Azure gives customers the resources to establish both public and private network connectivity. By placing resources in a virtual network whose subnets each cover a different address range, an organization can control inbound and outbound access to those resources. As resources are assigned to subnets, traffic can be contained within the virtual network. By allowing inbound and outbound access only within the virtual network, resources are no longer reachable from the internet. This improves security, but sometimes resources need to reach targets on the internet. One way to provide that internet access is a NAT gateway.
Azure Network Address Translation (NAT) Gateway is a fully managed and highly resilient NAT service that provides outbound connectivity to the internet through the deployment of a NAT gateway resource. A NAT gateway lets instances in a private subnet connect to services outside the virtual network, while external services cannot initiate a connection to those instances. A NAT gateway can be attached to multiple subnets within a virtual network to provide outbound connectivity to the internet. Benefits of NAT include the reuse of private IP addresses, enhanced security for private networks by keeping internal addressing hidden from the external network, and connecting many hosts to the global Internet using a smaller number of public (external) IP addresses, thereby conserving IP address space.
If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range; gateways don't need to be defined for Azure to route traffic between subnets.
The system default route specifies the 0.0.0.0/0 address prefix. If Azure's default routes are not overridden, Azure routes traffic for any address not specified by an address range within a virtual network to the Internet. There is one exception to this routing: if the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network rather than to the Internet. Traffic between Azure services doesn't traverse the Internet, regardless of which Azure region the virtual network exists in or which Azure region an instance of the Azure service is deployed in. Azure's default system route for the 0.0.0.0/0 address prefix can be overridden with a custom route.
An Azure NAT gateway in a subnet can provide outbound connectivity for all private resources in that subnet. This includes traffic from other subnets within the same virtual network, provided those subnets are also associated with the NAT gateway; a NAT gateway can be attached to multiple subnets for outbound connectivity. It can be assigned up to 16 public IP addresses or a /28 public IP prefix. It takes precedence over a load balancer with or without outbound rules, becoming the next hop type for all internet-destined traffic. A NAT gateway can't span beyond a single virtual network. It provides source network address translation (SNAT) for private instances within subnets of an Azure virtual network.
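As an added illustration (not Azure's code or anything from the original page), the Python model below applies the route selection described in the last three paragraphs: one system route per virtual network address range, 0.0.0.0/0 to the Internet unless a custom route overrides it, and a NAT gateway that becomes the next hop for Internet-bound traffic only from subnets associated with it, within a single virtual network and with at most 16 public IPs. The address ranges, TEST-NET addresses and gateway names are constructed; the Azure-service backbone exception and load-balancer outbound rules are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

MAX_NAT_PUBLIC_IPS = 16  # limit stated in the text (a /28 prefix is the same 16)

@dataclass
class NatGateway:
    name: str
    vnet: str
    public_ips: List[str]  # SNAT source pool (constructed TEST-NET values in tests)

    def __post_init__(self):
        if len(self.public_ips) > MAX_NAT_PUBLIC_IPS:
            raise ValueError(f"{self.name}: at most {MAX_NAT_PUBLIC_IPS} public IPs")

@dataclass
class Subnet:
    name: str
    vnet: str
    prefix: str
    nat_gateway: Optional[NatGateway] = None

    def attach(self, gw: NatGateway) -> None:
        # A NAT gateway can't span beyond a single virtual network.
        if gw.vnet != self.vnet:
            raise ValueError(f"{gw.name} belongs to {gw.vnet}, not {self.vnet}")
        self.nat_gateway = gw

def effective_routes(vnet_ranges, custom_routes=()):
    """System routes: one per VNet address range plus 0.0.0.0/0 -> Internet.
    A custom route with the same prefix overrides the system route."""
    routes = {ipaddress.ip_network(r): "VirtualNetwork" for r in vnet_ranges}
    routes[ipaddress.ip_network("0.0.0.0/0")] = "Internet"
    for prefix, hop in custom_routes:
        routes[ipaddress.ip_network(prefix)] = hop
    return routes

def next_hop(subnet: Subnet, dst: str, vnet_ranges,
             custom_routes=()) -> Tuple[str, Optional[List[str]]]:
    """Longest-prefix match; Internet-bound traffic from an associated subnet
    is handed to the NAT gateway, which SNATs it to one of its public IPs."""
    ip = ipaddress.ip_address(dst)
    routes = effective_routes(vnet_ranges, custom_routes)
    best = max((p for p in routes if ip in p), key=lambda p: p.prefixlen)
    hop = routes[best]
    if hop == "Internet" and subnet.nat_gateway is not None:
        return "NatGateway", subnet.nat_gateway.public_ips
    return hop, None
```

A subnet in the same virtual network that is not attached keeps the plain Internet next hop, which is exactly the "they must be associated" condition above.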