Azure Networking - #12 - Azure NAT Gateway

  • Published: 10 Sep 2024
  • #TheAzureAcademy #AzureNetworking #AzureNATGateway
    Check out the new Azure NAT Gateway today at The Azure Academy
    Virtual Network NAT (network address translation) simplifies outbound-only Internet connectivity for virtual networks.
    When configured on a subnet, all outbound connectivity uses your specified static public IP addresses.
    Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines.
    NAT is fully managed and highly resilient.
    Nat Gateway Docs - 3:15
    Create NAT Gateway - 6:25
    Explore NAT Gateway - 10:42
    Test NAT Gateway - 13:46
    📲 Follow Azure Academy
    ►Twitter: / msazureacademy
    ►LinkedIn: / dean-cefola-2902934b
    ►Facebook: / azure-academy-87979521...
    💰 Support Azure Academy
    ►Patreon: / azureacademy
    📡 Contact Azure Academy
    ►Email: Dean.Cefola@Microsoft.com
    ►MAIN Channel: / azureacademy
    🤣Playlists
    ►Azure Governance: aka.ms/AzureAc...
    ►Azure Fundamentals: aka.ms/AzureAc...
    ►Azure Blueprints: aka.ms/AzureAc...
    ►Azure AD Series: aka.ms/AzureAc...
    ►Azure ARM Templates: aka.ms/AzureAc...
    ►Azure Automation: aka.ms/AzureAc...
    ►Azure Networking: aka.ms/AzureAc...
    ►Azure Migrations: aka.ms/AzureAc...
    ►Azure Backup: aka.ms/AzureAc...
    ►Azure New Features: aka.ms/AzureAc...
    ►Windows Virtual Desktop: aka.ms/AzureAc...
    ►Cloud Adoption Framework:aka.ms/AzureAc...
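
    An added example, not from the video, its description or Microsoft's own samples: a Bicep template that builds the setup the description outlines, a Standard SKU static public IP, a NAT Gateway, and a subnet associated with it, plus a NIC with no instance public IP so the VM behind it has outbound access only through the gateway. Resource names, the location and the address ranges are assumptions (192.168.1.0/24 only echoes the 192.168.1.4 address a commenter mentions).

```bicep
// Added example (not the video's or Microsoft's code). Names, address ranges
// and location are assumptions.
param location string = resourceGroup().location
param vnetName string = 'vnet-natgw-demo'   // assumption
param subnetName string = 'snet-app'        // assumption

// NAT Gateway only accepts Standard SKU, statically allocated public IPs.
// A Basic SKU public IP or Basic load balancer anywhere in the target subnet
// blocks the association (the "cannot be deployed on subnet containing
// Basic SKU Public IP addresses" error quoted in the comments).
resource natPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-natgw-demo'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
  }
}

resource natGw 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'natgw-demo'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    // TCP idle timeout, 4 to 120 minutes. Longer timeouts hold SNAT ports
    // longer, so they exhaust sooner under many short-lived connections.
    idleTimeoutInMinutes: 4
    publicIpAddresses: [
      {
        id: natPip.id
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '192.168.0.0/16'
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '192.168.1.0/24'
          // The association is per subnet: new outbound flows from every NIC
          // in this subnet leave with natPip as their source address.
          natGateway: {
            id: natGw.id
          }
        }
      }
    ]
  }
}

// A NIC with no publicIPAddress: the VM behind it is reachable only from
// inside the VNet, yet it still has internet egress through the NAT Gateway.
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: 'nic-yet-another-vm'   // assumption
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: vnet.properties.subnets[0].id
          }
        }
      }
    ]
  }
}

// The address a partner should allow-list for this subnet's outbound traffic.
output egressIp string = natPip.properties.ipAddress
```

    Deploy it with `az deployment group create --resource-group <rg> --template-file natgw.bicep`, then, from a VM in the subnet that has no instance public IP, ask an IP-echo service for your address and compare it with the `egressIp` output; that is the same check one of the replies below proposes. Two caveats the comments raise: a VM that does have its own Standard public IP still sends new outbound flows through the NAT Gateway (only replies to inbound connections use the instance IP), and App Service regional VNet integration has since gained NAT Gateway support, provided the app's outbound traffic is routed into the VNet (the "Route All" setting).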

Comments • 80

  • @kauffmann101
    @kauffmann101 4 years ago +6

    This is an awesome short tutorial to learn the new features of Azure. Thanks for your effort, Dean! Keep going 👍

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Thanks for the feedback Kafka!
      Let me know if you have any suggestions for other videos you would like us to do

  • @lynnecromack4933
    @lynnecromack4933 1 year ago +1

    OK. 4:47 why does the LB back-end pool have a VM that also has its own instance PIP? Did you mean the 2 VM icons in subnet 1 are not actually the B/E pool, just further VMs in the subnet? Thanks Dean.

    • @AzureAcademy
      @AzureAcademy  1 year ago +2

      Hey Lynne, I'm not positive that it does.
      The LB does not have a VM directly under it.
      Subnet A has the LB and also 2 VMs, 1 with a PIP and the other using the NAT gateway.
      One of the advantages of the LB is that you should not have a PIP and LB for the same VM.
      If it is intended to have the VM with the PIP also behind the LB I'd say that the doc is wrong.

  • @deychand11
    @deychand11 4 years ago +1

    Nice explanation. Thanks for publishing.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Happy to help, and thanks for the feedback!

  • @mosksky
    @mosksky 4 years ago +1

    Thank you Dean! Please don't stop, keep publishing your videos, it's so good to learn from you. PS: just the background music is a bit distracting, not a big deal but figured I'd share my feedback :)

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Thanks for the feedback Len. Can you give me more info on that?
      Is it the music I picked, the volume level or that there is anything playing at all, or something else?

    • @mosksky
      @mosksky 4 years ago +1

      @@AzureAcademy Good music and volume. You have a very good voice timbre, which helps to concentrate on the topic; I don't think any background sound is necessary (only in my opinion). Once again great training as always! Thank you again!!!

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Great, thanks for the additional feedback!

  • @IVOTEBID
    @IVOTEBID 5 months ago +1

    Superb

  • @andreipostolachi7927
    @andreipostolachi7927 4 years ago +1

    Probably a stupid question, bear with me, still learning, but could Azure NAT Gateway be used to translate the IP range for AWS to Azure site-to-site VPN connections if there are overlapping IPs? Quick example: I have SFTP in my Azure account and there are 3 other 3rd-party platforms in either AWS or Azure vendors' accounts that need a site-to-site VPN connection between their cloud and my cloud; could my Azure NAT manage the translation to avoid IP overlapping? Thank you

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      No, in Azure all VMs get a private IP address by default, and when those VMs send traffic to the internet they are issued a SNAT public IP that can change over time. The purpose of the NAT Gateway is to give an entire subnet of VMs a SNAT public IP that does not change, so it is only for outbound communication from Azure to the internet.
      Example:
      The random public IP address your VM hosting FTP would get is 100.65.18.4; in a new connection started tomorrow the IP address would be 52.16.20.125. The NAT gateway would give you the same public IP every time, of
      52.18.16.202
      Now when anyone from any cloud or any other service anywhere in the world wants to talk to your SFTP server they would use that IP address

  • @musadhk
    @musadhk 3 years ago +1

    How can we control the outbound connectivity on a NAT gateway? Let's say I want to allow only a few destinations. Can we add a FW or NSG directly (I didn't see that option though) on a NAT gateway? Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      If you have a firewall before the internet then it is your NAT. All traffic goes through the firewall and you can allow/deny what you want.
      You can add an NSG with outbound rules but you don't add that to the NAT Gateway, you add it to the subnet.
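
      The subnet-level control the reply describes, as an added example that is not part of the thread or the video: an NSG whose outbound rules allow only a few partner destinations and deny everything else bound for the internet, attached to the same subnet as the NAT Gateway. The VNet, subnet and gateway names, the subnet prefix and the partner ranges (TEST-NET documentation addresses) are assumptions.

```bicep
// Added example (not from the video). Names, prefixes and ports are
// assumptions; the partner ranges are TEST-NET documentation addresses.
param location string = resourceGroup().location
param vnetName string = 'vnet-natgw-demo'   // assumption
param subnetName string = 'snet-app'        // assumption
param natGwName string = 'natgw-demo'       // assumption
param partnerRanges array = [
  '203.0.113.10/32'
  '198.51.100.0/24'
]

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource natGw 'Microsoft.Network/natGateways@2023-09-01' existing = {
  name: natGwName
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-${subnetName}'
  location: location
  properties: {
    securityRules: [
      {
        // Lower number wins: the explicit allow is evaluated before the deny.
        name: 'allow-partner-https'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefixes: partnerRanges
          destinationPortRange: '443'
        }
      }
      {
        // Azure's built-in AllowInternetOutBound rule sits at priority 65001,
        // so without this deny every other internet destination stays open.
        name: 'deny-internet-outbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Both attach to the subnet: the NAT Gateway decides which source IP egress
// uses, the NSG decides which destinations egress may reach.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: '192.168.1.0/24'
    natGateway: {
      id: natGw.id
    }
    networkSecurityGroup: {
      id: nsg.id
    }
  }
}
```

      NSG rules match on addresses, ports and protocols only; if the allow list has to be expressed as FQDNs, or needs TLS inspection, that is a job for Azure Firewall application rules, which is the firewall case the reply mentions.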

  • @Martialbertrand
    @Martialbertrand 4 years ago +1

    The NAT IP is a public IP address. Do you plan to have the option to include a private IP option? Instead of translating to a PIP, it would be nice if you could have the option to translate to a private IP. It would help resolve the issue of overlapping IP addresses between subnets in VPN scenarios where you don't want any public IP access to your VNet. Do you know any solution that can resolve that issue?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Not currently...however it never hurts to provide that feedback...who knows, they might do it.
      The only way to avoid that VPN overlap I know of today is planning...

    • @AzureAcademy
      @AzureAcademy  4 years ago

      +Martial bertrand as far as I know there are no plans to make Nat Gateway work on the private IP address range...but you never know 😏
      Stay tuned for our upcoming video on Azure Virtual WAN for a different way to approach this

  • @carstenk7502
    @carstenk7502 2 years ago

    The playlist links in the show notes are broken.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Thanks for letting me know. In the description under the video, or a pop up card in the video?
      Oh, and which one was broken?

  • @AftabAli-ys7bp
    @AftabAli-ys7bp 4 years ago +1

    Thanks bro, I did this.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      Awesome! If you have any suggestions for new videos please let me know.

  • @venkataranga5095
    @venkataranga5095 4 years ago +1

    Great Video. I have question, will this work with AppService? I created a VNet and NAT Gateway and did a VNet integration on AppService. But I still see the outbound IP is one of the possible outbound IPs of AppService and not the Public IP tied to NAT Gateway. Thanks In Advance

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      So in your example...did you build an
      ASE (App Service Environment)

    • @venkataranga5095
      @venkataranga5095 4 years ago +1

      Azure Academy not ASE, it is in a premium plan P1V2. We deployed a Java app and one of the services this app calls requires a static outbound IP for whitelisting. All examples I saw on NAT Gateway are explained using VMs but I thought it would still work because we can do VNet integration. Will NAT work only private IP to public IP? Sorry, not a networking guy.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      understood. I have not run into this example before...The NAT Gateway will take all of the VMs on a given subnet and have them all use the same outbound Public IP Address without the need of a firewall or load balancer.
      I have not used the App Service Premium plan P1V2 you mentioned...so I am not sure. However I can say that in general App Services get their IP addresses from the App Service Plan...which is a cloud based Web Server.
      Since that is an Azure PaaS I do not think it will work with the NAT Gateway...but here is the way you can test it.
      Build a VM on the same subnet that the App service is on. BE SURE TO NOT BUILD A PUBLIC IP ADDRESS FOR THE VM.
      If you do then it will use that and not the NAT Gateway.
      Then find out how to get your App Service public IP
      and compare that to the VMs public IP from an internet source like whatismyipaddress.com/
      If they are the same...then it is working.
      If not then NAT Gateway doesn't support the App Service in that way.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      +dinesh ranga that’s on the list...stay tuned!

  • @berkinheisen7924
    @berkinheisen7924 3 years ago +1

    Great video. Thank you so much for this learning.
    Hi Dean, have a question. We have an 8-server deployment in our environment, and all those servers will be NAT'ed to Azure Firewall for outbound traffic. However, all of our 8 servers also need to connect to an SMTP server which is 3rd-party owned and needs to whitelist our requested public IP.
    Do I need to request 8 public IPs for each server and NAT it to the NAT gateway IP for SMTP outbound traffic? Or is there a way I can route my servers' private IP to Azure Firewall via SMTP port 25? Appreciate your great advice. Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      If the 8 VMs are behind the NAT Gateway or the Azure Firewall then they have a single front end IP already.
      You do not need a NAT Gateway AND an Azure Firewall in the same flow.

    • @berkinheisen7924
      @berkinheisen7924 3 years ago +1

      Hi Dean, thank you so much for your response. Would like to confirm. I have 4 VMs in Prod (Spoke 1) and 4 VMs in Non-prod (Spoke 2). Would it be best practice if I NAT (1) all of the VMs to one NAT gateway IP, (2) per spoke to a NAT GW, or (3) per subnet to a NAT GW? This is for the outbound SMTP traffic only. Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The purpose is to provide a single public IP for outgoing traffic. You can have multiple subnets behind a single NAT Gateway as well...however, SMTP is an outgoing mail server...why would you want a single outgoing IP for this?
      All VMs have outbound internet without the NAT Gateway...is there some application server they are communicating with that you want to have 1 specific IP to talk to?

    • @berkinheisen7924
      @berkinheisen7924 3 years ago +1

      Hi Dean, thanks for your time again and appreciate it much. I believe yes. The SMTP provider needs a public IP, which a NAT gateway IP is bound to, for their whitelisting in the SMTP relay. My servers only have private IPs for security purposes. Yes, I plan to NAT the servers' subnet for each spoke to NAT gateway IPs (1 for spoke 1 and 1 for spoke 2).
      My other concern is: if I'm going to route all of my servers' outbound traffic to the FW via UDR (0.0.0.0/0 to FW private IP), will it affect my servers' outgoing SMTP traffic on the NAT gateway? Since as I know Azure FW currently does not support outbound SMTP traffic.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The NAT Gateway is not needed and will not do you any good if you want to use a firewall.
      The NAT Gateway works by directing all your outbound INTERNET traffic to the NAT Gateway's dedicated public IP.
      When you use a firewall, you have to set up a custom route to send your traffic to the firewall; in the case of the internet traffic it is the 0.0.0.0/0 route, like you said.
      This means that the NAT Gateway will not be able to help you. And there is no point to have a NAT Gateway in front of a Firewall, because the firewall also has a dedicated public IP.
      The Firewall's public IP will be your dedicated outbound public IP for SMTP traffic that you can whitelist.
      The firewall doesn't have to specifically support port 25 traffic (but it does by the way 😎) because you are sending port 25 outbound to the internet. The App service on the internet side will only care that it allows port 25 from a public IP address.
      Example:
      ip=18.247.65.9 port=25 Allow=$true
      Does that make sense to you?
      If you know of something specific in the firewall docs that directly says port 25 CANNOT be used, processed or passed through the firewall I would like to see it
      ☺️

  • @ArcaLuiNeo
    @ArcaLuiNeo 4 years ago +1

    Thanks for the video. I was wondering, how does this work with the Azure Firewall because in a way, if you have an Az FW associated through a route table to your subnet, you get the same SNAT benefit?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Excellent question Silviu. You are basically correct. The FW IP will be your NAT'd IP. The difference is cost and management. The NatGateway cost is a lot less than the FW because it takes less compute.
      FW cost = $1.25 per hour + $0.016 per GB
      NatGW = $0.045 per hour + $0.045 per GB
      The other side is management. NatGW management is connect it to a subnet
      FW has multiple rule sets, and now you can use the FW Manager and FW Policy
      So they both have their place, pick the right tool for your workload.

    • @ArcaLuiNeo
      @ArcaLuiNeo 4 years ago +1

      @@AzureAcademy I assumed that the price difference will be an important factor. But I guess that the Route Table rules take precedence over the NatGW.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      I believe you are correct on the routing
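
      The routing point made in this exchange, and in the earlier reply about the 0.0.0.0/0 route making a NAT Gateway pointless in front of a firewall, as an added example that is not part of either thread or of the video: a route table that sends a spoke subnet's internet-bound traffic to Azure Firewall, and the supported way to still use NAT Gateway IPs in that design, by associating the gateway with AzureFirewallSubnet in the hub. The VNet, subnet and gateway names, the prefixes and the firewall's private IP are assumptions.

```bicep
// Added example (not from the video). The firewall's private IP, the hub and
// spoke names and all prefixes are assumptions.
param location string = resourceGroup().location
param spokeVnetName string = 'vnet-spoke1'    // assumption
param spokeSubnetName string = 'snet-app'     // assumption
param hubVnetName string = 'vnet-hub'         // assumption
param natGwName string = 'natgw-hub'          // assumption
param firewallPrivateIp string = '10.0.1.4'   // assumption: firewall's private IP

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: spokeVnetName
}

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: hubVnetName
}

resource natGw 'Microsoft.Network/natGateways@2023-09-01' existing = {
  name: natGwName
}

// A user-defined 0.0.0.0/0 route overrides the subnet's system route to the
// internet, so internet-bound packets are delivered to the firewall's private
// IP and SNATed by the firewall, not by any NAT Gateway on this subnet.
resource rt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-${spokeSubnetName}-to-firewall'
  location: location
  properties: {
    // Optional: stops a default route learned over VPN/ExpressRoute BGP from
    // being propagated into this table next to the static one below.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Spoke subnet: route table only. A NAT Gateway attached here as well would
// be billed by the hour but see none of the internet-bound traffic.
resource spokeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: spokeVnet
  name: spokeSubnetName
  properties: {
    addressPrefix: '10.1.1.0/24'
    routeTable: {
      id: rt.id
    }
  }
}

// Supported way to combine the two: associate the NAT Gateway with
// AzureFirewallSubnet. The firewall then sources its outbound traffic from
// the NAT Gateway's IPs, which is what a partner allow-lists.
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: '10.0.1.0/26'
    natGateway: {
      id: natGw.id
    }
  }
}
```

      Whichever device does the SNAT, the platform restriction on outbound TCP port 25 from Azure VMs on many subscription types still applies, so an authenticated SMTP relay on port 587 is the usual answer to the mail-whitelisting question raised above.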

  • @sidzhang
    @sidzhang 4 years ago +1

    Another great episode, I should spend more time to go through all, this solves my doubt why the source and destination VNET IP range are the same in the MS doc.
    By the way, does Azure VNET Gateway have similar functionality? I had a customer asking if they could NAT their Azure VNET range from 10.0.0.0/24 to 172.17.0.0/24, while talking to the on-prems offices. It's due to customer's unique policy requirement, I assume there is no such functionality for VNET GW.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      NAT Gateway is not an internal / private VNet-to-VNet NAT...yet. Who knows how it will improve over time

  • @jerewrig12345
    @jerewrig12345 4 years ago +2

    SNAT is source NAT, not secure NAT :)

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Thanks for pointing this out. You are correct, however I have heard it both ways.
      I have also been corrected by the NAT Gateway product owner and wanted to share what he said with everyone,
      "In NAT there are two fundamental notions.
      SNAT and DNAT. source and destination address rewrite and more specifically, the SNAT in azure in this case is port masquerading source network address translation.
      Secure NAT is a bad backronym."
      sorry for that...and thanks jerewrig12345 for the correction as well.

  • @partyateo
    @partyateo 3 years ago +1

    First of all thank you so much for the video, it helped me a great deal!
    I have a question, is an Application Gateway compatible with a NAT Gateway?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      No. NAT Gateway has to do with traffic going out of the vnet, APP Gateway has to do with traffic coming into the vnet

    • @partyateo
      @partyateo 3 years ago +1

      Thanks for the answer! I'm asking because according to Azure documentation one cannot deploy any other resource of this kind if you have an App Gateway deployed; we are trying to find a solution to have a static public IP in order to connect to outside application servers (for the IP to be whitelisted) and we thought that NAT gateway could work.

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      No, NAT Gateway is for your VMs to have a single IP address to get out from.
      You have a single IP for clients over the internet to get to your VMs in Azure.
      You need an Azure Public IP address.
      If you have multiple computers in Azure
      They can either all get their own public IP
      Or
      If they are part of the same app, then it depends on what network layer the traffic is...
      Layer 7 is for port 80 and 443 traffic...which would use either App Gateway or Azure Front Door
      All other traffic would use the Azure Load Balancer

  • @pranithad1462
    @pranithad1462 3 years ago +1

    Nice video.. I have a question. I am really trying hard to understand how to create a public and private subnet. What makes a subnet public? How can we say or identify a subnet as public or private? Please answer..thank you

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      All subnets in Azure are private
      However if you have a public IP address on a resource in that subnet you have opened public access to that subnet in some way
      Does that help

    • @pranithad1462
      @pranithad1462 3 years ago +1

      @@AzureAcademy Make sense. Thanks for the reply.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

    • @AzureAcademy
      @AzureAcademy  2 years ago

      +US World public is where there is inbound internet access into the subnet. Private is where inbound internet access is not allowed. All Azure subnets are private but

    • @AzureAcademy
      @AzureAcademy  2 years ago

      +US World it's the VMs in the subnet that are public or private. If a VM has a public IP then the VM is accessible from the internet…

  • @richardlphillips
    @richardlphillips 4 years ago +1

    Great video Dean. I have a WVD deployment and I want to whitelist the wvd servers from MFA. So want a single IP ideally. Can I apply this to a vnet of an existing wvd deployment ? I tried and got "cannot be deployed on subnet containing Basic SKU Public IP addresses or Basic SKU Load Balancer". I didn't want to start messing around in case it broke something 🤔

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      So did you put an Azure load balancer in front of the WVD VMs & give that load balancer a public IP? Load balancers and public IPs are to allow and control traffic flow INBOUND, into the VM...the WVD service should be the only way in...this is better security than a public IP. You also cannot force the WVD traffic to use your public IP. As far as the NAT Gateway...this allows a single public IP for all the VMs in a subnet to get out to the internet...but I don't know if doing that will be able to force all the WVD traffic to the NAT Gateway. What is the purpose of this test?

    • @richardlphillips
      @richardlphillips 4 years ago +1

      @@AzureAcademy Hiya, all I want is outbound internet traffic from WVD hosts to go out and appear from a known IP I can whitelist. Like in your example. I don't want to control inbound traffic to WVD. Once they have connected via the remote desktop client, I want them to fire up a browser and appear from a fixed IP I can add to my MFA whitelist, so Teams / OneDrive, or going to office.com, doesn't give an MFA prompt.

    • @richardlphillips
      @richardlphillips 4 years ago +1

      I think it's failing because I have a VPN gateway with a Basic public IP SKU on the same subnet

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      oh I see for the outbound traffic from the VM...I believe that should work, although it hasn't been tested to my knowledge...

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      Yeah, the NAT Gateway wants there to only be standard Public IPs 👍

  • @harinarayanan94
    @harinarayanan94 4 years ago +1

    NAT Gateways are awesome, but unfortunately this doesn't work with VNet-integrated Web Apps. Web Apps are a place where we run into SNAT issues a lot and NAT Gateways should be highly beneficial there... Please pass over to someone at MS who can maybe evaluate this

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      can you provide more details Hari?
      What would you want it to do?
      How is it behaving that isn't as you would expect or want?

    • @harinarayanan94
      @harinarayanan94 4 years ago +2

      @@AzureAcademy Hi, so when I tie a NAT gateway to a subnet which let's say has a Virtual Machine tied to it, then all the outbound calls from the virtual machine will go through the NAT gateway's Public IP.
      When you try to achieve the same using Web Apps it just doesn't work. Let me explain.
      In Azure Web Apps we have a feature called VNet integration which allows us to tie Web Apps to a subnet. When we do VNet integration of a Web App to a subnet and attach a NAT gateway to that subnet, still the outbound calls from the Web App happen through the list of Public IPs that the Web App has, while technically since we have a NAT gateway tied I was hoping it would flow through the NAT gateway PIP as it happens with VMs

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      understood...I will have to look into this further, but sounds like a good feature request from the product teams.

  • @RAJATRAWAT88
    @RAJATRAWAT88 4 years ago +1

    That is a really good explanation Dean, thanks. I have a question. Is this the way we use private subnets in Azure? i.e. if I create private subnets, with all VMs having private IP addresses, then I will be using a NAT gateway for private subnets so that those machines can use the internet? Also can you do a video about public and private subnets in the cloud and how to implement that in Azure? There is very little information about it out there.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      public subnets is not a correct term in Azure.
      All IP addresses assigned to resources in an Azure subnet are private IPs (RFC 1918)
      you can give a resource a public IP address that will allow inbound access from the internet to the resource on the Azure subnet.
      With the NAT Gateway, this is meant to be used for a static outbound IP address for the VMs instead of the normal SNAT which will change over time WITHOUT using a public IP address.
      The Nat Gateway is also subnet wide.
      So all the resources in a subnet can share that outbound NAT'd IP.
      I hope that clears it up for you 👍

    • @RAJATRAWAT88
      @RAJATRAWAT88 4 years ago +1

      @@AzureAcademy Thanks for the reply. Also I just read the Azure doc; by default all VMs in Azure have an outbound connection (private or public), so basically private or public subnet is not there in Azure as it is not dependent on the subnet but on the resource. Thanks again for the help.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      correct...EVERY Azure VM is given a Public IP from the SNAT to get out to the internet but this IP will change over time,
      The Nat Gateway is a way to have all the VMs in the subnet use the same IP...and it won't change.
      and correct...there is no such concept as public or private subnet.
      there are public and private IP Addresses and a VM can have both.

    • @ChristopherMoye_law
      @ChristopherMoye_law 4 years ago +1

      @@AzureAcademy Thanks for clearing that up. I didn't know that...

    • @AzureAcademy
      @AzureAcademy  10 months ago +2

      anytime

  • @erwinadrados4747
    @erwinadrados4747 4 years ago

    Thanks sir! I'm learning a lot thru your courses.
    Just want to add, it would be better if you show the ipconfig of "Yet-Another-VM" to show its private IP 192.168.1.4. :)
    Best regards!