This post was co-authored by Suren Jamiyanaa, Product Manager II, Azure Networking.
As large organizations across all industries grow their cloud business and operations, one core requirement for their cloud infrastructure is the ability to make connections over the internet at scale. However, a common outbound connectivity problem encountered when handling large-scale outbound traffic is source network address translation (SNAT) port exhaustion. Each time a new connection to the same destination endpoint is made over the internet, a new SNAT port is consumed. SNAT port exhaustion occurs when all available SNAT ports have been used up. Environments that routinely make many connections to the same destination, such as accessing a database hosted in a service provider's data center, are susceptible to SNAT port exhaustion. When connecting outbound to the internet, customers must consider not only risks such as SNAT port exhaustion but also how to secure their outbound traffic.
Azure Firewall is an intelligent security service that protects cloud infrastructures against new and emerging attacks by filtering network traffic. All outbound internet traffic that passes through Azure Firewall is inspected, secured, and undergoes SNAT to hide the original client IP address. To strengthen outbound connectivity, Azure Firewall can be scaled out by associating multiple public IPs with it. Some large-scale environments may require manually associating up to hundreds of public IPs with the firewall in order to meet the demand of large-scale workloads, which can be a challenge to manage long-term. Partner destinations also commonly limit the number of IPs that can be whitelisted at their sites, which creates further challenges when firewall outbound connectivity must be scaled out with many public IPs. Without scaling this outbound connectivity, customers are more susceptible to outbound connectivity failures caused by SNAT port exhaustion.
This is where network address translation (NAT) gateway comes in. NAT gateway can be easily deployed to an Azure Firewall subnet to automatically scale connections and filter traffic through the firewall before it reaches the internet. NAT gateway not only provides a larger SNAT port inventory with fewer public IPs, but its distinctive method of SNAT port allocation is specifically designed to handle dynamic and large-scale workloads. NAT gateway's dynamic allocation and randomized selection of SNAT ports significantly reduce the risk of SNAT port exhaustion while also keeping the management overhead of public IPs to a minimum.
In this blog, we'll explore the benefits of using NAT gateway with Azure Firewall as well as how to integrate both into your architecture to ensure you have the best setup for meeting your security and scalability needs for outbound connectivity.
Benefits of using NAT Gateway with Azure Firewall
One of the greatest benefits of integrating NAT gateway into your firewall architecture is the scalability it provides for outbound connectivity. SNAT ports are a key component in making new connections over the internet and in distinguishing different connections from one another when they originate from the same source endpoint. NAT gateway provides 64,512 SNAT ports per public IP and can scale out to use 16 public IP addresses. This means that, when fully scaled out with 16 public IP addresses, NAT gateway provides over 1 million SNAT ports. Azure Firewall, on the other hand, supports 2,496 SNAT ports per public IP per virtual machine instance within a virtual machine scale set (minimum of two instances). This means that to reach the same SNAT port inventory as a fully scaled-out NAT gateway, the firewall may require up to 200 public IPs. Not only does NAT gateway offer more SNAT ports with fewer public IPs, but those SNAT ports are allocated on demand to any virtual machine in the subnet. On-demand SNAT port allocation is key to how NAT gateway significantly reduces the risk of common outbound connectivity problems such as SNAT port exhaustion.
NAT gateway also provides 50 Gbps of data throughput for outbound traffic, which can be used alongside a standard SKU Azure Firewall, which provides 30 Gbps of data throughput. Premium SKU Azure Firewall provides 100 Gbps of data throughput.
With NAT gateway you also ensure that your outbound traffic is fully secure, since no inbound traffic can get through NAT gateway. All inbound traffic is subject to the security rules enabled on the Azure Firewall before it can reach any private resources within your cloud infrastructure.
To learn more about the other benefits that NAT gateway offers in Azure Firewall architectures, see NAT gateway integration with Azure Firewall.
How to get the most out of using NAT Gateway with Azure Firewall
Let's take a look at how to set up NAT gateway with Azure Firewall and how connectivity to and from the internet works once both are integrated into your cloud architecture.
Production-ready outbound connectivity with NAT Gateway and Azure Firewall
For production workloads, Azure recommends separating Azure Firewall and production workloads into a hub and spoke topology. Introducing NAT gateway into this setup is simple and can be done in just a couple of short steps. First, deploy Azure Firewall to an Azure Firewall Subnet within the hub virtual network (VNet). Attach NAT gateway to the Azure Firewall Subnet, add up to 16 public IP addresses, and you're done. Once configured, NAT gateway becomes the default route for all outbound traffic from the Azure Firewall Subnet. This means that internet-bound traffic (traffic matching the prefix 0.0.0.0/0) routed from the spoke VNets to the hub VNet's Azure Firewall Subnet will automatically use the NAT gateway to connect outbound. Because NAT gateway is fully managed by Azure, it allocates SNAT ports and scales to meet your outbound connectivity needs automatically. No additional configuration is required.
Figure: Separate the Azure Firewall from the production workloads in a hub and spoke topology and attach NAT gateway to the Azure Firewall Subnet in the hub virtual network. Once configured, all outbound traffic from your spoke virtual networks is directed through NAT gateway, and all return traffic is directed back to the Azure Firewall public IP to maintain flow symmetry.
How to set up NAT Gateway with Azure Firewall
To make sure your workloads are set up to route to the Azure Firewall Subnet and use NAT gateway for connecting outbound, follow these steps:
- Deploy your firewall to an Azure Firewall Subnet within its own virtual network. This will be the hub VNet.
- Add NAT gateway to the Azure Firewall Subnet and attach at least one public IP address.
- Deploy your workloads to subnets in separate virtual networks. These virtual networks will be the spokes. Create as many spoke VNets for your workload as needed.
- Set up VNet peering between the hub and spoke VNets.
- Insert a route in the spoke subnets that sends 0.0.0.0/0 internet traffic to the Azure Firewall.
- Add a network rule to the firewall policy to allow traffic from the spoke VNets to the internet.
Refer to this tutorial for step-by-step guidance on how to deploy NAT gateway and Azure Firewall in a hub and spoke topology.
Once NAT gateway is deployed to the Azure Firewall Subnet, all outbound traffic is directed through the NAT gateway. Normally, NAT gateway also receives any return traffic. However, in the presence of Azure Firewall, NAT gateway is used for outbound traffic only. All inbound and return traffic is directed through the Azure Firewall in order to ensure traffic flow symmetry.
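The six steps above as one Azure CLI script. This is an added example, not code from the original post or from Microsoft: every resource name, address range and the region are placeholders chosen here, the `az network firewall` commands come from the azure-firewall CLI extension, and the only fixed name is AzureFirewallSubnet, which Azure requires for the firewall's subnet.

```shell
#!/usr/bin/env bash
# Hub-and-spoke deployment of Azure Firewall plus NAT gateway (added example).
# Resource names, prefixes and region are placeholders; AzureFirewallSubnet is required by Azure.
set -eu

RG="${RG:-rg-hubspoke-example}"
LOCATION="${LOCATION:-eastus}"
HUB_VNET="vnet-hub";      HUB_PREFIX="10.0.0.0/16";   FW_SUBNET="AzureFirewallSubnet"; FW_SUBNET_PREFIX="10.0.1.0/26"
SPOKE_VNET="vnet-spoke1"; SPOKE_PREFIX="10.1.0.0/16"; SPOKE_SUBNET="snet-workload";    SPOKE_SUBNET_PREFIX="10.1.1.0/24"
FW_NAME="fw-hub"; FW_POLICY="fwpol-hub"; NATGW="natgw-hub"; ROUTE_TABLE="rt-spoke-to-fw"
NATGW_PIP_COUNT="${NATGW_PIP_COUNT:-2}"   # the post allows 1..16 public IPs on the NAT gateway

# NAT gateway accepts between 1 and 16 public IPs; refuse anything else before touching Azure.
check_natgw_pip_count() { [ "$1" -ge 1 ] && [ "$1" -le 16 ]; }

# Azure only deploys a firewall into a subnet literally named AzureFirewallSubnet.
check_firewall_subnet_name() { [ "$1" = "AzureFirewallSubnet" ]; }

# Step 1: hub VNet with the firewall subnet, a firewall policy, and the firewall itself.
deploy_hub_firewall() {
  az group create -n "$RG" -l "$LOCATION" -o none
  az network vnet create -g "$RG" -n "$HUB_VNET" --address-prefix "$HUB_PREFIX" \
    --subnet-name "$FW_SUBNET" --subnet-prefixes "$FW_SUBNET_PREFIX" -o none
  az network public-ip create -g "$RG" -n pip-fw --sku Standard --allocation-method Static -o none
  az network firewall policy create -g "$RG" -n "$FW_POLICY" -o none
  az network firewall create -g "$RG" -n "$FW_NAME" --firewall-policy "$FW_POLICY" -o none
  az network firewall ip-config create -g "$RG" -f "$FW_NAME" -n ipconfig-fw \
    --public-ip-address pip-fw --vnet-name "$HUB_VNET" -o none
}

# Step 2: NAT gateway with its own static public IPs, attached to the firewall subnet.
deploy_nat_gateway() {
  pips=""
  for i in $(seq 1 "$NATGW_PIP_COUNT"); do
    az network public-ip create -g "$RG" -n "pip-natgw-$i" --sku Standard --allocation-method Static -o none
    pips="$pips pip-natgw-$i"
  done
  # shellcheck disable=SC2086  (word-splitting of $pips is intended: one name per argument)
  az network nat gateway create -g "$RG" -n "$NATGW" --public-ip-addresses $pips --idle-timeout 4 -o none
  az network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" -n "$FW_SUBNET" --nat-gateway "$NATGW" -o none
}

# Steps 3 and 4: a spoke VNet for the workload, peered in both directions with the hub.
deploy_spoke_and_peering() {
  az network vnet create -g "$RG" -n "$SPOKE_VNET" --address-prefix "$SPOKE_PREFIX" \
    --subnet-name "$SPOKE_SUBNET" --subnet-prefixes "$SPOKE_SUBNET_PREFIX" -o none
  az network vnet peering create -g "$RG" -n hub-to-spoke1 --vnet-name "$HUB_VNET" \
    --remote-vnet "$SPOKE_VNET" --allow-vnet-access --allow-forwarded-traffic -o none
  az network vnet peering create -g "$RG" -n spoke1-to-hub --vnet-name "$SPOKE_VNET" \
    --remote-vnet "$HUB_VNET" --allow-vnet-access --allow-forwarded-traffic -o none
}

# Step 5: route 0.0.0.0/0 from the spoke subnet to the firewall's private IP.
route_spoke_to_firewall() {
  fw_ip=$(az network firewall show -g "$RG" -n "$FW_NAME" \
            --query "ipConfigurations[0].privateIPAddress" -o tsv)
  az network route-table create -g "$RG" -n "$ROUTE_TABLE" -o none
  az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" -n default-to-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" -o none
  az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" -n "$SPOKE_SUBNET" \
    --route-table "$ROUTE_TABLE" -o none
}

# Step 6: network rule in the firewall policy allowing the spoke range out to the internet.
allow_spoke_to_internet() {
  az network firewall policy rule-collection-group create -g "$RG" --policy-name "$FW_POLICY" \
    -n rcg-outbound --priority 200 -o none
  az network firewall policy rule-collection-group collection add-filter-collection -g "$RG" \
    --policy-name "$FW_POLICY" --rcg-name rcg-outbound -n rc-spoke-internet --collection-priority 100 \
    --action Allow --rule-type NetworkRule --rule-name allow-spoke-to-internet \
    --source-addresses "$SPOKE_PREFIX" --destination-addresses '*' --destination-ports '*' \
    --ip-protocols TCP UDP -o none
}

main() {
  check_natgw_pip_count "$NATGW_PIP_COUNT" || { echo "NATGW_PIP_COUNT must be 1..16" >&2; return 1; }
  check_firewall_subnet_name "$FW_SUBNET" || { echo "firewall subnet must be AzureFirewallSubnet" >&2; return 1; }
  deploy_hub_firewall; deploy_nat_gateway; deploy_spoke_and_peering
  route_spoke_to_firewall; allow_spoke_to_internet
}

# Only touch Azure when explicitly asked; running or sourcing the file without --apply just defines the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `NATGW_PIP_COUNT=4 ./deploy.sh --apply` after `az login`. Return traffic for the spoke's flows comes back to the firewall's public IP rather than to the NAT gateway IPs, so the allowlist at a partner site needs the NAT gateway's public IPs only for the outbound direction, which is the point of keeping that set small.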
- Can NAT gateway be used in a secured hub virtual network architecture with Azure Firewall?
- No, NAT gateway is not supported in a secured hub (vWAN) architecture. A hub virtual network architecture as described above must be used instead.
- How does NAT gateway work with a zone-redundant Azure Firewall?
- NAT gateway is a zonal resource that provides outbound connectivity from a single zone for a virtual network, regardless of whether it is used with a zonal or a zone-redundant Azure Firewall. To learn more about how to optimize your availability zone deployments with NAT gateway, refer to our previous blog.
Benefits of NAT Gateway with Azure Firewall
When it comes to providing outbound connectivity to the internet from cloud architectures that use Azure Firewall, look no further than NAT gateway. The benefits of using NAT gateway with Azure Firewall include:
- Simple configuration. Attach NAT gateway to the Azure Firewall Subnet in a matter of minutes and start connecting outbound immediately. No additional configuration required.
- Fully managed by Azure. NAT gateway is fully managed by Azure and automatically scales to meet the demand of your workload.
- Requires fewer static public IPs. NAT gateway can be associated with up to 16 static public IP addresses, which allows for easy whitelisting at destination endpoints and simpler management of downstream IP filtering rules.
- Provides a greater number of SNAT ports for connecting outbound. NAT gateway can scale to over 1 million SNAT ports when configured with 16 public IP addresses.
- Dynamic SNAT port allocation ensures that the full inventory of SNAT ports is available to every virtual machine in your workload. This in turn helps to significantly reduce the risk of SNAT port exhaustion that is common with other SNAT methods.
- Secure outbound connectivity. Ensures that no inbound traffic from the internet can reach private resources within your Azure network. All inbound and response traffic is subject to the security rules on the Azure Firewall.
- Higher data throughput. A standard SKU NAT gateway provides 50 Gbps of data throughput. A standard SKU Azure Firewall provides 30 Gbps of data throughput.
Learn more
For more information on NAT Gateway, Azure Firewall, and how to integrate both into your architecture, see: