3.1 Azure Load Balancer and Traffic Manager
📘Microsoft Azure Networking Solutions (AZ-700)
1. What are Inbound NAT Rules?
Inbound NAT rules are a feature of Azure Load Balancer that let you direct specific inbound traffic from the internet (or other networks) to a specific virtual machine (VM) inside your Azure network.
- NAT stands for Network Address Translation.
- Inbound NAT rules let external clients connect to a specific port on a VM, rather than to all VMs behind the load balancer.
Example in an IT environment:
- You have a web server VM listening on port 80 that also accepts RDP on port 3389.
- You want to allow remote admin access (RDP) to that VM, but not to every VM behind the load balancer.
- An inbound NAT rule lets you map a single public port to that VM's private port without exposing the other VMs.
2. How Inbound NAT Rules Work
Inbound NAT rules map a public IP and port to a private IP and port:
| Public IP/Port | Private IP/Port | Purpose |
|---|---|---|
| 20.30.40.50 : 5000 | 10.0.0.4 : 3389 | RDP access to VM1 |
| 20.30.40.50 : 5001 | 10.0.0.5 : 3389 | RDP access to VM2 |
| 20.30.40.50 : 8080 | 10.0.0.6 : 80 | Web server traffic |
- Public IP – The IP address your clients or administrators connect to.
- Frontend port – The port exposed publicly on that IP.
- Backend IP – The private IP of the VM inside your VNet.
- Backend port – The port the VM actually listens on.
Essentially, inbound NAT rules redirect traffic from a public port to a specific VM and port in your internal network.
3. When to Use Inbound NAT Rules
Inbound NAT rules are used when:
- You need to access VMs individually behind a load balancer.
  - Example: Admins need RDP or SSH access to each VM.
- You have multiple VMs running the same service but want a unique public port for each.
  - Example: Two Windows VMs for RDP, each mapped to a different public port.
- You do not want to open ports to the whole subnet for security reasons.
4. Creating Inbound NAT Rules in Azure
You can create inbound NAT rules using the Azure Portal, Azure CLI, PowerShell, or ARM templates.
Step-by-Step (Azure Portal)
- Go to your Load Balancer:
  - Navigate to the Azure Load Balancer in your subscription.
- Select NAT Rules:
  - In the load balancer menu, click Inbound NAT rules.
- Add a New Rule:
  - Click + Add.
  - Fill in the following fields:
| Field | Description |
|---|---|
| Name | Unique name for the rule |
| Frontend IP | Public IP of the load balancer |
| Protocol | TCP or UDP |
| Frontend Port | Port number exposed publicly (e.g., 5000) |
| Backend Port | Port on the VM that receives traffic (e.g., 3389 for RDP) |
| Target VM | Select the VM in the backend pool |
| Enable Floating IP | Usually No for inbound NAT rules unless using Direct Server Return |
- Save the rule:
  - Once saved, traffic sent to the frontend IP and port is forwarded to the backend VM and port.
5. Important Exam Points
- Inbound NAT rules are per VM, not per service.
- Each rule maps one frontend port to one backend port; to expose the same backend port on several VMs you create one rule per VM, each with its own frontend port.
- Public IP requirement:
  - Inbound NAT rules require a public frontend IP or a Standard SKU Load Balancer frontend.
- Integration with Load Balancer:
  - Inbound NAT rules do not load balance traffic; they simply forward traffic to a single VM.
  - Load balancing is done using load balancing rules, which are different from NAT rules.
- Supported protocols: TCP and UDP.
  - Most common exam example: TCP for RDP (3389) or SSH (22).
- Floating IP:
  - Usually disabled for NAT rules. Only enabled in scenarios like Direct Server Return (rare for exams).
- Security:
  - Use Network Security Groups (NSGs) to allow only the required source IPs and ports.
  - Inbound NAT rules alone do not secure the VM; the rule exposes the port, the NSG restricts who can reach it.
6. Example Scenario
Suppose you have a Standard Azure Load Balancer with a public IP: 40.112.10.20.
You have two VMs:
- VM1 – 10.0.0.4 (Windows, RDP)
- VM2 – 10.0.0.5 (Windows, RDP)
You want to allow admin access to both using a single public IP:
| NAT Rule Name | Public Port | VM IP | VM Port | Protocol |
|---|---|---|---|---|
| RDP-VM1 | 5000 | 10.0.0.4 | 3389 | TCP |
| RDP-VM2 | 5001 | 10.0.0.5 | 3389 | TCP |
Result:
- Admins connect via 40.112.10.20:5000 → VM1
- Admins connect via 40.112.10.20:5001 → VM2
This ensures secure, targeted access without exposing all VMs directly.
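As an added example (not from these notes or from Microsoft's own tooling), the following Python planner models the two rules of this scenario, enforces the constraint that frontend ports must be unique per frontend IP and protocol across NAT and load-balancing rules, and renders the Azure CLI commands that would create and attach them. The resource group, load balancer, NIC and frontend IP configuration names are assumed placeholders, and the script never contacts Azure.

```python
# Added example: plan the scenario's inbound NAT rules, check frontend-port
# uniqueness before creating anything, and render the matching Azure CLI calls.
# Resource group, LB, NIC and frontend names are assumptions, not real resources.

RULES = [  # constructed from the scenario table above
    {"name": "RDP-VM1", "protocol": "Tcp", "frontend_port": 5000,
     "backend_port": 3389, "nic": "vm1-nic"},
    {"name": "RDP-VM2", "protocol": "Tcp", "frontend_port": 5001,
     "backend_port": 3389, "nic": "vm2-nic"},
]
# A constructed load-balancing rule already bound to the same frontend IP. Its
# frontend port is reserved too: Azure requires frontend ports to be unique per
# frontend IP and protocol across NAT rules and load-balancing rules.
LB_RULES = [{"name": "web-lb-rule", "protocol": "Tcp", "frontend_port": 80}]


def validate(nat_rules, lb_rules):
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    taken = {(r["protocol"].lower(), r["frontend_port"]): r["name"] for r in lb_rules}
    for r in nat_rules:
        if r["protocol"].lower() not in ("tcp", "udp"):
            problems.append(f"{r['name']}: protocol must be TCP or UDP")
        for key in ("frontend_port", "backend_port"):
            if not 1 <= r[key] <= 65535:
                problems.append(f"{r['name']}: {key} {r[key]} is not a valid port")
        fe = (r["protocol"].lower(), r["frontend_port"])
        if fe in taken:  # same frontend IP, protocol and port already in use
            problems.append(f"{r['name']}: frontend port {fe[1]}/{fe[0]} already used by {taken[fe]}")
        else:
            taken[fe] = r["name"]
    return problems


def az_commands(nat_rules, rg="rg-lab", lb="lb-lab", frontend="LoadBalancerFrontEnd"):
    """Render the CLI calls that create each rule and attach it to the VM's NIC."""
    cmds = []
    for r in nat_rules:
        cmds.append(f"az network lb inbound-nat-rule create -g {rg} --lb-name {lb} -n {r['name']} "
                    f"--protocol {r['protocol']} --frontend-port {r['frontend_port']} "
                    f"--backend-port {r['backend_port']} --frontend-ip-name {frontend}")
        cmds.append(f"az network nic ip-config inbound-nat-rule add -g {rg} --lb-name {lb} "
                    f"--nic-name {r['nic']} --ip-config-name ipconfig1 --inbound-nat-rule {r['name']}")
    return cmds


if __name__ == "__main__":
    issues = validate(RULES, LB_RULES)
    if issues:
        raise SystemExit("Fix before creating rules:\n" + "\n".join(issues))
    print("\n".join(az_commands(RULES)))
```

Changing RDP-VM2's frontend port to 5000, or a NAT rule's port to 80, makes `validate` report the collision instead of emitting commands that Azure would reject.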
7. Tips for Exam
- Remember the difference between NAT rules and load balancing rules:
  - NAT rules → map one frontend port to one port on a single VM
  - Load balancing rules → distribute traffic across multiple VMs
- Always associate NAT rules with a frontend IP configuration.
- Use unique frontend ports when mapping multiple VMs to the same backend port.
- Know how to create NAT rules in Portal, CLI, and PowerShell for exam scenarios.
✅ Summary:
Inbound NAT rules allow you to map a public port to a specific VM and port, giving secure, targeted access to VMs behind a load balancer. They are essential for administrative access (RDP/SSH) and need careful configuration with frontend IPs, NSGs, and correct ports.
