Azure NAT Gateway on Microsoft Azure
Azure NAT Gateway is a fully managed network service that provides outbound internet connectivity for resources in Azure virtual networks. The service simplifies network architecture by offering a centralized solution for outbound connectivity with static public IP addresses.
Unlike Load Balancer-based outbound rules or individual public IPs per VM, NAT Gateway enables a simpler, more scalable solution for outbound traffic. The service is fully zone-redundant and provides high availability without additional configuration.
For companies with GDPR requirements, Azure NAT Gateway is available in European Azure regions and meets all relevant compliance standards.
Typical Use Cases
Private VMs with internet access: Virtual machines without public IP addresses can securely access the internet while inbound connections remain blocked.
Static outbound IPs for whitelisting: External APIs or partner systems requiring IP whitelisting can be reached via fixed NAT Gateway IPs.
Microservices architectures: Containers and serverless functions in private subnets gain reliable internet access for external dependencies.
Batch workloads: Large data processing jobs can access external services in parallel without risking SNAT port exhaustion.
Frequently Asked Questions about Azure NAT Gateway
What differentiates NAT Gateway from other outbound solutions?
NAT Gateway offers significantly higher SNAT port limits (64,000 ports per IP) compared to Load Balancer Outbound Rules or individual Public IPs, simpler management, and better zone redundancy. The service is specifically optimized for outbound scenarios and requires no configuration of health probes or backend pools.
How is Azure NAT Gateway billed?
Costs consist of two components: an hourly base charge per NAT Gateway and charges for processed data. Approximately €0.045 per hour, plus approximately €0.04 per processed GB. Inactive NAT Gateways continue to incur hourly charges.
Can I combine NAT Gateway with Azure Firewall?
Yes, NAT Gateway and Azure Firewall can be used together. NAT Gateway is used for outbound internet traffic, while Azure Firewall handles inspection and filtering. Route prioritization is managed via User Defined Routes (UDRs).
How many public IP addresses can a NAT Gateway use?
A single NAT Gateway supports up to 16 public IP addresses. These can be configured as individual IPs or as IP prefix. Each IP provides 64,000 SNAT ports, enabling over 1 million concurrent connections in total.
Is NAT Gateway compatible with Private Link?
NAT Gateway is only used for outbound internet traffic. For connections to Azure services via Private Endpoints, NAT Gateway is not relevant, as these connections run directly over the Azure backbone and don’t require public IPs.
What monitoring options does NAT Gateway offer?
Azure Monitor provides metrics such as SNAT connection count, processed bytes, and packet count. Alarms can be configured when approaching SNAT port limits. Integration with Network Watcher enables troubleshooting of connectivity issues.
Can NAT Gateway be used with multiple subnets?
Yes, a NAT Gateway can be assigned to multiple subnets within the same Virtual Network. This simplifies management and reduces costs, as not every subnet needs its own gateway.
Alternatives
alternatives:
- provider: “aws” product: “nat-gateway”
- provider: “gcp” product: “cloud-nat”
Integration with innFactory
As a Microsoft Solutions Partner, innFactory supports you in implementing and optimizing Azure NAT Gateway. We help with network architecture, cost optimization, and migration from existing outbound solutions.
Contact us for a non-binding consultation on Azure NAT Gateway and network architectures.
