Associating existing VMs to a newly created NAT gateway for static outbound IP

Question

Associating existing VMs to a newly created NAT gateway for static outbound IP

Reshma Nair 140

Hi,

A new requirement from our client side is, they need to whitelist the outbound IPs of our VMs in their firewall. For that I have created a NAT gateway with a Public IP associated in our play environment and added an existing subnet to it (The subnet contains our already existing 2 VMs(play host windows machines) with a standard Public IP which has a static allocation method). In order to test my new NAT configuration, I have created bastion and tried checking the outbound IP. But it is still showing the VMs public IP instead of the NAT public IP. Not able to figure out where I went wrong.

I am new to Azure and any helps would be grateful. Thanks in Advance.

Accepted answer

0 additional answers

Your answer

Answer 1

TP 125.8K Volunteer Moderator

Hi,

From your description it sounds like you still have public IP associated with your VM's network interface. You need to disassociate this so that the VM will use the NAT gateway on the VNet.

In the Azure portal, please navigate to your VM, Networking blade. Next click on the address next to NIC Public IP. This will take you to the public IP address associated with your network interface. Click Disassociate button and click Yes to confirm.

After making the above change, please connect to your VM using Bastion and verify that the public IP address matches the NAT gateway public IP now.

Please click Accept Answer if the above was useful. If you have questions or need additional assistance, please add a comment.

Thanks.

-TP

Reshma Nair 140 Reputation points

2023-05-31T12:28:20.9966667+00:00

I have dissociated the Public IP from VM and tried with bastion again(I tried to associate NAT IP but not able to do). As I am using core windows machines UI is very restricted, so I am checking IP via command. I am using ipconfig command(not sure the command is correct) and it is showing the same IP as before.
TP 125.8K Reputation points Volunteer Moderator

2023-05-31T12:51:02.08+00:00
If you have windows GUI, you can use Edge to browse to www.whatismyip.com If you don't have GUI, then you can use powershell command. From regular command prompt you can enter powershell.exe to get powershell prompt. Please try below command in powershell prompt inside your VM:

Invoke-WebRequest https://api.ipify.org?format=json -UseBasicParsing

In the output you should see something similar to Content: {"ip":"52.223.253.137"} where in this sample the public outbond ip is 52.223.253.137 which should be the ip address of your NAT gateway.

Please reply back with your results.
Reshma Nair 140 Reputation points

2023-05-31T13:07:02.0966667+00:00

Thank you so much for your help. I have tried the above command from powershell and I got my NAT IP in output content.
Reshma Nair 140 Reputation points

2023-05-31T13:18:03.0133333+00:00

I have one last question, when we dissociate the public IP address from VM, it is affecting the inbound connectivity. Which Ip we are using for inbound connectivity then?
TP 125.8K Reputation points Volunteer Moderator

2023-05-31T13:54:49.95+00:00

If you go back to the public IP you had assigned to the VM and click Associate and link it to your VM's network interface, next connect to VM using Bastion, run the powershell command, does it still show NAT gateway's public IP or does it change to VM's public IP?

Let me explain a bit. The way it's supposed to work is if you have NAT gateway on subnet AND ALSO an instance-level public IP assigned to VM, it will direct outbound traffic to Internet through NAT gateway, and only inbound sessions will flow through the VM's public IP. In other words, NAT gateway has priority for Internet-bound connections.

For example, say you have rule for inbound rule for port 3389 to your VM, and you connect to the VM's public IP over 3389 using Remote Desktop. The traffic for this session should flow using VM's public IP, but if the VM makes an outbound connection to Internet then the source IP should be NAT gateway's.

In the past I've seen this not work as it should so I have preference towards using another method for inbound traffic like load balancer. For you, you can give it a try and see if it works as documented.

If for some reason it doesn't give priority to NAT gateway then you may consider modifying your design.

What inbound service are you publishing on your VM? Port 443 web? something else? Will this service need to be load-balanced across multiple VMs in the future perhaps?

If above isn't clear please let me know. I have to travel soon so there may be delay in responding.
Reshma Nair 140 Reputation points

2023-05-31T14:06:32.9533333+00:00

After associating VM's public IP (nic), I have tested again. I connected via bastion and checked the outbound IP address of the VM. Now it is taking the NAT IP for outbound connection. So as you mentioned now it is working as per Azure documentation. So I can follow my existing configuration (nic) for inbound connectivity and NAT for internet connections.

Your answers helped me a lot to understand the overview of Azure networking (NAT gateway). Thanks again for your great help.

Share via

Associating existing VMs to a newly created NAT gateway for static outbound IP

0 additional answers

Your answer