
Azure NAT Gateway

Introduction #

Azure virtual machines can reach the internet even when no public IP address is assigned directly to the VM. Unless outbound connectivity is provided explicitly by an instance-level public IP, a load balancer with outbound rules, a firewall, or a NAT Gateway, Azure has historically supplied an implicit default outbound access IP. Microsoft has announced the retirement of default outbound access for new virtual networks (scheduled for 30 September 2025), so an explicit outbound method is now the recommended baseline rather than a nice-to-have.

That default behavior is convenient, but the default outbound IP is not one you choose, it is not guaranteed, and it can change over the life of a VM. Azure NAT Gateway solves that problem by giving one or more subnets a predictable, static outbound source IP address.

Why Use a NAT Gateway? #

Imagine a group of application servers in an Azure subnet that need to connect to an external API. The API only allows traffic from approved public IP addresses.

You could assign static public IP addresses to each server, but that does not scale well:

  • Every new server needs another public IP address.
  • The external API allowlist must be updated every time servers are added or removed.
  • Static public IP addresses add extra cost and operational overhead.
  • Each instance-level public IP is also an inbound attack surface that has to be locked down with NSG rules, even if the server only ever needs outbound access.

With Azure NAT Gateway, the subnet uses the gateway’s public IP address for outbound internet traffic. You can add or remove application servers while the external service continues to see the same source IP address.

This pattern is also useful for Azure Virtual Desktop session hosts when external applications or online services use source IP addresses for licensing or access control.

What NAT Gateway Is Not #

NAT Gateway is not a security filtering service. It performs outbound source network address translation only; it does not inspect traffic, filter by destination or FQDN, or apply policy the way a firewall does. Network security group rules on the subnet or NIC are still evaluated on outbound traffic before it reaches the gateway, and the gateway accepts no unsolicited inbound connections on its public IP, but neither of those replaces a firewall.

If you need control over what users or workloads can reach on the internet, put Azure Firewall or another security service in the path rather than relying on the NAT Gateway.

How SNAT Works #

Azure NAT Gateway uses source network address translation, or SNAT.

When a VM opens a connection to a public website, the network flow includes:

  • Destination IP address
  • Destination port, such as 80 or 443
  • Source IP address
  • Source port

The VM starts with a private source IP address. NAT Gateway rewrites the outbound packet: the destination IP and port are left unchanged, while the source IP and source port are replaced with one of the gateway's public IP addresses and a free SNAT port from that address.

The gateway records that mapping in its translation table. When the reply arrives at the public IP and port, the gateway looks up the mapping, restores the private source address and port, and delivers the response to the correct VM. Packets that match no mapping are dropped, which is why the gateway never exposes the VMs to unsolicited inbound traffic. Mappings are released after the idle timeout (4 minutes by default), and each public IP provides a finite pool of 64,512 SNAT ports, so long-lived or very chatty workloads can run out of ports; adding public IP addresses or a prefix to the gateway enlarges the pool.
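The following is an added illustrative model of the SNAT table described above; it is not Azure's code and does not call the Azure service. It assumes Azure's published limits (64,512 SNAT ports per public IP, at most 16 public IPs, a 4-minute default idle timeout) and uses a constructed sample flow. It also shows the two failure modes a practitioner cares about: an unsolicited inbound packet finds no mapping and is dropped, and a gateway whose port pool is exhausted refuses new flows until idle mappings expire.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow as the gateway sees it on the private side: (proto, src_ip, src_port, dst_ip, dst_port).
Flow = Tuple[str, str, int, str, int]

# Assumptions taken from Azure's published limits: 64,512 SNAT ports per public IP
# (1024-65535) and at most 16 public IPs per NAT gateway.
DEFAULT_PORT_RANGE = range(1024, 65536)
MAX_PUBLIC_IPS = 16


class SnatPortExhausted(Exception):
    """No free SNAT port is left on any of the gateway's public IPs."""


@dataclass
class Mapping:
    public_ip: str
    public_port: int
    last_seen: float


@dataclass
class SnatGateway:
    public_ips: List[str]
    idle_timeout_s: float = 240.0            # Azure default TCP idle timeout is 4 minutes
    port_range: range = DEFAULT_PORT_RANGE
    _outbound: Dict[Flow, Mapping] = field(default_factory=dict, init=False)
    # reverse table: (proto, public_ip, public_port, remote_ip, remote_port) -> private flow
    _inbound: Dict[Tuple[str, str, int, str, int], Flow] = field(default_factory=dict, init=False)
    _free: Dict[str, List[int]] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        if not 1 <= len(self.public_ips) <= MAX_PUBLIC_IPS:
            raise ValueError(f"a NAT gateway needs between 1 and {MAX_PUBLIC_IPS} public IPs")
        for ip in self.public_ips:
            self._free[ip] = list(reversed(self.port_range))   # pop() yields the lowest port first

    def free_ports(self) -> Dict[str, int]:
        return {ip: len(ports) for ip, ports in self._free.items()}

    def translate_out(self, flow: Flow, now: float) -> Tuple[str, str, int, str, int]:
        """Rewrite a private outbound 5-tuple: destination unchanged, source -> gateway IP/port."""
        proto, _src_ip, _src_port, dst_ip, dst_port = flow
        mapping = self._outbound.get(flow) or self._allocate(flow, now)
        mapping.last_seen = now
        return (proto, mapping.public_ip, mapping.public_port, dst_ip, dst_port)

    def translate_in(self, packet: Tuple[str, str, int, str, int], now: float) -> Optional[Flow]:
        """Map a reply (proto, remote_ip, remote_port, public_ip, public_port) back to its private
        flow. Anything without a mapping returns None: the gateway drops unsolicited inbound."""
        proto, remote_ip, remote_port, public_ip, public_port = packet
        flow = self._inbound.get((proto, public_ip, public_port, remote_ip, remote_port))
        if flow is None:
            return None
        self._outbound[flow].last_seen = now
        return flow

    def expire(self, now: float) -> int:
        """Release mappings idle for at least the timeout and return their SNAT ports to the pool."""
        stale = [f for f, m in self._outbound.items() if now - m.last_seen >= self.idle_timeout_s]
        for flow in stale:
            mapping = self._outbound.pop(flow)
            proto, _, _, dst_ip, dst_port = flow
            del self._inbound[(proto, mapping.public_ip, mapping.public_port, dst_ip, dst_port)]
            self._free[mapping.public_ip].append(mapping.public_port)
        return len(stale)

    def _allocate(self, flow: Flow, now: float) -> Mapping:
        # Conservative model: one SNAT port per flow. The real gateway can reuse a port toward
        # different destinations, so this toy exhausts its pool earlier than Azure would.
        proto, _, _, dst_ip, dst_port = flow
        for ip in self.public_ips:
            if self._free[ip]:
                port = self._free[ip].pop()
                mapping = Mapping(ip, port, now)
                self._outbound[flow] = mapping
                self._inbound[(proto, ip, port, dst_ip, dst_port)] = flow
                return mapping
        raise SnatPortExhausted(f"all SNAT ports in use on {self.public_ips}")


def demo() -> None:
    # Constructed sample: one VM in 10.0.1.0/24 opening HTTPS to an external API.
    gw = SnatGateway(public_ips=["203.0.113.10"])
    vm_flow: Flow = ("tcp", "10.0.1.4", 49152, "198.51.100.7", 443)
    on_wire = gw.translate_out(vm_flow, now=0.0)
    reply = ("tcp", "198.51.100.7", 443, on_wire[1], on_wire[2])
    print("outbound:", vm_flow, "->", on_wire)
    print("reply   :", reply, "->", gw.translate_in(reply, now=1.0))
    print("idle 4 min, mappings freed:", gw.expire(now=241.0), "free ports:", gw.free_ports())


if __name__ == "__main__":
    demo()
```

The model deliberately allocates one port per flow, which is stricter than the real service; it makes the exhaustion behaviour easy to reason about and errs on the side of planning for more public IPs, not fewer. Raising `idle_timeout_s` holds ports longer, which is the same trade-off the portal's idle timeout setting makes.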

Planning Notes #

Keep these points in mind when planning Azure NAT Gateway:

  • A NAT Gateway can be associated with one or more subnets in the same virtual network; it cannot span virtual networks.
  • A subnet can be associated with only one NAT Gateway. Once attached, the gateway takes precedence over instance-level public IPs and load balancer outbound rules for outbound traffic from that subnet.
  • NAT Gateway public IP addresses must be Standard SKU and static. A gateway can carry up to 16 public IP addresses or prefix equivalents, each providing 64,512 SNAT ports.
  • Basic public IP addresses and Basic load balancers are not compatible with NAT Gateway.
  • If a subnet has Basic resources, upgrade them to Standard or move them to another subnet before attaching the gateway.
  • NAT Gateway must be in the same region as the virtual network whose subnets it will attach to, and it lives in at most one availability zone. For zone-resilient designs, deploy one gateway per zone, each with its own subnet.
  • You can use a public IP address or a public IP prefix for outbound connectivity.
  • NAT Gateway is outbound-only: its public IP never accepts unsolicited inbound connections, so it cannot be used to publish a service.
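The planning notes above are easy to check mechanically before touching the portal. The following pre-flight validator is an added example, not part of the original page or any Azure tool. It runs over a constructed inventory shaped loosely like trimmed `az ... list -o json` output (the field names `sku.name`, `publicIPAllocationMethod` and `natGateway.id` follow the CLI's JSON; the simplified `nics`, `loadBalancers` and `targetSubnets` shapes are assumptions of this example) and reports every planning-note violation it finds.

```python
from typing import Any, Dict, List

# Documented Azure limit, treated as an assumption of this example.
MAX_OUTBOUND_IPS = 16


def preflight(plan: Dict[str, Any]) -> List[str]:
    """Check a NAT Gateway plan against the planning notes; returns a list of problems."""
    gw, vnet = plan["natGateway"], plan["vnet"]
    problems: List[str] = []

    # Region: the gateway must live in the same region as the virtual network it attaches to.
    if gw["location"] != vnet["location"]:
        problems.append(f"gateway region {gw['location']} != vnet region {vnet['location']}")

    # Outbound IPs: Standard SKU, static allocation, at least one, at most 16 in total.
    pips = {p["name"]: p for p in plan["publicIps"]}
    for name in gw["publicIpAddresses"]:
        pip = pips.get(name)
        if pip is None:
            problems.append(f"public IP {name} not found")
            continue
        if pip["sku"]["name"] != "Standard":
            problems.append(f"public IP {name} is {pip['sku']['name']} SKU, needs Standard")
        if pip["publicIPAllocationMethod"] != "Static":
            problems.append(f"public IP {name} is {pip['publicIPAllocationMethod']}, needs Static")
    total = len(gw["publicIpAddresses"]) + len(gw["publicIpPrefixes"])
    if total == 0:
        problems.append("no outbound public IP address or prefix configured")
    elif total > MAX_OUTBOUND_IPS:
        problems.append(f"{total} outbound IPs/prefixes exceeds the limit of {MAX_OUTBOUND_IPS}")

    # Subnets: must exist, must not already point at a different gateway, no Basic resources.
    subnets = {s["name"]: s for s in vnet["subnets"]}
    for name in gw["targetSubnets"]:
        subnet = subnets.get(name)
        if subnet is None:
            problems.append(f"subnet {name} not found in {vnet['name']}")
            continue
        bound = subnet.get("natGateway")
        if bound and bound["id"] != gw["id"]:
            problems.append(f"subnet {name} is already associated with {bound['id']}")
        for nic in plan["nics"]:
            if nic["subnet"] == name and nic.get("publicIpSku") == "Basic":
                problems.append(f"NIC {nic['name']} in {name} has a Basic public IP; upgrade or move it")
        for lb in plan["loadBalancers"]:
            if name in lb["backendSubnets"] and lb["sku"]["name"] == "Basic":
                problems.append(f"Basic load balancer {lb['name']} has a backend in {name}")
    return problems


# Constructed sample inventory (simplified); the subscription and names are placeholders.
GW_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
             "/providers/Microsoft.Network/natGateways/")
SAMPLE_PLAN: Dict[str, Any] = {
    "natGateway": {
        "id": GW_PREFIX + "natgw-app",
        "location": "westeurope",
        "publicIpAddresses": ["pip-natgw"],
        "publicIpPrefixes": [],
        "targetSubnets": ["snet-app", "snet-legacy"],
    },
    "vnet": {
        "name": "vnet-app",
        "location": "westeurope",
        "subnets": [
            {"name": "snet-app", "natGateway": None},
            {"name": "snet-legacy", "natGateway": {"id": GW_PREFIX + "natgw-old"}},
        ],
    },
    "publicIps": [
        {"name": "pip-natgw", "sku": {"name": "Standard"}, "publicIPAllocationMethod": "Static"},
    ],
    "nics": [
        {"name": "nic-web1", "subnet": "snet-app", "publicIpSku": None},
        {"name": "nic-legacy1", "subnet": "snet-legacy", "publicIpSku": "Basic"},
    ],
    "loadBalancers": [
        {"name": "lb-legacy", "sku": {"name": "Basic"}, "backendSubnets": ["snet-legacy"]},
    ],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_PLAN):
        print("BLOCKER:", problem)
```

On the sample inventory the validator flags `snet-legacy` three times (already bound to another gateway, a Basic public IP on a NIC, a Basic load balancer backend), which is exactly the "upgrade or move" case in the notes; dropping that subnet from the plan leaves it clean.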

Portal Deployment Flow #

To create a NAT Gateway in the Azure portal:

  1. Search for NAT Gateway from Create a resource.
  2. Select the NAT Gateway resource and choose Create.
  3. Create or select a resource group.
  4. Give the NAT Gateway a name.
  5. Choose the same region as the virtual network that contains your target subnets.
  6. Select an availability zone if you need zonal placement, or leave it at No zone for Azure-managed placement. A NAT Gateway cannot span zones.
  7. Leave the TCP idle timeout at the default of 4 minutes unless your workload needs a longer value (up to 120 minutes). A longer timeout holds SNAT ports longer, which brings port exhaustion closer.
  8. Add an outbound public IP address or public IP prefix.
  9. Create a new Standard static public IP address if you do not already have one available.
  10. Select the virtual network and one or more compatible subnets.
  11. Add tags if needed.
  12. Review the configuration and create the resource.

After deployment, the resource group will contain the NAT Gateway and the public IP address assigned to it.

Attach an Existing Subnet #

You can also attach an existing subnet to a NAT Gateway after the gateway has been created:

  1. Open the virtual network in the Azure portal.
  2. Go to Subnets.
  3. Select the subnet you want to update.
  4. Change the NAT Gateway setting from None to the NAT Gateway you created.
  5. Save the subnet configuration.

Once the change applies, new outbound internet connections from that subnet should use the NAT Gateway public IP address. If you are testing from a browser, close and reopen the browser so it starts a new connection.

Quick Check #

Before attaching the subnet, a VM without a public IP may show a default Azure outbound public IP when you visit an IP-checking site.

After attaching the subnet to NAT Gateway and opening a new connection, the same test should show the NAT Gateway public IP address instead.
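The portal flow, the subnet attachment, and the control-plane half of the quick check can be scripted. The block below is an added example that drives the Azure CLI from Python; it is not part of the original page and not Microsoft's code. It assumes the `az` CLI is installed and logged in, uses constructed names (`rg-app`, `vnet-app`, `snet-app`, `natgw-app`, `pip-natgw`), and by default only prints the commands so they can be reviewed before anything is created. The ordering mirrors the portal: Standard static public IP first, then the gateway in the same region, then the subnet association, then a read-back of `natGateway.id` on each subnet.

```python
import subprocess
from typing import List, Optional, Sequence

Command = List[str]


def deploy_commands(rg: str, location: str, vnet: str, subnets: Sequence[str],
                    gateway: str = "natgw-app", pip: str = "pip-natgw",
                    idle_timeout_min: int = 4, zone: Optional[str] = None) -> List[Command]:
    """Azure CLI equivalent of the portal flow: public IP, then gateway, then subnet association."""
    if not 4 <= idle_timeout_min <= 120:
        raise ValueError("NAT Gateway idle timeout must be between 4 and 120 minutes")
    zone_args = ["--zone", zone] if zone else []
    cmds: List[Command] = [
        # Portal steps 8-9: only a Standard SKU, static public IP can be attached to a NAT gateway.
        ["az", "network", "public-ip", "create", "-g", rg, "-n", pip, "-l", location,
         "--sku", "Standard", "--allocation-method", "Static", *zone_args],
        # Portal steps 4-8: gateway in the same region as the VNet, with idle timeout and outbound IP.
        ["az", "network", "nat", "gateway", "create", "-g", rg, "-n", gateway, "-l", location,
         "--public-ip-addresses", pip, "--idle-timeout", str(idle_timeout_min), *zone_args],
    ]
    # Portal step 10, or "Attach an Existing Subnet": point each subnet at the gateway.
    for subnet in subnets:
        cmds.append(["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
                     "-n", subnet, "--nat-gateway", gateway])
    return cmds


def verify_commands(rg: str, vnet: str, subnets: Sequence[str]) -> List[Command]:
    """Quick check from the control plane: which NAT gateway (if any) each subnet now uses."""
    return [["az", "network", "vnet", "subnet", "show", "-g", rg, "--vnet-name", vnet,
             "-n", subnet, "--query", "natGateway.id", "-o", "tsv"] for subnet in subnets]


def run(cmds: Sequence[Command], execute: bool = False) -> List[str]:
    """Echo each command; with execute=True run it and stop at the first failure."""
    outputs: List[str] = []
    for cmd in cmds:
        print(" ".join(cmd))
        if execute:
            result = subprocess.run(cmd, capture_output=True, text=True)
            if result.returncode != 0:
                raise RuntimeError(f"{' '.join(cmd[:5])} failed: {result.stderr.strip()}")
            outputs.append(result.stdout.strip())
    return outputs


if __name__ == "__main__":
    # Constructed example values; pass execute=True only after reviewing the printed commands.
    plan = deploy_commands("rg-app", "westeurope", "vnet-app", ["snet-app"], zone="1")
    run(plan + verify_commands("rg-app", "vnet-app", ["snet-app"]))
```

The data-plane half of the quick check still happens on the VM: from a shell on a host in the subnet, fetch your address from an IP-echo service over a fresh connection and compare it with the address of `pip-natgw`. Existing connections keep their old mapping, which is why the page tells you to restart the browser.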

Summary #

Azure NAT Gateway is a clean way to standardize outbound internet traffic for resources in a subnet. It is especially useful when external services need to allowlist a stable public IP address, while your Azure workload still scales up and down behind the scenes.