AZ-104 | Chapter 123 of 168 | Objective 4.1

Azure NAT Gateway

This chapter covers Azure NAT Gateway, a fully managed and resilient Network Address Translation (NAT) service that enables outbound connectivity for virtual networks. On the AZ-104 exam, approximately 5–10% of networking questions relate to outbound connectivity scenarios, including NAT Gateway, Azure Load Balancer outbound rules, and Azure Firewall. Understanding NAT Gateway's design, configuration, and comparison with other outbound methods is critical for passing the exam.

25 min read
Intermediate
Updated May 31, 2026

NAT Gateway as Office Switchboard

Imagine a company with one public phone number and 200 employees, each with an internal extension. When an employee calls out, the receptionist records which extension placed the call and replaces it with the company number. When the response comes back, she looks up the log and routes it to the correct extension. From outside, nobody can dial employees directly — they only ever see the company number. This is exactly how Azure NAT Gateway works: it provides a single public IP address (the company number) for outbound traffic from many private VMs (the internal extensions). The NAT Gateway maintains a stateful mapping table that records each outbound flow (source private IP:port → public IP:port) and ensures return traffic is forwarded to the correct VM. The key difference is that the switchboard (NAT Gateway) handles thousands of simultaneous calls using port translation (SNAT), and it can have multiple public IP addresses (like multiple phone lines) to scale. Also, the switchboard never accepts incoming calls — it only handles outbound-initiated conversations, just like NAT Gateway does not allow inbound connections from the internet.

How It Actually Works

What is Azure NAT Gateway?

Azure NAT Gateway is a fully managed, elastically scalable, and highly available Network Address Translation (NAT) service that allows all instances in a private subnet to connect outbound to the internet while preventing inbound connections from the internet. It uses Source Network Address Translation (SNAT) to map private IP addresses to one or more public IP addresses, enabling thousands of concurrent outbound flows per public IP.

NAT Gateway is a regional resource that can be attached to up to 10 subnets within the same virtual network. It does not require any routing configuration beyond default routes – once attached to a subnet, the subnet's route table automatically gets a default route (0.0.0.0/0) with the NAT Gateway as the next hop (though this is implicit, not a user-defined route).

Why Does NAT Gateway Exist?

Before NAT Gateway, outbound connectivity in Azure was provided by:

- Azure Load Balancer outbound rules – required a load balancer and incurred costs even if not used for inbound traffic.
- Azure Firewall – expensive and overkill for simple outbound-only scenarios.
- Instance-level Public IPs – each VM got its own public IP, which is insecure and hard to manage.
- Default outbound access – Azure provides temporary public IPs for VMs without public IPs, but these are not predictable and have SNAT port exhaustion risks.

NAT Gateway solves these problems by providing a dedicated, scalable, and secure outbound connectivity solution. It is the recommended method for outbound connectivity in Azure (as per Azure best practices).

How NAT Gateway Works Internally

When a VM in a subnet attached to a NAT Gateway initiates an outbound connection, the following happens:

1. The VM sends a packet with source IP 10.0.0.4 (private) and source port 12345, destination IP 203.0.113.5 and destination port 80.
2. The packet reaches the subnet's default gateway (the NAT Gateway).
3. NAT Gateway translates the source IP to one of its public IPs (e.g., 20.0.0.1) and assigns a new source port (e.g., 1024). It records the mapping (10.0.0.4:12345 → 20.0.0.1:1024) in its stateful connection table.
4. The packet is sent to the internet with source 20.0.0.1:1024.
5. When the response returns (dest 20.0.0.1:1024), NAT Gateway looks up its table, finds the mapping, and forwards the packet to 10.0.0.4:12345.
6. The VM receives the response as if it came directly from the internet.

This process is transparent to the VM. The VM never knows its source IP was translated.

Key Components, Values, Defaults, and Timers

Public IP Addresses: You can assign up to 16 public IP addresses (standard SKU) or public IP prefixes (up to /24) to a NAT Gateway. The number of available SNAT ports per IP is 64,512. With 16 IPs, you get 1,032,192 ports.

SNAT Port Reuse: A single flow uses one SNAT port. Idle timeout is 4 minutes (configurable from 4 to 120 minutes). After idle timeout, the mapping is removed. TCP reset (RST) can be sent on timeout if enabled.

Concurrent Flows: Each public IP supports 64,512 concurrent flows. With 16 IPs, that's 1,032,192 flows.

Protocol Support: TCP and UDP (no ICMP, but ICMP errors are handled).

Availability Zones: NAT Gateway can be zone-redundant or zonal. For higher availability, deploy zone-redundant.

Scale: NAT Gateway automatically scales out (up to 100 Gbps throughput). No manual scaling required.
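The translation steps and the numbers above (64,512 ports per public IP, 4-minute idle timeout, optional TCP reset, a port pool shared by every VM in the attached subnets) can be seen working in a small simulation. The following is an added example written for this chapter, not Azure code or anything from the exam material: a toy stateful SNAT table that allocates ports, forwards only return traffic, drops unsolicited inbound packets, expires idle mappings, and reports utilization the way an alert on the SNATConnectionCount metric would. The class name, the port-selection rule and the `ports_per_ip` knob (used to make exhaustion visible with a tiny pool) are hypothetical simplifications.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PORTS_PER_PUBLIC_IP = 64_512        # SNAT ports per public IP, the figure the chapter uses
DEFAULT_IDLE_TIMEOUT_S = 4 * 60     # the chapter's default idle timeout: 4 minutes

FlowKey = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)
Translation = Tuple[str, int]              # (public_ip, snat_port)


@dataclass
class Flow:
    key: FlowKey
    translation: Translation
    last_seen: float


class SnatTable:
    """Toy model (hypothetical, not Azure's implementation) of the stateful SNAT table."""

    def __init__(self, public_ips: List[str], idle_timeout_s: float = DEFAULT_IDLE_TIMEOUT_S,
                 tcp_reset: bool = False, ports_per_ip: int = PORTS_PER_PUBLIC_IP) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.tcp_reset = tcp_reset
        self.ports_per_ip = ports_per_ip
        # One free-port pool per public IP, shared by every VM in the attached subnets.
        self.free_ports: Dict[str, Set[int]] = {
            ip: set(range(1024, 1024 + ports_per_ip)) for ip in public_ips
        }
        self.by_key: Dict[FlowKey, Flow] = {}
        self.by_translation: Dict[Translation, Flow] = {}

    def capacity(self) -> int:
        return self.ports_per_ip * len(self.free_ports)

    def in_use(self) -> int:
        return len(self.by_key)

    def utilization(self) -> float:
        return self.in_use() / self.capacity()

    def over_threshold(self, threshold: float = 0.8) -> bool:
        """The check an alert on SNATConnectionCount makes (the scenarios below use 80%)."""
        return self.utilization() >= threshold

    def outbound(self, key: FlowKey, now: float) -> Optional[Translation]:
        """VM -> internet packet: returns (public_ip, port) after SNAT, or None if dropped."""
        flow = self.by_key.get(key)
        if flow is not None:                       # known flow: reuse its mapping
            flow.last_seen = now
            return flow.translation
        for ip, pool in self.free_ports.items():   # new flow: take a free port on any IP
            if pool:
                port = min(pool)                   # deterministic pick for the demo
                pool.remove(port)
                flow = Flow(key, (ip, port), now)
                self.by_key[key] = flow
                self.by_translation[flow.translation] = flow
                return flow.translation
        return None                                # all SNAT ports in use: packet dropped

    def inbound(self, public_ip: str, port: int, now: float) -> Optional[Tuple[str, int]]:
        """Internet -> gateway packet: forwarded only if it matches an existing mapping."""
        flow = self.by_translation.get((public_ip, port))
        if flow is None:
            return None                            # unsolicited inbound: no mapping, dropped
        flow.last_seen = now
        return flow.key[0], flow.key[1]            # deliver to the original private src:port

    def expire_idle(self, now: float) -> List[Tuple[FlowKey, bool]]:
        """Drop mappings idle for the timeout; second element says whether a RST would go out."""
        expired = []
        for flow in list(self.by_key.values()):
            if now - flow.last_seen >= self.idle_timeout_s:
                del self.by_key[flow.key]
                del self.by_translation[flow.translation]
                self.free_ports[flow.translation[0]].add(flow.translation[1])
                expired.append((flow.key, self.tcp_reset and flow.key[4] == "tcp"))
        return expired


if __name__ == "__main__":
    # Constructed walk-through with a deliberately tiny pool (2 ports) to show exhaustion.
    table = SnatTable(["20.0.0.1"], idle_timeout_s=240, tcp_reset=True, ports_per_ip=2)
    vm_a = ("10.0.0.4", 12345, "203.0.113.5", 80, "tcp")
    vm_b = ("10.0.0.5", 40000, "203.0.113.5", 80, "tcp")
    vm_c = ("10.0.0.6", 40000, "203.0.113.5", 80, "tcp")
    print("A:", table.outbound(vm_a, now=0.0))        # ('20.0.0.1', 1024)
    print("B:", table.outbound(vm_b, now=1.0))        # ('20.0.0.1', 1025)
    print("C:", table.outbound(vm_c, now=1.0))        # None, pool exhausted
    print("return to A:", table.inbound("20.0.0.1", 1024, now=2.0))
    print("unsolicited:", table.inbound("20.0.0.1", 5555, now=2.0))
    print("expired:", table.expire_idle(now=241.0))   # B idle >= 240 s, RST would be sent
    print("C retry:", table.outbound(vm_c, now=241.0))
```

The point the demo makes is the one the chapter stresses: the pool is per public IP, not per VM, so one chatty VM can starve the others, and the two remedies are the ones listed later (add public IPs to enlarge the pool, or tune the idle timeout so stale mappings are released sooner).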

Configuration and Verification Commands

Create NAT Gateway via Azure CLI:

az network nat gateway create \
  --resource-group myResourceGroup \
  --name myNATGateway \
  --location eastus \
  --public-ip-addresses myPublicIP \
  --idle-timeout 10

Attach to a subnet:

az network vnet subnet update \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --name mySubnet \
  --nat-gateway myNATGateway

Verify outbound IP:

az vm run-command invoke \
  --resource-group myResourceGroup \
  --name myVM \
  --command-id RunPowerShellScript \
  --scripts "(Invoke-WebRequest -Uri https://api.ipify.org).Content"

Check SNAT port usage (metrics):

Azure Monitor metrics: SNATConnectionCount, TotalConnectionCount, DroppedPackets.

Interaction with Related Technologies

Azure Firewall: Can be used for outbound traffic, but is more expensive and provides full inspection. NAT Gateway is simpler and cheaper for pure outbound.

Azure Load Balancer: Outbound rules on Standard Load Balancer also provide SNAT but require load balancer configuration. NAT Gateway is preferred for outbound-only.

Azure Firewall with NAT Gateway: Can be combined for high availability: Firewall for inspection, NAT Gateway for SNAT.

Private Link: NAT Gateway does not interfere with private endpoints.

Network Security Groups (NSGs): NSGs still apply to VMs; NAT Gateway does not bypass them. Outbound traffic must be allowed by NSG rules.

Route Tables: When NAT Gateway is attached to a subnet, it adds an implicit default route. User-defined routes (UDRs) can override this, but that may break connectivity.

Limitations and Edge Cases

Outbound only: NAT Gateway does not support inbound connections. For inbound, use Load Balancer or Application Gateway.

No outbound through ExpressRoute or VPN: NAT Gateway only provides internet outbound. For forced tunneling, use Azure Firewall.

Single region: NAT Gateway is regional. For multi-region, deploy per region.

Subnet attachment: Only one NAT Gateway per subnet. A NAT Gateway can be attached to up to 10 subnets.

IPv6: Only IPv4 is supported. IPv6 not supported.

ICMP: NAT Gateway does not translate ICMP, but ICMP error messages are passed through.

Exam-Relevant Details

Default idle timeout: 4 minutes (configurable 4–120 minutes).

SNAT ports per IP: 64,512.

Maximum public IPs: 16.

Maximum subnets per NAT Gateway: 10.

Standard SKU only: Basic public IPs are not supported.

No inbound rules: NAT Gateway is outbound-only.

No cost for attached subnets: You pay for the NAT Gateway resource and public IPs.

Zone-redundant by default: If no zone specified, it's zone-redundant.

Walk-Through

1

Create NAT Gateway Resource

In the Azure portal, navigate to 'Create a resource' and search for 'NAT Gateway'. Provide a name, region (must match the virtual network's region), and availability zone (none, zone-redundant, or specific zone). Zone-redundant is recommended for high availability. At this stage, you also set the idle timeout (default 4 minutes, range 4–120). You do not attach subnets yet. You must also assign at least one public IP address (Standard SKU) or public IP prefix. The resource is created, but no traffic flows until attached to a subnet.

2

Assign Public IP or Prefix

You must assign at least one Standard SKU public IP address or a public IP prefix to the NAT Gateway. The public IP can be created during NAT Gateway creation or attached later. Each public IP provides 64,512 SNAT ports. You can assign up to 16 individual IPs or a prefix up to /24; a /24 prefix contains 256 IPs, but NAT Gateway only uses up to 16 IPs from the prefix for SNAT and the rest are reserved. For maximum scale, use 16 individual IPs or a /28 prefix (16 IPs). The public IPs must be in the same region as the NAT Gateway.

3

Attach NAT Gateway to Subnet

In the NAT Gateway resource, go to 'Subnets' and add one or more subnets from the same virtual network. Alternatively, you can update the subnet's properties to reference the NAT Gateway. When attached, the subnet's effective routes automatically get a default route (0.0.0.0/0) with the NAT Gateway as next hop. This route is not visible in the route table but is effective. Any existing default route (e.g., from Azure Firewall) may conflict. Only one NAT Gateway can be attached to a subnet. A NAT Gateway can be attached to up to 10 subnets.

4

Configure NSGs and UDRs

After attaching, ensure Network Security Groups (NSGs) allow outbound traffic to the internet (e.g., allow outbound to 0.0.0.0/0 for TCP/UDP). NAT Gateway does not bypass NSGs. Also, if you have user-defined routes (UDRs), ensure they do not override the default route to NAT Gateway. For example, if you have a forced tunneling route pointing to a virtual appliance, traffic will go there instead of NAT Gateway. Note that the NAT Gateway's implicit route appears in the effective routes with next hop type 'Internet', not 'VirtualAppliance', even though the traffic actually goes through the NAT Gateway. This is a common exam trick.

5

Verify Outbound Connectivity

Deploy a VM in the attached subnet (without a public IP). RDP or SSH into the VM using a bastion or jump box. From the VM, run a command to check the outbound public IP, e.g., 'curl ifconfig.me' or 'Invoke-WebRequest -Uri https://api.ipify.org'. The returned IP should be one of the NAT Gateway's public IPs. Also, check that inbound connections from the internet cannot reach the VM directly (unless there's a separate inbound path). Use Azure Monitor metrics to verify SNAT port usage and dropped packets. If SNAT port exhaustion occurs, add more public IPs or increase idle timeout.

What This Looks Like on the Job

Enterprise Scenario 1: E-Commerce Platform with High Throughput

A large e-commerce company runs thousands of VMs in a virtual network that need to fetch product data from external APIs and send analytics to third-party services. Previously, they used a Standard Load Balancer with outbound rules, but managing the load balancer for outbound-only traffic was costly and complex. They migrated to Azure NAT Gateway with 16 public IPs to handle over 1 million concurrent connections. They configured the idle timeout to 10 minutes to avoid port exhaustion during long-lived API calls. The NAT Gateway automatically scales to handle spikes during Black Friday. The team monitors the SNATConnectionCount metric and sets alerts when usage exceeds 80%. One issue they faced: initially they forgot to remove the load balancer's outbound rules, causing dual NAT and asymmetric routing. They resolved it by disabling outbound rules on the load balancer and ensuring only NAT Gateway is attached to the subnet.

Enterprise Scenario 2: Secure Outbound for Healthcare Application

A healthcare provider needs to send patient data to a cloud-based EHR system via HTTPS. They require a fixed outbound IP for firewall whitelisting. They deployed a NAT Gateway with a single public IP (static). They attached it to the subnet hosting the application VMs. To ensure security, they locked down NSGs to only allow outbound to the EHR's IP on port 443. They also enabled TCP reset on idle timeout to immediately close stale connections. The challenge was that the EHR system required a dedicated outbound IP, and using NAT Gateway was simpler than reserving a public IP per VM. They also needed to ensure high availability; they deployed the NAT Gateway as zone-redundant. In production, they monitor for dropped packets due to SNAT port exhaustion; they have a runbook to add additional public IPs if needed.

Common Misconfiguration: Overlapping Routes

A common mistake is attaching NAT Gateway to a subnet that already has a route table with a default route (0.0.0.0/0) pointing to Azure Firewall. The NAT Gateway's implicit route does not override the UDR. Traffic still goes through the firewall, bypassing NAT Gateway. To fix, either remove the UDR or ensure the firewall is the intended next hop. Another misconfiguration: using Basic SKU public IPs (not supported). The NAT Gateway creation will fail. Also, forgetting that NAT Gateway does not support inbound connections; if a VM needs to be accessed from the internet, a separate inbound method (like Load Balancer) is required.
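The route-precedence rules stated in step 4 of the walk-through and in the misconfiguration above (longest prefix wins; on the 0.0.0.0/0 prefix a UDR beats the NAT Gateway's implicit route, which beats the platform default; on-premises prefixes go to the gateway) are simple enough to encode as a checker. The following is an added example for this chapter, not Azure's route-evaluation code and not from the exam material: a simplified model of a subnet's candidate routes, a function that answers "where does traffic to this destination actually leave?", and an audit helper that flags the UDR silently bypassing an attached NAT Gateway. The `Route` type, the `source` labels and the `SOURCE_PRECEDENCE` order are hypothetical constructs that mirror the chapter's statements, not Azure API fields.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str            # e.g. "Internet", "VirtualAppliance", "VirtualNetworkGateway"
    source: str                   # "User" (UDR), "NatGateway" (implicit), or "System"
    next_hop_ip: Optional[str] = None


# On an equal-length prefix, lower wins: a UDR beats the NAT Gateway's implicit route,
# which in turn beats the platform's system default route (the chapter's stated order).
SOURCE_PRECEDENCE = {"User": 0, "NatGateway": 1, "System": 2}


def subnet_routes(vnet_address_space: str, nat_gateway_attached: bool,
                  extra_routes: List[Route]) -> List[Route]:
    """Build the candidate routes a subnet would evaluate (simplified model)."""
    routes = [
        Route(vnet_address_space, "VirtualNetwork", "System"),
        Route("0.0.0.0/0", "Internet", "System"),          # platform default outbound
    ]
    if nat_gateway_attached:
        # The implicit route: shows next hop type 'Internet', but traffic goes via NAT Gateway.
        routes.append(Route("0.0.0.0/0", "Internet", "NatGateway"))
    return routes + list(extra_routes)


def effective_route(routes: List[Route], destination: str) -> Route:
    """Longest prefix wins; ties on prefix length are broken by SOURCE_PRECEDENCE."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    return min(matching, key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                                        SOURCE_PRECEDENCE[r.source]))


def egress_path(routes: List[Route], destination: str) -> str:
    """Human-readable answer to 'where does traffic to this destination actually leave?'"""
    r = effective_route(routes, destination)
    if r.source == "NatGateway":
        return "nat-gateway"
    if r.next_hop_type == "VirtualAppliance":
        return f"nva:{r.next_hop_ip}"
    if r.next_hop_type == "Internet":
        return "default-outbound"
    return r.next_hop_type.lower()


def shadowing_udr(routes: List[Route]) -> Optional[Route]:
    """Return the 0.0.0.0/0 UDR that bypasses an attached NAT Gateway, or None if there is none."""
    if not any(r.source == "NatGateway" for r in routes):
        return None
    for r in routes:
        if r.source == "User" and ipaddress.ip_network(r.prefix, strict=False).prefixlen == 0:
            return r
    return None


if __name__ == "__main__":
    # Constructed scenario: NAT Gateway attached, but a forced-tunnel UDR to a firewall exists.
    firewall_udr = Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.100.4")
    routes = subnet_routes("10.0.0.0/16", nat_gateway_attached=True, extra_routes=[firewall_udr])
    print("internet egress:", egress_path(routes, "203.0.113.5"))   # nva:10.0.100.4
    print("shadowing UDR:", shadowing_udr(routes))
    # Same subnet with an on-premises prefix learned via the gateway instead of the UDR.
    onprem = Route("10.1.0.0/16", "VirtualNetworkGateway", "System")
    routes = subnet_routes("10.0.0.0/16", nat_gateway_attached=True, extra_routes=[onprem])
    print("internet egress:", egress_path(routes, "203.0.113.5"))   # nat-gateway
    print("on-prem egress:", egress_path(routes, "10.1.2.3"))       # virtualnetworkgateway
```

In practice the candidate list would be filled from the VM's effective routes rather than constructed by hand; the value of the model is that it makes the chapter's precedence rule explicit and turns the "NAT Gateway attached but traffic still goes to the firewall" mistake into something a script can flag.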

How AZ-104 Actually Tests This

What AZ-104 Tests on NAT Gateway

The AZ-104 exam objectives under 'Configure and manage virtual networking' (Objective 4.1) include 'Configure outbound connectivity' and specifically mention NAT Gateway. You should expect 1-2 questions on NAT Gateway, often comparing it with other outbound methods. The exam focuses on:

- When to use NAT Gateway vs. Load Balancer outbound rules vs. Azure Firewall vs. instance-level public IPs.
- Limitations: No inbound, no IPv6, no Basic SKU, maximum 16 public IPs, 64,512 ports per IP, 10 subnets per gateway.
- Default idle timeout: 4 minutes (configurable).
- Zone-redundant option.
- How to attach to a subnet and the effect on routing.

Common Wrong Answers and Why Candidates Choose Them

1. 'NAT Gateway supports inbound connections' – Candidates confuse NAT Gateway with Load Balancer or Application Gateway. Remember: NAT Gateway is outbound-only.
2. 'NAT Gateway requires a route table with a default route' – The implicit route is added automatically; no manual UDR needed. Candidates think they must create a UDR.
3. 'You can attach NAT Gateway to multiple virtual networks' – Only one virtual network (same region). A NAT Gateway is regional and can only attach to subnets in its own VNet.
4. 'NAT Gateway provides SNAT ports for each VM individually' – SNAT ports are shared across all VMs in the subnet. Candidates think each VM gets its own pool.
5. 'NAT Gateway can use Basic public IPs' – Only Standard SKU is allowed.

Specific Numbers and Terms on the Exam

64,512 – SNAT ports per public IP.

16 – Maximum public IPs per NAT Gateway.

10 – Maximum subnets per NAT Gateway.

4 minutes – Default idle timeout.

4–120 minutes – Configurable idle timeout range.

Standard SKU – Required for public IPs.

Zone-redundant – Default availability option.

TCP reset – Optional feature to send RST on idle timeout.

Edge Cases and Exceptions

If you attach a NAT Gateway to a subnet that already has a default route via UDR, the UDR takes precedence. The NAT Gateway is ignored.

If you need outbound connectivity to on-premises (via ExpressRoute or VPN), NAT Gateway is not used; traffic goes through the gateway subnet.

NAT Gateway does not support ICMP, but ICMP error messages (like TTL exceeded) are passed through.

You cannot use NAT Gateway with Azure Firewall in the same subnet; they are separate solutions.

How to Eliminate Wrong Answers

If a question mentions inbound connectivity, eliminate NAT Gateway.

If a question mentions IPv6, eliminate NAT Gateway.

If a question mentions Basic SKU, eliminate NAT Gateway.

If a question mentions needing multiple VNets, check if NAT Gateway is per VNet.

If a question mentions manual routing, check if NAT Gateway adds implicit route.

Key Takeaways

Azure NAT Gateway is a fully managed, outbound-only NAT service for private subnets.

Each public IP provides 64,512 SNAT ports; maximum 16 public IPs per NAT Gateway.

Default idle timeout is 4 minutes, configurable from 4 to 120 minutes.

Only Standard SKU public IPs are supported; Basic SKU is not.

NAT Gateway is attached to subnets (up to 10) and adds an implicit default route.

NAT Gateway does not support inbound connections, IPv6, or ICMP translation.

For high availability, deploy zone-redundant NAT Gateway.

Monitor SNAT port usage via Azure Monitor metrics (SNATConnectionCount).

NAT Gateway is the recommended outbound method for Azure (as per best practices).

If a UDR with 0.0.0.0/0 exists, it overrides the NAT Gateway's implicit route.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure NAT Gateway

Dedicated outbound-only service, no inbound dependencies.

Automatically scales up to 100 Gbps throughput.

Up to 16 public IPs, 64,512 SNAT ports per IP.

No additional cost for inbound traffic; pay only for NAT Gateway and public IPs.

Simpler configuration: attach to subnet, no outbound rules needed.

Azure Load Balancer Outbound Rules

Requires a Standard Load Balancer (even if not used for inbound).

Manual scaling via outbound rules; limited by load balancer SKU.

SNAT port pool depends on number of frontend IPs (up to 128,000 ports per IP with multiple frontends).

You pay for the load balancer even if no inbound traffic.

More complex: configure outbound rules, backend pool, and health probes.

Watch Out for These

Mistake

NAT Gateway provides inbound connectivity from the internet.

Correct

NAT Gateway is outbound-only. It translates private source IPs to public IPs for outbound traffic but does not allow inbound connections. For inbound, use Azure Load Balancer, Application Gateway, or public IPs on VMs.

Mistake

You need to create a user-defined route to direct traffic to NAT Gateway.

Correct

When NAT Gateway is attached to a subnet, it automatically adds an implicit default route (0.0.0.0/0) with next hop 'Internet' via the NAT Gateway. No manual UDR is required. However, if a UDR with 0.0.0.0/0 exists, it takes precedence.

Mistake

Each VM gets its own dedicated SNAT port pool.

Correct

SNAT ports are shared across all VMs in the subnet(s) attached to the NAT Gateway. The total pool of 64,512 ports per public IP is used by all VMs. If one VM consumes many ports, others may experience exhaustion.

Mistake

NAT Gateway supports both IPv4 and IPv6.

Correct

NAT Gateway only supports IPv4. IPv6 is not supported. For IPv6 outbound, consider Azure Firewall or other solutions.

Mistake

NAT Gateway can be attached to multiple virtual networks.

Correct

A NAT Gateway can only be attached to subnets within the same virtual network and region. It cannot span multiple VNets. However, one NAT Gateway can be attached to up to 10 subnets within that VNet.


Frequently Asked Questions

Can I use NAT Gateway for inbound connections?

No, Azure NAT Gateway is outbound-only. It translates private IPs to public IPs for outbound traffic and allows return traffic, but it does not accept unsolicited inbound connections from the internet. For inbound, use Azure Load Balancer, Application Gateway, or assign a public IP directly to the VM.

How many SNAT ports does each public IP provide?

Each public IP assigned to a NAT Gateway provides 64,512 SNAT ports. You can assign up to 16 public IPs, giving a total of 1,032,192 SNAT ports. These ports are shared across all VMs in the attached subnets.

What is the default idle timeout for NAT Gateway?

The default idle timeout is 4 minutes. It can be configured between 4 and 120 minutes. After the idle timeout, the SNAT mapping is removed. You can optionally enable TCP reset to send a RST packet when the timeout occurs.

Does NAT Gateway support IPv6?

No, Azure NAT Gateway only supports IPv4. IPv6 outbound connectivity is not supported. For IPv6, consider Azure Firewall or other solutions.

Can I attach NAT Gateway to subnets in different virtual networks?

No, a NAT Gateway can only be attached to subnets within the same virtual network and region. It can be attached to up to 10 subnets within that VNet.

Do I need to configure a route table when using NAT Gateway?

No, when you attach a NAT Gateway to a subnet, it automatically adds an implicit default route (0.0.0.0/0) with the NAT Gateway as next hop. However, if you have an existing user-defined route (UDR) with 0.0.0.0/0, that UDR takes precedence.

What happens if I use a Basic SKU public IP with NAT Gateway?

NAT Gateway only supports Standard SKU public IPs. If you try to use a Basic SKU, the creation or attachment will fail. You must use Standard SKU public IPs or public IP prefixes.
