Virtual Network NAT gateway integration

NAT gateway is a fully managed, highly resilient service, which can be associated with one or more subnets and ensures that all outbound Internet-facing traffic will be routed through the gateway. With App Service, there are two important scenarios that you can use NAT gateway for.

The NAT gateway gives you a static predictable public IP for outbound Internet-facing traffic. It also significantly increases the available SNAT ports in scenarios where you have a high number of concurrent connections to the same public address/port combination.

For more information and pricing. Go to the NAT gateway overview.

Note

• Using NAT gateway with App Service is dependent on virtual network integration, and therefore a supported App Service plan pricing tier is required.
• When using NAT gateway together with App Service, all traffic to Azure Storage must be using private endpoint or service endpoint.
• NAT gateway cannot be used together with App Service Environment v1 or v2.

Configuring NAT gateway integration

To configure NAT gateway integration with App Service, you need to complete the following steps:

• Configure regional virtual network integration with your app as described in Integrate your app with an Azure virtual network
• Ensure Route All is enabled for your virtual network integration so the Internet bound traffic will be affected by routes in your virtual network.
• Provision a NAT gateway with a public IP and associate it with the virtual network integration subnet.

Set up NAT gateway through the portal:

1. Go to the Networking UI in the App Service portal and select virtual network integration in the Outbound Traffic section. Ensure that your app is integrated with a subnet and Route All has been enabled.
2. On the Azure portal menu or from the Home page, select Create a resource. The New window appears.
3. Search for "NAT gateway" and select it from the list of results.
4. Fill in the Basics information and pick the region where your app is located.
5. In the Outbound IP tab, create a new or select an existing public IP.
6. In the Subnet tab, select the subnet used for virtual network integration.
7. Fill in tags if needed and Create the NAT gateway. After the NAT gateway is provisioned, click on the Go to resource group and select the new NAT gateway. You can see the public IP that your app will use for outbound Internet-facing traffic in the Outbound IP blade.

If you prefer using CLI to configure your environment, these are the important commands. As a prerequisite, you should create an app with virtual network integration configured.

Ensure Route All is configured for your virtual network integration:

az webapp config set --resource-group [myResourceGroup] --name [myWebApp] --vnet-route-all-enabled

Create Public IP and NAT gateway:

az network public-ip create --resource-group [myResourceGroup] --name myPublicIP --sku standard --allocation static

az network nat gateway create --resource-group [myResourceGroup] --name myNATgateway --public-ip-addresses myPublicIP --idle-timeout 10

Associate the NAT gateway with the virtual network integration subnet:

az network vnet subnet update --resource-group [myResourceGroup] --vnet-name [myVnet] --name [myIntegrationSubnet] --nat-gateway myNATgateway

Scaling NAT gateway

The same NAT gateway can be used across multiple subnets in the same Virtual Network allowing a NAT gateway to be used across multiple apps and App Service plans.

NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the Scaling section of NAT gateway.

Next steps

For more information on the NAT gateway, see NAT gateway documentation.

For more information on virtual network integration, see Virtual network integration documentation.