NAT and IP Address Management in Azure
In Azure networking, managing IP addresses and understanding NAT (Network Address Translation) are essential for building secure and scalable architectures. This document explains Public IP, Private IP, SNAT, DNAT, and NAT Gateway from the perspective of implementing them with Azure resources.
Types of IP Addresses
Public IP Address
An IP address that is directly accessible from the internet. In Azure, it is managed as a Public IP Address resource.
- SKU: Standard is the SKU to use. It supports Availability Zones and is secure by default: a Standard Public IP is closed to all inbound traffic until a Network Security Group (NSG) rule explicitly allows it. The Basic SKU has been retired (retirement date 30 September 2025) and must not be used for new deployments.
- Allocation Method: Static or Dynamic, but the Standard SKU supports Static only, so the address is known at creation time and does not change for the life of the resource.
Private IP Address
An IP address valid only within an Azure Virtual Network (VNet). It is assigned to VMs, Load Balancer frontends, etc.
- Allocation: By default assigned dynamically by Azure from the subnet's address range and delivered to the guest via DHCP. Azure reserves five addresses in every subnet (the network address, the next three for the default gateway and Azure DNS, and the broadcast address), so a /24 yields 251 assignable addresses.
- Static Allocation: If a fixed address is needed (for example because firewall rules, DNS records, or DNAT targets refer to it), set the IP configuration on the network interface (NIC) to Static with the desired address from the subnet range. Do not hard-code the address inside the guest OS; leave the guest on DHCP so that Azure remains the source of truth for the assignment.
Types of NAT (Network Address Translation)
SNAT (Source Network Address Translation)
A technology that translates the source IP address when communicating from an internal network (Private IP) to an external network (internet, etc.). In Azure, this relates to "outbound connectivity".
SNAT Implementation Methods in Azure
- Azure NAT Gateway (Recommended)
  - By associating it with a subnet, all internet-bound traffic from that subnet leaves through the Public IP(s) attached to the NAT Gateway. For internet destinations it takes precedence over Load Balancer outbound rules, instance-level Public IPs, and default outbound access.
  - Provides 64,512 SNAT ports per Public IP and supports up to 16 Public IPs, with ports allocated on demand rather than pre-assigned per VM, which greatly reduces the risk of SNAT port exhaustion.
- Load Balancer Outbound Rules
  - Explicitly define outbound SNAT on a Standard Load Balancer: which frontend IP(s) to translate to and how many SNAT ports each backend instance receives. Disable outbound SNAT on the load-balancing rules so that only the outbound rule governs the SNAT behaviour.
- Default Outbound Access (Not Recommended)
  - When no explicit method is configured, Azure assigns an implicit public IP that you do not own, that can change, and that cannot be allow-listed or audited. It is retired for new virtual networks created after 30 September 2025, so always configure explicit outbound connectivity.
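The second method above, a Standard Load Balancer with an explicit outbound rule, as an added Bicep example that is not part of the original page. The resource names (pip-lb-prod, lb-prod-01, fe-public, be-app) and the port allocation are assumptions chosen for illustration; the backend pool is left empty so the template deploys on its own.

```bicep
// Added example, not code from the original page: a Standard Load Balancer whose
// outbound SNAT is governed by an explicit outbound rule. Resource names
// (pip-lb-prod, lb-prod-01, fe-public, be-app) are assumptions.

var lbName = 'lb-prod-01'
var frontendName = 'fe-public'
var backendPoolName = 'be-app'

// Standard/Static public IP that becomes the SNAT source address.
resource lbPublicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-lb-prod'
  location: resourceGroup().location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource lb 'Microsoft.Network/loadBalancers@2023-04-01' = {
  name: lbName
  location: resourceGroup().location
  sku: {
    name: 'Standard'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: frontendName
        properties: {
          publicIPAddress: {
            id: lbPublicIP.id
          }
        }
      }
    ]
    backendAddressPools: [
      {
        name: backendPoolName
      }
    ]
    loadBalancingRules: [
      {
        name: 'lbr-https'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, frontendName)
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, backendPoolName)
          }
          protocol: 'Tcp'
          frontendPort: 443
          backendPort: 443
          // Without this the inbound rule would also provide implicit SNAT through
          // the same frontend; with it disabled, the outbound rule below is the
          // only SNAT path for the pool.
          disableOutboundSnat: true
          enableTcpReset: true
          idleTimeoutInMinutes: 4
        }
      }
    ]
    outboundRules: [
      {
        name: 'outbound-app'
        properties: {
          frontendIPConfigurations: [
            {
              id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, frontendName)
            }
          ]
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, backendPoolName)
          }
          protocol: 'All'
          // Fixed allocation per backend instance. One public IP offers 64,000
          // SNAT ports for the load balancer, so 8,000 per instance supports at
          // most 8 VMs in this pool; add frontend IPs before growing past that.
          allocatedOutboundPorts: 8000
          idleTimeoutInMinutes: 4
          enableTcpReset: true
        }
      }
    ]
  }
}
```

The point of the fixed allocatedOutboundPorts value is that port exhaustion becomes a capacity calculation you can check at design time instead of a surprise under load: multiply the per-instance allocation by the expected pool size and compare it with 64,000 ports per frontend IP. When the pool is expected to grow beyond that budget, a NAT Gateway on the subnet is the simpler answer.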
DNAT (Destination Network Address Translation)
A technology that translates the destination IP address (usually a Public IP) to an internal Private IP when communicating from an external network to an internal network. In Azure, this relates to "inbound connectivity".
DNAT Implementation Methods in Azure
- Azure Firewall
  - A DNAT rule in the Firewall Policy forwards traffic that arrives at the firewall's Public IP and port to the Private IP and port of a specific backend VM or service. The translated flow is allowed implicitly (no separate network rule is needed), so restrict the rule's source addresses to the ranges that genuinely need access rather than using '*'.
- Azure Load Balancer (Inbound NAT Rules)
  - Forwards a specific port on the Load Balancer's frontend IP to a specific port on a backend VM (e.g., forwarding SSH access on LB port 50001 to VM1 port 22). The Standard Load Balancer is pass-through: the VM's NSG must still allow the backend port from the intended sources, and a Standard Public IP admits no inbound traffic until an NSG rule allows it.
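The Azure Firewall DNAT method above, as an added Bicep example that is not part of the original page. It assumes an Azure Firewall already exists that uses pip-fw-prod as its public IP configuration and has the policy fwpol-prod-01 attached; the admin source range 203.0.113.0/24 (a documentation prefix), the backend address 10.0.1.4, and all resource names are assumptions for illustration.

```bicep
// Added example, not code from the original page: a DNAT rule in an Azure
// Firewall Policy that publishes SSH on a backend VM through the firewall's
// public IP. The firewall resource itself (Microsoft.Network/azureFirewalls)
// is assumed to exist and to reference pip-fw-prod and fwpol-prod-01.
// The source range, backend address and names are assumptions.

resource fwPublicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-fw-prod'
  location: resourceGroup().location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'fwpol-prod-01'
  location: resourceGroup().location
  properties: {
    sku: {
      tier: 'Standard'
    }
    threatIntelMode: 'Alert'
  }
}

resource dnatRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-dnat'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-dnat-admin'
        priority: 100
        action: {
          type: 'Dnat'
        }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'dnat-ssh-vm1'
            ipProtocols: [
              'TCP'
            ]
            // Restrict who may reach the published port. '*' here would expose
            // SSH to the entire internet, because the translated flow is
            // allowed implicitly by the DNAT rule.
            sourceAddresses: [
              '203.0.113.0/24'
            ]
            // The destination is the firewall's own public IP; a non-standard
            // external port is used so several VMs can share the same address.
            destinationAddresses: [
              fwPublicIP.properties.ipAddress
            ]
            destinationPorts: [
              '50001'
            ]
            // Private IP and real port of the backend VM (assumed values).
            translatedAddress: '10.0.1.4'
            translatedPort: '22'
          }
        ]
      }
    ]
  }
}
```

Two practical checks: the firewall SNATs DNAT'd traffic to one of its own private addresses before forwarding it, so the NSG on the backend VM must allow TCP/22 from the AzureFirewallSubnet range, not from the original client range; and because fwPublicIP is Static, its ipAddress can be referenced at deployment time, so the rule never needs a hard-coded public address.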
Implementing Azure NAT Gateway
Azure NAT Gateway is the recommended method for outbound connectivity from a VNet.
Features
- Fully Managed: Scaling and redundancy inside the gateway are handled by the platform; there is no instance to size, patch, or fail over.
- Zonal: A NAT Gateway is deployed either into a single Availability Zone or with no zone specified; it is not zone-redundant. For zone resilience, create one NAT Gateway per zone and associate each with a zonal subnet.
- Static IP: Outbound traffic always originates from the attached Public IP(s) or Public IP Prefix, which makes allow-listing at the destination practical.
- Outbound Only: A NAT Gateway never accepts unsolicited inbound connections; inbound exposure must be provided separately through a Load Balancer, Azure Firewall, or an instance-level Public IP.
Overview of Construction Steps
- Create a Public IP Prefix or Public IP Address
  - Create a Standard SKU, Static Public IP (or a Public IP Prefix when a block of consecutive addresses should be allow-listed as one range). A NAT Gateway can be given up to 16 Public IP addresses in total.
- Create the NAT Gateway Resource
  - Attach the Public IP(s) or prefix. If the NAT Gateway is placed in an Availability Zone, the attached Public IPs must be in the same zone.
  - Adjust the TCP idle timeout if required (default 4 minutes, configurable up to 120). Keep it short unless the application needs long-lived idle connections, because idle flows hold SNAT ports.
- Associate with a Subnet
  - Select the NAT Gateway in the settings of the target subnet within the VNet. A subnet can have only one NAT Gateway, and one NAT Gateway can serve several subnets in the same VNet.
  - Azure then routes all internet-bound traffic from resources in that subnet (VMs, AKS nodes, etc.) through the NAT Gateway; no user-defined route is required.
Practical Configuration Example (Bicep)
Below is an example of Bicep code to create a NAT Gateway and associate it with a subnet.
// Public IP for NAT Gateway
resource natPublicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
name: 'pip-nat-gateway-prod'
location: resourceGroup().location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
}
}
// NAT Gateway
resource natGateway 'Microsoft.Network/natGateways@2023-04-01' = {
name: 'ng-prod-01'
location: resourceGroup().location
sku: {
name: 'Standard'
}
properties: {
publicIpAddresses: [
{
id: natPublicIP.id
}
]
idleTimeoutInMinutes: 4
}
}
// Virtual Network & Subnet Association
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
name: 'vnet-prod-01'
location: resourceGroup().location
properties: {
addressSpace: {
addressPrefixes: [
'10.0.0.0/16'
]
}
subnets: [
{
name: 'snet-app'
properties: {
addressPrefix: '10.0.1.0/24'
natGateway: {
id: natGateway.id
}
}
}
]
}
}
Summary
- Public IP / Private IP: For external exposure and internal communication. Standard SKU is the baseline.
- SNAT: Communication from internal to external. Azure NAT Gateway is the best practice.
- DNAT: Communication from external to internal. Controlled by Azure Firewall or Load Balancer.
By choosing an explicit NAT configuration instead of relying on default outbound access, you keep control of the addresses your workloads present to the outside world, greatly reduce the risk of SNAT port exhaustion, and build a network that is both secure and highly available.