articles/virtual-network/nat-gateway/nat-gateway-resource.md
Lines changed: 17 additions & 19 deletions
@@ -47,17 +47,17 @@ Private Link uses the private IP addresses of your virtual machines or other com
47
47
48
48
### Connect to the internet with NAT gateway
49
49
50
-
NAT gateway is recommended for all production workloads where you need to connect to a public endpoint over the internet. When NAT gateway is configured to subnets, all previous outbound configurations, such as Load balancer or instance-level public IPs (IL PIPs) are superseded by NAT gateway. Outbound initiated and return traffic go through NAT gateway. There is no down time on outbound connectivity after adding NAT gateway to a subnet with existing outbound configurations. Inbound traffic directly from the internet doesn't pass through NAT gateway.
50
+
NAT gateway is recommended for all production workloads where you need to connect to a public endpoint over the internet. When NAT gateway is configured to subnets, all previous outbound configurations, such as Load balancer or instance-level public IPs (IL PIPs) are superseded by NAT gateway. Outbound initiated and return traffic go through NAT gateway. There's no down time on outbound connectivity after adding NAT gateway to a subnet with existing outbound configurations.
51
51
52
52
### Coexistence of outbound and inbound connectivity
53
53
54
-
NAT gateway, Load balancer and instance-level public IPs are flow direction aware. This means NAT gateway can coexist in the same virtual network as Load balancer and IL PIPs to provide outbound and inbound connectivity seamlessly. Inbound traffic through Load balancer or IL PIPs are translated separately from outbound traffic through NAT gateway.
54
+
NAT gateway, Load balancer and instance-level public IPs are flow direction aware. NAT gateway can coexist in the same virtual network as Load balancer and IL PIPs to provide outbound and inbound connectivity seamlessly. Inbound traffic through Load balancer or IL PIPs is translated separately from outbound traffic through NAT gateway.
55
55
56
56
The following scenarios are examples of how to ensure coexistence of Load balancer or instance level public IPs for inbound with NAT gateway for outbound.
57
57
58
58
#### NAT and VM with an instance-level public IP
59
59
60
-
:::image type="content" source="./media/nat-overview/flow-direction2.png" alt-text="Diagram that depicts a NAT gateway resource that consumes all IP addresses for a public IP prefix and directs that traffic to and from two subnets of VMs and a virtual machine scale set.":::
60
+
:::image type="content" source="./media/nat-overview/flow-direction2.png" alt-text="Diagram that depicts a NAT gateway resource that consumes all IP addresses for a public IP prefix and directs that traffic to and from two subnets that contain VMs and a virtual machine scale set.":::
61
61
62
62
*Figure: Virtual Network NAT and VM with an instance level public IP*
63
63
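Review bot: the rewritten paragraph at line 50 drops the last sentence of the original, "Inbound traffic directly from the internet doesn't pass through NAT gateway." That sentence is the one readers use to confirm that attaching a NAT gateway adds no inbound path to the subnet, so it should not disappear silently in an edit that otherwise only changes "There is" to "There's". Either keep it here or state the same point explicitly in the "Coexistence of outbound and inbound connectivity" section that follows. Also consider a comma after "(IL PIPs)" so the parenthetical list does not run into "are superseded".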
@@ -106,7 +106,7 @@ For guides on how to enable NSG flow logs, see [Enabling NSG Flow Logs](../../ne
106
106
107
107
Each NAT gateway can provide up to 50 Gbps of throughput. This data throughput includes data processed both outbound and inbound through a NAT gateway resource. You can split your deployments into multiple subnets and assign each subnet or group of subnets a NAT gateway to scale out.
108
108
109
-
NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. NAT gateway can process 1M packets per second and scale up to 5M packets per second.
109
+
NAT gateway can support up to 50,000 concurrent connections per public IP address **to the same destination endpoint** over the internet for TCP and UDP. NAT gateway can process 1M packets per second and scale up to 5M packets per second.
110
110
111
111
Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.
112
112
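Review bot: the bold on "to the same destination endpoint" is the right emphasis, because the 50,000 figure is a per-public-IP, per-destination ceiling rather than a total connection count, but the paragraph still leaves the reader to work out why. One added clause, for example "because each connection to the same destination needs its own SNAT port", or a link to the SNAT port exhaustion section below, would tie the limit to the mechanism the rest of the page explains.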
@@ -135,33 +135,33 @@ NAT gateway interacts with IP and IP transport headers of UDP and TCP flows. NAT
135
135
136
136
Source Network Address Translation (SNAT) rewrites the source of a flow to originate from a different IP address and/or port. Typically, SNAT is used when a private network needs to connect to a public host over the internet. SNAT allows multiple VM instances within the private VNet to use the same single Public IP address or set of IP addresses (prefix) to connect to the internet.
137
137
138
-
NAT gateway SNATs the private IP address and source port of a virtual machine (or other compute resource) to a static public IP address before going outbound to the internet from a virtual network. When making connections to the same destination endpoint, a different source port is used for the connection so that connections can be distinguished from one another. SNAT port exhaustion occurs when a source endpoint has run out of available SNAT ports to differentiate between new connections.
138
+
NAT gateway SNATs the private IP address and port of a virtual machine to a static public IP address and SNAT port before going outbound to the internet from a virtual network. Each new connection to the same destination endpoint uses a different SNAT port so that connections can be distinguished from one another. SNAT port exhaustion occurs when a source endpoint has run out of available SNAT ports to differentiate between new connections.
139
139
140
140
### Example SNAT flows for NAT gateway
141
141
142
142
The following example flows explain the basic concept of SNAT and how it works with NAT gateway.
143
143
144
-
In the table below the VM is making connections to destination IP 65.52.0.1 from the following source tuples (IPs and ports):
144
+
In the table below the VM makes connections to destination IP 65.52.0.1 from the following source tuples (IPs and ports):
145
145
146
146
| Flow | Source tuple | Destination tuple |
147
147
|:---:|:---:|:---:|
148
148
| 1 | 192.168.0.16:4283 | 65.52.0.1:80 |
149
149
| 2 | 192.168.0.16:4284 | 65.52.0.1:80 |
150
150
| 3 | 192.168.0.17.5768 | 65.52.0.1:80 |
151
151
152
-
When NAT gateway is configured with public IP address 65.52.1.1, the source IPs are SNAT'd into NAT gateway's public IP address as shown below:
152
+
When NAT gateway is configured with public IP address 65.52.1.1, the source IPs are SNAT'd into NAT gateway's public IP address and a SNAT port as shown below:
The source IP address and port of each flow is SNAT'd to the public IP address 65.52.1.1 (source tuple after SNAT) and to a different port for each new connection going to the same destination endpoint. The act of NAT gateway replacing all of the source ports and IPs with the public IP and port before connecting to the internet is known as *IP masquerading* or *port masquerading*. Multiple private sources are masqueraded behind a public IP.
160
+
"IP masquerading" or "port masquerading" is the act of replacing the private IP and port with the public IP and port before connecting to the internet. Multiple private resources can be masqueraded behind the same public IP of NAT gateway.
161
161
162
162
### NAT gateway dynamically allocates SNAT ports
163
163
164
-
NAT gateway dynamically allocates SNAT ports across a subnet's resources (ie virtual machines). SNAT port inventory is made available by attaching public IP addresses to NAT gateway. All available SNAT ports in inventory can be used by any virtual machine on subnets configured with NAT gateway:
164
+
NAT gateway dynamically allocates SNAT ports across a subnet's private resources such as virtual machines. SNAT port inventory is made available by attaching public IP addresses to NAT gateway. All available SNAT portscan be used on-demand by any virtual machine in subnets configured with NAT gateway:
165
165
166
166
:::image type="content" source="./media/nat-overview/lb-vnnat-chart.png" alt-text="Diagram that depicts the inventory of all available SNAT ports used by any VM on subnets configured with NAT.":::
167
167
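Review bot: two defects in this region survive the edit. Flow 3 in the source-tuple table reads "192.168.0.17.5768" with a dot where the other rows use a colon ("192.168.0.17:5768"); since the hunk touches the sentences around the table it should fix that row too. The added line 164 also has a missing space in "All available SNAT portscan be used on-demand" ("SNAT ports can"). Separately, the new masquerading paragraph (line 160) now defines the term twice on the page, once in the unchanged "The source IP address and port of each flow ..." sentence that still says "is known as *IP masquerading* or *port masquerading*" and again in the added paragraph; keep one definition.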
@@ -177,15 +177,13 @@ After a SNAT port is released, it's available for use by any VM on subnets confi
177
177
178
178
### Source (SNAT) port reuse
179
179
180
-
NAT gateway selects a port at random out of the available inventory of ports to make new outbound connections. If NAT gateway doesn't find any available SNAT ports, then it will reuse a SNAT port. A port can be reused so long as there is no existing connection going to the same destination IP and port.
181
-
182
-
The following illustrates this concept as an additional flow to the preceding set, with a VM flowing to a new destination IP 65.52.0.2.
180
+
NAT gateway selects a port at random out of the available inventory of ports to make new outbound connections. If NAT gateway doesn't find any available SNAT ports, then it will reuse a SNAT port. A SNAT port can be reused when connecting to a different destination IP and port as shown below with this extra flow.
183
181
184
182
| Flow | Source tuple | Destination tuple |
185
183
|:---:|:---:|:---:|
186
184
| 4 | 192.168.0.16:4285 | 65.52.0.2:80 |
187
185
188
-
A NAT gateway will translate flow 4 to a source port that may already be in use for other destinations as well (see flow 1 from table above). See [Scale NAT gateway](#scalability) for more discussion on correctly sizing your IP address provisioning.
186
+
A NAT gateway will translate flow 4 to a SNAT port that may already be in use for other destinations as well (see flow 1 from table above). See [Scale NAT gateway](#scalability) for more discussion on correctly sizing your IP address provisioning.
@@ -203,11 +201,11 @@ The following table provides information about when a TCP port becomes available
203
201
204
202
| Timer | Description | Value |
205
203
|---|---|---|
206
-
| TCP FIN | After a connection is closed by a TCP FIN packet, a 65second timer is activated that holds down the SNAT port. The SNAT port will be available for reuse after the timer ends. | 65 seconds |
207
-
| TCP RST | After a connection is closed by a TCP RST packet (reset), a 20second timer is activated that holds down the SNAT port. When the timer ends, the port is available for reuse. | 20 seconds |
208
-
| TCP half open | During connection establishment where one connection endpoint is waiting for acknowledgment from the other endpoint, a 25second timer is activated. If no traffic is detected, the connection will close. Once the connection has closed, the source port is available for reuse to the same destination endpoint. | 25 seconds |
204
+
| TCP FIN | After a connection is closed by a TCP FIN packet, a 65-second timer is activated that holds down the SNAT port. The SNAT port will be available for reuse after the timer ends. | 65 seconds |
205
+
| TCP RST | After a connection is closed by a TCP RST packet (reset), a 20-second timer is activated that holds down the SNAT port. When the timer ends, the port is available for reuse. | 20 seconds |
206
+
| TCP half open | During connection establishment where one connection endpoint is waiting for acknowledgment from the other endpoint, a 25-second timer is activated. If no traffic is detected, the connection will close. Once the connection has closed, the source port is available for reuse to the same destination endpoint. | 25 seconds |
209
207
210
-
For UDP traffic, after a connection has closed, the port will be in hold down for 65 seconds before it is available for reuse.
208
+
For UDP traffic, after a connection has closed, the port will be in hold down for 65 seconds before it's available for reuse.
211
209
212
210
### Idle Timeout Timers
213
211
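Review bot: the hyphenation fixes ("65-second", "20-second", "25-second") are correct, but the rows are now inconsistent about scope: the TCP half open row says the port becomes available "for reuse to the same destination endpoint", while the TCP FIN and TCP RST rows say only "available for reuse". Since the reuse rule in the preceding section is per destination IP and port, either add the same qualifier to the FIN and RST rows or state once above the table that all three timers hold the port down for that destination.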
@@ -227,7 +225,7 @@ Design recommendations for configuring timers:
227
225
228
226
- TCP keepalives can be used to provide a pattern of refreshing long idle connections and endpoint liveness detection. TCP keepalives appear as duplicate ACKs to the endpoints, are low overhead, and invisible to the application layer.
229
227
230
-
- Because UDP idle timeout timers are not configurable, UDP keepalives should be used to ensure that the idle timeout value isn't reached and that the connection is maintained. Unlike TCP connections, a UDP keepalive enabled on one side of the connection only applies to traffic flow in one direction. UDP keepalives must be enabled on both sides of the traffic flow in order to keep the traffic flow alive.
228
+
- Because UDP idle timeout timers aren't configurable, UDP keepalives should be used to ensure that the idle timeout value isn't reached, and that the connection is maintained. Unlike TCP connections, a UDP keepalive enabled on one side of the connection only applies to traffic flow in one direction. UDP keepalives must be enabled on both sides of the traffic flow in order to keep the traffic flow alive.
231
229
232
230
## Limitations
233
231
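Review bot: in the added bullet at line 228 the comma in "isn't reached, and that the connection is maintained" separates two objects of the same "ensure that", so it should be removed; the contraction changes themselves are fine.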
@@ -237,7 +235,7 @@ Design recommendations for configuring timers:
237
235
238
236
- To upgrade a basic public IP address to standard, see [Upgrade a public IP address](../ip-services/public-ip-upgrade-portal.md)
239
237
240
-
- NAT gateway does not support ICMP
238
+
- NAT gateway doesn't support ICMP
241
239
242
240
- IP fragmentation isn't available for NAT gateway.
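Review bot: the added bullet "NAT gateway doesn't support ICMP" ends without a period while the neighbouring bullet "IP fragmentation isn't available for NAT gateway." has one; make the list consistent. It would also help readers to say what the absence of ICMP means in practice (outbound ping and traceroute from the subnet do not traverse NAT gateway), since that is a common troubleshooting question.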