Frequently asked questions for Azure NAT Gateway

Azure NAT Gateway is a fully managed, highly resilient outbound connectivity solution for Azure virtual networks. Attach NAT gateway to subnets within a virtual network and to at least one static public IP address to achieve secure and scalable outbound connectivity.

See Azure NAT Gateway pricing.

See Azure NAT Gateway limits.

No, a NAT gateway resource can't be used with more than one subscription at a time. For step by step guidance, see Create and configure NAT gateway after region move.

No. NAT gateway can't be moved across subscriptions, regions, or resource groups. A new NAT gateway must be created for the other subscription, region, or resource group.

NAT gateway provides outbound connectivity from a virtual network. Return traffic in direct response to an outbound flow can also pass through NAT gateway. No inbound traffic directly from the internet can pass through NAT gateway.

Network security groups (NSG) flow logs can be used to monitor traffic flow from a resource in a subnet/virtual network using NAT gateway to go outbound.

Use Azure Security Center and follow the network protection recommendations to help secure your Azure network resources. Enable network security group flow logs and send the logs to an Azure Storage account for auditing. You can also send the flow logs to a Log Analytics workspace and then use Traffic Analytics to provide insights into traffic patterns in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity, identify hot spots and security threats, understand traffic flow patterns, and pinpoint network misconfigurations.

To delete a NAT gateway resource, the resource must first be disassociated from the subnet. Once the NAT gateway resource is disassociated from all subnets, it can be deleted. See remove a NAT gateway from an existing subnet and delete the resource for step-by-step guidance.

NAT gateway automatically connects outbound to the internet after being attached to a public IP address or prefix and a subnet. NAT gateway takes priority over Load balancer with outbound rules, instance-level public IP addresses on virtual machines, and Azure Firewall for outbound connectivity.

No, there's no disruption in connections. Existing connections with the previous outbound service (Load balancer, Azure Firewall, instance-level public IP addresses) continues to work until those connections close. After NAT gateway is added to the subnet of the virtual network, all new connections use NAT gateway for making outbound connections.

No. A public IP address of NAT gateway can't connect directly to a private IP over the internet.

Any active connections associated with a public IP address terminate upon the public IP address being removed. If the NAT gateway resource has multiple public IPs, new traffic is distributed among the assigned IPs.

The SNAT Connection Count metric shows the number of new SNAT connections made per second. The Total SNAT Connection Count metric shows the total amount of active connection on NAT gateway.

There's no SNAT port usage metric for NAT gateway. Use the SNAT Connection Count and Total SNAT Connection Count metrics to help you evaluate the SNATing capacity of your NAT gateway.

NAT gateway uses a subnet’s system default internet path to route traffic to the internet. Traffic doesn't pass through NAT gateway if a UDR is created to direct 0.0.0.0/0 traffic to next hop type NVA or a virtual network gateway.

No configuration on the subnet route table is required in order to start connecting outbound with NAT gateway. When NAT gateway is assigned to a subnet, NAT gateway becomes the next hop type for all internet destined traffic. Traffic can start connecting outbound to the internet as soon as NAT gateway is assigned to a subnet and at least one public IP address.

Yes, NAT gateway can be deployed without a public IP address or prefix and subnet. However, it's not operational until you attach at least one public IP address or prefix and a subnet.

Yes. Public IP addresses on your NAT gateway are fixed and don't change.

NAT gateway can use up to 16 public IP addresses. NAT gateway can use any combination of public IP addresses and public IP prefixes totaling to 16 addresses. NAT gateway can support the following prefix sizes: /28 (16 addresses), /29 (8 addresses), /30 (4 addresses), and /31 (2 addresses).

You can use public IP prefixes and addresses derived from custom IP prefixes (BYOIP) with your NAT gateway. See Custom IP address prefix (BYOIP) to learn more.

No, NAT gateway doesn't support IPv6 public IP addresses. You can however have a dual-stack configuration with NAT gateway and Load balancer to provide IPv4 and IPv6 outbound connectivity. See configure dual stack outbound connectivity with a NAT gateway and a public Load balancer for more information.

No, NAT gateway doesn't support public IP addresses with routing preference "internet". To see a list of Azure services that do support routing configuration type "internet" on public IPs, see supported services for routing over the public internet.

No, NAT gateway doesn't support public IP addresses with DDoS protection enabled. See DDoS limitations for more information.

No, the address of an existing public IP can't be changed. If you need to change the public IP address on your NAT gateway, see add or remove a public IP address for guidance.

Your subnet resources can use any of the public IP addresses attached to your NAT gateway for outbound connectivity. Each time a new outbound connection is made through NAT gateway, the outbound public IP is selected at random.

No. IP assignment to specific subnets or VM instances in a NAT gateway configured subnet isn't supported.

No. NAT gateway can't be attached to multiple virtual networks.

Yes. NAT gateway can be associated with up to 800 subnets in a virtual network. It isn't required to be associated with all subnets within a virtual network.

No. NAT gateway can't be associated with a gateway subnet.

No. NAT gateway operates based on the properties of the subnet, and so multiple NAT gateways can't be attached to a single subnet.

Traffic from the spoke VNets can be routed to the centralized hub VNet through an NVA or Azure Firewall. NAT gateway can then provide outbound connectivity for all spoke virtual networks from the centralized hub network. To set up NAT gateway in a hub and spoke architecture with NVAs, see use NAT gateway in a hub and spoke network. To use NAT gateway with Azure Firewall in a hub and spoke setup, see integrate NAT gateway with Azure Firewall.

NAT gateway can be zonal or placed in "no zone". For more information, see NAT gateway and availability zones.

A "no zone" NAT gateway is placed into a zone for you by Azure.

A zonal NAT gateway is associated to a specific zone by the user when the NAT gateway is created.

The zonal configuration of NAT gateway can't be changed after deployment.

A zone-redundant public IP address can be attached to a "no zone" NAT gateway only. A NAT gateway designated to a specific zone must be attached to a public IP address from the same zone.

No. NAT gateway is compatible with standard SKU resources. Learn more from NAT gateway basics You can upgrade your basic Load balancer and basic public IP address to standard in order to work with NAT gateway.

To upgrade a basic Load balancer to standard, see Upgrade Azure Public Load Balancer. To upgrade a basic public IP to standard, see Upgrade a public IP address. To upgrade a basic public IP with an attached VM to standard, see Upgrade a basic public IP address with an attached VM.

For TCP connections, the idle timeout timer defaults to 4 minutes and is configurable up to 120 minutes. If you need to maintain long connection flows, use TCP keepalives instead of extending the idle timeout timer. TCP keepalives maintain active connections for a longer period.

The UDP idle timeout timer is set to 4 minutes and isn't configurable.

When a TCP/UDP connection is closed, the port is placed in a cool down period before it can be reused to connect to the same destination endpoint. For more information, see SNAT port reuse timers. Connections going to a different destination can use a SNAT port right away. For more information, see SNAT with NAT gateway.

Yes. NAT gateway can be used with Azure App Services in order to allow applications to direct outbound traffic to the internet from a virtual network. To use this integration between NAT gateway and Azure App Services, regional virtual network integration must be enabled. For guidance on how to enable virtual network integration with NAT gateway, see NAT gateway integration.

Yes. For more information about NAT gateway integration with Azure Kubernetes Service, see Managed NAT Gateway.

Yes. NAT gateway can be used with Azure Firewall. Azure Firewall when used with NAT gateway should be in a zonal configuration. NAT gateway works with a zone redundant firewall, but it’s not a recommended deployment at this time. For more information about NAT gateway integration with Azure Firewall, see Scale SNAT ports with Azure NAT Gateway.

Yes. The addition of a NAT gateway to a subnet with service endpoints doesn't affect the endpoints. Virtual Network service endpoints enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint traverses the Azure backbone instead of the internet. Private Link is recommended over service endpoints when connecting to Azure PaaS services directly from your Azure network.

Next steps

If your question is not listed above, please send feedback about this page with your question. This will create a GitHub issue for the product team to ensure all of our valued customer questions are answered.