Azure SNAT exhaustion - how do I know when it is happening?

Question

We think we are having Azure SNAT exhaustion issues with a group of virtual machines within Cloud Foundry. The machines are not going through a load balancer. I've been through this document: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#snatexhaust

I want to find out how, if possible, to know if we are hitting SNAT exhaustion issues without having to open a support ticket with Microsoft. Remediating or preventing the SNAT issues is NOT what I'm asking about.

Thanks,

golfalot · Answer 1 · 2020-03-09T21:10:08.573

9

For an Azure WebApp, click Diagnose and solve problems, then in search box type snat then click the SNAT Port Exhaustion item which appears as the result of your search.

edited Mar 09 '20 at 21:10

answered Mar 09 '20 at 20:22

golfalot

956
12
22

score 6 · Accepted Answer · answered Dec 05 '18 at 17:05

6

I just got off the phone with Microsoft Azure support. At this time, there is no way for us as a customer to see SNAT exhaustion without opening a ticket.

answered Dec 05 '18 at 17:05

T. Bowman

141
1
1
6

score 4 · Answer 3 · answered Dec 13 '18 at 22:30

4

I have put in an enhancement request for Microsoft to enable monitoring on it: https://feedback.azure.com/forums/231545-diagnostics-and-monitoring/suggestions/36274288-apim-load-balancer-metrics-to-view-snat-metrics-st

If it sounds like a good solution make sure to up vote it!

answered Dec 13 '18 at 22:30

Michael S Volk

41
1

Hi! Welcome to stackoverflow, thank you for the answer, be sure to check https://stackoverflow.com/help/how-to-answer you might find some useful tips – Sylhare Dec 13 '18 at 22:41

score 4 · Answer 4 · answered Nov 05 '19 at 01:36

The answer may be outdated. With Azure Standard LoadBalancer you will be able to see the following SNAT Metrics.

SNAT Connection Count
Allocated SNAT Ports
Used SNAT Ports

This is not available with Azure Basic Load Balancer, which requires support ticket to get info on SNATS.

Hope it helps.

Nancy · Answer 5 · 2018-12-05T05:55:28.503

I want to find out how, if possible, to know if we are hitting SNAT exhaustion issues

When SNAT port resources are exhausted, outbound flows fail. You could observe failing outbound connections or are advised by support that you're exhausting SNAT ports.

The outbound connections have a 4-minute idle timeout. This timeout is not adjustable. UDP SNAT ports generally exhaust much faster than TCP SNAT ports due to the difference in the algorithm used. So you may check the timeout flows via capturing networking packages using Microsoft Network Monitor on the VM or use Network Watcher for packet capture on the Azure portal.

If you have any unclear in my reply, feel free to let me know.

Thanks, that is good information but simply seeing failed connections does not confirm SNAT exhaustion. Seeing the failed connections was a clue we were having an issue but there is no way to confirm SNAT exhaustion w/o a ticket to Microsoft it turns out. — T. Bowman, Dec 05 '18 at 17:09

Azure SNAT exhaustion - how do I know when it is happening?

5 Answers5