Welcome to the lesson on configuring internet access with Azure Virtual NAT. This lesson explains how Azure NAT Gateway (NAT) provides secure, scalable outbound internet access for Azure resources without requiring a public IP address on each virtual machine. You will learn the design rationale, common scenarios, and practical configuration steps to create a NAT Gateway and associate it with one or more subnets in a virtual network.

By the end of this lesson you’ll be able to:
  1. Understand the purpose of NAT Gateway and how it provides outbound-only internet connectivity for specific subnets.
  2. Explain when to choose NAT Gateway instead of assigning public IPs to each VM or using a load balancer for egress.
  3. Describe how NAT Gateway can be used together with Azure Load Balancer to manage both inbound and outbound traffic flows.
  4. Configure and associate a NAT Gateway with subnets to enable scalable, managed outbound traffic for your workloads.
This lesson will guide you through when and how to use NAT Gateway to provide reliable, secure outbound internet connectivity for your workloads.
Tip: NAT Gateway is optimized for outbound-only scenarios where you want to centralize egress traffic and avoid assigning public IP addresses to every VM. It performs source NAT (SNAT) for connections leaving your virtual network and scales to support high-traffic workloads.

When to use NAT Gateway

Use NAT Gateway when you need:
  • Centralized, managed outbound connectivity for one or more subnets.
  • A simple model to control egress IPs (one or more public IPs assigned to the NAT).
  • High SNAT capacity and predictable source IPs for external services.
Consider alternatives when you need inbound connectivity (use Public IPs or Azure Load Balancer) or when you require complex application-level routing or WAF functionality.
| Option | Best for | Key benefit |
| --- | --- | --- |
| NAT Gateway | Centralized outbound egress for subnets | Removes the need for public IPs on each VM; scalable SNAT |
| Public IP per VM | Individual servers needing direct inbound access | Direct inbound and outbound traffic per resource |
| Azure Load Balancer (Outbound rules) | Managed inbound and outbound flows at scale | Combines inbound load balancing with controlled egress (use with NAT for advanced scenarios) |

Quick design notes

  • NAT Gateway is outbound-only by design. It does not provide inbound connectivity to your VMs. For inbound traffic, pair NAT Gateway with a Load Balancer or assign public IPs where required.
  • You can attach a NAT Gateway to one or multiple subnets within a virtual network.
  • A NAT Gateway can reference one or more public IP addresses (or a public IP prefix) to present stable egress IPs to external services.
Warning: NAT Gateway does not replace a Load Balancer for inbound traffic. If your application requires incoming connections or TLS termination, use Azure Load Balancer, Application Gateway, or public IP assignments alongside or instead of NAT Gateway. Also review NAT Gateway pricing and regional availability before implementation.
This lesson will now walk through the common architecture patterns and step-by-step configuration (Portal, CLI, and ARM/Terraform examples) to deploy NAT Gateway and associate it with subnets.
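The subnet association from the design notes above, written as Terraform for the azurerm provider. This is an added example, not the lesson's own code: every resource name, the region and the address ranges are assumptions, and an already configured `azurerm` provider is assumed.

```hcl
# Added example: all names, the region and the address ranges are assumptions.
resource "azurerm_resource_group" "rg" {
  name     = "rg-nat-demo"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-demo"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_subnet" "workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Stable egress address that external services see as the source IP.
resource "azurerm_public_ip" "egress" {
  name                = "pip-nat-egress"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_nat_gateway" "nat" {
  name                = "natgw-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = "Standard"
}

resource "azurerm_nat_gateway_public_ip_association" "egress" {
  nat_gateway_id       = azurerm_nat_gateway.nat.id
  public_ip_address_id = azurerm_public_ip.egress.id
}

# One association per subnet; add another block for each subnet that
# should send its outbound traffic through the same NAT Gateway.
resource "azurerm_subnet_nat_gateway_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  nat_gateway_id = azurerm_nat_gateway.nat.id
}
```

Network interfaces placed in `snet-workload` need no public IP of their own; outbound connections leave through the address in `azurerm_public_ip.egress`, which is the one to give to external services that allow-list by source IP.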