Azure NAT Gateway is a fully managed Network Address Translation (NAT) service that enables outbound internet connectivity for resources in private subnets. NAT Gateway blocks all unsolicited inbound connections and masks private IP addresses behind static public IPs, providing a secure-by-default outbound connectivity model.
This article provides security recommendations for Azure NAT Gateway. For an overview of Azure's network security services and how they work together, see What is Azure network security?.
The security recommendations in this article implement Zero Trust principles: "Verify explicitly", "Use least privilege access", and "Assume breach". For comprehensive Zero Trust guidance, see the Zero Trust Guidance Center.
Network security
Azure NAT Gateway follows a Zero Trust network security model, blocking unsolicited inbound traffic by design. Only return traffic from active outbound connections passes through the gateway.
Associate NAT Gateway with private subnets: Enable private subnets to remove default outbound access and require explicit outbound connectivity through NAT Gateway. This prevents resources from using unpredictable default outbound IP addresses. For more information, see Design virtual networks with Azure NAT Gateway.
Scale public IP addresses for SNAT port availability: Assign multiple public IP addresses or a public IP prefix to your NAT Gateway to increase the available SNAT port inventory and reduce the risk of SNAT port exhaustion. Each public IP address provides 64,512 SNAT ports. For more information, see Azure NAT Gateway resource.
Use predictable outbound IPs for firewall allowlisting: Assign a public IP prefix to NAT Gateway to provide a contiguous, predictable set of outbound IP addresses. Configure destination firewall rules based on this known IP range. For more information, see What is Azure NAT Gateway?.
Integrate with Azure Firewall for traffic inspection: Deploy NAT Gateway on the Azure Firewall subnet in a hub-and-spoke topology to combine outbound SNAT scalability with centralized traffic inspection and threat protection. For firewall-specific hardening guidance, see Secure your Azure Firewall deployment. For more information, see Tutorial: Integrate NAT gateway with Azure Firewall in a hub-and-spoke network.
Use Private Link to reduce internet exposure: Connect to Azure PaaS services through Azure Private Link instead of routing through NAT Gateway. This reduces outbound internet traffic, frees SNAT ports, and eliminates public internet exposure for Azure service communication. For more information, see Design virtual networks with Azure NAT Gateway.
Restrict NAT Gateway subnet scope: Associate NAT Gateway only with subnets that require outbound internet access. Subnets hosting internal-only workloads should not have a NAT Gateway association. For more information, see Azure NAT Gateway resource.
For related network-layer security guidance, see Secure your Virtual Network deployment and Secure your Azure Load Balancer deployment.
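The private-subnet pattern described in this section, written out as a Bicep template. This is an added example, not code from the article or from the NAT Gateway product team; the resource names, address ranges, the /30 prefix length, the idle timeout and the Standard SKU are assumptions (the article's StandardV2 recommendation would change sku.name and, as assumed here, needs matching StandardV2 public IP resources).

```bicep
// Added example: a VNet where outbound internet access exists only for the
// subnet explicitly associated with the NAT gateway. All names and ranges
// below are illustrative (assumed), not values from the article.
param location string = resourceGroup().location

// Contiguous egress range (4 addresses) that destination firewalls can allow-list.
resource egressPrefix 'Microsoft.Network/publicIPPrefixes@2024-01-01' = {
  name: 'pip-prefix-egress'
  location: location
  sku: { name: 'Standard', tier: 'Regional' }
  properties: { prefixLength: 30 }
}

resource natGw 'Microsoft.Network/natGateways@2024-01-01' = {
  name: 'natgw-workload'
  location: location
  sku: { name: 'Standard' }          // 'StandardV2' for zone redundancy (assumed to need StandardV2 IPs)
  properties: {
    idleTimeoutInMinutes: 4          // short idle timeout: long timeouts hold SNAT ports longer
    publicIpPrefixes: [ { id: egressPrefix.id } ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // Internet-facing workers: private subnet plus explicit NAT association.
        name: 'snet-workers'
        properties: {
          addressPrefix: '10.10.1.0/24'
          defaultOutboundAccess: false     // removes the unpredictable default outbound IP
          natGateway: { id: natGw.id }
        }
      }
      {
        // Internal-only tier: private subnet with no NAT association at all.
        name: 'snet-internal'
        properties: {
          addressPrefix: '10.10.2.0/24'
          defaultOutboundAccess: false
        }
      }
    ]
  }
}
```

A VM in snet-internal has no outbound internet path, so a misconfigured workload there fails closed instead of egressing from an IP you never allow-listed.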
Identity and access management
Control who can create, modify, and delete NAT Gateway resources using Azure role-based access control.
Assign least-privilege roles for NAT Gateway management: Use the Network Contributor built-in role for users who need to manage NAT Gateway resources, rather than granting broader roles like Contributor. For more information, see Azure built-in roles for Networking.
Apply resource locks to prevent accidental deletion: Set a Delete lock on production NAT Gateway resources to prevent accidental removal, which would immediately disrupt outbound connectivity for all associated subnets. For more information, see Lock your Azure resources to protect your infrastructure.
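The two recommendations above, a least-privilege role assignment and a delete lock, applied to an existing NAT gateway in Bicep. Added example, not from the article; the principal ID, gateway name and lock name are assumed deploy-time values, while the Network Contributor role definition ID is the fixed built-in one.

```bicep
// Added example: scope Network Contributor to the gateway itself and add a
// CanNotDelete lock. principalId and natGatewayName are assumed inputs.
param principalId string                          // object ID of the operator group
param natGatewayName string = 'natgw-workload'

resource natGw 'Microsoft.Network/natGateways@2024-01-01' existing = {
  name: natGatewayName
}

// Built-in Network Contributor role (fixed role definition ID).
var networkContributorRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')

// Assigned at the resource scope, not the resource group, so the operators
// can manage this gateway and nothing else.
resource natOperators 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(natGw.id, principalId, networkContributorRoleId)
  scope: natGw
  properties: {
    roleDefinitionId: networkContributorRoleId
    principalId: principalId
    principalType: 'Group'
  }
}

// Delete lock: even a Network Contributor cannot remove the gateway until
// someone with lock rights (Owner or User Access Administrator) lifts it.
resource deleteLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-natgw-no-delete'
  scope: natGw
  properties: {
    level: 'CanNotDelete'
    notes: 'Deleting this NAT gateway breaks outbound connectivity for every associated subnet.'
  }
}
```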
Data protection
Azure NAT Gateway operates at the network layer and does not inspect, store, or process customer data content.
Use NAT Gateway for outbound IP masking: NAT Gateway replaces private source IP addresses and ports with its public IP and translated SNAT ports, hiding internal network topology from external destinations. For more information, see Azure NAT Gateway SNAT.
Implement end-to-end encryption for sensitive traffic: Because NAT Gateway operates at Layer 4, configure TLS encryption at the application layer for all sensitive outbound communication passing through the gateway. For more information, see Azure data security and encryption best practices.
Logging and monitoring
Monitor NAT Gateway health and traffic patterns to detect SNAT exhaustion, connectivity failures, and unusual outbound activity.
Enable flow logs for outbound traffic auditing (StandardV2): Configure NAT Gateway flow logs through diagnostic settings to capture source and destination IPs, translated NAT IPs, packet counts, and dropped packet data. Use flow logs for compliance auditing, forensic analysis, and anomaly detection. For more information, see Monitor NAT gateway with flow logs.
Configure SNAT exhaustion alerts: Create Azure Monitor alerts when the SNAT Connection Count metric shows failed connections greater than zero. Failed SNAT connections indicate port exhaustion, which causes outbound connectivity failures. For more information, see NAT Gateway metrics and alerts.
Monitor datapath availability: Set up alerts when Datapath Availability drops below 90% over a 15-minute window, which indicates NAT Gateway infrastructure degradation. For more information, see NAT Gateway metrics and alerts.
Alert on connection count limits: Configure alerts when Total SNAT Connection Count approaches 1.6 million (80% of the 2-million maximum) to proactively prevent connectivity degradation. For more information, see NAT Gateway metrics and alerts.
Use Network Insights dashboards: Deploy the pre-configured NAT Gateway Network Insights dashboard in Azure Monitor for a visual overview of metrics, traffic patterns, and health status. For more information, see Monitor NAT gateway.
Configure resource health alerts: Set up Azure Resource Health alerts to receive notifications when NAT Gateway enters a degraded or unavailable state. For more information, see Resource health for NAT gateway.
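The three metric alerts recommended above (failed SNAT connections, datapath availability below 90% over 15 minutes, and total connections at 80% of the 2-million limit) as one Bicep loop. Added example, not code from the article; the alert names, severities and the Maximum aggregation for the connection-count rule are assumptions, and the ConnectionState dimension filter is the metric dimension this example assumes selects the failed-SNAT series.

```bicep
// Added example: one Azure Monitor metric alert per recommendation in this
// section. natGatewayId and actionGroupId are assumed deploy-time inputs.
param natGatewayId string      // resource ID of the NAT gateway to watch
param actionGroupId string     // action group that receives the notifications

// Thresholds are the article's; names, severities and aggregations are assumed.
var rules = [
  { name: 'natgw-snat-failed', metric: 'SNATConnectionCount', op: 'GreaterThan', threshold: 0, agg: 'Total', window: 'PT5M', severity: 1, dims: [ { name: 'ConnectionState', operator: 'Include', values: [ 'Failed' ] } ] }
  { name: 'natgw-datapath-degraded', metric: 'DatapathAvailability', op: 'LessThan', threshold: 90, agg: 'Average', window: 'PT15M', severity: 1, dims: [] }
  { name: 'natgw-connections-80pct', metric: 'TotalConnectionCount', op: 'GreaterThan', threshold: 1600000, agg: 'Maximum', window: 'PT5M', severity: 2, dims: [] }
]

resource alerts 'Microsoft.Insights/metricAlerts@2018-03-01' = [for rule in rules: {
  name: rule.name
  location: 'global'               // metric alert rules are global resources
  properties: {
    severity: rule.severity
    enabled: true
    scopes: [ natGatewayId ]
    evaluationFrequency: 'PT5M'    // evaluate every 5 minutes over the rule's window
    windowSize: rule.window
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'criterion1'
          metricNamespace: 'Microsoft.Network/natGateways'
          metricName: rule.metric
          operator: rule.op
          threshold: rule.threshold
          timeAggregation: rule.agg
          dimensions: rule.dims    // empty list means the whole metric, no dimension filter
        }
      ]
    }
    actions: [ { actionGroupId: actionGroupId } ]
  }
}]
```

Firing the failed-SNAT rule on any non-zero count is deliberate: a single failed SNAT connection already means clients saw a dropped flow, so there is no safe higher threshold.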
Compliance and governance
Enforce consistent security configurations across NAT Gateway deployments using policy and governance controls.
Audit availability zone configuration with Azure Policy: Use the built-in policy definition "[Preview]: NAT gateway should be Zone Aligned" to audit or deny NAT Gateway deployments that don't have exactly one entry in their zones array. The NAT Gateway resilience policies are typically in Preview; review the policy version and its effects before enforcing them in production. For zone-redundant outbound connectivity, deploy the StandardV2 SKU (zone-redundant by default) rather than relying on policy alone. For more information, see Azure Policy built-in definitions for Azure networking services.
Monitor resource health history: Review the 30-day resource health history for NAT Gateway resources to identify patterns of degradation or availability issues that may indicate underlying infrastructure problems. For more information, see Resource health for NAT gateway.
Backup and recovery
Azure NAT Gateway is a fully managed service with built-in resilience, but design choices affect availability during zone or region failures.
Deploy StandardV2 for zone redundancy: Use the StandardV2 SKU, which is zone-redundant by default. When an availability zone failure occurs, new connections automatically flow from the remaining healthy zones with no manual intervention. For more information, see Design virtual networks with Azure NAT Gateway.
Plan for regional resiliency: NAT Gateway is a regional resource and doesn't provide native multi-region capabilities or automatic failover between regions. For multi-region architectures, deploy independent NAT Gateway instances in each region and use zone-redundant or multi-region application architecture for workload resilience. For more information, see Reliability in Azure NAT Gateway.