So we have a situation that I'm struggling to find a solution for. Here is a description of the environment:
We have a group of web servers behind an Azure load balancer, on ports 80 and 443. When you hit the load balancer's public IPs, you get web pages served; everything is fine.
Initially, we were using the default setup, where the VMs behind the load balancer only had a private IP association. For outbound access, they used the SNAT of the load balancer.
This presents some problems. Disclaimer: I can't disclose what we do, but our web servers do a massive amount of outbound internet connectivity. The single-IP SNAT was causing a lot of issues with our upstreams (some false-positive rate limiting), and we are also getting dangerously close to the SNAT limits.
There was even an Azure doc we found that says if your VM does a lot of outbound connections, best practice is to scrap the SNAT and instead associate a public IP to the NIC, which is what we did.
However, this has had one consequence. Users on the internet can hit the load balancer on port 80, BUT... they can also directly hit the public IP we associated with each VM.
I've tried literally every combination I can think of in the network security group currently assigned to the VMs' NICs, but nothing seems to work. I've tried adding DENY rules where the destination IP is the IP of the NIC, with no effect. I tried adding rules that only allow access from the AzureLoadBalancer service tag; this doesn't work either, as it breaks all access, including traffic to the load balancer IP.
Is there something I'm missing here? It seems that if my VM is behind a LB and I also have public IPs associated with the NICs of the VMs, then there is no way to just allow access to the LB IP; I have to allow port 80 everywhere.