Quickstart: Create a NAT gateway using the Azure CLI

This quickstart shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

If you don't have an Azure subscription, create an Azure free account before you begin.


Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com.

When Cloud Shell opens, verify that Bash is selected for your environment. Subsequent sessions will use Azure CLI in a Bash environment. Select Copy to copy the blocks of code, paste them into the Cloud Shell, and press Enter to run them.

Sign in to Azure

Cloud Shell is automatically authenticated under the account you initially signed in with. Use the following script to sign in using a different subscription, replacing <subscriptionId> with your Azure subscription ID.

subscription="<subscriptionId>" # add subscription here

az account set -s "$subscription" # ...or use 'az login'

For more information, see set active subscription or log in interactively.

Set parameter values to create resources

Set the parameter values for use in creating the required resources. The Bash $RANDOM variable is used to create unique object names.

# Variable block
let "randomIdentifier=$RANDOM*$RANDOM"
location="East US"

# The password is left out of the message so it does not end up in terminal scrollback or session logs
echo "Using resource group $resourceGroup with login: $login"
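The commands in the following sections reference variables such as $publicIp, $sku and $password that the block above does not define. The following added example (not part of the original quickstart) defines them; every resource name, the address ranges and the image alias are assumed placeholder values, and gen_admin_password and set_quickstart_vars are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: variable block for the commands in this quickstart.
# Every name, address range and the image alias is a constructed placeholder.

# Build the admin password from the kernel CSPRNG instead of hardcoding it.
# The fixed suffix guarantees upper case, lower case, digit and symbol classes.
gen_admin_password() {
  local body
  body=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 20)
  printf '%s-aA1!' "$body"
}

set_quickstart_vars() {
  randomIdentifier=$(( RANDOM * RANDOM ))
  location="East US"
  resourceGroup="nat-quickstart-rg-$randomIdentifier"
  tag="nat-quickstart"
  sku="Standard"                      # NAT gateway needs a Standard SKU public IP
  allocationMethod="Static"
  zone="1"
  publicIp="nat-public-ip-$randomIdentifier"
  natGateway="nat-gateway-$randomIdentifier"
  vNet="nat-vnet-$randomIdentifier"
  addressPrefix="10.1.0.0/16"
  subnet="nat-subnet-$randomIdentifier"
  subnetPrefix="10.1.0.0/24"
  bastionSubnet="AzureBastionSubnet"  # Azure Bastion requires this exact name
  addressPrefixBastion="10.1.1.0/26"  # must not overlap $subnetPrefix
  bastionPublicIp="bastion-public-ip-$randomIdentifier"
  bastionHost="bastion-host-$randomIdentifier"
  # Windows computer names are limited to 15 characters, so keep this short.
  vm="natvm-$(( randomIdentifier % 100000 ))"
  login="azureuser"
  image="Win2019Datacenter"
  password=$(gen_admin_password)
}

set_quickstart_vars
# Report what will be created, but never the password itself.
echo "Using resource group $resourceGroup with login: $login"
```

The generated password stays in the $password shell variable for the session; display it only at the point where you need it for the Bastion sign-in.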

Create a resource group

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

# Create a resource group
echo "Creating $resourceGroup in $location..."
az group create --name $resourceGroup --location "$location" --tags $tag

Create the NAT gateway

In this section we create the NAT gateway and supporting resources.

Create public IP address

To access the Internet, you need one or more public IP addresses for the NAT gateway. Use az network public-ip create to create a public IP address resource.

# Create public IP address
echo "Creating $publicIp"
az network public-ip create --resource-group $resourceGroup --location "$location" --name $publicIp --sku $sku --allocation-method $allocationMethod --zone $zone

Create NAT gateway resource

Create a global Azure NAT gateway with az network nat gateway create. This command creates a gateway resource that uses the public IP address defined in the previous step. The idle timeout is set to 10 minutes.

# Create NAT gateway resource
echo "Creating $natGateway using $publicIp" 
az network nat gateway create --resource-group $resourceGroup --name $natGateway --public-ip-addresses $publicIp --idle-timeout 10

Create virtual network

Create a virtual network with a subnet with az network vnet create. The IP address space for the virtual network is The subnet within the virtual network is

# Create virtual network
echo "Creating $vNet using $addressPrefix"
az network vnet create --resource-group $resourceGroup --location "$location" --name $vNet --address-prefix $addressPrefix --subnet-name $subnet --subnet-prefix $subnetPrefix

Create bastion host subnet

Create an Azure Bastion host to access the virtual machine.

Use az network vnet subnet create to create an Azure Bastion subnet.

# Create bastion subnet
echo "Creating $bastionSubnet in $vNet"
az network vnet subnet create --resource-group $resourceGroup --name $bastionSubnet --vnet-name $vNet --address-prefixes $addressPrefixBastion

Create public IP address for the bastion host

Create a public IP address for the bastion host with az network public-ip create.

# Create a public IP address for the bastion host
echo "Creating $bastionPublicIp"
az network public-ip create --resource-group $resourceGroup --name $bastionPublicIp --sku $sku --zone $zone

Create the bastion host

Use az network bastion create to create the bastion host.

# Create the bastion host
echo "Creating $bastionHost using $bastionPublicIp"
az network bastion create --resource-group $resourceGroup --name $bastionHost --public-ip-address $bastionPublicIp --vnet-name $vNet --location "$location"

Configure NAT service for source subnet

Configure the source subnet in the virtual network to use a specific NAT gateway resource with az network vnet subnet update. This command activates the NAT service on the specified subnet.

# Configure NAT service for source subnet
echo "Creating $natGateway for $subnet"
az network vnet subnet update --resource-group $resourceGroup --vnet-name $vNet --name $subnet --nat-gateway $natGateway

All outbound traffic to Internet destinations is now using the NAT gateway. It's not necessary to configure a user-defined route (UDR).

Create virtual machine

Create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

Create the virtual machine with az vm create.

# Create virtual machine
echo "Creating $vm"
az vm create --name $vm --resource-group $resourceGroup --admin-username $login --admin-password "$password" --image $image --public-ip-address "" --subnet $subnet --vnet-name $vNet --public-ip-sku $sku

Wait for the virtual machine creation to complete before moving on to the next section.

Test NAT gateway

In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

  1. Sign in to the Azure portal.

  2. Find the public IP address for the NAT gateway on the Overview screen. Select All services in the left-hand menu, select All resources, and then select myPublicIP.

  3. Make note of the public IP address:

    [Screenshot: Discover public IP address of NAT gateway]

  4. Select All services in the left-hand menu, select All resources, and then from the resources list, select myVM that is located in the myResourceGroupNAT resource group.

  5. On the Overview page, select Connect, then Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password entered during VM creation.

  8. Open Internet Explorer on myTestVM.

  9. Enter https://whatsmyip.com in the address bar.

  10. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

    [Screenshot: Internet Explorer showing external outbound IP]
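The portal steps above can be cross-checked from the CLI. This added example (not part of the original quickstart) reads the NAT gateway's public IP, confirms that the source subnet is associated with the gateway, and confirms that the VM has no public IP of its own; the function names are hypothetical, and the variables are the ones used by the earlier commands.

```shell
#!/usr/bin/env bash
# Added example: CLI checks for the NAT configuration built in this quickstart.
# Expects $resourceGroup, $publicIp, $natGateway, $vNet, $subnet and $vm to be set.

# Print the public IP address the NAT gateway uses for outbound traffic.
nat_public_ip() {
  az network public-ip show --resource-group "$resourceGroup" --name "$publicIp" \
    --query ipAddress --output tsv
}

# Succeed only if the source subnet is associated with the expected NAT gateway.
subnet_uses_nat() {
  local id
  id=$(az network vnet subnet show --resource-group "$resourceGroup" \
        --vnet-name "$vNet" --name "$subnet" --query natGateway.id --output tsv)
  case "$id" in
    */natGateways/"$natGateway") return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if the VM has no public IP of its own, so egress must use NAT.
vm_has_no_public_ip() {
  local ips
  ips=$(az vm list-ip-addresses --resource-group "$resourceGroup" --name "$vm" \
        --query "[].virtualMachine.network.publicIpAddresses[].ipAddress" --output tsv)
  [ -z "$ips" ]
}

# Compare the egress address observed from inside the VM with the NAT address.
check_egress() {
  local observed="$1" expected
  expected=$(nat_public_ip)
  [ -n "$expected" ] && [ "$observed" = "$expected" ]
}

# Usage, after the resources exist (the argument is the address seen in the VM's browser):
#   subnet_uses_nat && vm_has_no_public_ip && check_egress "<address shown in the VM>"
```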

Clean up resources

If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following CLI command:

  az group delete \
    --name $resourceGroup

Next steps

For more information on Azure Virtual Network NAT, see: