Do I need to use Azure NAT Gateway for outbound internet access for Azure Container Apps or Azure Database for PostgreSQL?

Alberto Dasilvon 40 Reputation points
2024-05-31T16:22:41.7766667+00:00

Hi everyone,

I would like to ask whether I need to use Azure NAT Gateway for outbound access to the internet?

Insight:

I have a Hub and Spoke network topology implemented; in the Hub VNET there is an Azure Firewall and an Azure VPN Gateway.

I've set up Azure Container Apps with VNET integration as well as Azure Database for PostgreSQL Flexible Server in the Spoke VNET. I can see that the container within Azure Container Apps has got default outbound access, using curl or ping. However, do I need to attach Azure NAT Gateway in the Hub VNET, configure route table and firewall policy?

I've read that "On September 30th, 2025, default outbound access for new deployments will be retired. It is recommended to use an explicit form of outbound connectivity instead, like NAT gateway"

Would the default outbound access to the internet be sufficient for the Azure Container Apps container and Azure Database for PostgreSQL?

Thank you!


Accepted answer
  1. KapilAnanth-MSFT 38,051 Reputation points Microsoft Employee
    2024-06-03T06:26:50.5+00:00

    @Alberto Dasilvon ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I see you are referring to the Azure Update : Default outbound access for VMs in Azure will be retired.

    • The above announcement is for Virtual Machines
    • Not for PaaS Services that are integrated into a VNET.

    Default outbound access document is for Virtual Machines residing in a VNET.

    For other PaaS Service, you should check their Networking requirements to understand how they provide inbound and outbound access.

    In your case,

    #1 Azure Container Apps

    • I see Azure Container Apps supporting NAT gateway for Workload profiles Environment type
    • And the advantage of this feature is to have a fixed, non changing "Outbound public IP" for your PaaS Service.
    • If you don't have a NAT, still you will be able to make outbound connections but you will not have control over which IP would be used.

    See : Azure Container Apps support for NAT Gateway

    • You can also use Azure Firewall, but the intention here is to restrict/limit access to internet (control which sites should be reachable) rather than merely providing outbound IP.

    #2 Azure Database for PostgreSQL

    • I don't see any documents claiming NAT Gateway support for a VNET Integrated Azure Database for PostgreSQL - Flexible Server

    • Moreover, I don't think this DB service is capable of making outbound calls on its own in the first place, unlike Azure Container Apps
    • I am not an expert on PostgreSQL - Flexible Server but are you sure this service is making outbound internet calls currently?
    • The entire document Networking overview for Azure Database for PostgreSQL - talks about connecting to the DB and I am afraid I don't see any line stating outbound connectivity

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
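
An added example, not part of the answer above or of Microsoft's documentation: a Python audit that classifies how each spoke subnet reaches the internet, using constructed records shaped like `az network vnet subnet show` and `az network route-table show` output. All resource names and addresses are made up, and the rule that a `0.0.0.0/0` route to a virtual appliance is evaluated before a NAT gateway association follows Azure's documented ordering and should be checked against the current NAT gateway documentation.

```python
import json

# Constructed sample data; names, IDs and addresses are hypothetical.
SUBNETS = json.loads("""
[
  {"name": "snet-aca", "natGateway": {"id": "/example/natGateways/ng-spoke"},
   "routeTable": null,
   "delegations": [{"serviceName": "Microsoft.App/environments"}]},
  {"name": "snet-aca-fw", "natGateway": null,
   "routeTable": {"id": "/example/routeTables/rt-to-hub"},
   "delegations": [{"serviceName": "Microsoft.App/environments"}]},
  {"name": "snet-pg", "natGateway": null, "routeTable": null,
   "delegations": [{"serviceName": "Microsoft.DBforPostgreSQL/flexibleServers"}]}
]
""")
ROUTE_TABLES = {
    "/example/routeTables/rt-to-hub": {"routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"}]},
}

def egress_path(subnet, route_tables):
    """Return (path, detail) for internet-bound traffic leaving a subnet."""
    rt_ref = subnet.get("routeTable") or {}
    routes = route_tables.get(rt_ref.get("id"), {}).get("routes", [])
    for route in routes:
        # A default route to an appliance (e.g. the hub firewall) is
        # evaluated before a NAT gateway attached to the same subnet.
        if (route.get("addressPrefix") == "0.0.0.0/0"
                and route.get("nextHopType") == "VirtualAppliance"):
            return "firewall-udr", route.get("nextHopIpAddress")
    nat = subnet.get("natGateway") or {}
    if nat.get("id"):
        return "nat-gateway", nat["id"]
    # No explicit method configured: the platform picks the source IP,
    # so it cannot be pinned in a downstream allowlist.
    return "platform-default", None

def report(subnets, route_tables):
    """List (subnet, delegated service, egress path) for every subnet."""
    rows = []
    for s in subnets:
        services = [d["serviceName"] for d in s.get("delegations") or []]
        rows.append((s["name"], services[0] if services else None,
                     egress_path(s, route_tables)[0]))
    return rows

if __name__ == "__main__":
    for row in report(SUBNETS, ROUTE_TABLES):
        print(*row, sep="\t")
```

Subnets reported as `platform-default` are the ones with no fixed outbound IP, which matters when a partner or upstream service filters by source address.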

1 additional answer

  1. Sina Salam 5,546 Reputation points
    2024-05-31T23:02:40.14+00:00

    Hello Alberto Dasilvon,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are asking if you need to use Azure NAT Gateway for outbound internet access for Azure Container Apps or Azure Database for PostgreSQL.

    Solution

    No, you do not need to use Azure NAT Gateway for outbound internet access for Azure Container Apps or Azure Database for PostgreSQL for some reasons, but there are certain scenarios where it might be beneficial.

    1. NAT Gateway is optional and mainly used for consistent IP addresses and handling large-scale outbound connections.
    2. NAT Gateway is generally not required for typical use cases but can be useful for specific scenarios involving integration with other services or compliance needs.

    In many cases, Azure's default outbound access solutions will be sufficient, but implementing a NAT Gateway can provide additional control and flexibility depending on your specific requirements.

    Finally

    In your scenario, the use of an Azure NAT Gateway for outbound access to the internet can be beneficial and is recommended given the planned retirement of default outbound access.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

    1 person found this answer helpful.