title: Create a Standard V2 Azure NAT Gateway
titlesuffix: Azure NAT Gateway
description: This quickstart shows how to create a Standard V2 Azure NAT Gateway by using the Azure portal.
author: asudbring
ms.author: allensu
ms.service: azure-nat-gateway
ms.topic: quickstart
ms.date: 11/06/2025
ms.custom: template-quickstart, FY23 content-maintenance, linux-related-content

Quickstart: Create a Standard V2 Azure NAT Gateway

In this quickstart, learn how to create a Standard V2 Azure NAT Gateway by using the Azure portal, Azure PowerShell, or the Azure CLI. The NAT Gateway service provides scalable outbound connectivity for virtual machines in Azure.

Note

Terraform is currently unavailable. Use the Azure portal, CLI, or Azure PowerShell to create a Standard V2 NAT Gateway.

Prerequisites

  • An Azure account with an active subscription. Create an account for free.

  • Azure Cloud Shell or Azure PowerShell.

    The steps in this quickstart run the Azure PowerShell cmdlets interactively in Azure Cloud Shell. To run the commands in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

    You can also install Azure PowerShell locally to run the cmdlets. The steps in this article require Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find your installed version. If you need to upgrade, see Update the Azure PowerShell module.



Create a resource group

Create a resource group to contain all resources for this quickstart.

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal enter Resource group. Select Resource groups in the search results.

  3. Select + Create.

  4. In the Basics tab of Create a resource group, enter, or select the following information.

    Setting | Value
    Subscription | Select your subscription
    Resource group | test-rg
    Region | East US

  5. Select Review + create.

  6. Select Create.

Create a resource group with New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named test-rg in the eastus location:

$rsg = @{
    Name = 'test-rg'
    Location = 'eastus'
}
New-AzResourceGroup @rsg

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named test-rg in the eastus location:

az group create \
    --name test-rg \
    --location eastus

Create the NAT gateway

In this section, create the NAT gateway and supporting resources.

Azure NAT Gateway supports multiple deployment options for IP addresses and redundancy configurations to meet your connectivity and availability requirements.

Zone redundant IPv4 address

  1. Sign in to the Azure preview portal.

  2. In the search box at the top of the Azure portal, enter Public IP address. Select Public IP addresses in the search results.

  3. Select Create.

  4. Enter the following information in Create public IP address.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select your resource group. The example uses test-rg.
    Instance details |
    Region | Select a region. This example uses East US.
    Configuration details |
    Name | Enter public-ip-nat.
    IP version | Select IPv4.
    SKU | Select Standard V2 (For use with Standard V2 NAT Gateway).
    Tier | Select Regional.

  5. Select Review + create and then select Create.

  6. In the search box at the top of the Azure portal, enter NAT gateway. Select NAT gateways in the search results.

  7. Select Create.

  8. Enter or select the following information in the Basics tab of Create network address translation (NAT) gateway.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select test-rg or your resource group.
    Instance details |
    NAT gateway name | Enter nat-gateway.
    Region | Select your region. This example uses East US.
    SKU | Select Standard V2.
    TCP idle timeout (minutes) | Leave the default of 4.

  9. Select Next.

  10. In the Outbound IP tab, select + Add public IP addresses or prefixes.

  11. In Add public IP addresses or prefixes, select Public IP addresses. Select the public IP address you created earlier, public-ip-nat.

  12. Select Save.

  13. Select Review + create, then select Create.

Use New-AzPublicIpAddress to create a zone redundant IPv4 public IP address for the NAT gateway.

## Create public IP address for NAT gateway ##
$ip = @{
    Name = 'public-ip-nat'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'StandardV2'
    AllocationMethod = 'Static'
    IpAddressVersion = 'IPv4'
    Zone = 1,2,3
}
$publicIPIPv4 = New-AzPublicIpAddress @ip

Use New-AzNatGateway to create the NAT gateway resource.

## Create NAT gateway resource ##
$nat = @{
    ResourceGroupName = 'test-rg'
    Name = 'nat-gateway'
    IdleTimeoutInMinutes = '4'
    Sku = 'StandardV2'
    Location = 'eastus'
    PublicIpAddress = $publicIPIPv4
    Zone = 1,2,3
}
$natGateway = New-AzNatGateway @nat

Use az network public-ip create to create a zone redundant IPv4 public IP address for the NAT gateway.

az network public-ip create \
    --resource-group test-rg \
    --name public-ip-nat \
    --location eastus \
    --sku StandardV2 \
    --allocation-method Static \
    --version IPv4 \
    --zone 1 2 3

Use az network nat gateway create to create the NAT gateway resource.

az network nat gateway create \
    --resource-group test-rg \
    --name nat-gateway \
    --location eastus \
    --public-ip-addresses public-ip-nat \
    --idle-timeout 4 \
    --sku StandardV2 \
    --zone 1 2 3

Zone redundant IPv4 prefix

  1. Sign in to the Azure preview portal.

  2. In the search box at the top of the Azure portal, enter Public IP prefix. Select Public IP Prefixes in the search results.

  3. Select Create.

  4. Enter the following information in the Basics tab of Create a public IP prefix.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select your resource group. This example uses test-rg.
    Instance details |
    Name | Enter public-ip-prefix-nat.
    Region | Select your region. This example uses East US.
    Sku | Select Standard V2.
    IP version | Select IPv4.
    Prefix ownership | Select Microsoft owned.
    Prefix size | Select a prefix size. This example uses /28 (16 addresses).

  5. Select Review + create, then select Create.

  6. In the search box at the top of the Azure portal, enter NAT gateway. Select NAT gateways in the search results.

  7. Select Create.

  8. Enter or select the following information in the Basics tab of Create network address translation (NAT) gateway.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select test-rg or your resource group.
    Instance details |
    NAT gateway name | Enter nat-gateway.
    Region | Select your region. This example uses East US.
    SKU | Select Standard V2.
    TCP idle timeout (minutes) | Leave the default of 4.

  9. Select Next.

  10. In the Outbound IP tab, select + Add public IP addresses or prefixes.

  11. In Add public IP addresses or prefixes, select Public IP prefixes. Select the public IP prefix you created earlier, public-ip-prefix-nat.

  12. Select Review + create, then select Create.

Use New-AzPublicIpPrefix to create a zone redundant IPv4 public IP prefix for the NAT gateway.

## Create public IP prefix for NAT gateway ##
$ip = @{
    Name = 'public-ip-prefix-nat'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'StandardV2'
    PrefixLength = '31'
    IpAddressVersion = 'IPv4'
    Zone = 1,2,3
}
$publicIPIPv4prefix = New-AzPublicIpPrefix @ip

Use New-AzNatGateway to create the NAT gateway resource.

## Create NAT gateway resource ##
$nat = @{
    ResourceGroupName = 'test-rg'
    Name = 'nat-gateway'
    IdleTimeoutInMinutes = '4'
    Sku = 'StandardV2'
    Location = 'eastus'
    PublicIpPrefix = $publicIPIPv4prefix
    Zone = 1,2,3
}
$natGateway = New-AzNatGateway @nat

Use az network public-ip prefix create to create a zone redundant IPv4 public IP prefix for the NAT gateway.

az network public-ip prefix create \
    --resource-group test-rg \
    --name public-ip-prefix-nat \
    --location eastus \
    --length 31 \
    --sku StandardV2 \
    --version IPv4 \
    --zone 1 2 3

Use az network nat gateway create to create the NAT gateway resource.

az network nat gateway create \
    --resource-group test-rg \
    --name nat-gateway \
    --location eastus \
    --public-ip-prefixes public-ip-prefix-nat \
    --idle-timeout 4 \
    --sku StandardV2 \
    --zone 1 2 3

Create virtual network and subnet configurations

Create the virtual network and subnets needed for this quickstart.

  1. In the search box at the top of the Azure portal, enter Virtual network. Select Virtual networks in the search results.

  2. Select Create.

  3. Enter or select the following information in the Basics tab of Create virtual network.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select test-rg or your resource group.
    Instance details |
    Name | Enter vnet-1.
    Region | Select your region. This example uses East US.

  4. Select the IP Addresses tab, or select Next, then Next.

  5. In Subnets select the default subnet.

  6. Enter or select the following information in Edit subnet.

    Setting | Value
    Subnet purpose | Leave the default.
    Name | Enter subnet-1.
    Private subnet |
    Enable private subnet (no default outbound access) | Check the box.
    Security |
    NAT gateway | Select nat-gateway.

  7. Select Save.

  8. Select + Add a subnet.

  9. In Add a subnet enter or select the following information.

    Setting | Value
    Subnet purpose | Select Azure Bastion.

  10. Leave the rest of the settings as default, then select Add.

  11. Select Review + create, then select Create.

Use New-AzVirtualNetworkSubnetConfig to create the subnet configurations. Use New-AzVirtualNetwork to create the virtual network.

## Create subnet config and associate NAT gateway to subnet ##
$subnet = @{
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
    NatGateway = $natGateway
    DefaultOutboundAccess = $false
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create Azure Bastion subnet ##
$bastsubnet = @{
    Name = 'AzureBastionSubnet' 
    AddressPrefix = '10.0.1.0/26'
}
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig @bastsubnet

## Create the virtual network ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig,$bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

Use az network vnet create to create the virtual network. Use az network vnet subnet create and az network vnet subnet update to create and configure the subnet.

## Create the virtual network ##
az network vnet create \
    --resource-group test-rg \
    --name vnet-1 \
    --location eastus \
    --address-prefix 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefix 10.0.0.0/24

## Associate NAT gateway to subnet and disable default outbound access ##
az network vnet subnet update \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --name subnet-1 \
    --nat-gateway nat-gateway \
    --default-outbound false

## Create Azure Bastion subnet ##
az network vnet subnet create \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --name AzureBastionSubnet \
    --address-prefix 10.0.1.0/26

Create Azure Bastion host

Create an Azure Bastion host to securely connect to the virtual machine.

  1. In the search box at the top of the Azure portal, enter Bastion. Select Bastions in the search results.

  2. Select Create.

  3. Enter or select the following information in the Basics tab of Create a Bastion.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select test-rg or your resource group.
    Instance details |
    Name | Enter bastion.
    Region | Select your region. This example uses East US.
    Tier | Select Developer.
    Virtual network | Select vnet-1.
    Subnet | Select AzureBastionSubnet.

  4. Select Review + create, then select Create.

Use New-AzBastion to create the Azure Bastion host.

## Create public IP address for bastion host ##
$ip = @{
    Name = 'public-ip-bastion'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'Static'
    Zone = 1,2,3
}
$publicipbastion = New-AzPublicIpAddress @ip

## Create bastion host ##
$bastion = @{
    Name = 'bastion'
    ResourceGroupName = 'test-rg'
    PublicIpAddressRgName = 'test-rg'
    PublicIpAddressName = 'public-ip-bastion'
    VirtualNetworkRgName = 'test-rg'
    VirtualNetworkName = 'vnet-1'
    Sku = 'Basic'
}
New-AzBastion @bastion

Use az network public-ip create to create a public IP address for the bastion host. Use az network bastion create to create the Azure Bastion host.

## Create public IP address for bastion host ##
az network public-ip create \
    --resource-group test-rg \
    --name public-ip-bastion \
    --location eastus \
    --sku Standard \
    --allocation-method Static \
    --zone 1 2 3

## Create bastion host ##
az network bastion create \
    --resource-group test-rg \
    --name bastion \
    --location eastus \
    --vnet-name vnet-1 \
    --public-ip-address public-ip-bastion \
    --sku Basic

The bastion host can take several minutes to deploy. Wait for the bastion host to deploy before moving on to the next section.

Create virtual machine

In this section, you create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection. The following command creates SSH keys for authentication. The private key is needed later to sign in to the virtual machine through Azure Bastion. The username and password credential is required for the command. The password isn't used to sign in to the virtual machine.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. Select Create > Virtual machine.

  3. In Create a virtual machine enter or select the following information in the Basics tab.

    Setting | Value
    Project details |
    Subscription | Select your subscription.
    Resource group | Select test-rg or your resource group.
    Instance details |
    Virtual machine name | Enter vm-1.
    Region | Select your region. This example uses East US.
    Availability options | Leave the default of No infrastructure redundancy required.
    Security type | Select Standard.
    Image | Select Ubuntu Server 24.04 LTS - Gen2.
    Size | Select a size
    Authentication type | Select SSH public key.
    Username | Enter a username of your choice. You need this username to sign in to the virtual machine later.
    SSH public key source | Select Generate new key pair.
    Key pair name | Enter ssh-key.
    Public inbound ports | Select None.

  4. Select Next: Disks, then select Next: Networking.

  5. In the Networking tab, enter or select the following information.

    Setting | Value
    Network interface |
    Virtual network | Select vnet-1.
    Subnet | Select subnet-1.
    Public IP | Select None.
    NIC network security group | Select Basic.
    Public inbound ports | Leave the default of None.

  6. Select Review + create, then select Create.

Use Get-Credential to create a username and password for the virtual machine. Use New-AzNetworkInterface to create a network interface for the virtual machine. Use New-AzVMConfig to create the virtual machine configuration. Use New-AzVM to create the virtual machine.

## Get credentials for virtual machine ##
$cred = Get-Credential

## Create network interface for virtual machine ##
$nic = @{
    Name = "nic-1"
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create a virtual machine configuration ##
$vmsz = @{
    VMName = 'vm-1'
    VMSize = 'Standard_DS1_v2'  
}
$vmos = @{
    ComputerName = 'vm-1'
    Credential = $cred
    DisablePasswordAuthentication = $true
}
$vmimage = @{
    PublisherName = 'Canonical'
    Offer = '0001-com-ubuntu-server-jammy'
    Skus = '22_04-lts-gen2'
    Version = 'latest'     
}
$vmConfig = New-AzVMConfig @vmsz `
    | Set-AzVMOperatingSystem @vmos -Linux `
    | Set-AzVMSourceImage @vmimage `
    | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine ##
$vm = @{
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    VM = $vmConfig
    SshKeyName = 'ssh-key'
}
New-AzVM @vm -GenerateSshKey

Use az network nic create to create a network interface for the virtual machine. Use az vm create to create the virtual machine.

## Create network interface for virtual machine ##
az network nic create \
    --resource-group test-rg \
    --name nic-1 \
    --vnet-name vnet-1 \
    --subnet subnet-1

## Create the virtual machine ##
az vm create \
    --resource-group test-rg \
    --name vm-1 \
    --location eastus \
    --nics nic-1 \
    --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
    --size Standard_DS1_v2 \
    --admin-username azureuser \
    --generate-ssh-keys \
    --public-ip-address ""

Wait for the virtual machine creation to complete before moving on to the next section.

Important

Ensure that you download the SSH private key for the virtual machine. You need the private key to sign in to the virtual machine through Azure Bastion.

Test NAT gateway

In this section, you test the NAT gateway. You first discover the public IP of the NAT gateway. You then connect to the test virtual machine and verify the outbound connection through the NAT gateway public IP.

  1. In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.

  2. Select nat-gateway.

  3. Expand Settings, then select Outbound IP.

  4. Make note of the IP address deployed for the outbound IP address. Individual Public IPs and Public IP Prefixes configured for the NAT gateway are listed here.

  5. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  6. Select vm-1.

  7. On the Overview page, select Connect, then select Connect via Bastion.

  8. In the Authentication pull-down, select SSH Private Key From Local File.

  9. In Username, enter the username you entered during virtual machine creation.

  10. In Local File, select the SSH private key file you downloaded earlier.

  11. Select Connect.

  12. In the bash prompt, enter the following command:

    curl ifconfig.me
  13. Verify the IP address returned by the command matches the public IP address of the NAT gateway you noted earlier.

    azureuser@vm-1:~$ curl ifconfig.me
    203.0.113.25
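
The comparison in step 13 can be scripted. The following is an added example, not part of the original quickstart: when the NAT gateway uses a public IP prefix or several addresses, the egress address only has to fall inside one of them, so matching against a single noted IP isn't enough. The function names and sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original quickstart. Sample addresses are
# constructed from the RFC 5737 documentation ranges.

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    local o old_ifs
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside $2 (a single address or a CIDR prefix).
ip_in_range() {
    local ip net len mask
    len=32
    case $2 in
        */*) len=${2#*/} ;;
    esac
    case $len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=0
    # 4294967295 is 0xFFFFFFFF; keep only the top $len bits.
    [ "$len" -eq 0 ] || mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the matching entry and succeed if egress address $1 is covered by any
# of the remaining arguments; print "mismatch" and fail otherwise.
check_egress() {
    local egress entry
    egress=$1; shift
    for entry in "$@"; do
        if ip_in_range "$egress" "$entry"; then
            echo "match $entry"
            return 0
        fi
    done
    echo "mismatch"
    return 1
}

# On the VM:        egress=$(curl -s ifconfig.me)
# Outbound entries: the values listed on the NAT gateway's Outbound IP page.
# Constructed sample: one individual address and a /31 prefix (two addresses).
check_egress 198.51.100.9 203.0.113.25 198.51.100.8/31
check_egress 198.51.100.10 203.0.113.25 198.51.100.8/31 || :
```

A mismatch means the virtual machine is leaving through some other path, or the value returned isn't a valid IPv4 address.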
    

Clean up resources


If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following Azure PowerShell command:

Remove-AzResourceGroup -Name 'test-rg' -Force

If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following Azure CLI command:

az group delete \
    --name test-rg \
    --yes \
    --no-wait

Next steps

For more information on Azure NAT Gateway, see:

  • Azure NAT Gateway overview

  • Azure NAT Gateway resource