Has anyone ever mapped a NAT gateway behind a firewall in Azure where both were zone redundant?
The big picture is as follows:
We have an AKS cluster, spread across multiple zones for resiliency. Outbound traffic must be routed through the firewall, which is also deployed across multiple zones. In the past, we have run out of available ports for source NATing (SNAT port exhaustion). This is a known issue, as the firewall always reserves fixed ranges per resource when NATing. Unfortunately, assigning additional public IPs does not solve the problem. The recommended approach from Microsoft is to assign a NAT gateway to the FW, which then takes over the address translation instead of the FW. Since the translation there is done fully dynamically, without reservation, the problem would be solved. In the same article, however, Microsoft notes that this setup is not possible with a multi-AZ deployment of the FW, since the NAT GW is "zonal". Consequently, only one (zonal) NAT GW can be assigned to the FW subnet, which in the event of a zone failure becomes a single point of failure.
Apart from deploying a separate firewall with its own subnet + NAT GW for each zone, which the customer has already categorically ruled out, I don't know of any other option at the moment. Maybe one of you has deployed a multi-AZ cluster behind a firewall with a NAT GW and can help me.