About using NAT Gateway in Azure Hub-spoke network environment

ryosk25 521 Reputation points
2022-05-16T07:32:39.563+00:00

We are operating an Azure infrastructure environment.

The current network configuration is Hub-spoke network.
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

Therefore, in order to fix the public IP address of the Azure environment,
I am considering implementing a NAT Gateway.

When implementing NAT Gateway in the Hub-spoke network, I am aware of adding Nat Gateway to the hub network. Is this correct?
Or should it be added to the Spoke network?

We would like to set it according to best practices.
If you are an expert, I would be grateful if you could tell me.

Besides Nat Gateway, how to associate a public IP address with his NIC in an Azure VM,
I think there is a way to fix the public IP address in Azure Firewall.
About use cases and advantages and disadvantages in such cases
I would be very happy if you could give us your opinion.

Thank you very much.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,178 questions
0 comments
Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
    2022-05-17T18:13:21.417+00:00

    Hello @ryosk25 , Thank you for reaching out.

    As per the documentation here Virtual Network NAT simplifies outbound Internet connectivity for virtual network. When configured on a subnet, all outbound connectivity uses the Virtual Network NAT's static public IP addresses. A NAT gateway can’t span multiple virtual networks. You can associate multiple subnets in a VNET to Nat Gateway. So as per this FAQ NAT gateway can only be used by a virtual network that the NAT gateway is directly connected to and cannot traverse multiple virtual networks. In a scenario in which virtual network A is peered with virtual network B and NAT gateway is directly associated with virtual network A, virtual network B cannot use NAT gateway to direct outbound traffic. Virtual network B will need its own NAT gateway to make outbound connections. My recommendation in this scenario will be to deploy NAT Gateway to the VNET which requires outbound connectivity to internet.

    You can go through this documentation for information on other options for outbound internet connectivity. You can also use Azure Firewall for outbound connectivity as shown in architecture link you shared above, and you can deploy a Azure Firewall with multiple public IP addresses.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest