NAT Gateway v2 Overview

By John Savill's Technical Training


Network Address Translation (NAT) Gateway v2: An Update

Key Concepts:

  • NAT (Network Address Translation): A method of mapping multiple private IP addresses to a smaller number of public IP addresses, enabling devices on a private network to access the internet.
  • SNAT (Source Network Address Translation): The specific type of NAT used by NAT Gateway, rewriting the source IP address and port of outbound traffic.
  • Private IP Addresses: Non-routable IPv4 addresses from the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, i.e. 172.16.x.x - 172.31.x.x, and 192.168.0.0/16) used within private networks.
  • Public IP Addresses: Globally routable IP addresses used for communication on the internet.
  • NAT Gateway: An Azure service providing scalable, highly available outbound internet access for resources in a virtual network.
  • Zone Redundancy: Distributing resources across multiple availability zones within a region to provide high availability and fault tolerance.
  • Dual-Stack VNet: A virtual network configured to support both IPv4 and IPv6 addresses.
  • Flow Logs: Per-flow records of the IP traffic passing through a network resource (here, the NAT Gateway), giving visibility into which internal sources talked to which external destinations.

1. The Need for NAT and NAT Gateway

The video begins by reiterating the fundamental problem NAT solves: the scarcity of IPv4 addresses. With the proliferation of internet-connected devices (even toasters!), a single public IP address per device is unsustainable. Networks, whether home networks, office networks, or Azure Virtual Networks (VNets), assign private IP addresses to internal resources. These private IPs (typically starting with 10, 172.16-172.31, or 192.168) are not directly routable on the internet.

NAT Gateway provides a scalable, managed way to give resources in an Azure VNet outbound internet access. It lets many internal devices share a small number of public IP addresses by rewriting the source IP address and port of outbound traffic to the gateway's public IP and an available port. When a response comes back, the gateway reverses the translation and forwards the traffic to the correct internal resource. Only traffic that matches an existing outbound mapping is forwarded inward; the gateway is an egress path, not an inbound entry point.

2. How NAT Gateway Works: SNAT in Detail

The video explains the Source Network Address Translation (SNAT) process. When a virtual machine (VM) with a private IP address (e.g., Private IP 1, source port 4901) attempts to connect to a service on the internet (e.g., HTTPS on port 443), the traffic is routed through the NAT Gateway. The gateway replaces the source IP and port with its own public IP and an available port (e.g., Public IP 1, port 10000).

A mapping table is maintained to track these translations. When the response arrives at the gateway (Public IP 1, port 10000), the gateway uses the mapping table to forward the traffic to the original VM (Private IP 1, port 4901). The ports used by the gateway are ephemeral: they are assigned dynamically and returned to the pool after a session ends, so a single public IP can serve a large number of concurrent connections (Azure provides 64,512 SNAT ports per public IP). A flow is identified by its full five-tuple, so the same SNAT port can be reused toward a different destination; if every port toward one destination is in use, new flows to it fail (SNAT port exhaustion) until ports are released or more public IPs are attached.
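The mapping-table walk-through above, as an added example that is not code from the video or from Azure: a toy SNAT table in Python using constructed RFC 5737 documentation addresses and a deliberately tiny port pool, so that port reuse across destinations, reply matching, dropped unsolicited traffic and SNAT port exhaustion all show up in a few lines. The class and method names are this example's own.

```python
"""Toy model of the SNAT mapping table described above.

Added illustration, not Azure's implementation: the addresses, port range
and flows below are constructed for the example. It models the points that
matter operationally: a flow is keyed on its full five-tuple, a SNAT port
can be reused toward a different destination, unsolicited inbound packets
match nothing and are dropped, and running out of ports toward a
destination is a hard failure (SNAT port exhaustion).
"""
from typing import Dict, Iterable, Optional, Tuple

# Private-side five-tuple of an outbound flow: (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]
# Internet-side identity of the same flow: (public_ip, snat_port)
Translated = Tuple[str, int]
# Reverse-lookup key for a reply: (public_ip, snat_port, remote_ip, remote_port, proto)
ReplyKey = Tuple[str, int, str, int, str]


class SnatExhausted(Exception):
    """No free SNAT port on any public IP toward this destination."""


class SnatGateway:
    # Azure NAT Gateway hands out 64,512 SNAT ports per public IP (1024-65535);
    # the constructed examples below shrink the range to force exhaustion quickly.
    def __init__(self, public_ips: Iterable[str], port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ips = list(public_ips)
        self.port_range = port_range
        self.outbound: Dict[Flow, Translated] = {}   # private flow -> public identity
        self.inbound: Dict[ReplyKey, Flow] = {}      # reply key -> private flow

    def _allocate(self, dst_ip: str, dst_port: int, proto: str) -> Translated:
        # A (public_ip, port) pair only has to be unique per destination, so the
        # same SNAT port may already be serving a flow to a different endpoint.
        lo, hi = self.port_range
        for public_ip in self.public_ips:
            for port in range(lo, hi + 1):
                if (public_ip, port, dst_ip, dst_port, proto) not in self.inbound:
                    return public_ip, port
        raise SnatExhausted(f"no SNAT port left toward {dst_ip}:{dst_port}/{proto}")

    def translate_outbound(self, src_ip: str, src_port: int, dst_ip: str,
                           dst_port: int, proto: str = "tcp") -> Translated:
        """Rewrite the source of an outbound packet; reuse the mapping for an existing flow."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port, proto)
        if flow in self.outbound:
            return self.outbound[flow]
        public_ip, snat_port = self._allocate(dst_ip, dst_port, proto)
        self.outbound[flow] = (public_ip, snat_port)
        self.inbound[(public_ip, snat_port, dst_ip, dst_port, proto)] = flow
        return public_ip, snat_port

    def translate_inbound(self, public_ip: str, snat_port: int, remote_ip: str,
                          remote_port: int, proto: str = "tcp") -> Optional[Flow]:
        """Map a reply back to its private flow; None means drop (no matching outbound flow)."""
        return self.inbound.get((public_ip, snat_port, remote_ip, remote_port, proto))

    def close(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, proto: str = "tcp") -> None:
        """Release the port when the session ends. A real gateway holds a released
        port for a reuse timer before reassigning it; this toy releases immediately."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port, proto)
        public_ip, snat_port = self.outbound.pop(flow)
        del self.inbound[(public_ip, snat_port, dst_ip, dst_port, proto)]

    def ports_in_use(self, public_ip: str) -> int:
        return sum(1 for key in self.inbound if key[0] == public_ip)


def demo() -> dict:
    """Walk through the scenario in the text with a constructed two-port pool."""
    gw = SnatGateway(public_ips=["203.0.113.10"], port_range=(10000, 10001))
    out = {}
    # VM at Private IP 1, source port 4901, to an HTTPS endpoint: takes the first free port.
    out["vm1"] = gw.translate_outbound("10.0.1.4", 4901, "198.51.100.7", 443)
    # A second VM to the same endpoint needs a different port.
    out["vm2"] = gw.translate_outbound("10.0.1.5", 50000, "198.51.100.7", 443)
    # A flow to a different endpoint can reuse port 10000.
    out["vm3_other_dst"] = gw.translate_outbound("10.0.1.6", 50001, "198.51.100.8", 443)
    # A third flow to the first endpoint finds no free port: SNAT port exhaustion.
    try:
        gw.translate_outbound("10.0.1.7", 50002, "198.51.100.7", 443)
        out["exhausted"] = False
    except SnatExhausted:
        out["exhausted"] = True
    # The reply from the endpoint is routed back to VM 1 via the mapping table.
    out["reply"] = gw.translate_inbound("203.0.113.10", 10000, "198.51.100.7", 443)
    # An unsolicited packet to the same public port from elsewhere matches nothing.
    out["unsolicited"] = gw.translate_inbound("203.0.113.10", 10000, "192.0.2.99", 443)
    # Closing VM 1's session frees port 10000 for the waiting flow.
    gw.close("10.0.1.4", 4901, "198.51.100.7", 443)
    out["after_close"] = gw.translate_outbound("10.0.1.7", 50002, "198.51.100.7", 443)
    out["in_use"] = gw.ports_in_use("203.0.113.10")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the toy makes concrete for operations. First, the reverse lookup only succeeds for a flow the private side opened, which is why a NAT Gateway is not an inbound attack surface; the egress side, however, is unrestricted unless an NSG or firewall limits destinations, and flow logs are how you see where traffic actually went. Second, exhaustion is per destination and is the failure mode to monitor: long-lived or idle connections to one busy endpoint hold ports, and the remedies are attaching more public IPs to the gateway or shortening idle connections, not adding VMs.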

3. NAT Gateway Configuration and Limitations

NAT Gateway is a regional resource that is attached to subnets of a single Azure VNet; it cannot span multiple VNets. It can be linked to up to 800 subnets within that VNet. Linking a NAT Gateway to a subnet changes the subnet's default internet route (0.0.0.0/0) so that outbound traffic goes through the gateway.

Importantly, only one NAT Gateway can be associated with a given subnet. Multiple NAT Gateways can be deployed, each linked to different subnets, to segment traffic or to scale beyond the 800-subnet limit. The video notes that while giving resources public IPs or using standard load balancers can also provide internet access, those methods do not scale as effectively as NAT Gateway; where a subnet has a NAT Gateway, it takes precedence over those other outbound methods.

4. NAT Gateway v2: Key Improvements

The primary focus of the video is the release of NAT Gateway v2 and its significant enhancements:

  • Zone Redundancy: The most substantial improvement. NAT Gateway v2 is always zone redundant. Previous versions (v1) were either regional or zonal, requiring complex architectures to achieve high availability. With v2, the underlying microservices are distributed across all three availability zones within a region, eliminating the need for multiple gateways and simplifying management. This also reduces costs, as you no longer need to deploy and maintain multiple regional or zonal gateways.
  • IPv6 Support: NAT Gateway v2 supports both IPv4 and IPv6 addresses, allowing for up to 16 of each. This requires the VNet to be dual-stack (configured with both IPv4 and IPv6). NAT66 (IPv6 to IPv6 NAT) is used for IPv6 traffic.
  • Increased Throughput: NAT Gateway v2 offers significantly increased throughput: 100 gigabits per second (compared to 50 Gbps in v1) and 10 million packets per second. Individual connections can scale up to 1 Gbps and 100,000 packets per second.
  • Flow Logs: Flow logs provide detailed visibility into network traffic flowing through the NAT Gateway, aiding in troubleshooting, security analysis, and monitoring.
  • Public IP v2: NAT Gateway v2 requires the use of the new "Public IP v2" type, which has internal changes to support the zone redundancy.

5. Cost and Compatibility

The video emphasizes that the cost of NAT Gateway v2 is the same as v1. The added features, particularly zone redundancy, are provided at no additional cost. However, it notes that some services are not yet compatible with NAT Gateway v2 (a list is provided in the video description), but compatibility is expected to expand over time.

Quote: "…the huge, huge thing is that zone redundancy. It completely changes the architecture and how I can think about using it." – Speaker, highlighting the primary benefit of v2.


Conclusion:

NAT Gateway v2 represents a significant improvement over its predecessor, offering enhanced scalability, availability, and features without increasing cost. The introduction of zone redundancy simplifies architecture and reduces management overhead, while IPv6 support and increased throughput cater to evolving network requirements. The addition of flow logs provides valuable insights into network traffic, improving observability and security. For any Azure environment requiring scalable outbound internet access, migrating to NAT Gateway v2 is highly recommended.
