This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
We need to modify the outbound rule of standard load balancer(we cannot use NAT gateway). What is the best practices to set the values for
2nd once can be still calculated or can be modified gradually as we scale up the nodes but don't know how to choose or calculate the first one.
Any suggestions please..
Kind Regards,
Tanul
Can you share the rationale on why you cannot use NAT gateway. One of the reasons it exists as an option is for precisely this reason.
@AirGordon If I have to use NAT gateway then I need to tag that to subnet as well. Now I have to contact networking team who manages that subnet. We need lot of approvals which will take time. I have to create the infra by tomorrow eod. If NAT gateway would be working only at AKS and standard load balancer level then I would have created that by now. Any change at subnet level needs lot of discussion and approval
@Andrei Barbu If possible could you please guide me on this one as well. Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@Tanul Checking in to see if the answer below helped.
If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.
Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 80%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E0%3C/text%3E%3C/svg%3E)
Hello,
To prevent SNAT port exhaustion in AKS standard load balancer:
Hi @Tanul
Thanks for reaching Microsoft Q&A.
Regarding your question:
Azure Load Balancer has the following idle timeout range:
By default, it's set to 4 minutes. If a period of inactivity is longer than the timeout value, there's no guarantee that the TCP or HTTP session is maintained between the client and your cloud service.
When the connection is closed, your client application may receive the following error message: "The underlying connection was closed: A connection that was expected to be kept alive was closed by the server."
A common practice is to use a TCP keep-alive. This practice keeps the connection active for a longer period. With keep-alive enabled, packets are sent during periods of inactivity on the connection. Keep-alive packets ensure the idle timeout value isn't reached and the connection is maintained for a long period.
The setting works for inbound connections only. To avoid losing the connection, configure the TCP keep-alive with an interval less than the idle timeout setting or increase the idle timeout value. To support these scenarios, support for a configurable idle timeout has been added.
Follow our documentation -> https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#configure-the-load-balancer-idle-timeout
The following examples show how the number of outbound ports and IP addresses are affected by the values you set:
64,000 ports per IP / 1,000 ports per node * 2 IPs = 128 nodes.64,000 ports per IP / 1,000 ports per node * 7 IPs = 448 nodes.64,000 ports per IP / 4,000 ports per node * 2 IPs = 32 nodes.64,000 ports per IP / 4,000 ports per node * 7 IPs = 112 nodes.Hope this helps. Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Have you tried with a virtual network NAT?
EDIT: it still requires a NAT GW under the hood