How to Guide: Disable SNAT requirement for Azure private endpoint traffic through NVA

Source network address translation (SNAT) is no longer required for private endpoint destined traffic passing through a network virtual appliance (NVA). You can now configure a tag on your NVA virtual machines to notify the Microsoft platform that you wish to opt into this feature. This means SNAT is no longer necessary for private endpoint destined traffic traversing your NVA.

Enabling this feature provides a more streamlined experience for guaranteeing symmetric routing without affecting traffic that isn't destined for private endpoints. It also allows you to follow internal compliance standards where the original source of the traffic needs to be available during logging. This feature is available in all regions.

Note

Disabling SNAT for private endpoint traffic passing through a Network Virtual Appliance (NVA) causes a one-time reset of all long-running private endpoint connections established through the NVA. To minimize disruption, it's recommended to configure this feature during a maintenance window. This update will only affect traffic passing through your NVA; private endpoint traffic that bypasses the NVA won't be affected.

Prerequisites

Disable SNAT requirement for Private Endpoint traffic through NVA

The type of NVA you're using determines where you place the tag to disable SNAT for private endpoint traffic passing through the NVA. For a virtual machine, you add the tag to its network interface (NIC). For a virtual machine scale set, you add the tag to the virtual machine scale set instance itself.

Add Tag to your virtual machine NIC

Here we add the tag to the virtual machine's NIC.

  1. Sign in to the Azure portal.

  2. In the search bar at the top, search for and select virtual machines.

  3. From the list of virtual machines, select your virtual machine.

  4. In the left navigation pane under Settings, select Networking, then select Network settings.

  5. Under the Network Interface section, select the NIC name. You're now in the Network interface pane.

  6. In the left navigation pane under Overview, select Tags.

  7. Add a new tag with the following details:

    Field   Value
    Name    disableSnatOnPL
    Value   true

  8. Select Apply to save the tag.

  9. Select the Overview section, then select Refresh to see the updated tags.

Note

The tag is case-sensitive. Ensure you enter it exactly as shown.

Add Tag to your Virtual Machine Scale Sets

Here we add the tag to the virtual machine scale set instance.

  1. Sign in to the Azure portal.

  2. In the search bar at the top, search for and select virtual machine scale sets.

  3. From the list of scale sets, select your virtual machine scale set.

  4. In the left navigation pane under Overview, select Tags.

  5. Add a new tag with the following details:

    Field   Value
    Name    disableSnatOnPL
    Value   true

  6. Select Apply to save the tag.

  7. Select the Overview section, then select Refresh to see the updated tags.

Note

The tag is case-sensitive. Ensure you enter it exactly as shown.

Validate the Tag

Verify the tag is present in the virtual machine's NIC settings or virtual machine scale set settings.

  1. Navigate to the Tags service in the Azure portal.
  2. In the Filter by field, type disableSnatOnPL.
  3. Select the tag from the list. Here you see all resources with the tag.
  4. Select the resource to view the tag details.

To learn more, see View resources by tag.
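The two tagging procedures above (NIC for a virtual machine, scale set for a scale set) and the validation step share one pitfall the notes call out: the tag name and value are case-sensitive, so a tag that looks right but differs in case is silently ignored. The following is an added example, not code from this article or from Microsoft, that checks a tag set read from Azure for exactly that, and builds the CLI command to set the tag on the right resource type for each NVA type. It assumes `az tag update --operation Merge` for setting the tag (the article itself only shows the portal); the tag sets and resource IDs are constructed sample data standing in for `az network nic show --query tags -o json` or `az vmss show --query tags -o json` output.

```python
"""Added example (not from the article): check an NVA for the SNAT opt-out tag.

Validates that a tag set carries `disableSnatOnPL` = `true` with exact case, and
builds the Azure CLI command that would add the tag to the resource the article
says must carry it (NIC for a VM, the scale set for a VMSS).
"""

TAG_NAME = "disableSnatOnPL"
TAG_VALUE = "true"

# Resource type that must carry the tag, per NVA deployment type (from the article).
RESOURCE_TYPE_FOR_NVA = {
    "vm": "Microsoft.Network/networkInterfaces",
    "vmss": "Microsoft.Compute/virtualMachineScaleSets",
}


def check_snat_tag(tags):
    """Return a list of problems with the tag set; an empty list means it is correct.

    An exact match returns early. Otherwise the function reports why the platform
    would ignore the tag, separating a case mismatch (the article's warning) from a
    missing tag or a wrong value.
    """
    tags = tags or {}
    if TAG_NAME in tags:
        value = tags[TAG_NAME]
        if value == TAG_VALUE:
            return []
        if isinstance(value, str) and value.lower() == TAG_VALUE:
            return [f"value {value!r} has wrong case; expected {TAG_VALUE!r}"]
        return [f"value {value!r} is not {TAG_VALUE!r}"]
    near_misses = [k for k in tags if k.lower() == TAG_NAME.lower()]
    if near_misses:
        return [f"tag name {near_misses[0]!r} has wrong case; expected {TAG_NAME!r}"]
    return [f"tag {TAG_NAME!r} is missing"]


def az_tag_command(nva_type, resource_id):
    """Build the Azure CLI command that merges the tag into the resource's tags.

    Assumption (not shown in the article): `az tag update --operation Merge` is used
    so that existing tags on the NIC or scale set are preserved. The resource ID is
    checked against the resource type the article says must carry the tag.
    """
    resource_type = RESOURCE_TYPE_FOR_NVA[nva_type]
    if f"/providers/{resource_type}/".lower() not in resource_id.lower():
        raise ValueError(
            f"a {nva_type} NVA must be tagged on a {resource_type} resource, got {resource_id}"
        )
    return (f"az tag update --resource-id {resource_id} "
            f"--operation Merge --tags {TAG_NAME}={TAG_VALUE}")


# Constructed sample data: tag sets shaped like `--query tags -o json` output.
SAMPLE_TAGS = {
    "correct": {"env": "prod", "disableSnatOnPL": "true"},
    "name_wrong_case": {"env": "prod", "DisableSnatOnPL": "true"},
    "value_wrong_case": {"disableSnatOnPL": "True"},
    "wrong_value": {"disableSnatOnPL": "yes"},
    "missing": {"env": "prod"},
    "no_tags": None,
}

# Constructed resource IDs with a placeholder subscription ID.
NIC_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-nva"
          "/providers/Microsoft.Network/networkInterfaces/nva-vm-nic")
VMSS_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-nva"
           "/providers/Microsoft.Compute/virtualMachineScaleSets/nva-vmss")


def audit_samples():
    """Run the check over every sample tag set and return {name: problems}."""
    return {name: check_snat_tag(tags) for name, tags in SAMPLE_TAGS.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name:18} {'OK' if not problems else '; '.join(problems)}")
    print(az_tag_command("vm", NIC_ID))
    print(az_tag_command("vmss", VMSS_ID))
```

In practice you would feed `check_snat_tag` the parsed output of `az network nic show --ids <nic-id> --query tags -o json` for a VM-based NVA, or `az vmss show --ids <vmss-id> --query tags -o json` for a scale set, and only treat the NVA as opted in when the returned problem list is empty. The resource-type check in `az_tag_command` guards against the other easy mistake: tagging the scale set's NIC, or the VM's scale set, where the platform won't look for it.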

Next Step