Azure NAT Gateway integration

Azure NAT Gateway is a fully managed, highly resilient service that can be associated with one or more subnets. It ensures that all outbound internet-facing traffic is routed through a network address translation (NAT) gateway. With Azure App Service, there are two important scenarios where you can use a NAT gateway.

The NAT gateway gives you a static, predictable public IP address for outbound internet-facing traffic. It also significantly increases the available source network address translation (SNAT) ports in scenarios where you have a high number of concurrent connections to the same public address/port combination.

Diagram that shows internet traffic flowing to a NAT gateway in an Azure virtual network.

Here are important considerations about Azure NAT Gateway integration:

  • Using a NAT gateway with App Service is dependent on virtual network integration, so it requires a supported pricing tier in an App Service plan.
  • When you're using a NAT gateway together with App Service, all traffic to Azure Storage must use private endpoints or service endpoints.
  • You can't use a NAT gateway together with App Service Environment v1 or v2.

For more information and pricing, see the Azure NAT Gateway overview.

Configure NAT gateway integration

To configure NAT gateway integration with App Service, first complete the following tasks:

  • Configure regional virtual network integration with your app, as described in Integrate your app with an Azure virtual network.
  • Ensure that Route All is enabled for your virtual network integration, so routes in your virtual network affect the internet-bound traffic.
  • Provision a NAT gateway with a public IP address and associate it with the subnet for virtual network integration.

Then, set up Azure NAT Gateway through the Azure portal:

  1. In the Azure portal, go to App Service > Networking. In the Outbound Traffic section, select Virtual network integration. Ensure that your app is integrated with a subnet and that Route All is enabled.

    Screenshot of the Route All option enabled for virtual network integration.

  2. On the Azure portal menu or from the home page, select Create a resource. The New window appears.

  3. Search for NAT gateway and select it from the list of results.

  4. Fill in the Basics information and choose the region where your app is located.

    Screenshot of the Basics tab on the page for creating a NAT gateway.

  5. On the Outbound IP tab, create a public IP address or select an existing one.

    Screenshot of the Outbound IP tab on the page for creating a NAT gateway.

  6. On the Subnet tab, select the subnet that you use for virtual network integration.

    Screenshot of the Subnet tab on the page for creating a NAT gateway.

  7. Fill in tags if needed, and then select Create. After the NAT gateway is provisioned, select Go to resource group, and then select the new NAT gateway. The Outbound IP pane shows the public IP address that your app will use for outbound internet-facing traffic.

    Screenshot of the Outbound IP pane for a NAT gateway in the Azure portal.

If you prefer to use the Azure CLI to configure your environment, these are the important commands. As a prerequisite, create an app with virtual network integration configured.

  1. Ensure that Route All is configured for your virtual network integration:

    az webapp config set --resource-group [myResourceGroup] --name [myWebApp] --vnet-route-all-enabled
  2. Create a public IP address and a NAT gateway:

    az network public-ip create --resource-group [myResourceGroup] --name myPublicIP --sku standard --allocation static
    az network nat gateway create --resource-group [myResourceGroup] --name myNATgateway --public-ip-addresses myPublicIP --idle-timeout 10
  3. Associate the NAT gateway with the subnet for virtual network integration:

    az network vnet subnet update --resource-group [myResourceGroup] --vnet-name [myVnet] --name [myIntegrationSubnet] --nat-gateway myNATgateway

Scale a NAT gateway

You can use the same NAT gateway across multiple subnets in the same virtual network. That approach allows you to use a NAT gateway across multiple apps and App Service plans.

Azure NAT Gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports), which allows up to 1 million available ports. Learn more in Azure NAT Gateway resource.

Next steps

For more information on Azure NAT Gateway, see the Azure NAT Gateway documentation.

For more information on virtual network integration, see the documentation about virtual network integration.