Same region routing to Storage Account from subnets with a NAT Gateway

NS97631-0872 21 Reputation points
2022-11-10T22:04:49.357+00:00

I am slightly confused after reviewing the docs and had a few routing questions regarding subnets using NAT gateways and how they access storage accounts in the same region.

Scenario: I have a vnet with subnets configured to use a NAT gateway for outbound traffic. I have no service or private endpoints configured for this vnet. I have multiple VMs deployed to subnets in the vnet and they access a storage account in the same region as the vnet.

  1. When the VMs access the storage account in the same region, does this traffic go through the NAT gateway and is it subject to the data processing fee of the NAT gateway?
  2. If I want to make an IP network rule allowing only my subnets access to the storage account, I understand you need service endpoints in the subnets as documented here. Despite using a NAT gateway, I assume simply whitelisting the NAT gateway public IP wouldn't work in the same region?
  3. If the answer to 1 is yes and I am subject to the NAT gateway processing fee would traffic still go through the NAT gateway if I created service endpoints in the vnet for the storage account?

Accepted answer
    SaiKishor-MSFT 17,221 Reputation points
    2022-11-15T00:02:27.57+00:00

    @NS97631-0872 Thank you for reaching out to Microsoft Q&A. I understand that you have questions regarding routing to a storage account from subnets with a NAT gateway.

    I am assuming that you are accessing the Storage Account via the internet using its public IP address; please correct me if that is not the case.
    Answering your questions:

    • When the VMs access the storage account in the same region, does this traffic go through the NAT gateway and is it subject to the data processing fee of the NAT gateway? When you are using a NAT Gateway subnet, for the traffic to go over the internet, the traffic needs to go through the NAT gateway so that it can get a public IP address to traverse the internet. Otherwise, it cannot have a public IP address. Therefore, yes, it will traverse the NAT gateway and will be charged.
    • If I want to make an IP network rule allowing only my subnets access to the storage account, I understand you need service endpoints in the subnets as documented here. Despite using a NAT gateway I assume simply whitelisting the NAT gateway public IP wouldn't work in the same region?

    Since you will be accessing the Storage Account via the internet using its public IP, you should be able to access the account by whitelisting the public IP address of the NAT Gateway.

    • If the answer to 1 is yes and I am subject to the NAT gateway processing fee would traffic still go through the NAT gateway if I created service endpoints in the vnet for the storage account?

    If you create a Service Endpoint, you will reach the storage account using a private IP address and you no longer need to use the NAT gateway.

    Hope this answers your questions. Please do let us know if you have more questions and I will be glad to assist further. Thank you!

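As an added example (not part of the question or the answer above), this is the service-endpoint path described in the third point, done with the Az PowerShell module: enable the Microsoft.Storage service endpoint on the subnet, allow only that subnet on the storage account with a virtual network rule, and deny everything else. The resource group, VNet, subnet and storage account names are placeholders, and the subnet is assumed to have only a NAT gateway association (no NSG or route table), because Set-AzVirtualNetworkSubnetConfig replaces the subnet configuration.

```powershell
# Added example, not the original poster's or Microsoft's code. Assumes an
# authenticated session (Connect-AzAccount) and these placeholder names.
$rg          = 'rg-app'        # placeholder resource group
$vnetName    = 'vnet-app'      # placeholder VNet
$subnetName  = 'snet-vms'      # placeholder subnet already using a NAT gateway
$storageName = 'stappdata'     # placeholder storage account in the same region

# 1. Enable the Microsoft.Storage service endpoint on the subnet.
#    Set-AzVirtualNetworkSubnetConfig replaces the subnet configuration, so the
#    existing NAT gateway association is passed back in explicitly (an NSG or
#    route table, if present, would have to be re-specified the same way).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Storage' `
    -NatGatewayId $subnet.NatGateway.Id | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 2. Allow only that subnet with a virtual network rule (the rule type a service
#    endpoint makes possible), then make Deny the default for all other sources.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Verify: DefaultAction should be Deny and the subnet should appear as a
#    VirtualNetworkRule in state Succeeded.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName
$rules | Select-Object DefaultAction, Bypass
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, State
```

After step 3, a VM in the subnet reaches the storage account over the service endpoint rather than via the NAT gateway's public IP, so the allow list is tied to the subnet identity instead of to an address shared by everything behind the NAT gateway.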
