Although the VM has a public IP, associating this VM's subnet with a NAT gateway does not give any warning

sns 9,231 Reputation points
2022-11-16T10:33:05.527+00:00

I have created a VM in subnet01, and I created a NAT gateway. This VM has a public IP,
but when associating subnet01 with the NAT gateway, it allows me to save and update instead of giving a warning error that the public IP won't be used.
Why is it allowing this? Please suggest what needs to be done.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
    GitaraniSharma-MSFT 49,391 Reputation points Microsoft Employee
    2022-11-16T10:59:05.8+00:00

    Hello @sns,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know why there is no warning when associating a subnet to a NAT gateway when the VM already has a Public IP assigned.

    NAT gateway, Load balancer and instance-level public IPs are flow direction aware. NAT gateway can coexist in the same virtual network as Load balancer and IL PIPs to provide outbound and inbound connectivity seamlessly. Inbound traffic through Load balancer or IL PIPs is translated separately from outbound traffic through NAT gateway.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#coexistence-of-outbound-and-inbound-connectivity

    So, even if you have an instance-level Public IP associated to a VM within the subnet, you can associate a NAT gateway to the same subnet. When both an instance-level Public IP and a NAT gateway exist for a VM within the subnet, the VM will use the NAT gateway for outbound and the instance-level public IP for inbound.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-an-instance-level-public-ip


    Hence, you can use both the NAT gateway and the VM Public IP for their respective traffic flows. Or you can use only the NAT gateway and remove the instance-level Public IP from the VM for better security.

    If you use only Public IP for the VM, Azure will use that public IP for all outbound flows, which is not secure as it is not recommended to open a virtual network to the Internet by default using the zero trust network security principle.
    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access

    NAT gateway is the recommended approach to have explicit outbound connectivity.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
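As an added example (not part of this answer or of any Microsoft tooling), the precedence rules described above written as a small Python audit: it reads a subnet and a NIC object in the shape returned by `az network vnet subnet show` and `az network nic show`, reports which path the VM uses for outbound and inbound Internet traffic, and flags the cases the answer calls out (default outbound access, outbound through the instance-level public IP). The sample objects and resource ids are constructed placeholders, and load balancers are outside what it checks.

```python
import json

# Constructed sample objects, shaped like trimmed `az network vnet subnet show`
# and `az network nic show` output. Resource ids are placeholders, not real.
SUBNET_WITH_NAT = {
    "name": "subnet01",
    "natGateway": {"id": "/subscriptions/<sub-id>/.../natGateways/<natgw-placeholder>"},
}
SUBNET_WITHOUT_NAT = {"name": "subnet02", "natGateway": None}

NIC_WITH_PIP = {
    "name": "vm01-nic",
    "ipConfigurations": [{"name": "ipconfig1",
        "publicIPAddress": {"id": "/subscriptions/<sub-id>/.../publicIPAddresses/<pip-placeholder>"}}],
}
NIC_WITHOUT_PIP = {"name": "vm02-nic",
                   "ipConfigurations": [{"name": "ipconfig1", "publicIPAddress": None}]}


def classify_flows(subnet: dict, nic: dict) -> dict:
    """Return the VM's outbound/inbound Internet path and reviewer findings."""
    has_nat = bool((subnet.get("natGateway") or {}).get("id"))
    has_pip = any((ipc.get("publicIPAddress") or {}).get("id")
                  for ipc in nic.get("ipConfigurations", []))

    # Outbound precedence: a NAT gateway on the subnet wins over an instance-level
    # public IP; with neither, the VM falls back to Azure default outbound access.
    if has_nat:
        outbound = "nat-gateway"
    elif has_pip:
        outbound = "instance-level-public-ip"
    else:
        outbound = "default-outbound-access"

    # Direct inbound from the Internet reaches the VM only through its own public IP.
    inbound = "instance-level-public-ip" if has_pip else "private-only"

    findings = []
    if outbound == "default-outbound-access":
        findings.append("no explicit outbound path; VM relies on default outbound access")
    if outbound == "instance-level-public-ip":
        findings.append("outbound flows use the instance-level public IP; no NAT gateway")
    if has_pip and has_nat:
        findings.append("instance-level public IP is inbound-only here; remove if not needed")
    return {"outbound": outbound, "inbound": inbound, "findings": findings}


def audit(subnet_json: str, nic_json: str) -> dict:
    """Same check on the raw JSON text the CLI prints."""
    return classify_flows(json.loads(subnet_json), json.loads(nic_json))
```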

