Managed NAT Gateway

Whilst AKS customers are able to route egress traffic through an Azure Load Balancer, there are limits on the number of outbound traffic flows that is possible.

Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.

This article will show you how to create an AKS cluster with a Managed NAT Gateway for egress traffic.

Before you begin

To use Managed NAT gateway, you must have the following:

  • The latest version of the Azure CLI
  • Kubernetes version 1.20.x or above

Create an AKS cluster with a Managed NAT Gateway

To create an AKS cluster with a new Managed NAT Gateway, use --outbound-type managedNATGateway as well as --nat-gateway-managed-outbound-ip-count and --nat-gateway-idle-timeout when running az aks create. The following example creates a myresourcegroup resource group, then creates a natcluster AKS cluster in myresourcegroup with a Managed NAT Gateway, two outbound IPs, and an idle timeout of 4 minutes.

az group create --name myresourcegroup --location southcentralus
az aks create \
    --resource-group myresourcegroup \
    --name natcluster \
    --node-count 3 \
    --outbound-type managedNATGateway \
    --nat-gateway-managed-outbound-ip-count 2 \
    --nat-gateway-idle-timeout 4

Important

If no value for the outbound IP address count is specified, the default value is one.

Update the number of outbound IP addresses

To update the outbound IP address or idle timeout, use --nat-gateway-managed-outbound-ip-count or --nat-gateway-idle-timeout when running az aks update. For example:

az aks update \
    --resource-group myresourcegroup \
    --name natcluster \
    --nat-gateway-managed-outbound-ip-count 5

Create an AKS cluster with a user-assigned NAT Gateway

To create an AKS cluster with a user-assigned NAT Gateway, use --outbound-type userAssignedNATGateway when running az aks create. This configuration requires bring-your-own networking (via Kubenet or Azure CNI) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the az aks create command.

  1. Create the resource group:

    az group create --name myresourcegroup \
        --location southcentralus
    
  2. Create a managed identity for network permissions and store its ID in $IDENTITY_ID for later use:

    IDENTITY_ID=$(az identity create \
        --resource-group myresourcegroup \
        --name natclusterid \
        --location southcentralus \
        --query id \
        --output tsv)
    
  3. Create a public IP for the NAT gateway:

    az network public-ip create \
        --resource-group myresourcegroup \
        --name mynatgatewaypip \
        --location southcentralus \
        --sku standard
    
  4. Create the NAT gateway:

    az network nat gateway create \
        --resource-group myresourcegroup \
        --name mynatgateway \
        --location southcentralus \
        --public-ip-addresses mynatgatewaypip
    
  5. Create a virtual network:

    az network vnet create \
        --resource-group myresourcegroup \
        --name myvnet \
        --location southcentralus \
        --address-prefixes 172.16.0.0/20
    
  6. Create a subnet in the virtual network using the NAT gateway and store its ID in $SUBNET_ID for later use:

    SUBNET_ID=$(az network vnet subnet create \
        --resource-group myresourcegroup \
        --vnet-name myvnet \
        --name natcluster \
        --address-prefixes 172.16.0.0/22 \
        --nat-gateway mynatgateway \
        --query id \
        --output tsv)
    
  7. Create an AKS cluster using the subnet with the NAT gateway and the managed identity:

    az aks create \
        --resource-group myresourcegroup \
        --name natcluster \
        --location southcentralus \
        --network-plugin azure \
        --vnet-subnet-id $SUBNET_ID \
        --outbound-type userAssignedNATGateway \
        --enable-managed-identity \
        --assign-identity $IDENTITY_ID
    
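After either of the procedures above, it is worth confirming that the cluster actually egresses through the NAT gateway and recording which public IPs downstream firewalls must allow. The following audit script is an added example, not part of this article or of the Azure CLI; it parses a constructed sample of the networkProfile object that az aks show prints (the field names outboundType, natGatewayProfile, managedOutboundIpProfile, effectiveOutboundIps and idleTimeoutInMinutes are assumed to match the CLI's camelCase output, and the subscription id and public IP names are placeholders) and checks it against the limits stated in this article.

```python
import json

# Limits the article states: 64,512 flows per outbound IP, at most 16 IPs.
FLOWS_PER_IP = 64_512
MAX_OUTBOUND_IPS = 16
NAT_OUTBOUND_TYPES = {"managedNATGateway", "userAssignedNATGateway"}

# Constructed sample of the networkProfile object printed by
# `az aks show -g myresourcegroup -n natcluster --query networkProfile`.
# Field names are assumed to match the CLI's camelCase output; the
# subscription id and public IP names are placeholders.
SAMPLE_PROFILE = json.loads("""
{
  "outboundType": "managedNATGateway",
  "natGatewayProfile": {
    "idleTimeoutInMinutes": 4,
    "managedOutboundIpProfile": {"count": 2},
    "effectiveOutboundIps": [
      {"id": "/subscriptions/<sub-id>/resourceGroups/MC_myresourcegroup_natcluster_southcentralus/providers/Microsoft.Network/publicIPAddresses/<pip-1>"},
      {"id": "/subscriptions/<sub-id>/resourceGroups/MC_myresourcegroup_natcluster_southcentralus/providers/Microsoft.Network/publicIPAddresses/<pip-2>"}
    ]
  }
}
""")


def audit_egress(profile):
    """Summarise cluster egress and flag deviations from the NAT gateway setup."""
    findings = []
    outbound = profile.get("outboundType")
    if outbound not in NAT_OUTBOUND_TYPES:
        findings.append(f"outboundType is {outbound!r}; egress does not use a NAT gateway")
        return {"outboundType": outbound, "egressIps": [], "maxFlows": 0, "findings": findings}

    nat = profile.get("natGatewayProfile") or {}
    # Public IP resource ids that downstream allowlists need to cover.
    ips = [ip["id"] for ip in nat.get("effectiveOutboundIps") or []]
    # Managed gateways report the requested count; fall back to the
    # effective IP list (assumed) for a user-assigned gateway.
    count = (nat.get("managedOutboundIpProfile") or {}).get("count", len(ips))
    if not 1 <= count <= MAX_OUTBOUND_IPS:
        findings.append(f"outbound IP count {count} is outside 1..{MAX_OUTBOUND_IPS}")
    if ips and len(ips) != count:
        findings.append(f"requested {count} outbound IPs but {len(ips)} are in effect")
    return {"outboundType": outbound, "egressIps": ips,
            "idleTimeoutInMinutes": nat.get("idleTimeoutInMinutes"),
            "maxFlows": count * FLOWS_PER_IP, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_egress(SAMPLE_PROFILE), indent=2))
```

Pipe the real output of az aks show --query networkProfile into json.loads in place of the constructed sample to audit a live cluster.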

Next Steps