Source network address translation (SNAT) is no longer required for private endpoint destined traffic passing through a network virtual appliance (NVA). You can now configure a tag on your NVA virtual machines to notify the Microsoft platform that you wish to opt into this feature. This means SNAT is no longer necessary for private endpoint destined traffic traversing your NVA.
Enabling this feature provides a more streamlined experience for guaranteeing symmetric routing without affecting nonprivate endpoint traffic. It also allows you to follow internal compliance standards where the source of traffic origination needs to be available during logging. This feature is available in all regions.
Note
Disabling SNAT for private endpoint traffic passing through a Network Virtual Appliance (NVA) causes a one-time reset of all long-running private endpoint connections established through the NVA. To minimize disruption, it's recommended to configure this feature during a maintenance window. This update will only affect traffic passing through your NVA; private endpoint traffic that bypasses the NVA won't be affected.
Prerequisites
- An active Azure account with a subscription. Create an account for free.
- A configured private endpoint in your subscription. For more information on how to create a private endpoint, see Create a private endpoint.
- A network virtual appliance (NVA) deployed in your subscription. For the example in this article, a virtual machine (VM) is used as the NVA. For more information on how to deploy a virtual machine, see Quickstart: Create a Windows virtual machine in the Azure portal.
- Understanding of how to add tags to Azure resources. For more information, see Use tags to organize your Azure resources.
Disable SNAT requirement for Private Endpoint traffic through NVA
The type of NVA you're using determines how to disable SNAT for private endpoint traffic passing through the NVA. For a virtual machine, you add a tag on the network interface (NIC). For a virtual machine scale set, you enable the tag on the virtual machine scale set instance.
Add Tag to your virtual machine NIC
Here we add the tag to the virtual machine's NIC.
Sign in to the Azure portal.
In the search bar at the top, search for and select virtual machines.
From the list of virtual machines, select your virtual machine.
In the left navigation pane under Settings, select Networking, then select Network settings.
Under the Network Interface section, select the NIC name. This opens the Network interface pane.
In the left navigation pane under Overview, select Tags.
Add a new tag with the following details:
| Field | Value |
| --- | --- |
| Name | disableSnatOnPL |
| Value | true |
Select Apply to save the tag.
Select the Overview section, then select Refresh to see the updated tags.
Note
The tag is case-sensitive. Ensure you enter it exactly as shown.
Add Tag to your Virtual Machine Scale Sets
Here we add the tag to the virtual machine scale set instance.
Sign in to the Azure portal.
In the search bar at the top, search for and select virtual machine scale sets.
From the list of scale sets, select your virtual machine scale set.
In the left navigation pane under Overview, select Tags.
Add a new tag with the following details:
| Field | Value |
| --- | --- |
| Name | disableSnatOnPL |
| Value | true |
Select Apply to save the tag.
Select the Overview section, then select Refresh to see the updated tags.
Note
The tag is case-sensitive. Ensure you enter it exactly as shown.
Validate the Tag
Verify the tag is present in the virtual machine's NIC settings or virtual machine scale set settings.
- Navigate to the Tags service in the Azure portal.
- In the Filter by field, type disableSnatOnPL.
- Select the tag from the list. Here you see all resources with the tag.
- Select the resource to view the tag details.
To learn more, see View resources by tag.
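
The validation step above can also be scripted. This is an added example, not part of the original article: a Python check that reads the JSON array produced by `az network nic list -o json` (or `az vmss list -o json`) and flags resources where the tag is missing or differs from what the article shows. The resource names are constructed, and treating any value other than the literal `true` as a mismatch is an assumption based on the note to enter the tag exactly as shown.

```python
import json

# Tag name and value as given in the article; the name is case-sensitive.
TAG_NAME = "disableSnatOnPL"
TAG_VALUE = "true"

def classify(resource):
    """Return 'ok', 'mismatch' or 'missing' for one resource object."""
    tags = resource.get("tags") or {}  # the CLI emits null when no tags are set
    if tags.get(TAG_NAME) == TAG_VALUE:
        return "ok"
    # Same tag name apart from letter case, or right name with another value.
    # Assumption: anything but the literal value "true" counts as a mismatch.
    if any(name.lower() == TAG_NAME.lower() for name in tags):
        return "mismatch"
    return "missing"

def audit(az_json):
    """Map resource name -> status for a JSON array of Azure resources."""
    return {r["name"]: classify(r) for r in json.loads(az_json)}

# Constructed sample in the shape of `az network nic list -o json`,
# reduced to the fields used here. Names are hypothetical.
SAMPLE = """
[
  {"name": "nva1-nic", "tags": {"disableSnatOnPL": "true", "env": "prod"}},
  {"name": "nva2-nic", "tags": {"DisableSNATOnPL": "true"}},
  {"name": "nva3-nic", "tags": {"disableSnatOnPL": "True"}},
  {"name": "nva4-nic", "tags": {"env": "prod"}},
  {"name": "nva5-nic", "tags": null}
]
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8}  {name}")
```

A `mismatch` result is the case the portal's tag filter can hide: the resource carries a tag that looks right but does not match the name and value exactly as the article gives them.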