Azure: Assign a NAT Gateway to a Multi-Zone Firewall Deployment

Markus 21 Reputation points
2022-12-07T14:12:59.33+00:00

Has anyone ever mapped a NAT gateway behind a firewall in Azure where both were zone redundant?
The big picture is as follows:
We have an AKS cluster spread across multiple zones for resiliency. Outbound traffic must be routed through the firewall, which is also deployed across multiple zones. In the past, we have run out of available ports for source NATing (SNAT port exhaustion). This is a known issue, as the firewall always reserves fixed ranges per resource when NATing. Unfortunately, assigning additional public IPs does not solve the problem.

The recommended way from Microsoft is to assign a NAT gateway to the FW, which then takes over the address translation instead of the FW. Since here the translation is done fully dynamically, without reservation, the problem would be solved. In the same article, however, Microsoft states that this constellation is not possible with a multi-AZ deployment of the FW, since the NAT GW is "zonal". Consequently, only one (zonal) NAT GW can be assigned to the FW subnet, and thus, in the event of a zone failure, it is a single point of failure.

Apart from deploying a separate firewall with an associated subnet + NAT GW for each zone, which the customer has already categorically ruled out, I don't know of any other option at the moment. Maybe one of you has deployed a multi-AZ cluster behind a firewall with a NAT GW and can help me.

Azure Firewall

Accepted answer
  1. msrini-MSFT 9,291 Reputation points Microsoft Employee
    2022-12-08T12:12:34.617+00:00

    Hi,

    Each instance of Azure Firewall can provide 1248 SNAT ports. So by default, if you have 1 IP and 2 instances of Azure Firewall, you get 2496 SNAT ports. If you can deploy 5 IPs, then you can support 2496*5 = 12480 SNAT ports. It's mentioned that you can have up to 250 IP addresses on Azure Firewall.

    Reference : https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway

    Regards,
    Karthik Srinivas


1 additional answer

  1. ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator
    2022-12-08T00:19:39.107+00:00

    @Markus ,
    Thank you for reaching out.

    As stated in the documentation you have shared above, using Azure Virtual Network NAT is currently incompatible with Azure Firewall if you have deployed your Azure Firewall across multiple availability zones.
    You can create a feedback item regarding this request on our feedback portal so the team can prioritize this request.

    I understand you tried adding additional IPs, which did not solve your problem, but as documented here: "If your firewall is running into SNAT port exhaustion, you should add at least five public IP addresses. This increases the number of SNAT ports available." Can you please validate whether adding 5 or more IP addresses resolves the issue? Thank you!

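As an added example, not from the original thread or from Microsoft's documentation, the following PowerShell (Az.Network module) performs the mitigation the moderator's answer asks the questioner to validate: attaching at least five Standard-SKU public IPs to a zone-redundant Azure Firewall and then checking that the firewall really spans all three zones and carries the intended number of IPs. The resource group, VNet and firewall names, the location, the five-IP target and the instance count used in the final estimate are assumptions; the 1248-port figure is the one quoted in the accepted answer.

```powershell
# Added example (not from the thread): give a zone-redundant Azure Firewall
# at least five Standard public IPs, as the second answer recommends for SNAT
# port exhaustion. Resource names, location and the count are assumptions.
$rg       = 'rg-hub'
$location = 'westeurope'
$fwName   = 'fw-hub'
$pipCount = 5
$zones    = @('1', '2', '3')   # firewall and PIPs must all be zone redundant

# Azure Firewall requires a subnet named exactly AzureFirewallSubnet in the hub VNet.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg

# Standard-SKU, static public IPs spanning all three zones.
$pips = 1..$pipCount | ForEach-Object {
    New-AzPublicIpAddress -Name "pip-$fwName-$_" -ResourceGroupName $rg -Location $location `
        -Sku Standard -AllocationMethod Static -Zone $zones
}

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $fw) {
    # Fresh deployment: all PIPs attached at creation time, firewall pinned to all zones.
    $fw = New-AzFirewall -Name $fwName -ResourceGroupName $rg -Location $location `
        -VirtualNetwork $vnet -PublicIpAddress $pips -Zone $zones
} else {
    # Existing firewall: attach only the PIPs it does not already carry, then commit.
    $attached = $fw.IpConfigurations | ForEach-Object { $_.PublicIpAddress.Id }
    foreach ($pip in $pips) {
        if ($attached -notcontains $pip.Id) { $fw.AddPublicIpAddress($pip) }
    }
    $fw = Set-AzFirewall -AzureFirewall $fw
}

# Sanity checks: zone redundancy is preserved and the IP count reached the target.
if (@($fw.Zones).Count -ne 3) {
    throw "Firewall $fwName is not zone redundant: zones = $($fw.Zones -join ',')"
}
$ipCount = @($fw.IpConfigurations).Count
if ($ipCount -lt $pipCount) {
    throw "Only $ipCount public IP(s) attached to $fwName, expected at least $pipCount"
}

# Rough SNAT budget using the per-instance figure quoted in the accepted answer
# (1248 ports per public IP per instance); the instance count here is an assumption.
$instances = 2
Write-Host ("{0} public IPs x {1} instances x 1248 ports = {2} SNAT ports" -f `
    $ipCount, $instances, ($ipCount * $instances * 1248))
```

Run this with an Az session already signed in (Connect-AzAccount) and permissions on the hub resource group. The script deliberately does not associate a NAT gateway with AzureFirewallSubnet, because the thread states that this is not supported when the firewall is deployed across multiple availability zones; it only exercises the supported lever of adding public IPs.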
