1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is a NAT Gateway?
A NAT Gateway in Azure is a managed networking service that provides outbound internet connectivity for resources inside a Virtual Network (VNet).
- NAT stands for Network Address Translation
- It allows private IP addresses inside a subnet to access the public internet
- It does not allow inbound internet connections
Key idea for the exam:
NAT Gateway is used only for outbound traffic
2. Why Do We Need a NAT Gateway?
By default, Azure provides outbound internet access using Azure-managed outbound IP addresses.
However, this default behavior has limitations:
- Outbound IP addresses can change
- Difficult to control or whitelist IPs on external systems
- No guaranteed scalability or performance
NAT Gateway solves these problems by:
- Providing static public IP addresses
- Giving predictable outbound connectivity
- Supporting high-scale outbound traffic
3. Where Is NAT Gateway Used?
A NAT Gateway is:
- Associated with one or more subnets
- Used by all resources inside those subnets
Typical Azure resources using NAT Gateway:
- Virtual Machines
- Virtual Machine Scale Sets
- Azure Kubernetes Service (AKS) nodes
- App services integrated with VNets
4. How NAT Gateway Works (Simple Flow)
- A resource in a subnet has a private IP address
- The resource sends traffic to the internet
- NAT Gateway:
  - Replaces the private IP with a public IP
  - Tracks the connection
- Internet responses return through the NAT Gateway
- Traffic is sent back to the correct private resource
Important:
- NAT Gateway does not inspect traffic
- It only performs address translation
5. NAT Gateway Architecture Components
5.1 NAT Gateway Resource
This is the Azure service that manages outbound traffic.
5.2 Subnet Association
- NAT Gateway must be associated with a subnet
- All outbound traffic from that subnet uses the NAT Gateway
5.3 Public IP Address or Prefix
- NAT Gateway requires:
  - At least one Public IP address, OR
  - A Public IP Prefix
6. Public IP vs Public IP Prefix (Exam Important)
Public IP Address
- Single static outbound IP
- Suitable for low or medium outbound traffic
Public IP Prefix
- A block of multiple public IPs
- Used for:
  - High-scale outbound connections
  - Large workloads
- Azure automatically selects IPs from the prefix
Exam tip:
For high outbound scale, use a Public IP Prefix
7. NAT Gateway Key Characteristics
7.1 Outbound Only
- No inbound traffic allowed
- Cannot be used as a firewall
- Cannot accept internet-initiated connections
7.2 Fully Managed
- No configuration inside virtual machines
- No software installation required
7.3 Zone-Resilient
- NAT Gateway is automatically highly available
- No manual availability configuration required
7.4 Regional Resource
- NAT Gateway works within a single Azure region
8. NAT Gateway vs Other Outbound Options (Very Important for AZ-700)
| Method | Static IP | Scalable | Exam Use Case |
|---|---|---|---|
| Default outbound | No | Limited | Not recommended |
| Azure Load Balancer (Outbound rules) | Yes | Complex | Older method |
| Azure Firewall | Yes | Yes | Security + filtering |
| NAT Gateway | Yes | Yes | Best for outbound-only traffic |
Exam takeaway:
If the requirement is outbound internet access only, choose NAT Gateway
9. NAT Gateway and Route Tables
- NAT Gateway does NOT require User-Defined Routes (UDRs)
- Azure automatically routes 0.0.0.0/0 outbound traffic through the NAT Gateway
- You cannot override NAT Gateway routing using UDRs
10. NAT Gateway and Network Security Groups (NSGs)
- NAT Gateway does not replace NSGs
- NSGs still control:
  - Allowed outbound ports
  - Allowed destination addresses
- NAT Gateway only handles IP translation
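Because the NAT Gateway translates but never filters, the subnet's NSG is where outbound control lives. The following Bicep is an added example, not part of the course notes or of any Microsoft sample; the NSG name, rule names and the decision to allow only HTTPS are assumptions:

```bicep
// Added example (not from the course notes): an NSG that limits what leaves a
// NAT-Gateway-backed subnet. Names and the HTTPS-only policy are assumed.
param location string = resourceGroup().location

resource egressNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-snet-workload'
  location: location
  properties: {
    securityRules: [
      {
        // Allow only HTTPS to the internet; the NAT Gateway translates it.
        name: 'Allow-HTTPS-Outbound'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '443'
        }
      }
      {
        // Overrides the built-in AllowInternetOutBound rule (priority 65001),
        // which would otherwise let every other port out through the gateway.
        name: 'Deny-Other-Internet-Outbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Attach it from the subnet definition with `networkSecurityGroup: { id: egressNsg.id }` next to the `natGateway` association; the NSG decides whether a flow is allowed, and the NAT Gateway decides which public IP it leaves with.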
11. NAT Gateway and Azure Firewall
Key difference:
- NAT Gateway → Connectivity
- Azure Firewall → Security and inspection
| Feature | NAT Gateway | Azure Firewall |
|---|---|---|
| Outbound traffic | Yes | Yes |
| Inbound traffic | No | Yes |
| Traffic filtering | No | Yes |
| Logging | Limited | Advanced |
| Cost | Lower | Higher |
Exam scenario:
- If traffic must be inspected, choose Azure Firewall
- If only outbound access is needed, choose NAT Gateway
12. Limitations of NAT Gateway (Exam Relevant)
- Cannot be attached to:
  - Gateway subnet
  - Azure Bastion subnet
- Cannot provide inbound connectivity
- Works only at subnet level, not individual VM level
13. Steps to Implement a NAT Gateway (High-Level)
- Create a Public IP or Public IP Prefix
- Create a NAT Gateway
- Associate the Public IP or Prefix with the NAT Gateway
- Associate the NAT Gateway with a subnet
- All resources in that subnet now use NAT Gateway for outbound traffic
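The four steps above expressed as a single Bicep deployment. This is an added example, not part of the course notes or of any Microsoft sample; the resource names, the address ranges, the region parameter and the /31 prefix length are assumptions chosen for illustration:

```bicep
// Added example (not from the course notes): Bicep that performs the four
// implementation steps. Names, address ranges and prefix length are assumed.
param location string = resourceGroup().location

// Step 1: a Public IP Prefix (NAT Gateway requires the Standard SKU).
// /31 yields 2 addresses; pick a larger block for high outbound scale.
resource outboundPrefix 'Microsoft.Network/publicIPPrefixes@2023-09-01' = {
  name: 'pipp-nat-outbound'
  location: location
  sku: { name: 'Standard', tier: 'Regional' }
  properties: {
    prefixLength: 31
    publicIPAddressVersion: 'IPv4'
  }
}

// Steps 2 and 3: the NAT Gateway with the prefix attached.
resource natGw 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'ng-outbound'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIpPrefixes: [ { id: outboundPrefix.id } ]
  }
}

// Step 4: associate the gateway with a subnet. Every resource deployed into
// this subnet now egresses via the prefix; no user-defined route is needed.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: '10.10.1.0/24'
          natGateway: { id: natGw.id }
        }
      }
    ]
  }
}

// The allocated block is what external systems need for IP allow-listing.
output egressPrefix string = outboundPrefix.properties.ipPrefix
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`; the `egressPrefix` output is the value to hand to external systems that whitelist by source IP.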
14. Common Exam Scenarios
Scenario 1:
Virtual machines must access the internet using a fixed IP address
Correct answer: NAT Gateway
Scenario 2:
External systems require IP whitelisting
Correct answer: NAT Gateway with Public IP Prefix
Scenario 3:
Outbound traffic must be inspected and logged
Correct answer: Azure Firewall (not NAT Gateway)
15. Key Exam Points to Remember
- NAT Gateway is outbound only
- Associated at subnet level
- Requires Public IP or IP Prefix
- Provides static, scalable outbound IP
- No inbound connectivity
- No traffic inspection
- Fully managed and highly available
16. One-Line Exam Summary
Azure NAT Gateway provides scalable, static outbound internet connectivity for private resources in a subnet without allowing inbound connections.
