Can I Redirect traffic from spoke network directly to NAT Gateway without having an NVA?

Question

Hi,
Is it possible to have a hub and spoke architecture where all the spoke traffic is sent to Hub via route table in which NAT Gateway can receive the traffic from spoke directly without having an Azure Firewall or NVA? I believe it's not possible however I would like to get confirmation on this.

Answer 1

Hi @Gokul Dev,it looks like you want to know if you can route traffic directly from a spoke network to a NAT Gateway in a hub-and-spoke architecture without having an Azure Firewall or Network Virtual Appliance (NVA). Here’s the scoop:

In a typical hub-and-spoke architecture, traffic from the spokes usually gets routed to a common hub, where services like NAT Gateways and firewalls can handle that traffic. As of now, a NAT Gateway can't receive traffic directly from the spokes without the involvement of some routing mechanism like an NVA or a firewall. So, generally, you'll need some form of intermediary infrastructure to facilitate this routing to ensure that outbound internet traffic is handled properly and securely.

To summarize:

• You cannot redirect spoke traffic to a NAT Gateway directly without incorporating an NVA or Azure Firewall.
• The recommended practice is to route all traffic through an NVA or firewall before it reaches the NAT Gateway.

If you still have questions or need more details,let us know.

References:

• What is Azure Virtual Network NAT
• Frequently asked questions for Azure NAT Gateway
• Tutorial: Use a NAT gateway with a hub and spoke network

Note: This content was drafted with the help of an AI system.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please 'Accept the answer' and kindly upvote it. If you have extra questions about this answer, please click "Comment".