Ensure zone resilient outbound connectivity with NAT gateway | Azure Blog and Updates


Our customers, across all industries, have a critical need for highly available and resilient cloud frameworks to ensure business continuity and adaptability of ever-growing workloads. One way that customers can achieve resilient and reliable infrastructures in Microsoft Azure (for outbound connectivity) is by setting up their deployments across availability zones in a region.

When customers need to connect outbound to the internet from their Azure infrastructures, Network Address Translation (NAT) gateway is the best way. NAT gateway is a zonal resource that is configured to subnets from the same virtual network, which means that it can be deployed to individual zones to allow outbound connectivity. Subnets and virtual networks, on the other hand, are regional constructs that are not restricted to individual zones. Subnets can contain virtual machine instances or scale sets spanning across multiple availability zones.

Even without being able to traverse multiple availability zones, NAT gateway still provides a highly resilient and reliable way to connect outbound to the internet. This is because it does not rely on any single compute instance like a virtual machine. Instead, NAT gateway leverages software-defined networking to operate as a fully managed and distributed service with built-in redundancy. This built-in redundancy means that customers are unlikely to experience individual NAT gateway resource outages or downtime in their Azure infrastructures.

To ensure that you have the optimal outbound configuration to meet your availability and security needs while also safeguarding against zonal outages, let's look at how to create zone resilient setups in Azure with NAT gateway.

Zone resilient outbound connectivity scenarios with NAT gateway

Customer setup

Let's say you're a retailer who is preparing for an upcoming Black Friday event. You anticipate that traffic to your retail website will increase significantly on the day of the sale. You decide to deploy a virtual machine scale set (VMSS) so that your compute resources can automatically scale out to meet the increased traffic demands. Scalability is not the only requirement you have in preparation for this event; you also need resiliency and security. To ensure that you safeguard against potential zonal outages that could affect traffic flow, you decide to deploy these VMSS across multiple availability zones. In addition to using VMSS in multiple availability zones, you plan to use NAT gateway to handle all outbound traffic flow in a scalable, secure, and reliable manner.

How should you set up your NAT gateway with your VMSS across multiple availability zones? Let's take a look at a few different configurations, including which setups will and won't work.

Scenario 1: Set up a single zonal NAT gateway with your zone-spanning VMSS

First, you decide to deploy a single NAT gateway resource to availability zone 1 and your VMSS across all three availability zones within the same subnet. You then configure your NAT gateway to this single subnet and to a /28 public IP prefix, which provides you a contiguous set of 16 public IP addresses for connecting outbound. Does this setup safeguard you against potential zone outages? No.

Figure 1 shows three panels, each of an Azure region that consists of 3 availability zones. Panel 1 shows that within each Azure region is a virtual network that contains a single subnet. A virtual machine scale set consists of multiple virtual machines that are deployed across all three zones within the single subnet. NAT gateway is attached to the subnet from zone 1. In panel 2, zone 1 is down, which causes a loss of outbound connectivity across all three zones since all outbound connectivity goes through the zone 1 NAT gateway. Panel 3 shows that if zone 2 goes down, only outbound connectivity for virtual machines from that zone goes down. Outbound connectivity from zones 1 and 3 persists since NAT gateway is in a zone not impacted by the zone 2 outage.

Figure 1: A single zonal NAT gateway configured to a zone-spanning set of virtual machines does not provide optimal zone resiliency. NAT gateway is deployed out of zone 1 and configured to a subnet that contains a VMSS spanning all three availability zones of the Azure region. If availability zone 1 goes down, outbound connectivity across all three zones will also go down.

Here's why:

  1. If the zone that goes down is also the zone in which NAT gateway has been deployed, then all outgoing traffic from virtual machines across all zones will be blocked.
  2. If the zone that goes down is different from the zone that NAT gateway has been deployed in, then outgoing traffic from the other zones will still flow and only virtual machines from the zone that has gone down will be impacted.

Scenario 2: Attach multiple NAT gateways to a single subnet

Since the previous configuration will not provide the highest degree of resiliency, you decide you'll instead deploy 3 NAT gateway resources, one in each availability zone, and attach them to the subnet that contains the VMSS. Will this setup work? Unfortunately, no.

Figure 2 shows an Azure region that consists of 3 availability zones. A virtual network and single subnet contains a VMSS that spans across all 3 availability zones. Only one NAT gateway resource can be attached to a subnet. Multiple NAT gateways cannot be attached to a single subnet. Two of the three zonal NAT gateways attached to the subnet are crossed out with a red X to show this is not permitted.

Figure 2: Multiple NAT gateways can't be attached to a single subnet by design.

Here's why:

A subnet can't have more than one NAT gateway attached to it, and it is not possible to set up multiple NAT gateways on a single subnet. When NAT gateway is configured to a subnet, NAT gateway becomes the default next hop type for network traffic before reaching the internet. Consequently, virtual machines in a subnet will source NAT to the public IP address(es) of NAT gateway before egressing to the internet. If more than one NAT gateway were attached to the same subnet, the subnet wouldn't know which NAT gateway to use to send outbound traffic.

Scenario 3: Deploy zonal NAT gateways with zonally configured VMSS for optimal zone resiliency

What is the optimal solution then for creating a secure, resilient, and scalable outbound setup? The solution is to deploy a VMSS in each availability zone, configure each to its own respective subnet, and then attach each subnet to a zonal NAT gateway resource.

Figure 3 shows two panels, each of an Azure region that consists of 3 availability zones. Panels 1 and 2 show that within each Azure region is a virtual network that contains 3 subnets. Within each subnet is a zonally deployed virtual machine scale set. Each subnet is attached to a zonal NAT gateway and public IP prefix in order to provide outbound connectivity for each respective zonal virtual machine scale set. Panel 2 additionally shows that if one zone goes down, outbound connectivity will not be impacted in the other two zones.

Figure 3: Zonal NAT gateways configured to individual subnets for zonal VMSS provide optimal zone resiliency for outbound connectivity.

Deploying zonal NAT gateways to match the zones of the VMSS provides the best protection against zonal outages. Should one of the availability zones go down, the other two zones will still be able to egress outbound traffic through their own zonal NAT gateway resources.
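The Scenario 3 layout expressed as an added Bicep example (not code from the original post or from Azure documentation): one /28 public IP prefix and one NAT gateway pinned to each zone, and one subnet per zone attached to the NAT gateway of the same zone. Resource names, the 10.0.0.0/16 address space and the API version are assumptions; the per-zone VMSS deployments that go into each subnet are left out.

```bicep
// Added example: Scenario 3 (zonal NAT gateway per zonal subnet).
// Names, address space and API version are placeholders chosen for this example.
param location string = resourceGroup().location
param zones array = ['1', '2', '3']

// One /28 public IP prefix (16 contiguous addresses) per zone, pinned to that zone.
resource pipPrefix 'Microsoft.Network/publicIPPrefixes@2023-05-01' = [for z in zones: {
  name: 'pipprefix-zone${z}'
  location: location
  sku: { name: 'Standard', tier: 'Regional' }
  zones: [z]
  properties: {
    prefixLength: 28
    publicIPAddressVersion: 'IPv4'
  }
}]

// One zonal NAT gateway per zone. Omitting 'zones' would produce a "no zone"
// gateway whose placement is not visible and cannot be changed afterwards.
resource natGateway 'Microsoft.Network/natGateways@2023-05-01' = [for (z, i) in zones: {
  name: 'natgw-zone${z}'
  location: location
  sku: { name: 'Standard' }
  zones: [z]
  properties: {
    idleTimeoutInMinutes: 4
    publicIpPrefixes: [ { id: pipPrefix[i].id } ]
  }
}]

// One subnet per zone, each attached to the NAT gateway of the same zone.
// A subnet accepts at most one NAT gateway (Scenario 2), so the zone split
// must happen at the subnet level rather than inside a single subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-retail'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [for (z, i) in zones: {
      name: 'subnet-zone${z}'
      properties: {
        addressPrefix: '10.0.${i}.0/24'
        natGateway: { id: natGateway[i].id }
      }
    }]
  }
}
// The VMSS for zone z is then deployed with zones: [z] and its NIC
// ipConfiguration pointing at subnet-zone${z} (not shown here).
```

The invariant to check after deployment is that, for every subnet, the zone of the attached NAT gateway equals the zone of the VMSS placed in that subnet; a mismatch recreates the Scenario 1 failure mode for that subnet.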

Summary of zone resilient scenarios with NAT gateway

  1. Scenario 1: Set up a single zonal NAT gateway with your VMSS that spans multiple availability zones but is confined to a single subnet.
     Not recommended: if the zone that NAT gateway is placed in goes down, then outbound connectivity for all VMs in the scale set goes down.
  2. Scenario 2: Attach multiple zonal NAT gateways to a subnet that contains zone-spanning virtual machines.
     Not possible: multiple NAT gateways can't be attached to a single subnet by design.
  3. Scenario 3: Deploy zonal NAT gateways to separate subnets with zonally configured VMSS.
     Optimal configuration to provide zone resiliency and protect against outages.

FAQ on NAT gateway and availability zones

  1. What does it mean to have a "no zone" NAT gateway?

    • "No zone" is the default availability zone selected when you deploy a NAT gateway resource. No zone means that Azure places the NAT gateway resource into a zone for you, but you do not have visibility into which zone it is specifically placed. It is recommended that you deploy your NAT gateway to specific zones so that you know in which zone your NAT gateway resource resides. Once NAT gateway is deployed, the availability zone designation cannot be changed.

  2. If I have Load Balancer or instance-level public IPs (IL PIPs) on virtual machines and NAT gateway deployed in the same virtual network, and NAT gateway or an availability zone goes down, will Azure fall back to using Load Balancer or IL PIPs for all outbound traffic?

    • Azure will not fail over to using Load Balancer or IL PIPs for handling outbound traffic when NAT gateway is configured to a subnet. After NAT gateway has been attached to a subnet, the user-defined route (UDR) on the source virtual machine will always direct virtual machine-initiated packets to the NAT gateway, even if the NAT gateway goes down.
