
I am working on an architecture on Azure where I need to create 3 private subnets where I have a bunch of VMs with private addresses only and no public address, but I want them to contact the outside for updates and so on, while nobody in the outside world can contact them (the normal private subnet thing). In AWS it is really easy, as we just have to define a NAT gateway and place it in a public subnet; there is also a bunch of information on the internet on how to do it, but almost nothing for Azure. Maybe there is no concept or terminology like different subnets on Azure.

How I am planning to do it on Azure

  1. Make a NAT gateway and attach it to all private subnets.
  2. Define an NSG where I will only define outbound traffic to 0.0.0.0/0 and no inbound from it.
  3. Default routes

Is this the right way to do it? Any suggestions?

RAJAT RAWAT
  • Interesting, I just found this: "Private IP addresses assigned to a network interface enable a virtual machine to communicate with other resources in an Azure virtual network and connected networks. A private IP address also enables outbound communication to the Internet using an unpredictable IP address" (https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses). Does it mean we don't need any NAT gateway or anything for private subnets, as VMs have outbound traffic by default? – RAJAT RAWAT Apr 09 '20 at 20:22

1 Answer


I believe you can attach a NAT Gateway to the VNet and the outbound network flow will automatically default to the NAT gateway without requiring any other changes.

From one of the Azure NAT Gateway pages: "NAT gateways are defined with a property on a subnet within a virtual network. Flows created by virtual machines on subnet subnetname of virtual network vnetname will use the NAT gateway. All outbound connectivity will use the IP addresses associated with natgatewayname as the source IP address."

So, if the documentation is accurate, you should only have to create the NAT Gateway, associate it to the subnet(s) and the outbound flows will automatically use the NAT Gateway for outbound.

Shibby
  • I found that by default Azure allows all outbound traffic, and basically every subnet is a private subnet; if you want to allow inbound traffic you have to define that in an NSG. Azure Firewall and Standard LB are some exceptions, and in that case the solution you have mentioned will work. Thank you for your time and help :) – RAJAT RAWAT Oct 21 '20 at 17:02
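The plan in the question (NAT gateway on every private subnet, NSG that blocks inbound) and the answer's point that the NAT gateway is a subnet property can be expressed as one Bicep deployment. The template below is an added example and is not code from the question, the answer or Microsoft's documentation; the resource names, address ranges and the availability zone are assumptions. Two caveats a practitioner would want alongside the comment above: the "default outbound access" that makes every Azure subnet effectively private uses an unpredictable source IP, and Microsoft has announced its retirement for new virtual networks created after 30 September 2025, so an explicit NAT gateway gives you both a stable egress IP that upstream firewalls can allow-list and a design that keeps working; and an NSG's built-in rules already allow outbound to the Internet and deny inbound from it (DenyAllInBound at priority 65500), so the explicit deny below documents intent rather than changing behaviour.

```bicep
// Added example, not from the original post: three private subnets sharing one
// NAT gateway, with an NSG that explicitly denies inbound from the Internet.
// Names, prefixes and the zone are assumptions; adjust to your environment.
param location string = resourceGroup().location
param zone string = '1'   // NAT gateway is zonal; one per zone for zone-resilient workloads

// Standard-SKU static public IP that becomes the stable egress address.
resource natPip 'Microsoft.Network/publicIPAddresses@2024-01-01' = {
  name: 'pip-natgw-private'
  location: location
  sku: { name: 'Standard' }
  zones: [zone]
  properties: { publicIPAllocationMethod: 'Static' }
}

// The NAT gateway only handles outbound flows; nothing can reach the VMs via this IP.
resource natGw 'Microsoft.Network/natGateways@2024-01-01' = {
  name: 'natgw-private'
  location: location
  sku: { name: 'Standard' }
  zones: [zone]
  properties: {
    publicIpAddresses: [ { id: natPip.id } ]
    idleTimeoutInMinutes: 4
  }
}

// NSG: the default rules already deny Internet inbound and allow Internet
// outbound; the explicit rule makes the intent visible in audits/reviews.
resource nsg 'Microsoft.Network/networkSecurityGroups@2024-01-01' = {
  name: 'nsg-private'
  location: location
  properties: {
    securityRules: [
      {
        name: 'DenyInternetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Assumed subnet layout: three private subnets in one VNet.
var privateSubnets = [
  { name: 'snet-private-1', prefix: '10.10.1.0/24' }
  { name: 'snet-private-2', prefix: '10.10.2.0/24' }
  { name: 'snet-private-3', prefix: '10.10.3.0/24' }
]

resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
  name: 'vnet-private'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [for s in privateSubnets: {
      name: s.name
      properties: {
        addressPrefix: s.prefix
        natGateway: { id: natGw.id }           // subnet-level association, as the answer quotes
        networkSecurityGroup: { id: nsg.id }
        defaultOutboundAccess: false           // opt out of implicit egress; NAT gateway is the only path out
      }
    }]
  }
}

output egressIp string = natPip.properties.ipAddress
```

No user-defined route is needed: once the subnet references the NAT gateway, Internet-bound flows from VMs without a public IP use it ahead of default outbound access. After deploying, verify from a VM with something like `curl https://ifconfig.me` and confirm the address returned equals the `egressIp` output; if it does not, the subnet association or the zone of the public IP is the first thing to check.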