1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is an Azure NAT Gateway?
An Azure NAT Gateway is a managed Azure service that provides outbound (egress) internet connectivity for resources inside an Azure Virtual Network (VNet).
Key idea (very important for the exam):
👉 NAT Gateway is used ONLY for outbound traffic, not inbound traffic.
It allows private resources (like virtual machines or containers that do not have public IP addresses) to connect securely and predictably to the internet.
2. Why Do We Need a NAT Gateway?
By default, when Azure resources access the internet:
- Azure may use shared, unpredictable public IP addresses
- Outbound IP addresses can change
- Some services on the internet may block traffic because IPs are unknown or frequently changing
A NAT Gateway solves these problems by:
- Providing fixed public IP addresses
- Supporting high-scale outbound connections
- Improving security and control
3. Key Characteristics of Azure NAT Gateway (Exam Critical)
Before learning use cases, understand these features clearly:
a. Outbound Only
- NAT Gateway does NOT support inbound connections
- Inbound traffic still requires:
- Public IP
- Load Balancer
- Application Gateway
- Azure Firewall
b. Works at Subnet Level
- NAT Gateway is attached to a subnet
- All resources in that subnet use the NAT Gateway automatically
c. Uses Public IP or Public IP Prefix
- You must associate:
- One or more Public IP addresses, or
- A Public IP Prefix
This gives static outbound IP addresses
d. Highly Scalable
- Supports millions of concurrent outbound connections
- Ideal for large applications
4. Appropriate Use Cases for an Azure NAT Gateway
This section is very important for AZ-700 exam questions.
Use Case 1: When You Need a Fixed (Static) Outbound IP Address
Scenario:
Your Azure application must connect to:
- External APIs
- SaaS services
- Partner systems
- On-premises firewalls
These external systems often require IP allow-listing (only trusted IPs are allowed).
Problem Without NAT Gateway:
- Azure uses dynamic outbound IPs
- IP addresses can change
- External services may block access
Why NAT Gateway is the Right Choice:
- Provides static outbound public IP
- Makes IP allow-listing possible
- Prevents connection failures
📌 Exam Tip:
If the question mentions “allow-listed IPs”, “static outbound IP”, or “external firewall rules” → NAT Gateway
Use Case 2: Secure Internet Access for Private Subnet Resources
Scenario:
You have:
- Virtual Machines
- Containers
- Azure Kubernetes Service (AKS) nodes
These resources:
- Do not have public IP addresses
- Are deployed in private subnets
They still need to:
- Download updates
- Access external APIs
- Reach Azure services on the internet
Why NAT Gateway is Needed:
- Enables outbound internet access
- Keeps resources private
- No inbound exposure to the internet
📌 Exam Tip:
If resources must stay private but still need internet access, choose NAT Gateway
Use Case 3: High-Scale Outbound Connectivity
Scenario:
Applications that create:
- Many outbound connections
- Short-lived connections
- High traffic volume
Examples in IT environments:
- Microservices
- API-based applications
- AKS clusters
- Data processing workloads
Problem Without NAT Gateway:
- SNAT port exhaustion
- Connection failures
- Poor performance
Why NAT Gateway is Ideal:
- Supports up to 64,000 SNAT ports per public IP
- Automatically scales
- Designed for enterprise-level traffic
📌 Exam Tip:
If the question mentions “SNAT port exhaustion” or “high outbound traffic” → NAT Gateway
Use Case 4: Centralized and Predictable Outbound Routing
Scenario:
An organization wants:
- Controlled outbound internet access
- Predictable routing behavior
- Consistent outbound IP addresses
Why NAT Gateway Fits:
- Centralizes outbound internet traffic
- Simplifies network design
- Works well with:
- User-Defined Routes (UDRs)
- Azure Firewall
- Hub-and-spoke architectures
📌 Important:
NAT Gateway does not replace Azure Firewall
It only handles address translation for outbound traffic
Use Case 5: Azure Kubernetes Service (AKS) Outbound Connectivity
Scenario:
AKS nodes need:
- Internet access
- Stable outbound IPs
- High outbound performance
Why NAT Gateway is Recommended:
- Fully supported for AKS
- Prevents SNAT issues
- Allows outbound IP control
📌 Exam Tip:
AKS + outbound traffic + IP control → NAT Gateway
5. When NOT to Use a NAT Gateway (Very Important for Exam)
Understanding limitations helps eliminate wrong answers.
❌ Do NOT Use NAT Gateway When:
| Requirement | Reason |
|---|---|
| Inbound internet access | NAT Gateway is outbound-only |
| Traffic inspection or filtering | Use Azure Firewall or NVA |
| Load balancing inbound traffic | Use Load Balancer or App Gateway |
| VPN or ExpressRoute | NAT Gateway does not replace gateways |
📌 Exam Tip:
If inbound access or security inspection is required → NAT Gateway is NOT the answer
6. NAT Gateway vs Other Azure Networking Options (Exam Comparison)
| Feature | NAT Gateway | Public IP on VM | Azure Firewall |
|---|---|---|---|
| Outbound internet | ✅ | ✅ | ✅ |
| Inbound internet | ❌ | ✅ | ❌ |
| Static outbound IP | ✅ | ❌ (not scalable) | ✅ |
| Traffic filtering | ❌ | ❌ | ✅ |
| High scalability | ✅ | ❌ | ✅ |
7. Key Exam Points to Remember (Quick Revision)
- NAT Gateway is outbound only
- Used for static outbound IP
- Attached to a subnet
- Supports high outbound traffic
- Common with AKS and private subnets
- Does not replace Azure Firewall
- No inbound connections allowed
8. One-Line Exam Summary
Use Azure NAT Gateway when Azure resources in a private subnet need secure, scalable, and predictable outbound internet connectivity using static public IP addresses.
