How can multiple flows to different destination IP addresses, ports, and
protocols share a single SNAT port?
Per the outbound connection, one SNAT port is consumed per flow to a single destination IP address and port. This indicates that, besides the source information being rewritten from the virtual network private IP address and source port to the public IP and SNAT port, every TCP flow mapping also considers the destination IP address and port when one SNAT port is consumed.
Multiple flows, each to a different destination IP address, port, and protocol, share a single SNAT port: since there is a different destination IP address, the 5-tuple (the same source public IP, SNAT port, and protocol; a different destination IP address and port) makes the flows unique without the need for additional source ports to distinguish them.
When there is a response back from 4.5.6.7:80, how does Azure know to
which internal IP it has to send since they share the same port
number?
In this scenario, when the response comes back from 4.5.6.7, the destination server 4.5.6.7 does not know the internal IP 10.10.10.40:11111, as it is hidden behind the VIP because of the SNAT. So the response is sent to the VIP and SNAT port, 64.56.12.3:5678. The system will translate the VIP and SNAT port back to the source IP and source port according to the TCP flow mapping table (which includes the destination IP address and port): 10.10.10.40:11111 -> 64.56.12.3:5678 -> 4.5.6.7:80.
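
The lookup described above, as an added example that is not part of the original answer and is a simplified model rather than Azure's implementation. The `SnatTable` class, the two-port pool, and the second VM and destination (10.10.10.41, 8.9.10.11:443) are constructed for illustration.

```python
# Simplified model of 5-tuple SNAT; an illustration, not Azure's actual code.
VIP = "64.56.12.3"  # public IP used in the answer above


class SnatTable:
    def __init__(self, ports):
        self.ports = list(ports)  # SNAT ports available on the VIP (assumed pool)
        self.outbound = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> snat_port
        self.inbound = {}   # (proto, snat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the (VIP, SNAT port) an outbound flow is rewritten to."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound:  # an existing flow keeps its mapping
            return VIP, self.outbound[flow]
        for port in self.ports:
            key = (proto, port, dst_ip, dst_port)
            if key not in self.inbound:  # port is still unique for this destination
                self.outbound[flow] = port
                self.inbound[key] = (src_ip, src_port)
                return VIP, port
        raise RuntimeError("SNAT port exhaustion for this destination")

    def translate_in(self, proto, remote_ip, remote_port, snat_port):
        """Map a response arriving at VIP:snat_port back to the private endpoint.

        Returns None when no flow matches, so unsolicited packets are not forwarded.
        """
        return self.inbound.get((proto, snat_port, remote_ip, remote_port))


def demo():
    table = SnatTable(ports=[5678, 5679])
    # Flow from the answer: 10.10.10.40:11111 -> 4.5.6.7:80
    a = table.translate_out("tcp", "10.10.10.40", 11111, "4.5.6.7", 80)
    # Constructed second VM to a different destination: reuses SNAT port 5678
    b = table.translate_out("tcp", "10.10.10.41", 22222, "8.9.10.11", 443)
    # Same destination as flow a: needs a different SNAT port to stay unique
    c = table.translate_out("tcp", "10.10.10.41", 22223, "4.5.6.7", 80)
    # Responses to the shared port are separated by their remote IP and port
    back_a = table.translate_in("tcp", "4.5.6.7", 80, 5678)
    back_b = table.translate_in("tcp", "8.9.10.11", 443, 5678)
    return a, b, c, back_a, back_b


if __name__ == "__main__":
    print(demo())
```

Port exhaustion in this model happens only when every port in the pool is already in use toward the same destination IP, port, and protocol.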