAT gateway is a zonal resource, it cannot be associated with an Azure Firewall that spans multiple zones. For more information about Virtual Network NAT integration with Azure Firewall, see [Scale SNAT ports with Azure NAT Gateway](../../firewall/integrate-with-nat-gateway.md).
 
-      - question: Can I use Virtual Network NAT gateway with Virtual Network service endpoints or Private Link?
+      - question: Can I use NAT gateway with Virtual Network service endpoints or Private Link?
         answer: | 
-           Yes. The addition of a Virtual Network NAT Gateway to a subnet with service endpoints does not affect the endpoints. [Virtual Network service endpoints](../virtual-network-service-endpoints-overview.md) enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint will continue to be routed toward the service and won't go via the NAT Gateway. Private Link is recommended over service endpoints when connecting to Azure PaaS services directly from your Azure network.
+           Yes. The addition of a NAT Gateway to a subnet with service endpoints does not affect the endpoints. [Virtual Network service endpoints](../virtual-network-service-endpoints-overview.md) enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint will continue to be routed toward the service and won't go via the NAT Gateway. Private Link is recommended over service endpoints when connecting to Azure PaaS services directly from your Azure network.
 
 additionalContent: |
 
