
What is Azure NAT Gateway | What is SNAT Port Exhaustion | Azure Standard Logic App Static Outbound IP Address

By Sri Gunnala
Published in Microsoft Azure
January 09, 2023
3 min read

Azure NAT Gateway is a Network Address Translation service. It provides outbound connectivity for one or more subnets of a virtual network. In this blog, we will cover:

  1. What Azure NAT Gateway is.
  2. What the SNAT port exhaustion issue is.
  3. Why Azure NAT Gateway was introduced and which business problems it solves.
  4. The most commonly used business case: how to give an Azure Standard Logic App a static outbound IP address.


Why Azure NAT Gateway

We were making outbound connections in Azure before the NAT gateway was introduced, and we still make them today without one. So why Azure NAT Gateway? Do we really need to worry about it? The short answer: not unless you open a very large number of TCP connections in a short time. Let’s understand this.

[Figure: Azure NAT Gateway]

Let’s say we have a virtual network with a basic subnet, and this subnet is deployed with some VMs and a scale set. We also have another subnet where an App Service is deployed to host an API or website.

This Azure virtual network is a private network; access to the resources inside the VNET is restricted. Now let’s talk about outbound connectivity. If the resources inside this virtual network need to talk to an API that is publicly available over the internet, the API sometimes needs to know which IP address the request came from. But the resources inside the VNET have private IP addresses, so a private address has to be translated to a public IP address before the outbound connection is made.

[Figure: Azure NAT Gateway]

Each of these TCP connections needs a port associated with it, and there are only ~65K ports available. That is a huge number of ports, but if we don’t design our application correctly (for example, if we don’t reuse connections and open a lot of them) we can burn through these ports easily.

Interestingly, because of the way Azure works today, you don’t really have ~65K ports available unless a static public IP address is associated with the resource (for example, your VM). You actually get far fewer ports: it could be 1024 or even less than that. When no ports are available, new connections fail. They don’t fail as refused connections; they simply time out. This is called SNAT port exhaustion.

CASE 1: If your VM has a static IP address, it has access to all ~65K ports. If you make a huge number of TCP connections in a short time and don’t reuse them, you might run into the SNAT port exhaustion problem.

CASE 2: If your VM doesn’t have a static IP address, it has fewer ports to use, and if you make many TCP connections in a short time without reusing them, you will most likely run into the SNAT port exhaustion problem.
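As an added example (not code from the original post), the Python script below makes the cost of "not reusing connections" visible against a throwaway local HTTP server: every new TCP connection takes a fresh client port, which behind a NAT means a fresh SNAT port, whereas a kept-alive connection carries all of its requests over a single port. It also sizes the SNAT pool with Little's law using the figures the post quotes (a 1024-port allocation) and the 64,512 SNAT ports a NAT gateway provides per public IP address (that figure comes from Azure's NAT gateway documentation, not from this post). The local server, the request count and the 240-second hold time used in the usage are constructed values.

```python
"""Count how many client-side ports a burst of HTTP requests consumes
with and without connection reuse, against a throwaway local server.
Added example; the server, request counts and hold time are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# SNAT pool sizes discussed on the page: a small default allocation versus
# the 64,512 SNAT ports a NAT gateway exposes per public IP (Azure docs).
SMALL_DEFAULT_POOL = 1_024
NAT_GATEWAY_PORTS_PER_IP = 64_512


class _EchoHandler(BaseHTTPRequestHandler):
    """Minimal HTTP/1.1 handler so the client can keep the socket open."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):  # keep the demo quiet
        pass


def _start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), _EchoHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def ports_new_connection_per_request(host, port, n):
    """Anti-pattern: a fresh TCP connection for every request.
    Returns the distinct local ports used (each one maps to a SNAT port)."""
    ports = set()
    for _ in range(n):
        conn = http.client.HTTPConnection(host, port)
        conn.request("GET", "/")
        ports.add(conn.sock.getsockname()[1])
        conn.getresponse().read()
        conn.close()  # the client-side socket lingers in TIME_WAIT; the port stays held
    return ports


def ports_with_connection_reuse(host, port, n):
    """Keep-alive: one TCP connection carries all n requests."""
    ports = set()
    conn = http.client.HTTPConnection(host, port)
    for _ in range(n):
        conn.request("GET", "/")
        ports.add(conn.sock.getsockname()[1])
        conn.getresponse().read()  # drain the body so the socket can be reused
    conn.close()
    return ports


def compare(n=20):
    """Run both patterns against a local server; return distinct port counts."""
    server, thread = _start_server()
    try:
        host, port = server.server_address
        return {
            "new_connection_per_request": len(ports_new_connection_per_request(host, port, n)),
            "connection_reuse": len(ports_with_connection_reuse(host, port, n)),
        }
    finally:
        server.shutdown()
        server.server_close()
        thread.join()


def ports_in_use(connections_per_second, hold_seconds):
    """Little's law: concurrently held SNAT ports = new flows per second * hold time.
    hold_seconds is the flow lifetime plus the NAT's idle/TIME_WAIT hold."""
    return connections_per_second * hold_seconds


def will_exhaust(connections_per_second, hold_seconds, pool_size):
    """True when the steady-state port demand exceeds the SNAT pool."""
    return ports_in_use(connections_per_second, hold_seconds) > pool_size


if __name__ == "__main__":
    print(compare())
    # 100 new flows/s held for 240 s (constructed figures) needs 24,000 ports:
    for pool in (SMALL_DEFAULT_POOL, NAT_GATEWAY_PORTS_PER_IP):
        print(pool, "ports ->", "exhausted" if will_exhaust(100, 240, pool) else "ok")
```

The measurement side shows the first case on the page: each connection that is opened and closed burns its own port, while a reused connection holds one. The sizing side shows why the same application can be fine behind a NAT gateway's pool and time out behind a 1024-port allocation: the demand does not change, only the pool does.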

To solve this problem, Microsoft introduced NAT Gateway, which routes all outbound traffic through a public static IP address.

When should you use NAT Gateway?

  1. If your app makes connections infrequently and you only have one or two VMs, a NAT gateway is probably not the thing for you.
  2. If you have a VM scale set and many different resources in the VNET making outbound connections, consider it.
  3. If you have an App Service or a Standard Logic App, you can use a NAT gateway to get a dedicated outbound IP address.

So, what is Azure NAT Gateway? A NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network through a dedicated public IP address.

Demo

For a detailed walkthrough of this demo, watch the video.

  1. Create an Azure Standard Logic App and add a workflow that calls an Azure Function (Consumption plan) which returns whatever is posted in the request body. In a real-world scenario, this Azure Function could be a third-party API accessible over the internet.

[Figure: Azure NAT Gateway]

  2. Now configure the Azure Function’s IP restrictions to allow traffic only from one of the possible outbound IP addresses of the workflow. As soon as we impose IP restrictions on the Azure Function, the workflow breaks (whenever the outbound connection goes via a different IP). It is very cumbersome to add the whole range of possible outbound IP addresses, and in the real world we don’t want to allow so many IP addresses.

[Figure: Azure Function IP Restriction]

[Figure: Workflow fails]

  3. Create an Azure NAT Gateway with a public IP address and assign it to a subnet.

[Figure: Azure NAT Gateway]

  4. In the Standard Logic App, configure outbound traffic to route via the same subnet to which we assigned the NAT gateway.

[Figure: Azure Standard Logic App Outbound Traffic]

[Figure: Azure Standard Logic App NAT Gateway]

  5. Now configure the Azure Function’s IP restrictions to allow traffic only from the Azure NAT Gateway public IP address.

  6. Now, if we run the workflow, it should work.


Tags

#Azure #NATGateway