Manage inbound NAT rules for Azure Load Balancer

An inbound NAT rule is used to forward traffic from a load balancer frontend to one or more instances in the backend pool.

There are two types of inbound NAT rule:

• Inbound NAT rule V1 for VMs - Targets a single machine in the backend pool of the load balancer

• Inbound NAT rule V2 for VMs and VMSS- Targets multiple virtual machines in the backend pool of the load balancer

In this article, you learn how to add and remove an inbound NAT rule for both types. You learn how to change the frontend port allocation in a multiple instance inbound NAT rule. You can choose from the Azure portal, PowerShell, or CLI examples.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

• A public load balancer in your subscription. For more information on creating an Azure Load Balancer, see Quickstart: Create a public load balancer to load balance VMs using the Azure portal. The load balancer name for the examples in this article is myLoadBalancer.
• If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Inbound NAT rule V1 for VMs

Choose this option to configure a rule for a single VM. Select Azure portal, PowerShell, or CLI for instructions.

Portal

In this example, you create an inbound NAT rule to forward port 500 to backend port 443.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3. Select myLoadBalancer or your load balancer.

4. In the load balancer page, select Inbound NAT rules in Settings.

5. Select + Add in Inbound NAT rules to add the rule.

   

6. Enter or select the following information in Add inbound NAT rule.

   Setting	Value
   Name	Enter myInboundNATrule.
   Type	Select Azure Virtual Machine.
   Target virtual machine	Select the virtual machine that you wish to forward the port to. In this example, it's myVM1.
   Network IP configuration	Select the IP configuration of the virtual machine. In this example, it's ipconfig1(10.1.0.4).
   Frontend IP address	Select myFrontend.
   Frontend Port	Enter 500.
   Service Tag	Leave the default of Custom.
   Backend port	Enter 443.
   Protocol	Select TCP.

7. Leave the rest of the settings at the defaults and select Add.

   

PowerShell

Use Get-AzLoadBalancer to place the load balancer information into a variable.

Use Add-AzLoadBalancerInboundNatRuleConfig to create the inbound NAT rule.

To save the configuration to the load balancer, use Set-AzLoadBalancer.

Use Get-AzLoadBalancerInboundNatRuleConfig to place the newly created inbound NAT rule information into a variable.

Use Get-AzNetworkInterface to place the network interface information into a variable.

Use Set-AzNetworkInterfaceIpConfig to add the newly created inbound NAT rule to the IP configuration of the network interface.

To save the configuration to the network interface, use Set-AzNetworkInterface.

## Place the load balancer information into a variable for later use. ##
$slb = @{
    ResourceGroupName = 'myResourceGroup'
    Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb

## Create the single virtual machine inbound NAT rule. ##
$rule = @{
    Name = 'myInboundNATrule'
    Protocol = 'Tcp'
    FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
    FrontendPort = '500'
    BackendPort = '443'
}
$lb | Add-AzLoadBalancerInboundNatRuleConfig @rule

$lb | Set-AzLoadBalancer

## Add the inbound NAT rule to a virtual machine 

$NatRule = @{                                                                                       
    Name = 'MyInboundNATrule'
    LoadBalancer = $lb
}

$NatRuleConfig = Get-AzLoadBalancerInboundNatRuleConfig @NatRule 

$NetworkInterface = @{                                                                                           
     ResourceGroupName = 'myResourceGroup'
     Name = 'MyNIC'
 }

 $NIC = Get-AzNetworkInterface @NetworkInterface
 
 $IPconfig = @{                                                                                       
    Name = 'Ipconfig'
    LoadBalancerInboundNatRule = $NatRuleConfig
}

$NIC | Set-AzNetworkInterfaceIpConfig @IPconfig

$NIC | Set-AzNetworkInterface  

CLI

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

In this example, you will create an inbound NAT rule to forward port 500 to backend port 443. You will then attach the inbound NAT rule to a VM's NIC

Use az network lb inbound-nat-rule create to create the NAT rule.

Use az network nic ip-config inbound-nat-rule add to add the inbound NAT rule to a VM's NIC

    az network lb inbound-nat-rule create \
        --backend-port 443 \
        --lb-name myLoadBalancer \
        --name myInboundNATrule \
        --protocol Tcp \
        --resource-group myResourceGroup \
        --frontend-ip-name myFrontend \
        --frontend-port 500

    az network nic ip-config inbound-nat-rule add \
        --resource-group myResourceGroup \
        --nic-name MyNic \
        --ip-config-name MyIpConfig \
        --inbound-nat-rule MyNatRule \
        --lb-name myLoadBalancer

Inbound NAT rule V2 for VM and VMSS

Choose this option to configure a rule with a range of ports to a backend pool of virtual machines. Select Azure portal, PowerShell, or CLI for instructions.

Portal

In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter Maximum number of machines in backend pool with a value of 500. This setting limits the backend pool to 500 virtual machines.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3. Select myLoadBalancer or your load balancer.

4. In the load balancer page, select Inbound NAT rules in Settings.

5. Select + Add in Inbound NAT rules to add the rule.

   

6. Enter or select the following information in Add inbound NAT rule.

   Setting	Value
   Name	Enter myInboundNATrule.
   Type	Select Backend pool.
   Target backend pool	Select your backend pool. In this example, it's myBackendPool.
   Frontend IP address	Select your frontend IP address. In this example, it's myFrontend.
   Frontend port range start	Enter 500.
   Maximum number of machines in backend pool	Enter 500.
   Backend port	Enter 443.
   Protocol	Select TCP.

7. Leave the rest at the defaults and select Add.

   

PowerShell

In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter -FrontendPortRangeEnd with a value of 1000. This setting limits the backend pool to 500 virtual machines.

Use Get-AzLoadBalancer to place the load balancer information into a variable.

Use Add-AzLoadBalancerInboundNatRuleConfig to create the inbound NAT rule.

To save the configuration to the load balancer, use Set-AzLoadBalancer

## Place the load balancer information into a variable for later use. ##
$slb = @{
    ResourceGroupName = 'myResourceGroup'
    Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb

## Create the multiple virtual machines inbound NAT rule. ##
$rule = @{
    Name = 'myInboundNATrule'
    Protocol = 'Tcp'
    BackendPort = '443'
    FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
    FrontendPortRangeStart = '500'
    FrontendPortRangeEnd = '1000'
    BackendAddressPool = $lb.BackendAddressPools[0]
}
$lb | Add-AzLoadBalancerInboundNatRuleConfig @rule

$lb | Set-AzLoadBalancer

CLI

In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter --frontend-port-range-end with a value of 1000. This setting limits the backend pool to 500 virtual machines.

Use az network lb inbound-nat-rule create to create the NAT rule.

    az network lb inbound-nat-rule create \
        --backend-port 443 \
        --lb-name myLoadBalancer \
        --name myInboundNATrule \
        --protocol Tcp \
        --resource-group myResourceGroup \
        --backend-pool-name myBackendPool \
        --frontend-ip-name myFrontend \
        --frontend-port-range-end 1000 \
        --frontend-port-range-start 500
        

Change frontend port allocation for a multiple VM rule

Portal

To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you change the Maximum number of machines in backend pool from 500 to 1000. This setting increases the maximum number of machines in the backend pool to 1000.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3. Select myLoadBalancer or your load balancer.

4. In the load balancer page, select Inbound NAT rules in Settings.

5. Select the inbound NAT rule you wish to change. In this example, it's myInboundNATrule.

   

6. In the properties of the inbound NAT rule, change the value in Maximum number of machines in backend pool to 1000.

7. Select Save.

   

PowerShell

To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you change the parameter -FrontendPortRangeEnd to 1500. This setting increases the maximum number of machines in the backend pool to 1000.

Use Get-AzLoadBalancer to place the load balancer information into a variable.

To change the port allocation, use Set-AzLoadBalancerInboundNatRuleConfig.

## Place the load balancer information into a variable for later use. ##
$slb = @{
    ResourceGroupName = 'myResourceGroup'
    Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb

## Set the new port allocation
$rule = @{
    Name = 'myInboundNATrule'
    Protocol = 'Tcp'
    BackendPort = '443'
    FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
    FrontendPortRangeStart = '500'
    FrontendPortRangeEnd = '1500'
    BackendAddressPool = $lb.BackendAddressPools[0]
}
$lb | Set-AzLoadBalancerInboundNatRuleConfig @rule

CLI

To accommodate more virtual machines in the backend pool, change the frontend port allocation in the inbound NAT rule. In this example, you change the parameter --frontend-port-range-end to 1500. This setting increases the maximum number of machines in the backend pool to 1000

Use az network lb inbound-nat-rule update to change the frontend port allocation.

    az network lb inbound-nat-rule update \
        --frontend-port-range-end 1500 \
        --lb-name myLoadBalancer \
        --name myInboundNATrule \
        --resource-group myResourceGroup
        

View port mappings

Port mappings for the virtual machines in the backend pool can be viewed by using the Azure portal.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3. Select myLoadBalancer or your load balancer.

4. In the load balancer page in, select Inbound NAT rules in Settings.

5. Select myInboundNATrule or your inbound NAT rule.

   

6. Scroll to the Port mapping section of the inbound NAT rule properties page.

   

Remove an inbound NAT rule

Portal

In this example, you remove an inbound NAT rule.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

3. Select myLoadBalancer or your load balancer.

4. In the load balancer page in, select Inbound NAT rules in Settings.

5. Select the three dots next to the rule you want to remove.

6. Select Delete.

   

PowerShell

In this example, you remove an inbound NAT rule.

Use Get-AzLoadBalancer to place the load balancer information into a variable.

To remove the inbound NAT rule, use Remove-AzLoadBalancerInboundNatRuleConfig.

To save the configuration to the load balancer, use Set-AzLoadBalancer.

## Place the load balancer information into a variable for later use. ##
$slb = @{
    ResourceGroupName = 'myResourceGroup'
    Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb

## Remove the inbound NAT rule
$lb | Remove-AzLoadBalancerInboundNatRuleConfig -Name 'myInboundNATrule'

$lb | Set-AzLoadBalancer

CLI

In this example, you remove an inbound NAT rule.

Use az network lb inbound-nat-rule delete to remove the rule.

    az network lb inbound-nat-rule delete \
        --lb-name myLoadBalancer \
        --name myInboundNATrule \
        --resource-group myResourceGroup

Next steps

In this article, you learned how to manage inbound NAT rules for an Azure Load Balancer using the Azure portal, PowerShell and CLI.

For more information about Azure Load Balancer, see:

• What is Azure Load Balancer?
• Frequently asked questions - Azure Load Balancer