Update NAT Gateway management documentation #128286
malaikanazim wants to merge 1 commit into MicrosoftDocs:main from
Added note about NAT Gateway's outbound connectivity precedence and behavior for existing connections.

@malaikanazim: Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Learn Build status updates of commit 1fd3f4d: ❌ Validation status: errors. Please follow instructions here which may help to resolve issue. Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

Trying a close/reopen to clear the validation error.

Learn Build status updates of commit 1fd3f4d: ✅ Validation status: passed
For more details, please refer to the build report.

Learn Build status updates of commit 1fd3f4d: ✅ Validation status: passed
For more details, please refer to the build report.

Pull request overview
Adds documentation clarifying how NAT Gateway affects outbound connectivity selection for new vs. existing connections.
Changes:
- Added a NOTE describing NAT Gateway precedence for outbound connectivity.
- Documented that existing connections keep their original outbound path until re-established.
| - Add or remove a public IP address or public IP prefix. | ||
|
|
||
| > [!NOTE] | ||
| > Associating a NAT Gateway with a subnet makes it the preferred outbound connectivity method for all new connections. NAT Gateway takes precedence over other explicit outbound configurations, including load balancer outbound rules, firewalls, and instance‑level public IP addresses. |
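Review bot: In the added NOTE, "all new connections" is not scoped to outbound traffic or to the associated subnet, and "firewalls" is listed beside load balancer outbound rules and instance-level public IP addresses without saying which firewall is meant or what "takes precedence" means for it. Suggest "all new outbound connections from that subnet", and either name the firewall product and state what changes for it or drop it from the list, so a reader does not conclude that egress filtering stops applying. The hyphen in "instance‑level" is a non-breaking hyphen (U+2011); a plain ASCII hyphen keeps the term searchable.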
The statement “takes precedence over … firewalls” is ambiguous and could be interpreted as bypassing firewall policy. Consider clarifying that this is about SNAT/outbound path selection (e.g., source IP/egress) and does not imply skipping enforcement by network virtual appliances or Azure Firewall if traffic is still routed through them.
| > Associating a NAT Gateway with a subnet makes it the preferred outbound connectivity method for all new connections. NAT Gateway takes precedence over other explicit outbound configurations, including load balancer outbound rules, firewalls, and instance‑level public IP addresses. | |
| > Associating a NAT Gateway with a subnet makes it the preferred outbound connectivity method for all new outbound connections from that subnet. NAT Gateway takes precedence for outbound path and source IP (SNAT) selection over other explicit outbound configurations, such as load balancer outbound rules and instance‑level public IP addresses. This behavior does **not** bypass Azure Firewall or other network virtual appliances; traffic is still inspected and filtered if your routing sends it through them. |

Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged"