Here are some answers to common questions about using Azure NAT Gateway.
NAT gateway basics
What is Azure NAT Gateway?
Azure NAT Gateway is a fully managed, highly resilient outbound connectivity solution for Azure virtual networks. Attach NAT gateway to subnets within a virtual network and to at least one static public IP address to achieve secure and scalable outbound connectivity.
What is the pricing for Azure NAT Gateway?
What are the known limits of Azure NAT Gateway?
Can NAT gateway be used across subscriptions?
No, a NAT gateway resource can't be used with more than one subscription at a time. For step by step guidance, see Create and configure NAT gateway after region move.
Can NAT gateway be moved from a region/subscription/resource group to another?
No. NAT gateway can't be moved across subscriptions, regions, or resource groups. A new NAT gateway must be created for the other subscription, region, or resource group.
Can NAT gateway be used to connect inbound?
NAT gateway provides outbound connectivity from a virtual network. Return traffic in direct response to an outbound flow can also pass through NAT gateway. No inbound traffic directly from the internet can pass through NAT gateway.
How can I obtain logs for my NAT gateway resource?
Network security groups (NSG) flow logs can be used to monitor traffic flow from a resource in a subnet/virtual network using NAT gateway to go outbound.
Use Azure Security Center and follow the network protection recommendations to help secure your Azure network resources. Enable network security group flow logs and send the logs to an Azure Storage account for auditing. You can also send the flow logs to a Log Analytics workspace and then use Traffic Analytics to provide insights into traffic patterns in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
How do I delete a NAT gateway resource?
To delete a NAT gateway resource, the resource must first be disassociated from the subnet. Once the NAT gateway resource is disassociated from all subnets, it can be deleted. See remove a NAT gateway from an existing subnet and delete the resource for step-by-step guidance.
Outbound connectivity with NAT gateway
How can I use NAT gateway to connect outbound in a setup where I'm currently using a different service for outbound?
NAT gateway automatically connects outbound to the internet after being attached to a public IP address or prefix and a subnet. NAT gateway takes priority over Load balancer with outbound rules, instance-level public IP addresses on virtual machines, and Azure Firewall for outbound connectivity.
Are connections disrupted after attaching NAT gateway to a subnet where a different service is currently used for outbound connectivity?
No, there's no disruption in connections. Existing connections with the previous outbound service (Load balancer, Azure Firewall, instance-level public IP addresses) continues to work until those connections close. After NAT gateway is added to the subnet of the virtual network, all new connections use NAT gateway for making outbound connections.
Can a NAT gateway public IP connect directly to a private IP address over the internet?
No. A public IP address of NAT gateway can't connect directly to a private IP over the internet.
If multiple public IP addresses are assigned to a NAT gateway, is traffic flow disrupted when one of the IP addresses is removed?
Any active connections associated with a public IP address terminate upon the public IP address being removed. If the NAT gateway resource has multiple public IPs, new traffic is distributed among the assigned IPs.
What is the difference between SNAT Connection Count and Total SNAT Connection Count metrics for NAT gateway?
How can I see SNAT port usage on NAT gateway?
There's no SNAT port usage metric for NAT gateway. Use the SNAT Connection Count and Total SNAT Connection Count metrics to help you evaluate the SNATing capacity of your NAT gateway.
What happens to NAT gateway if I force tunnel 0.0.0.0/0 (internet) traffic to an NVA, VPN Gateway or ExpressRoute?
NAT gateway uses a subnet’s system default internet path to route traffic to the internet. Traffic doesn't pass through NAT gateway if a UDR is created to direct 0.0.0.0/0 traffic to next hop type NVA or a virtual network gateway.
What configuration must I make on the subnet route table to connect outbound with NAT gateway?
No configuration on the subnet route table is required in order to start connecting outbound with NAT gateway. When NAT gateway is assigned to a subnet, NAT gateway becomes the next hop type for all internet destined traffic. Traffic can start connecting outbound to the internet as soon as NAT gateway is assigned to a subnet and at least one public IP address.
NAT gateway configurations
Can NAT gateway be deployed without a public IP address or subnet?
Yes, NAT gateway can be deployed without a public IP address or prefix and subnet. However, it's not operational until you attach at least one public IP address or prefix and a subnet.
Is the NAT gateway public IP address static?
Yes. Public IP addresses on your NAT gateway are fixed and don't change.
How many public IP addresses can be attached to NAT gateway?
NAT gateway can use up to 16 public IP addresses. NAT gateway can use any combination of public IP addresses and public IP prefixes totaling to 16 addresses. NAT gateway can support the following prefix sizes: /28 (16 addresses), /29 (8 addresses), /30 (4 addresses), and /31 (2 addresses).
How can I use custom IP prefixes (BYOIP) with NAT gateway?
You can use public IP prefixes and addresses derived from custom IP prefixes (BYOIP) with your NAT gateway. See Custom IP address prefix (BYOIP) to learn more.
Can an IPv6 public IP address be used with NAT gateway?
No, NAT gateway doesn't support IPv6 public IP addresses. You can however have a dual-stack configuration with NAT gateway and Load balancer to provide IPv4 and IPv6 outbound connectivity. See configure dual stack outbound connectivity with a NAT gateway and a public Load balancer for more information.
Can public IP addresses with routing preference "internet" be used with NAT gateway?
No, NAT gateway doesn't support public IP addresses with routing preference "internet". To see a list of Azure services that do support routing configuration type "internet" on public IPs, see supported services for routing over the public internet.
Can public IP addresses with DDoS protection enabled be used with NAT gateway?
No, NAT gateway doesn't support public IP addresses with DDoS protection enabled. See DDoS limitations for more information.
Can public IPs of an existing NAT gateway be changed?
No, the address of an existing public IP can't be changed. If you need to change the public IP address on your NAT gateway, see add or remove a public IP address for guidance.
If multiple public IP addresses are assigned to a NAT gateway, which public IPs does my subnet resources use?
Your subnet resources can use any of the public IP addresses attached to your NAT gateway for outbound connectivity. Each time a new outbound connection is made through NAT gateway, the outbound public IP is selected at random.
Can I assign one of my NAT gateway public IP addresses to a specific VM or subnet to use exclusively for connecting outbound?
No. IP assignment to specific subnets or VM instances in a NAT gateway configured subnet isn't supported.
Can NAT gateway be attached to multiple virtual networks?
No. NAT gateway can't be attached to multiple virtual networks.
Can NAT gateway be attached to multiple subnets?
Yes. NAT gateway can be associated with up to 800 subnets in a virtual network. It isn't required to be associated with all subnets within a virtual network.
Can NAT gateway be attached to a gateway subnet?
No. NAT gateway can't be associated with a gateway subnet.
Can multiple NAT gateways be attached to a single subnet?
No. NAT gateway operates based on the properties of the subnet, and so multiple NAT gateways can't be attached to a single subnet.
Does NAT gateway work in a hub and spoke network architecture?
Traffic from the spoke VNets can be routed to the centralized hub VNet through an NVA or Azure Firewall. NAT gateway can then provide outbound connectivity for all spoke virtual networks from the centralized hub network. To set up NAT gateway in a hub and spoke architecture with NVAs, see use NAT gateway in a hub and spoke network. To use NAT gateway with Azure Firewall in a hub and spoke setup, see integrate NAT gateway with Azure Firewall.
How does NAT gateway work with availability zones?
NAT gateway can be zonal or placed in "no zone". For more information, see NAT gateway and availability zones.
A "no zone" NAT gateway is placed into a zone for you by Azure.
A zonal NAT gateway is associated to a specific zone by the user when the NAT gateway is created.
The zonal configuration of NAT gateway can't be changed after deployment.
Can a zone-redundant public IP address be attached to a NAT gateway?
A zone-redundant public IP address can be attached to a "no zone" NAT gateway only. A NAT gateway designated to a specific zone must be attached to a public IP address from the same zone.
NAT gateway and basic SKU resources
Are basic SKU resources (Basic Load Balancer and Basic public IP addresses) compatible with NAT gateway?
No. NAT gateway is compatible with standard SKU resources. Learn more from NAT gateway basics You can upgrade your basic Load balancer and basic public IP address to standard in order to work with NAT gateway.
To upgrade a basic Load balancer to standard, see Upgrade Azure Public Load Balancer. To upgrade a basic public IP to standard, see Upgrade a public IP address. To upgrade a basic public IP with an attached VM to standard, see Upgrade a basic public IP address with an attached VM.
Connection timeouts and timers
What is the idle timeout for NAT gateway?
For TCP connections, the idle timeout timer defaults to 4 minutes and is configurable up to 120 minutes. If you need to maintain long connection flows, use TCP keepalives instead of extending the idle timeout timer. TCP keepalives maintain active connections for a longer period.
The UDP idle timeout timer is set to 4 minutes and isn't configurable.
What is the SNAT port reuse behavior of NAT gateway?
When a TCP/UDP connection is closed, the port is placed in a cool down period before it can be reused to connect to the same destination endpoint. For more information, see SNAT port reuse timers. Connections going to a different destination can use a SNAT port right away. For more information, see SNAT with NAT gateway.
NAT gateway integration with other Azure services
Can I use NAT gateway with Azure App Services?
Yes. NAT gateway can be used with Azure App Services in order to allow applications to direct outbound traffic to the internet from a virtual network. To use this integration between NAT gateway and Azure App Services, regional virtual network integration must be enabled. For guidance on how to enable virtual network integration with NAT gateway, see NAT gateway integration.
Can I use NAT gateway with Azure Kubernetes Service?
Yes. For more information about NAT gateway integration with Azure Kubernetes Service, see Managed NAT Gateway.
Can I use NAT gateway with Azure Firewall?
Yes. NAT gateway can be used with Azure Firewall. Azure Firewall when used with NAT gateway should be in a zonal configuration. NAT gateway works with a zone redundant firewall, but it’s not a recommended deployment at this time. For more information about NAT gateway integration with Azure Firewall, see Scale SNAT ports with Azure NAT Gateway.
Can I use NAT gateway with Virtual Network service endpoints or Private Link?
Yes. The addition of a NAT gateway to a subnet with service endpoints doesn't affect the endpoints. Virtual Network service endpoints enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint traverses the Azure backbone instead of the internet. Private Link is recommended over service endpoints when connecting to Azure PaaS services directly from your Azure network.
If your question is not listed above, please send feedback about this page with your question. This will create a GitHub issue for the product team to ensure all of our valued customer questions are answered.