This guide explains why you use an Azure NAT gateway, how it integrates with virtual networks and subnets, and the exact steps to deploy and validate it (Azure Portal + CLI/SSH). Follow the sections below for a concise, repeatable deployment and verification workflow.
Why use a NAT gateway
  • Provides a deterministic outbound IP address (or a set of IPs) for resources in a subnet.
  • Keeps VMs private (no public IPs required) while allowing outbound internet access.
  • Eliminates the need for custom outbound user-defined routes (UDRs) for typical internet-bound traffic.
  • Scales to support many concurrent outbound connections (with planning for SNAT ports).
Key deployment steps at a glance
| Step | Purpose | Notes |
| --- | --- | --- |
| Create NAT gateway | Provision the NAT resource in your Azure region | Choose single public IP or public IP prefix based on scale needs |
| Assign outbound IP(s) | Ensure deterministic outbound address(es) | Use public IP prefix for high concurrency to avoid SNAT exhaustion |
| Attach to subnet(s) | Route outbound traffic from target subnets through NAT | A NAT gateway can be attached to multiple subnets (within same VNet) |
| Adjust TCP idle timeout (optional) | Tune idle connection lifetime for your workload | Default 4 min; configurable 4–120 minutes |
A presentation slide titled "NAT Gateway Resource" showing three turquoise callouts with setup tips (create a NAT gateway, assign a static IP/prefix, adjust TCP idle timeout) alongside a screenshot of the Azure portal "Create NAT gateway" form with fields like subscription, resource group, name, region, and idle timeout.
The TCP idle timeout determines how long Azure keeps an idle TCP connection open. Default is 4 minutes; you can set it between 4 and 120 minutes. Increase this value for workloads that maintain long-lived idle connections (e.g., persistent database connections or long polling).
How NAT gateway integrates with VNets and subnets
  • Attach the NAT gateway to a subnet (or multiple subnets) inside the same VNet.
  • All resources (VMs, scale sets) in an attached subnet will use the NAT gateway for outbound Internet traffic.
  • No outbound UDRs are required — Azure automatically routes outbound traffic from the subnet to the NAT gateway.
  • A single NAT gateway may be attached to several subnets in the same VNet, but you cannot attach more than one NAT gateway to the same subnet.
In short: attaching a NAT gateway to a subnet provides secure, scalable, and deterministic outbound internet access for your instances.
Demo environment overview
The demo uses two VMs in a single VNet:
  • Management subnet: management VM with a public IP (used as a jumpbox).
  • App subnet: app VM without a public IP (will use NAT gateway for outbound traffic).
The management VM is used to SSH into the app VM via its private IP to validate outbound IP behavior.
A network diagram of an Azure vNet (vnet-az700-nat 10.80.0.0/16) showing two subnets — snet-az700-nat-mgmt (10.80.1.0/24) and snet-az700-nat-app (10.80.2.0/24) — each hosting a VM. It illustrates SSH from the internet to the mgmt_vm via a public IP, then SSH from the management subnet to the app_vm.
Provisioning the demo resources (PowerShell excerpt)
A simplified excerpt of the PowerShell script used to create the resource group, VNet/subnets, and two VMs (Ubuntu 22.04 LTS):
# Lab-wide variables. Names and prefixes match the demo diagram; the management
# public IP name is not given on the page and is an assumed placeholder.
$resourceGroup       = "rg-az700-nat"
$location            = "eastus"
$vnetName            = "vnet-az700-nat"
$vnetAddressSpace    = "10.80.0.0/16"
$mgmtSubnetName      = "snet-az700-nat-mgmt"
$mgmtSubnetPrefix    = "10.80.1.0/24"
$appSubnetName       = "snet-az700-nat-app"
$appSubnetPrefix     = "10.80.2.0/24"
$mgmtPipName         = "pip-az700-nat-mgmt"   # assumed name

# Local admin credential for both VMs
$username            = "kodekloud"
$passwordPlain       = "@dminP@55w0rd"  # Lab only - NOT for production
$securePassword      = ConvertTo-SecureString $passwordPlain -AsPlainText -Force
$credential          = New-Object System.Management.Automation.PSCredential($username,$securePassword)

# Image (Ubuntu 22.04 LTS)
$imagePublisher      = "Canonical"
$imageOffer          = "0001-com-ubuntu-server-jammy"
$imageSku            = "22_04-lts-gen2"
$imageVersion        = "latest"

Write-Host "Starting NAT Gateway lab base deployment..." -ForegroundColor Cyan

# -------------------------- Resource Group --------------------------
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# -------------------------- VNet & Subnets --------------------------
Write-Host "Creating VNet and subnets" -ForegroundColor Cyan
$mgmtSubnetCfg = New-AzVirtualNetworkSubnetConfig -Name $mgmtSubnetName -AddressPrefix $mgmtSubnetPrefix
$appSubnetCfg  = New-AzVirtualNetworkSubnetConfig -Name $appSubnetName -AddressPrefix $appSubnetPrefix
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $vnetAddressSpace -Subnet $mgmtSubnetCfg,$appSubnetCfg

# Retrieve subnets (objects) after creation
$mgmtSubnet = Get-AzVirtualNetworkSubnetConfig -Name $mgmtSubnetName -VirtualNetwork $vnet
$appSubnet  = Get-AzVirtualNetworkSubnetConfig -Name $appSubnetName -VirtualNetwork $vnet

# -------------------------- Public IP (Mgmt VM only) --------------------------
# Only the jumpbox gets an instance-level public IP; the app VM stays private.
Write-Host "Creating Public IP for management VM" -ForegroundColor Cyan
$mgmtPip = New-AzPublicIpAddress -Name $mgmtPipName -ResourceGroupName $resourceGroup -Location $location -Sku Basic -AllocationMethod Static
Connect and check outbound IPs (step-by-step)
  1. SSH to the management VM (has a public IP):
ssh kodekloud@52.170.237.47
  2. From the management VM, verify its outbound public IP:
curl ifconfig.me
# Example output:
# 52.170.237.47
This confirms the management VM uses its assigned public IP for outbound traffic.
  3. From the management VM, SSH to the app VM using its private IP (example 10.80.2.4):
ssh 10.80.2.4
# Accept host key if prompted and enter the VM password
  4. On the app VM (no public IP), check the outbound IP:
curl ifconfig.me
# Example output (before NAT gateway): 172.191.1.94
Without a NAT gateway the app VM uses an address from Azure’s dynamic outbound IP pool. That address is not stable, so it is unsuitable for whitelisting or consistent logging.
A screenshot of the Microsoft Azure portal showing the Overview page for a virtual machine named "vm-az700-nat-app-01," with properties like operating system (Linux Ubuntu 22.04), private IP (10.80.2.4), and size (Standard B1s). The left pane shows the virtual machines list and navigation/menu options.
Create and attach a NAT gateway (portal steps)
  1. In the Azure portal, search for and create a NAT gateway resource:
    • Choose subscription and resource group (e.g., rg-az700-nat).
    • Select a region (East US in this example).
    • Choose either a single outbound Public IP or a Public IP Prefix (multiple IPs).
Screenshot of the Microsoft Azure portal on the "Create network address translation (NAT) gateway" page. The Basics tab is visible with project and instance details filled in (Subscription: Kodekloud Labs, Resource group: rg-az700-nat, NAT gateway name and Region: East US).
Important scalability note
| Resource | Consideration |
| --- | --- |
| Single Public IP on NAT gateway | ~64,000 SNAT ports available — may be exhausted with many concurrent connections |
| Public IP Prefix (multiple IPs) | Provides multiple outbound addresses and increases available SNAT ports |
If your workload makes many concurrent outbound connections, provision a public IP prefix (multiple IPs) for the NAT gateway or design to distribute connections across multiple IPs to avoid SNAT port exhaustion.
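The scalability note above is easier to act on with numbers. The following added example (not part of the course's script) counts the outbound addresses bound to the NAT gateway, converts that into available SNAT ports, and pulls the failed-SNAT-connection metric from Azure Monitor, which is the signal that exhaustion is already happening. It assumes the Az.Network and Az.Monitor modules and the lab names from this page; the metric name SNATConnectionCount and its ConnectionState dimension are assumed from the NAT gateway metric set, and 64,512 is the number of SNAT ports Azure allocates per public IP.

```powershell
# Added example (not from the page): SNAT capacity estimate plus failed-connection metric.
$resourceGroup  = "rg-az700-nat"
$natGatewayName = "nat-az700-app-subnet"
$portsPerIp     = 64512   # SNAT ports per public IP (the page rounds this to ~64,000)

$nat = Get-AzNatGateway -ResourceGroupName $resourceGroup -Name $natGatewayName

# Count outbound addresses: each directly attached IP plus every address in each attached prefix.
$ipCount = @($nat.PublicIpAddresses).Count
foreach ($ref in $nat.PublicIpPrefixes) {
    $rg      = ($ref.Id -split '/')[4]      # resource group segment of the ARM resource ID
    $pfxName = ($ref.Id -split '/')[-1]
    $pfx     = Get-AzPublicIpPrefix -ResourceGroupName $rg -Name $pfxName
    $ipCount += [math]::Pow(2, 32 - $pfx.PrefixLength)
}
$totalPorts = $ipCount * $portsPerIp

# Failed SNAT connections over the last hour in 5-minute buckets. Any non-zero total on an
# otherwise healthy gateway is the signature of SNAT port exhaustion.
$end    = Get-Date
$start  = $end.AddHours(-1)
$failed = Get-AzMetric -ResourceId $nat.Id -MetricName "SNATConnectionCount" `
    -MetricFilter "ConnectionState eq 'Failed'" -AggregationType Total `
    -TimeGrain ([TimeSpan]::FromMinutes(5)) -StartTime $start -EndTime $end

$failedTotal = 0
foreach ($point in $failed.Data) {
    if ($point.Total) { $failedTotal += $point.Total }   # skip empty buckets
}

Write-Host ("{0} outbound IP(s) -> {1:N0} SNAT ports available" -f $ipCount, $totalPorts)
Write-Host ("Failed SNAT connections, last hour: {0}" -f [int]$failedTotal)
if ($failedTotal -gt 0) {
    Write-Host "Add a public IP prefix (or more IPs) to the gateway, or reduce idle timeout and connection churn." -ForegroundColor Yellow
}
```

Run this from any workstation with the Az modules after `Connect-AzAccount`. The port total is an upper bound: each flow to the same destination IP and port consumes a distinct SNAT port, so a workload that hammers one endpoint exhausts its share long before the aggregate figure suggests.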
  2. During creation attach outbound public IP(s) (single IP for labs; public IP prefix for production/high-scale). After creation, attach the NAT gateway to the app subnet:
  • Option A: Open the NAT gateway → Subnets → Select the app subnet → Save.
  • Option B: Open the VNet → Subnets → Select the app subnet → Associate NAT gateway → Save.
After deployment, you will see the NAT gateway resource (if you deferred attaching subnets during creation, the resource may show zero subnets until you associate them).
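The portal steps above, together with the deployment steps table and the subnet integration notes earlier on this page, map onto a handful of Az cmdlets. The following is an added example, not part of the course's provisioning script: it creates the Standard public IP the gateway needs, creates the NAT gateway with a tuned idle timeout, associates it with the app subnet only, and then confirms the association from the subnet side. It assumes the lab variables from the PowerShell excerpt (`$resourceGroup`, `$location`, `$vnetName`, `$appSubnetName`) are already set; the NAT gateway name is the one shown in the portal screenshot and the public IP name is an assumed placeholder.

```powershell
# Added example (not from the page): create and attach a NAT gateway with the Az module.
$natGatewayName = "nat-az700-app-subnet"
$natPipName     = "pip-az700-nat-gateway"   # assumed name, not given on the page
$idleTimeoutMin = 10                         # must be within the 4-120 minute range

# NAT gateway requires Standard SKU, statically allocated public IPs.
$natPip = New-AzPublicIpAddress -Name $natPipName -ResourceGroupName $resourceGroup `
    -Location $location -Sku Standard -AllocationMethod Static

# Create the gateway and bind its outbound IP. Use -PublicIpPrefix instead of (or as well as)
# -PublicIpAddress when the workload needs more SNAT ports than one address provides.
$nat = New-AzNatGateway -Name $natGatewayName -ResourceGroupName $resourceGroup `
    -Location $location -Sku Standard -IdleTimeoutInMinutes $idleTimeoutMin `
    -PublicIpAddress $natPip

# Associate the gateway with the app subnet only; the mgmt subnet keeps using its
# instance-level public IP. Set-AzVirtualNetworkSubnetConfig rewrites the subnet config,
# so pass -NetworkSecurityGroup / -RouteTable as well if the subnet already has them.
$vnet      = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$appSubnet = Get-AzVirtualNetworkSubnetConfig -Name $appSubnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $appSubnetName `
    -AddressPrefix $appSubnet.AddressPrefix -NatGateway $nat | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork          # commits the change to Azure

# Verify from the subnet's point of view: the subnet must reference this gateway's ID.
$attached = (Get-AzVirtualNetworkSubnetConfig -Name $appSubnetName -VirtualNetwork $vnet).NatGateway
if (-not $attached -or $attached.Id -ne $nat.Id) {
    throw "Subnet $appSubnetName is not associated with ${natGatewayName}"
}

# Report the deterministic outbound address the app VM will now use.
$natPip = Get-AzPublicIpAddress -Name $natPipName -ResourceGroupName $resourceGroup
Write-Host "Outbound IP for ${natGatewayName}: $($natPip.IpAddress)" -ForegroundColor Green
```

No route table changes are needed: once the subnet references the gateway, Azure sends the subnet's internet-bound traffic through it. The check at the end is the same condition the portal's Subnets tile reports; a zero count there means the association step was skipped.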
A Microsoft Azure portal deployment overview screen showing that a NAT gateway deployment ("CreateNatGatewayBlade-20250817231754") is complete, with deployment details, subscription and resource group info, and a "Go to resource" button.
Validate the change: app VM outbound IP
  1. Return to the app VM (SSH via management VM).
  2. Check the app VM outbound IP:
curl ifconfig.me
# Example output (after NAT gateway): <public-ip-of-nat-gateway>
  3. Verify the outbound IP shown in the NAT gateway resource’s Overview → Outbound IP addresses to confirm the public IP in use.
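The manual check in steps 1 to 3 (and the earlier "Connect and check outbound IPs" walkthrough) can be scripted so the comparison is done for you rather than by eye. The following added example is not part of the course material: from an admin workstation with the Az module and an OpenSSH client, it reads the address(es) bound to the NAT gateway, hops through the management VM to the app VM with SSH ProxyJump, runs the same `curl ifconfig.me` probe, and reports whether the observed egress address is one the gateway owns. It uses the lab values from this page (management VM public IP, app VM private IP, username and NAT gateway name).

```powershell
# Added example (not from the page): confirm the app VM egresses through the NAT gateway.
$resourceGroup  = "rg-az700-nat"
$natGatewayName = "nat-az700-app-subnet"
$mgmtPublicIp   = "52.170.237.47"   # management VM public IP (jumpbox), from the page
$appPrivateIp   = "10.80.2.4"       # app VM private IP, from the page
$labUser        = "kodekloud"

function Get-NatGatewayOutboundIps {
    param([string]$ResourceGroupName, [string]$Name)
    $nat = Get-AzNatGateway -ResourceGroupName $ResourceGroupName -Name $Name
    # Resolve each public IP reference to its address. A prefix-backed gateway exposes
    # $nat.PublicIpPrefixes instead; this example covers the single-IP lab setup.
    foreach ($ref in $nat.PublicIpAddresses) {
        $parts = $ref.Id -split '/'
        (Get-AzPublicIpAddress -ResourceGroupName $parts[4] -Name $parts[-1]).IpAddress
    }
}

function Get-ObservedOutboundIp {
    param([string]$JumpHost, [string]$Target, [string]$User)
    # -J (ProxyJump) hops through the management VM to the private app VM, exactly as the
    # manual steps do, then runs the same probe. Expect two password prompts without key auth.
    $result = ssh -o StrictHostKeyChecking=accept-new -J "$User@$JumpHost" "$User@$Target" 'curl -s ifconfig.me'
    if ($LASTEXITCODE -ne 0) { throw "ssh/curl probe failed with exit code $LASTEXITCODE" }
    return ([string]$result).Trim()
}

$expected = @(Get-NatGatewayOutboundIps -ResourceGroupName $resourceGroup -Name $natGatewayName)
$observed = Get-ObservedOutboundIp -JumpHost $mgmtPublicIp -Target $appPrivateIp -User $labUser

if ($expected -contains $observed) {
    Write-Host "OK: app VM egresses via NAT gateway IP $observed" -ForegroundColor Green
} else {
    Write-Host "MISMATCH: app VM egresses via $observed; gateway IPs: $($expected -join ', ')" -ForegroundColor Red
    Write-Host "Check that ${natGatewayName} is associated with the app subnet and that the change has propagated."
}
```

A mismatch immediately after association usually means the change has not yet taken effect; a mismatch that persists means the gateway is attached to the wrong subnet or not attached at all. Running the same script before the gateway exists reproduces the dynamic-pool address seen in step 4 of the earlier walkthrough.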
A screenshot of the Microsoft Azure portal showing the overview page for a NAT gateway named "nat-az700-app-subnet." The Essentials panel lists the resource group, location (East US), virtual network and counts for subnets/public IPs, with tiles to configure outbound IP addresses and subnets.
Benefits after deploying NAT gateway
  • Deterministic outbound IP(s) for whitelisting and audit logs.
  • Azure handles outbound routing automatically — no custom outbound UDRs required.
  • Improved security posture: VMs can remain private (no public IPs) while still accessing the internet.
Further reading and references
Note: VPN Gateway and advanced routing will be covered later when discussing routing concepts and forced tunneling.