Wednesday, November 29, 2023

NAT Gateway


Azure provides customers with the resources to establish public and private plane network connectivity. By placing resources in a virtual network with subnets, each for a different address range, an organization can secure inbound and outbound access to those resources. As resources are assigned to subnets, traffic can be contained within the virtual network. By allowing inbound and outbound access only within the virtual network, resources are not reachable from the internet. This improves security, but sometimes resources need to reach targets on the internet. One way to provide that internet access is with a NAT Gateway.

Azure Network Address Translation (NAT) Gateway is a fully managed and highly resilient NAT service that provides outbound connectivity to the internet through the deployment of a NAT gateway resource. A NAT gateway can be used so that instances in a private subnet can connect to services outside the VPC, but external services cannot initiate a connection with those instances. A NAT gateway can be attached to multiple subnets within a virtual network to provide outbound connectivity to the internet. Some benefits of NAT include the reuse of private IP addresses, enhanced security for private networks by keeping internal addressing hidden from the external network, and connecting many hosts to the global Internet using a smaller number of public (external) IP addresses, thereby conserving IP address space.

If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. Gateways don’t need to be defined for Azure to route traffic between subnets.

The system default route specifies the 0.0.0.0/0 address prefix. If Azure’s default routes are not overridden, Azure routes traffic for any address not specified by an address range within a virtual network to the Internet. There's one exception to this routing. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services doesn't traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. Azure's default system route for the 0.0.0.0/0 address prefix can be overridden with a custom route.

An Azure NAT Gateway in a subnet can provide outbound connectivity for all private resources in that subnet. It can also serve traffic from other subnets within the same virtual network, but each of those subnets must be associated with the NAT gateway. A NAT gateway can be attached to multiple subnets for outbound connectivity. It can be assigned up to 16 public IP addresses or a /28 size public IP prefix. It takes precedence over a load balancer, with or without outbound rules, and becomes the next hop type for all internet-destined traffic. A NAT gateway can't span beyond a single virtual network. It provides source network address translation (SNAT) for private instances within subnets of an Azure virtual network.
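The following Azure CLI script is an added example, not code from the original post, showing the deployment described above: one Standard SKU public IP, a NAT gateway that uses it, and a virtual network with two private subnets that are each explicitly associated with the gateway. The resource group, location, resource names, address ranges and the NIC name passed to the verify step are assumed values chosen for the example; the pure-shell check of the 16-public-IP limit runs without any Azure access so the script fails early on a misconfiguration instead of at the API.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): deploy an Azure NAT gateway with
# the Azure CLI and attach it to two private subnets in one virtual network.
# Resource group, location, names and address ranges are assumed values.
set -eu

RG="${RG:-rg-natgw-demo}"
LOCATION="${LOCATION:-eastus}"
VNET="vnet-private"
NATGW="natgw-egress"

# Limit stated in the post: a NAT gateway takes at most 16 public IP addresses
# (or one /28 prefix). Validate locally before calling the API.
check_public_ip_count() {
  count="$1"
  if [ "$count" -ge 1 ] && [ "$count" -le 16 ]; then
    return 0
  fi
  return 1
}

deploy() {
  check_public_ip_count 1 || { echo "public IP count out of range" >&2; return 1; }

  az group create --name "$RG" --location "$LOCATION" --output none

  # NAT gateway public IPs must be Standard SKU with static allocation.
  az network public-ip create --resource-group "$RG" --name pip-natgw-1 \
    --sku Standard --allocation-method Static --output none

  # The gateway itself; idle timeout is in minutes.
  az network nat gateway create --resource-group "$RG" --name "$NATGW" \
    --public-ip-addresses pip-natgw-1 --idle-timeout 10 --output none

  # Private virtual network with two subnets. Workloads placed here get no
  # public IP of their own; all egress goes through the NAT gateway, and
  # nothing on the internet can initiate a connection to them.
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix 10.10.0.0/16 \
    --subnet-name snet-app --subnet-prefix 10.10.1.0/24 --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name snet-workers --address-prefixes 10.10.2.0/24 --output none

  # Association is per subnet: a subnet that is not associated keeps the
  # system default route and does not use the gateway.
  for subnet in snet-app snet-workers; do
    az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$subnet" --nat-gateway "$NATGW" --output none
  done
}

# Print the next-hop type for the 0.0.0.0/0 default route as seen from a NIC
# in one of the associated subnets (NIC name is an assumed argument).
verify() {
  nic="$1"
  az network nic show-effective-route-table --resource-group "$RG" --name "$nic" \
    --query "value[?addressPrefix[0]=='0.0.0.0/0'].nextHopType" --output tsv
}

# Only act when given a verb, so the file can be sourced for its functions.
case "${1:-}" in
  deploy) deploy ;;
  verify) verify "${2:?nic name required}" ;;
  *) : ;;
esac
```

Run it as `sh natgw.sh deploy` with an authenticated Azure CLI, then `sh natgw.sh verify <nic-name>` to confirm that the default route from a NIC in an associated subnet now resolves to the NAT gateway rather than the system default. Keeping the association loop explicit mirrors the point in the post: attaching the gateway to one subnet does nothing for the others until each is associated.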
