Quickstart: Create a NAT gateway using the Azure CLI

In this quickstart, learn how to create a NAT gateway by using the Azure CLI. The NAT Gateway service provides outbound connectivity for virtual machines in Azure.

Diagram of resources created in nat gateway quickstart.

If you don't have an Azure subscription, create an Azure free account before you begin.


Create a resource group

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

az group create \
    --name test-rg \
    --location eastus2

Create the NAT gateway

In this section, create the NAT gateway and supporting resources.

Create public IP address

To access the Internet, you need one or more public IP addresses for the NAT gateway. Use az network public-ip create to create a public IP address resource.

az network public-ip create \
    --resource-group test-rg \
    --name public-ip-nat \
    --sku Standard \
    --location eastus2 \
    --zone 1 2 3

Create NAT gateway resource

Create an Azure NAT gateway with az network nat gateway create. The result of this command creates a gateway resource that uses the public IP address defined in the previous step. The idle timeout is set to 10 minutes.

az network nat gateway create \
    --resource-group test-rg \
    --name nat-gateway \
    --public-ip-addresses public-ip-nat \
    --idle-timeout 10

Create virtual network

Create a virtual network with a subnet with az network vnet create. The IP address space for the virtual network is The subnet within the virtual network is

az network vnet create \
    --name vnet-1 \
    --resource-group test-rg \
    --address-prefix \
    --subnet-name subnet-1 \

Create bastion host subnet

Create an Azure Bastion host to access the virtual machine.

Use az network vnet subnet create to create an Azure Bastion subnet.

az network vnet subnet create \
    --name AzureBastionSubnet \
    --resource-group test-rg \
    --vnet-name vnet-1 \

Create public IP address for the bastion host

Create a public IP address for the bastion host with az network public-ip create.

az network public-ip create \
    --resource-group test-rg \
    --name public-ip \
    --sku Standard \
    --location eastus2 \
    --zone 1 2 3

Create the bastion host

Use az network bastion create to create the bastion host.

Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource once you've finished using it. For more information about Azure Bastion, see Azure Bastion.

az network bastion create \
    --name bastion \
    --public-ip-address public-ip \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --location eastus2

The bastion host can take several minutes to deploy. Wait for the bastion host to deploy before moving on to the next section.

Configure NAT service for source subnet

Configure the source subnet in virtual network to use a specific NAT gateway resource with az network vnet subnet update. This command activates the NAT service on the specified subnet.

az network vnet subnet update \
    --name subnet-1 \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --nat-gateway nat-gateway

All outbound traffic to Internet destinations is now using the NAT gateway. It's not necessary to configure a UDR.

Create virtual machine

Create a virtual machine to test the NAT gateway to verify the public IP address of the outbound connection.

Create the virtual machine with az vm create.

az vm create \
    --resource-group test-rg \
    --name vm-1 \
    --image Ubuntu2204 \
    --public-ip-address "" \
    --vnet-name vnet-1 \
    --subnet subnet-1 \
    --admin-username azureuser \
    --authentication-type password

Wait for the virtual machine creation to complete before moving on to the next section.

Test NAT gateway

In this section, you test the NAT gateway. You first discover the public IP of the NAT gateway. You then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter Public IP. Select Public IP addresses in the search results.

  3. Select public-ip-nat.

  4. Make note of the public IP address:

    Discover public IP address of NAT gateway

  5. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  6. Select vm-1.

  7. On the Overview page, select Connect, then select the Bastion tab.

  8. Select Use Bastion.

  9. Enter the username and password entered during VM creation. Select Connect.

  10. In the bash prompt, enter the following command:

    curl ifconfig.me
  11. Verify the IP address returned by the command matches the public IP address of the NAT gateway.

    azureuser@vm-1:~$ curl ifconfig.me

Clean up resources

If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following CLI command:

  az group delete \
    --name test-rg

Next steps

For more information on Azure NAT Gateway, see: