Merge pull request #176777 from anavinahar/patch-271

Update nat-overview.md

Author: GitHubber17

articles/virtual-network/nat-gateway/nat-overview.md

@@ -14,87 +14,51 @@ ms.author: allensu
 ---
 # What is Virtual Network NAT?
 
-Virtual Network NAT (network address translation) simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses.  Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines. NAT is fully managed and highly resilient.
+Virtual Network NAT is a fully managed and highly resilient Network Address Translation (NAT) service. VNet NAT simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the VNet NAT's static public IP addresses. 
 
 :::image type="content" source="./media/nat-overview/flow-map.png" alt-text="Figure shows a NAT receiving traffic from internal subnets and directing it to a public IP (PIP) and an IP prefix.":::
 
 *Figure: Virtual Network NAT*
-## Static IP addresses for outbound-only
 
-Outbound connectivity can be defined for each subnet with NAT.  Multiple subnets within the same virtual network can have different NATs. A subnet is configured by specifying which NAT gateway resource to use. All UDP and TCP outbound flows from any virtual machine instance will use NAT. 
+## VNet NAT benefits
 
-NAT is compatible with standard SKU public IP address resources or public IP prefix resources or a combination of both.  You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix.  Any IP filtering of your deployments is now easy.
+### Security
+With NAT, individual VMs (or other compute resources) do not need public IP addresses and can remain fully private. Such resources without a public IP address can still reach external sources outside the VNet. You can also associate a Public IP Prefix to ensure that a contiguous set of IPs will be used for outbound. Destination firewall rules can be then configured based on this predictable IP list.
 
-All outbound traffic for the subnet is processed by NAT automatically without any customer configuration.  User-defined routes aren't necessary. NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.
+### Resiliency 
+NAT is a fully managed and distributed service. It doesn't depend on any individual compute instances such as VMs or a single physical gateway device. It leverages software defined networking making it highly resilient. 
 
-## On-demand SNAT with multiple IP addresses for scale
+### Scalability
+NAT can be associated to a subnet and can be used by all compute resources in that subnet. Further, all subnets in a VNet can leverage the same resource. When associated to a Public Ip Prefix, it will automatically scale to the number of IP addresses needed for outbound.
 
-NAT uses "port network address translation" (PNAT or PAT) and is recommended for most workloads. Dynamic or divergent workloads can be easily accommodated with on-demand outbound flow allocation. Extensive pre-planning, pre-allocation, and ultimately overprovisioning of outbound resources is avoided. SNAT port resources are shared and available across all subnets using a specific NAT gateway resource and are provided when needed.
+### Performance
+NAT will not impact the network bandwidth of your compute resources since it is a software defined networking service. Learn more about [NAT gateway's performance](nat-gateway-resource.md#performance).
 
-A public IP address attached to NAT provides up to 64,000 concurrent flows for UDP and TCP respectively. 
 
-A NAT gateway resource can use a:
+## VNet NAT basics
 
-* Public IP
-* Public IP prefix
-
-Both types can be associated to a NAT gateway.
-
-Use a single IP address and scale up to 16 IP addresses.
-
-Subnets in a virtual network are associated with a NAT gateway to enable outbound connections.  A NAT gateway will use all IP addresses associated with the resource for the connections.
-
-NAT gateway allows flows to be created from the virtual network to the Internet. Return traffic from the Internet is only allowed in response to an active flow.
-
-Unlike load balancer outbound SNAT, NAT gateway has no restrictions on which private IP of a virtual machine instance can make outbound connections.  Primary and secondary IPs can create outbound connections with NAT.
-
-## Coexistence of inbound and outbound
-
-NAT is compatible with the following standard SKU resources:
-
-- Load balancer
-- Public IP address
-- Public IP prefix
-
-When used together with NAT, these resources provide inbound Internet connectivity to your subnet(s). NAT provides all outbound Internet connectivity from your subnet(s).
-
-NAT and compatible Standard SKU features are aware of the direction the flow was started. Inbound and outbound scenarios can coexist. These scenarios will receive the correct network address translations because these features are aware of the flow direction. 
-
-:::image type="content" source="./media/nat-overview/flow-direction4.png" alt-text="Figure shows a NAT gateway that supports outbound traffic to the internet from a virtual network.":::
-
-*Figure: Virtual Network NAT flow direction*
-## Fully managed, highly resilient
+NAT can be created in a specific Availability Zone and has redundancy built in within the specified zone. NAT is non zonal by default. When creating [availability zones](../../availability-zones/az-overview.md) scenarios, NAT can be isolated in a specific zone. This is known as a zonal deployment.
 
 NAT is fully scaled out from the start. There's no ramp up or scale-out operation required.  Azure manages the operation of NAT for you.  NAT always has multiple fault domains and can sustain multiple failures without service outage.
-## TCP Reset for unrecognized flows
 
-The private side of NAT sends TCP Reset packets for attempts to communicate on a TCP connection that doesn't exist. One example is connections that have reached idle timeout. The next packet received will return a TCP Reset to the private IP address to signal and force connection closure.
+* Outbound connectivity can be defined for each subnet with NAT.  Multiple subnets within the same virtual network can have different NATs. A subnet is configured by specifying which NAT gateway resource to use.  All outbound traffic for the subnet is processed by NAT automatically without any customer configuration.  User-defined routes aren't necessary. NAT takes precedence over other outbound scenarios and replaces the default Internet destination of a subnet.
+* NAT supports TCP and UDP protocols only. ICMP is not supported.
+* A NAT gateway resource can use a:
 
-The public side of NAT doesn't generate TCP Reset packets or any other traffic.  Only traffic produced by the customer's virtual network is emitted.
-
-## Configurable TCP idle timeout
-
-A default TCP idle timeout of 4 minutes is used and can be increased to up to 120 minutes. Any activity on a flow can also reset the idle timer, including TCP keepalives.
-
-## Non-zonal or zonal with availability zones
-
-NAT is non zonal by default. When creating [availability zones](../../availability-zones/az-overview.md) scenarios, NAT can be isolated in a specific zone. This is known as a zonal deployment.
-
-:::image type="content" source="./media/nat-overview/az-directions.png" alt-text="Figure shows three zonal stacks, each of which contains a NAT gateway and a subnet.":::
-
-*Figure: Virtual Network NAT with availability zones*
+  * Public IP
+  * Public IP prefix
+* NAT is compatible with Standard SKU public IP address or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. NAT will groom all traffic to the range of IP addresses of the prefix. Basic resources, such as Basic Load Balancer or Basic Public IP aren't compatible with NAT.  Basic resources must be placed on a subnet associated to a NAT Gateway.
+* NAT cannot be associated to an IPv6 Public IP address or IPv6 Public IP Prefix. However, it can be associated to a dual stack subnet.
+* NAT allows flows to be created from the virtual network to the services outside your VNet. Return traffic from the Internet is only allowed in response to an active flow. Services outside your VNet cannot initiate a connection to instances.
+* NAT can't span multiple virtual networks.
+* NAT cannot be deployed in a [Gateway Subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub)
+* The private side of NAT (virtual machine instances or other compute resources) sends TCP Reset packets for attempts to communicate on a TCP connection that doesn't exist. One example is connections that have reached idle timeout. The next packet received will return a TCP Reset to the private IP address to signal and force connection closure. The public side of NAT doesn't generate TCP Reset packets or any other traffic.  Only traffic produced by the customer's virtual network is emitted.
+* A default TCP idle timeout of 4 minutes is used and can be increased to up to 120 minutes. Any activity on a flow can also reset the idle timer, including TCP keepalives.
 
 ## Pricing and SLA
 
 For pricing details, see [Virtual Network pricing](https://azure.microsoft.com/pricing/details/virtual-network). NAT data path is at least 99.9% available.
 
-## Limitations
-
-* NAT is compatible with standard SKU public IP, public IP prefix, and load balancer resources. Basic resources, such as Basic Load Balancer or Basic Public IP aren't compatible with NAT.  Basic resources must be placed on a subnet associated to a NAT Gateway.
-* NAT cannot be associated to an IPv6 sPublic IP address or IPv6 Public IP Prefix t. However, it can be associated to a dual stack subnet.
-* NAT can't span multiple virtual networks.
-* NAT cannot be deployed in a [Gateway Subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub)
-
 ## Next steps
 
 * Learn [how to get better outbound connectivity using an Azure NAT Gateway](https://www.youtube.com/watch?v=2Ng_uM0ZaB4).

articles/virtual-network/nat-gateway/troubleshoot-nat.md

@@ -173,7 +173,7 @@ _**Solution:**_
 
 ### IPv6 coexistence
 
-[Virtual Network NAT](nat-overview.md) supports IPv4 UDP and TCP protocols and deployment on a [subnet with an IPv6 prefix isn't supported](nat-overview.md#limitations).
+[Virtual Network NAT](nat-overview.md) supports IPv4 UDP and TCP protocols and deployment on a subnet with an IPv6 prefix isn't supported.
 
 _**Solution:**_ Deploy NAT gateway on a subnet without IPv6 prefix.
 
@@ -196,4 +196,4 @@ If you are still having trouble, open a support case for further troubleshooting
 * Learn about [Virtual Network NAT](nat-overview.md)
 * Learn about [NAT gateway resource](nat-gateway-resource.md)
 * Learn about [metrics and alerts for NAT gateway resources](nat-metrics.md).
-* [Tell us what to build next for Virtual Network NAT in UserVoice](https://aka.ms/natuservoice).
+* [Tell us what to build next for Virtual Network NAT in UserVoice](https://aka.ms/natuservoice).