This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Service Fabric managed clusters have external facing IPs that allows external clients to access the resources of the cluster. However, in some scenarios, it may be preferable to provide internet access to these resources without exposing them directly to the internet. NAT gateways enable this function.
If your cluster has resources that need to receive inbound traffic from the internet but also has private resources that need to be protected, a NAT gateway can help. Additionally, if you have applications that need to make connections outside of the cluster to access secrets, storage, and other private resources, a NAT gateway can help.
Here are some of the benefits of using a NAT gateway for your managed cluster:
The following diagram depicts a cluster with a primary and secondary node type where each node type has their own subnet. The secondary node type is placed behind a NAT gateway, and all its outgoing traffic is routed through the gateway. When traffic originates from the secondary node type, the public IP address is that of the NAT gateway. Because all outgoing requests are routed through the NAT gateway, you can implement additional NSG rules, which improve security and prevents external services from discovering internal services.
The following scenarios are supported use cases for NAT gateways on Service Fabric managed clusters:
For your scenario, make sure you follow the steps to configure your managed cluster's network properly.
The following steps describe how to attach a NAT gateway to your virtual network subnets.
Follow the steps in the Azure NAT Gateway quickstart to create a NAT gateway.
Provide the Service Fabric resource provider permission to modify the NAT gateway's settings using role assignment. Follow the first two steps in Bring your own virtual network section of the Configure managed cluster network settings article, injecting your NAT gateway's information into subnet parameters.
Now, you're ready to attach the NAT gateway to your virtual network's subnet. You can use an ARM template, the Azure CLI, Azure PowerShell, or the Azure portal.
Modify and deploy the following ARM template to introduce the NAT gateway into your subnet's properties:
{
"apiVersion": "[variables('networkApiVersion')]",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnetName')]",
"location": "[resourcegroup().location]",
"dependsOn": [
"[parameters('natGatewayId'))]"
],
"properties": {
"subnets": [
{
"name": "[parameters('subnetName')]",
"properties": {
"addressPrefix": "[parameters('subnetAddressPrefix')]",
"natGateway": {
"id": "[parameters('natGatewayId'))]"
}
}
}
]
}
}
Modify and run the following Azure CLI command with your information:
az network vnet subnet update --resource-group myResourceGroup --vnet-name mvVNet --name mySubnet --nat-gateway myNATGateway
Place the virtual network into a variable
$net = @{
Name = `myVNet`
ResourceGroupName = 'myResourceGroup'
}
$vnet = Get-AzVirtualNetwork @net
Place the NAT gateway into a variable
$nat = @{
Name = 'myNATgateway'
ResourceGroupName = 'myResourceGroup'
}
$natGateway = Get-AzNatGateway @nat
Set the subnet configuration
$subnet = @{
Name = 'mySubnet'
VirtualNetwork = $vnet
NatGateway = $natGateway
AddressPrefix = '10.0.2.0/24'
}
Set-AzVirtualNetworkSubnetConfig @subnet
Save the configuration to the virtual network
$vnet | Set-AzVirtualNetwork
On the Azure portal, navigate to your virtual network resource.
Under Settings, select Subnets.
Select the subnet you want to associate with your NAT gateway.
Open the NAT gateway dropdown and select your NAT gateway.
Click Save.
The following steps describe how to attach a NAT gateway to your virtual network subnets.
Note
This scenario is only supported via ARM template.
Follow the steps in the Azure NAT Gateway quickstart to create a NAT gateway.
Provide the Service Fabric resource provider permission to modify the NAT gateway's settings using role assignment. Follow the first two steps in Bring your own virtual network section of the Configure managed cluster network settings article, injecting your NAT gateway's information into subnet parameters.
Add the following property to your deployment to attach the NAT gateway to your dedicated subnet:
{
"apiVersion": "2023-03-01-preview",
"type": "Microsoft.ServiceFabric/managedclusters/nodetypes",
"name": "[concat(parameters('clusterName'), '/', parameters('nodeTypeName'))]",
"location": "[parameters('clusterLocation')]",
"properties": {
...
"isPrimary": false,
"natGatewayId": "[variables('natID')]",
"frontendConfigurations": [...],
...
}
Training
Module
Introduction to Azure NAT Gateway - Training
Evaluate whether Microsoft Azure NAT Gateway is appropriate for resolving issues such as connection timeouts and delays connecting to the internet.
Certification
Microsoft Certified: Azure Network Engineer Associate - Certifications
Demonstrate the design, implementation, and maintenance of Azure networking infrastructure, load balancing traffic, network routing, and more.
Documentation
Networking patterns for Azure Service Fabric - Azure Service Fabric
Describes common networking patterns for Service Fabric and how to create a cluster by using Azure networking features.
Azure Service Fabric networking best practices - Azure Service Fabric
Rules and design considerations for managing network connectivity using Azure Service Fabric.