How to deploy App Service and NAT Gateway zone redundantly

Andreas Crona 0 Reputation points
2023-10-06T08:17:24.9933333+00:00

Hello

We want to deploy an App Service Plan (multi-tenant elastic premium), injected into a VNet subnet with route-all outbound (and private endpoints for incoming, no public access), in a zone-redundant way, together with NAT Gateway for the many outbound connections from the ASP (as per the guide in link 1 below).

But, for overall zone redundancy of the total solution the NAT Gateway also needs to be deployed zone redundantly.

How do you go about doing that?

The zone-redundant ASP is injected into a specific subnet.

For the NAT Gateway to be deployed zone redundantly it needs to be deployed in three instances, each pinned to a specific zone, and each connected to a specific subnet to create "zone redundant stacks" (as per the guide in link 2 below).

Is there a way to deploy the ASP, the NAT Gateways and the subnets so that we get total solution zone redundancy? Or do we need additional components such as ILBs, NVAs, route tables, etc.? If so, how? (We don't want to switch over to App Service Environment just for this reason, which we assume would solve the problem, as we would get dedicated zonal VM hosts for the ASP in the subnets.)

  1. https://learn.microsoft.com/en-us/azure/app-service/overview-nat-gateway-integration
  2. https://learn.microsoft.com/en-us/azure/nat-gateway/nat-availability-zones

3 answers

  1. MojiTMJ 685 Reputation points
    2023-10-06T09:05:56.0266667+00:00

    Hello Andreas,

    Thank you for your inquiry on Microsoft Q&A.

    To attain a zone-redundant deployment of Azure App Service and NAT Gateway, consider the following steps:

    1. Begin by establishing an Azure Virtual Network (VNet) comprising three subnets, each associated with a specific availability zone. Ensure that zone redundancy is enabled for the VNet.
    2. Create an App Service plan within your VNet, selecting the multi-tenant elastic premium pricing tier. This plan will serve as the hosting environment for your App Service application.
    3. Deploy your App Service application to the newly created App Service plan. This ensures that your application is hosted in a zone-redundant manner.
    4. Deploy a NAT gateway instance in each of the availability zones (typically three instances for full redundancy). Configure these NAT gateways to share the same public IP address prefix.
    5. Adjust the subnet configurations to direct all outbound traffic through the NAT gateways. This step guarantees that all outbound traffic from your App Service app is routed through the zone-redundant NAT gateways.

    Additional Information:

    • Consider utilizing a Traffic Manager profile to uniformly distribute incoming traffic across the NAT gateways in each availability zone. This load balancing ensures high availability and optimal performance.
    • Implement an Azure Load Balancer to distribute incoming traffic to your App Service application. This enhances scalability and provides fault tolerance.
    • To fortify security against malicious traffic, you can deploy Azure Firewall, adding an additional layer of protection.

    Regarding additional components such as Internal Load Balancers (ILBs), Network Virtual Appliances (NVAs), and route tables, these are typically not mandatory for achieving zone redundancy in this scenario. However, it's advisable to assess their necessity based on your specific networking and security requirements.

    As for App Service Environment, it does offer zone redundancy but comes at a higher cost compared to the approach outlined above. Ensure you consider your budget and specific deployment needs when deciding between the two options.

    Additionally, it's crucial to keep in mind:

    • While zone redundancy significantly reduces downtime risks, it doesn't guarantee 100% availability.
    • Pay careful attention to configuring route tables and Network Security Groups (NSGs) to ensure proper traffic flow for your application.
    • If you employ ILBs or NVAs, make sure they are configured in a zone-redundant manner to maintain high availability of your networking and routing infrastructure.

    For more detailed information and guidance, refer to the following resources:

    Note: If you found this response helpful, please acknowledge it to help others facing similar challenges.

    Best of luck with your deployment!

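A worked template for the steps listed in the answer above, added here as an example; it is not part of the question or of any answer on this page. It is Bicep and assumes the resource names, the region default and the 10.10.0.0/16 address space shown. It deploys three zonal Standard public IPs, three zonal NAT gateways, one App Service-delegated subnet per zone bound to that zone's NAT gateway, a zone-redundant Elastic Premium plan, and an app with public network access disabled and all outbound traffic forced into the VNet. The inbound private endpoint and the function runtime app settings (storage account, runtime version) are left out. One caveat to check against the requirement in the question: an app's VNet integration references a single subnet, and a subnet forwards through a single NAT gateway, so the app below egresses through the zone-1 gateway only. The template gives you three zonal stacks; it does not give one app an outbound path that survives the loss of its integration subnet's zone.

```bicep
// Added example, not code from the question or the answer. Names, address
// ranges and the region default are assumptions.
param location string = resourceGroup().location
param namePrefix string = 'zr-demo'

var zones = ['1', '2', '3']

// One Standard zonal public IP per zone. A NAT gateway pinned to a zone
// must use public IPs pinned to the same zone.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for z in zones: {
  name: '${namePrefix}-pip-z${z}'
  location: location
  sku: { name: 'Standard' }
  zones: [z]
  properties: { publicIPAllocationMethod: 'Static' }
}]

// One NAT gateway per zone. NAT Gateway is a zonal resource, so zone
// redundancy is built from three of them rather than one.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = [for (z, i) in zones: {
  name: '${namePrefix}-nat-z${z}'
  location: location
  sku: { name: 'Standard' }
  zones: [z]
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: pip[i].id } ]
  }
}]

// VNet with one subnet per zone. Each subnet is delegated to App Service
// and bound to the NAT gateway of its zone: three zonal "stacks".
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${namePrefix}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [for (z, i) in zones: {
      name: 'snet-appsvc-z${z}'
      properties: {
        addressPrefix: '10.10.${i}.0/24'
        natGateway: { id: natGw[i].id }
        delegations: [
          {
            name: 'appsvc-delegation'
            properties: { serviceName: 'Microsoft.Web/serverFarms' }
          }
        ]
      }
    }]
  }
}

// Zone-redundant multi-tenant Elastic Premium plan; zone redundancy
// requires a minimum of three instances.
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${namePrefix}-plan'
  location: location
  kind: 'elastic'
  sku: { name: 'EP1', tier: 'ElasticPremium', capacity: 3 }
  properties: {
    zoneRedundant: true
    maximumElasticWorkerCount: 20
  }
}

// The app integrates with exactly one subnet (zone 1 here), so its outbound
// traffic leaves through the zone-1 NAT gateway. Inbound is private endpoint
// only; the private endpoint itself and the function runtime app settings
// are out of scope for this snippet.
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: '${namePrefix}-func'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    publicNetworkAccess: 'Disabled'
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-appsvc-z1')
    siteConfig: {
      vnetRouteAllEnabled: true   // force all outbound into the VNet and thus through the NAT gateway
      minimumElasticInstanceCount: 3
      ftpsState: 'Disabled'
    }
  }
}

output natGatewayIds array = [for (z, i) in zones: natGw[i].id]
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`; run `az deployment group what-if` with the same arguments first to confirm that each subnet lands on the NAT gateway of its own zone and that the public IPs and gateways carry matching `zones` values, since a mismatch there is rejected only at deployment time.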

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
