| title | Integrate NAT Gateway with Azure Firewall in Hub and Spoke Network |
|---|---|
| titleSuffix | Azure NAT Gateway |
| description | Learn to integrate NAT gateway with Azure Firewall in a hub and spoke network for scalable outbound connectivity. Step-by-step tutorial with Portal, PowerShell, and CLI examples. |
| author | asudbring |
| ms.author | allensu |
| ms.service | azure-nat-gateway |
| ms.topic | tutorial |
| ms.date | 09/11/2025 |
| ms.custom | template-tutorial |
In this tutorial, you learn how to integrate a NAT gateway with Azure Firewall in a hub and spoke network for enhanced outbound connectivity and scalability.
Azure Firewall provides 2,496 SNAT ports per public IP address configured per backend Virtual Machine Scale Set instance (minimum of two instances). You can associate up to 250 public IP addresses to Azure Firewall. Depending on your architecture requirements and traffic patterns, you might require more SNAT ports than what Azure Firewall can provide. You might also require the use of fewer public IPs while also requiring more SNAT ports. A better method for outbound connectivity is to use NAT gateway. NAT gateway provides 64,512 SNAT ports per public IP address and can be used with up to 16 public IP addresses.
NAT gateway can be integrated with Azure Firewall by configuring NAT gateway directly to the Azure Firewall subnet. This association provides a more scalable method of outbound connectivity. For production deployments, a hub and spoke network is recommended, where the firewall is in its own virtual network. The workload servers are peered virtual networks in the same region as the hub virtual network where the firewall resides. In this architectural setup, NAT gateway can provide outbound connectivity from the hub virtual network for all spoke virtual networks peered.
:::image type="content" source="./media/tutorial-hub-spoke-nat-firewall/resources-diagram.png" alt-text="Diagram of Azure resources created in tutorial." lightbox="./media/tutorial-hub-spoke-nat-firewall/resources-diagram.png":::
Note
While you can deploy NAT Gateway in a hub and spoke virtual network architecture as described in this tutorial, NAT Gateway isn't supported in the hub virtual network of a vWAN architecture. To use in a vWAN architecture, NAT Gateway must be configured directly to the spoke virtual networks associated with the secured virtual hub (vWAN). For more information about Azure Firewall architecture options, see What are the Azure Firewall Manager architecture options?
In this tutorial, you learn how to:
[!div class="checklist"]
- Create a hub virtual network and deploy an Azure Firewall and Azure Bastion during deployment
- Create a NAT gateway and associate it with the firewall subnet in the hub virtual network
- Create a spoke virtual network
- Create a virtual network peering
- Create a route table for the spoke virtual network
- Create a firewall policy for the hub virtual network
- Create a virtual machine to test the outbound connectivity through the NAT gateway
- An Azure account with an active subscription. Create an account for free.
- An Azure account with an active subscription. Create an account for free.
[!INCLUDE cloud-shell-try-it.md]
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
Create a resource group to contain all resources for this quickstart.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal enter Resource group. Select Resource groups in the search results.
-
Select + Create.
-
In the Basics tab of Create a resource group, enter, or select the following information.
Setting Value Subscription Select your subscription Resource group test-rg Region West US -
Select Review + create.
-
Select Create.
Create a resource group with New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.
The following example creates a resource group named test-rg in the westus location:
$rsg = @{
Name = 'test-rg'
Location = 'westus'
}
New-AzResourceGroup @rsg
The hub virtual network contains the firewall subnet that is associated with the Azure Firewall and NAT gateway. Use the following example to create the hub virtual network.
-
Sign in to the Azure portal.
-
In the search box at the top of the Azure portal, enter Virtual network. Select Virtual networks in the search results.
-
Select Create.
-
Enter or select the following information in the Basics tab of Create virtual network.
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg or your resource group. Instance details Name Enter vnet-hub. Region Select your region. This example uses West US. -
Select the IP Addresses tab, or select Next: Security, then Next: IP Addresses.
-
In Subnets select the default subnet.
-
Enter or select the following information in Edit subnet.
Setting Value Subnet purpose Leave the default. Name Enter subnet-1. -
Leave the rest of the settings as default, then select Save.
-
Select + Add a subnet.
-
In Add a subnet enter or select the following information.
Setting Value Subnet purpose Select Azure Bastion. -
Leave the rest of the settings as default, then select Add.
-
Select + Add a subnet.
-
In Add a subnet enter or select the following information.
Setting Value Subnet purpose Select Azure Firewall. -
Leave the rest of the settings as default, then select Add.
-
Select Review + create, then select Create.
Use New-AzVirtualNetwork to create the hub virtual network.
# Create hub virtual network
$vnetParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'vnet-hub'
AddressPrefix = '10.0.0.0/16'
}
$hubVnet = New-AzVirtualNetwork @vnetParams
Use Add-AzVirtualNetworkSubnetConfig to create a subnet for Azure Firewall and Azure Bastion.
# Create default subnet
$subnetParams = @{
Name = 'subnet-1'
AddressPrefix = '10.0.0.0/24'
VirtualNetwork = $hubVnet
}
Add-AzVirtualNetworkSubnetConfig @subnetParams
# Create subnet for Azure Firewall
$subnetParams = @{
Name = 'AzureFirewallSubnet'
AddressPrefix = '10.0.1.64/26'
VirtualNetwork = $hubVnet
}
Add-AzVirtualNetworkSubnetConfig @subnetParams
# Create subnet for Azure Bastion
$subnetParams = @{
Name = 'AzureBastionSubnet'
AddressPrefix = '10.0.1.0/26'
VirtualNetwork = $hubVnet
}
Add-AzVirtualNetworkSubnetConfig @subnetParams
Use Set-AzVirtualNetwork to update the virtual network.
# Create the virtual network
$hubVnet | Set-AzVirtualNetwork
Azure Bastion provides secure RDP and SSH connectivity to virtual machines over TLS without requiring public IP addresses on the VMs.
-
In the search box at the top of the Azure portal, enter Bastion. Select Bastions in the search results.
-
Select Create.
-
Enter or select the following information in the Basics tab of Create a Bastion.
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg or your resource group. Instance details Name Enter bastion. Region Select your region. This example uses West US. Tier Select Developer. Virtual network Select vnet-1. Subnet Select AzureBastionSubnet. -
Select Review + create, then select Create.
Use New-AzPublicIpAddress to create a public IP for Azure Bastion.
# Create public IP for Azure Bastion
$publicIpBastionParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'public-ip-bastion'
Sku = 'Standard'
AllocationMethod = 'Static'
Zone = 1, 2, 3
}
$publicIpBastion = New-AzPublicIpAddress @publicIpBastionParams
Use New-AzBastion to create Azure Bastion.
# Create Azure Bastion
$bastionParams = @{
ResourceGroupName = "test-rg"
Name = "bastion"
VirtualNetworkName = "vnet-hub"
PublicIpAddressName = "public-ip-bastion"
PublicIPAddressRgName = "test-rg"
VirtualNetworkRgName = "test-rg"
Sku = "Basic"
}
New-AzBastion @bastionParams
-
In the search box at the top of the portal, enter Firewall. Select Firewalls in the search results.
-
Select + Create.
-
On the Create a Firewall page, use the following table to configure the firewall:
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg. Instance details Name Enter firewall. Region Select West US. Availability zone Accept the default None. Firewall SKU Select Standard. Firewall management Select Use a Firewall Policy to manage this firewall. Firewall policy Select Add new.
Name: Enter firewall-policy.
Region: Select West US.
Policy tier: Standard.
Select OK.Choose a virtual network Virtual network Select Use existing. Virtual network Select vnet-hub. Public IP address Public IP address Select Add new.
Name: Enter public-ip-firewall.
SKU: Standard.
Assignment: Static.
Availability zone: Zone-redundant.
Select OK. -
Accept the other default values, then select Review + create.
-
Review the summary, and then select Create to create the firewall.
The firewall takes a few minutes to deploy.
-
After deployment completes, go to the test-rg resource group, and select the firewall resource.
-
Note the firewall private and public IP addresses. You use these addresses later.
Use New-AzPublicIpAddress to create a public IP for Azure Firewall.
# Create public IP for Azure Firewall
$publicIpFirewallParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'public-ip-firewall'
AllocationMethod = 'Static'
Sku = 'Standard'
Zone = 1, 2, 3
}
$publicIpFirewall = New-AzPublicIpAddress @publicIpFirewallParams
Use New-AzFirewallPolicy to create a firewall policy.
# Create firewall policy
$firewallPolicyParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'firewall-policy'
}
$firewallPolicy = New-AzFirewallPolicy @firewallPolicyParams
Use New-AzFirewall to create Azure Firewall.
# Create Azure Firewall
$firewallParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'firewall'
VirtualNetworkName = 'vnet-hub'
PublicIpName = 'public-ip-firewall'
FirewallPolicyId = $firewallPolicy.Id
}
$firewall = New-AzFirewall @firewallParams
All outbound internet traffic traverses the NAT gateway to the internet. Use the following example to create a NAT gateway for the hub and spoke network and associate it with the AzureFirewallSubnet.
-
In the search box at the top of the portal, enter Public IP address. Select Public IP addresses in the search results.
-
Select + Create.
-
Enter the following information in Create public IP address.
Setting Value Subscription Select your subscription. Resource group Select test-rg. Region Select West US. Name Enter public-ip-nat. IP version Select IPv4. SKU Select Standard. Availability zone Select Zone-redundant. Tier Select Regional. -
Select Review + create and then select Create.
[!NOTE] A Standard V2 Public IP address can only be associated with a Standard V2 NAT Gateway and not any other services.
-
In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.
-
Select + Create.
-
Enter or select the following information in the Basics tab of Create network address translation (NAT) gateway.
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg. Instance details NAT gateway name Enter nat-gateway. Region Select West US. SKU Select Standard. TCP idle timeout (minutes) Leave the default of 4. -
Select Next.
-
In the Outbound IP tab, select + Add public IP addresses or prefixes.
-
In Add public IP addresses or prefixes, select Public IP addresses. Select the public IP address you created earlier, public-ip-nat.
-
Select Next.
-
In the Networking tab, in Virtual network, select vnet-hub.
-
Leave the checkbox for Default to all subnets unchecked.
-
In Select specific subnets, select AzureFirewallSubnet.
-
Select Review + create, then select Create.
Use New-AzPublicIpAddress to create a zone redundant IPv4 public IP address for the NAT gateway.
## Create public IP address for NAT gateway ##
$ip = @{
Name = 'public-ip-nat'
ResourceGroupName = 'test-rg'
Location = 'westus'
Sku = 'Standard'
AllocationMethod = 'Static'
IpAddressVersion = 'IPv4'
Zone = 1,2,3
}
$publicIPIPv4 = New-AzPublicIpAddress @ip
Note
A Standard V2 Public IP address can only be associated with a Standard V2 NAT Gateway and not any other services.
Use New-AzNatGateway to create the NAT gateway resource.
## Create NAT gateway resource ##
$nat = @{
ResourceGroupName = 'test-rg'
Name = 'nat-gateway'
IdleTimeoutInMinutes = '4'
Sku = 'Standard'
Location = 'westus'
PublicIpAddress = $publicIPIPv4
Zone = 1
}
$natGateway = New-AzNatGateway @nat
Use Set-AzVirtualNetworkSubnetConfig to associate NAT gateway with AzureFirewallSubnet.
# Get the hub virtual network
$vnetHub = Get-AzVirtualNetwork -ResourceGroupName 'test-rg' -Name 'vnet-hub'
# Associate NAT gateway with AzureFirewallSubnet
$subnetParams = @{
VirtualNetwork = $vnetHub
Name = 'AzureFirewallSubnet'
AddressPrefix = '10.0.1.64/26'
NatGateway = $natGateway
}
Set-AzVirtualNetworkSubnetConfig @subnetParams
# Update the virtual network
$vnetHub | Set-AzVirtualNetwork
The spoke virtual network contains the test virtual machine used to test the routing of the internet traffic to the NAT gateway. Use the following example to create the spoke network.
-
In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.
-
Select + Create.
-
In the Basics tab of Create virtual network, enter, or select the following information:
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg. Instance details Name Enter vnet-spoke. Region Select West US. -
Select Next to proceed to the Security tab.
-
Select Next to proceed to the IP addresses tab.
-
In the IP Addresses tab in IPv4 address space, select Delete address space to delete the address space that is auto populated.
-
Select + Add IPv4 address space.
-
In IPv4 address space enter 10.1.0.0. Leave the default of /16 (65,536 addresses) in the mask selection.
-
Select + Add a subnet.
-
In Add a subnet enter or select the following information:
Setting Value Subnet purpose Leave the default Default. Name Enter subnet-private. IPv4 IPv4 address range Leave the default of 10.1.0.0/16. Starting address Leave the default of 10.1.0.0. Size Leave the default of /24(256 addresses). -
Select Add.
-
Select Review + create.
-
Select Create.
Use New-AzVirtualNetwork to create the spoke virtual network.
# Create spoke virtual network
$vnetParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'vnet-spoke'
AddressPrefix = '10.1.0.0/16'
}
$spokeVnet = New-AzVirtualNetwork @vnetParams
Use Add-AzVirtualNetworkSubnetConfig to create a subnet for the spoke virtual network.
# Create subnet in spoke virtual network
$subnetParams = @{
Name = 'subnet-private'
AddressPrefix = '10.1.0.0/24'
VirtualNetwork = $spokeVnet
}
Add-AzVirtualNetworkSubnetConfig @subnetParams
Use Set-AzVirtualNetwork to update the spoke virtual network.
# Create the virtual network
$spokeVnet | Set-AzVirtualNetwork
A virtual network peering is used to connect the hub to the spoke and the spoke to the hub. Use the following example to create a two-way network peering between the hub and spoke.
-
In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.
-
Select vnet-hub.
-
Select Peerings in Settings.
-
Select + Add.
-
Enter or select the following information in Add peering:
Setting Value Remote virtual network summary Peering link name Enter vnet-spoke-to-vnet-hub. Virtual network deployment model Leave the default of Resource manager. Subscription Select your subscription. Virtual network Select vnet-spoke (test-rg). Remote virtual network peering settings Allow 'vnet-spoke' to access 'vnet-hub' Leave the default of Selected. Allow 'vnet-spoke' to receive forwarded traffic from 'vnet-hub' Select the checkbox. Allow gateway or route server in 'vnet-spoke' to forward traffic to 'vnet-hub' Leave the default of Unselected. Enable 'vnet-spoke' to use 'vnet-hub's' remote gateway or route server Leave the default of Unselected. Local virtual network summary Peering link name Enter vnet-hub-to-vnet-spoke. Local virtual network peering settings Allow 'vnet-hub' to access 'vnet-spoke' Leave the default of Selected. Allow 'vnet-hub' to receive forwarded traffic from 'vnet-spoke' Select the checkbox. Allow gateway or route server in 'vnet-hub' to forward traffic to 'vnet-spoke' Leave the default of Unselected. Enable 'vnet-hub' to use 'vnet-spoke's' remote gateway or route server Leave the default of Unselected. -
Select Add.
-
Select Refresh and verify Peering status is Connected.
Use Add-AzVirtualNetworkPeering to create a peering from the hub to the spoke.
# Create peering from hub to spoke
$peeringParams = @{
Name = 'vnet-hub-to-vnet-spoke'
VirtualNetwork = $hubVnet
RemoteVirtualNetworkId = $spokeVnet.Id
AllowForwardedTraffic = $true
}
Add-AzVirtualNetworkPeering @peeringParams
Use Add-AzVirtualNetworkPeering to create a peering from the spoke to the hub.
# Create peering from spoke to hub
$peeringParams = @{
Name = 'vnet-spoke-to-vnet-hub'
VirtualNetwork = $spokeVnet
RemoteVirtualNetworkId = $hubVnet.Id
AllowForwardedTraffic = $true
}
Add-AzVirtualNetworkPeering @peeringParams
A route table forces all traffic leaving the spoke virtual network to the hub virtual network. The route table is configured with the private IP address of the Azure Firewall as the virtual appliance.
The private IP address of the firewall is needed for the route table created later in this article. Use the following example to obtain the firewall private IP address.
-
In the search box at the top of the portal, enter Firewall. Select Firewalls in the search results.
-
Select firewall.
-
In the Overview of firewall, note the IP address in the field Firewall private IP. The IP address in this example is 10.0.1.68.
Use Get-AzFirewall to obtain the private IP address of the firewall.
# Get the private IP address of the firewall
$firewallParams = @{
ResourceGroupName = 'test-rg'
Name = 'firewall'
}
$firewall = Get-AzFirewall @firewallParams
$firewall.IpConfigurations[0].PrivateIpAddress
Create a route table to force all inter-spoke and internet egress traffic through the firewall in the hub virtual network.
-
In the search box at the top of the portal, enter Route table. Select Route tables in the search results.
-
Select + Create.
-
In Create Route table enter or select the following information:
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg. Instance details Region Select West US. Name Enter route-table-spoke. Propagate gateway routes Select No. -
Select Review + create.
-
Select Create.
-
In the search box at the top of the portal, enter Route table. Select Route tables in the search results.
-
Select route-table-spoke.
-
In Settings select Routes.
-
Select + Add in Routes.
-
Enter or select the following information in Add route:
Setting Value Route name Enter route-to-hub. Destination type Select IP Addresses. Destination IP addresses/CIDR ranges Enter 0.0.0.0/0. Next hop type Select Virtual appliance. Next hop address Enter 10.0.1.68. -
Select Add.
-
Select Subnets in Settings.
-
Select + Associate.
-
Enter or select the following information in Associate subnet:
Setting Value Virtual network Select vnet-spoke (test-rg). Subnet Select subnet-private. -
Select OK.
Use New-AzRouteTable to create the route table.
# Create route table
$routeTableParams = @{
ResourceGroupName = 'test-rg'
Location = 'westus'
Name = 'route-table-spoke'
}
$routeTable = New-AzRouteTable @routeTableParams
Use Add-AzRouteConfig to create a route in the route table.
# Create route
$routeConfigParams = @{
Name = 'route-to-hub'
AddressPrefix = '0.0.0.0/0'
NextHopType = 'VirtualAppliance'
NextHopIpAddress = $firewall.IpConfigurations[0].PrivateIpAddress
RouteTable = $routeTable
}
Add-AzRouteConfig @routeConfigParams
Use Set-AzRouteTable to update the route table.
# Update the route table
$routeTable | Set-AzRouteTable
Use Set-AzVirtualNetworkSubnetConfig to associate the route table with the spoke subnet.
# Associate route table with subnet
$subnetConfigParams = @{
VirtualNetwork = $spokeVnet
Name = 'subnet-private'
AddressPrefix = '10.1.0.0/24'
RouteTable = $routeTable
}
Set-AzVirtualNetworkSubnetConfig @subnetConfigParams
Use Set-AzVirtualNetwork to update the spoke virtual network.
# Update the virtual network
$spokeVnet | Set-AzVirtualNetwork
Traffic from the spoke through the hub must be allowed through and firewall policy and a network rule. Use the following example to create the firewall policy and network rule.
-
In the search box at the top of the portal, enter Firewall. Select Firewall Policies in the search results.
-
Select firewall-policy.
-
Expand Settings then select Network rules.
-
Select + Add a rule collection.
-
In Add a rule collection enter or select the following information:
Setting Value Name Enter spoke-to-internet. Rule collection type Select Network. Priority Enter 100. Rule collection action Select Allow. Rule collection group Select DefaultNetworkRuleCollectionGroup. Rules Name Enter allow-web. Source type IP Address. Source Enter 10.1.0.0/24. Protocol Select TCP. Destination Ports Enter 80,443. Destination Type Select IP Address. Destination Enter * -
Select Add.
Use Get-AzFirewallPolicy to get the existing firewall policy.
# Get the existing firewall policy
$firewallPolicyParams = @{
Name = 'firewall-policy'
ResourceGroupName = 'test-rg'
}
$firewallPolicy = Get-AzFirewallPolicy @firewallPolicyParamsUse New-AzFirewallPolicyNetworkRule to create a network rule.
# Create a network rule for web traffic
$networkRuleParams = @{
Name = 'allow-internet'
SourceAddress = '10.1.0.0/24'
Protocol = 'TCP'
DestinationAddress = '*'
DestinationPort = '*'
}
$networkRule = New-AzFirewallPolicyNetworkRule @networkRuleParamsUse New-AzFirewallPolicyFilterRuleCollection to create a rule collection for the network rule.
# Create a rule collection for the network rule
$ruleCollectionParams = @{
Name = 'spoke-to-internet'
Priority = 100
Rule = $networkRule
ActionType = 'Allow'
}
$ruleCollection = New-AzFirewallPolicyFilterRuleCollection @ruleCollectionParamsUse New-AzFirewallPolicyRuleCollectionGroup to create a rule collection group.
$newRuleCollectionGroupParams = @{
Name = 'DefaultNetworkRuleCollectionGroup'
Priority = 200
FirewallPolicyObject = $firewallPolicy
RuleCollection = $ruleCollection
}
New-AzFirewallPolicyRuleCollectionGroup @newRuleCollectionGroupParamsAn Ubuntu virtual machine is used to test the outbound internet traffic through the NAT gateway. Use the following example to create an Ubuntu virtual machine.
-
In the portal, search for and select Virtual machines.
-
In Virtual machines, select + Create, then Azure virtual machine.
-
On the Basics tab of Create a virtual machine, enter, or select the following information:
Setting Value Project details Subscription Select your subscription. Resource group Select test-rg. Instance details Virtual machine name Enter vm-spoke. Region Select West US. Availability options Select No infrastructure redundancy required. Security type Leave the default of Standard. Image Select Ubuntu Server 24.04 LTS - x64 Gen2. VM architecture Leave the default of x64. Size Select a size. Administrator account Authentication type Select SSH public key. Username Enter azureuser. SSH public key source Select Generate new key pair. Key pair name Enter vm-spoke-key. Inbound port rules Public inbound ports Select None. -
Select the Networking tab at the top of the page or select Next:Disks, then Next:Networking.
-
Enter or select the following information in the Networking tab:
Setting Value Network interface Virtual network Select vnet-spoke. Subnet Select subnet-private (10.1.0.0/24). Public IP Select None. NIC network security group Select Advanced. Configure network security group Select Create new.
Enter nsg-1 for the name.
Leave the rest at the defaults and select OK. -
Leave the rest of the settings at the defaults and select Review + create.
-
Review the settings and select Create.
-
The Generate new key pair dialog box appears. Select Download private key and create resource.
The private key downloads to your local machine. The private key is needed in later steps for connecting to the virtual machine with Azure Bastion. The name of the private key file is the name you entered in the Key pair name field. In this example, the private key file is named ssh-key.
Wait for the virtual machine to finishing deploying before proceeding to the next steps.
Note
Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.
Use New-AzNetworkSecurityGroup to create the network security group.
$nsgParams = @{
ResourceGroupName = "test-rg"
Name = "nsg-1"
Location = "westus"
}
New-AzNetworkSecurityGroup @nsgParams
Use New-AzNetworkInterface to create the network interface.
$nicParams = @{
ResourceGroupName = "test-rg"
Name = "nic-1"
SubnetId = (Get-AzVirtualNetwork -ResourceGroupName "test-rg" -Name "vnet-spoke").Subnets[0].Id
NetworkSecurityGroupId = (Get-AzNetworkSecurityGroup -ResourceGroupName "test-rg" -Name "nsg-1").Id
Location = "westus"
}
New-AzNetworkInterface @nicParams
Use Get-Credential to set a user name and password for the VM and store them in the $cred variable.
$cred = Get-Credential
Note
A username is required for the VM. The password is optional and won't be used if set. SSH key configuration is recommended for Linux VMs.
Use New-AzVMConfig to define a VM.
$vmConfigParams = @{
VMName = "vm-spoke"
VMSize = "Standard_DS4_v2"
}
$vmConfig = New-AzVMConfig @vmConfigParams
Use Set-AzVMOperatingSystem and Set-AzVMSourceImage to create the rest of the VM configuration. The following example creates an Ubuntu Server virtual machine:
$osParams = @{
VM = $vmConfig
ComputerName = "vm-spoke"
Credential = $cred
}
$vmConfig = Set-AzVMOperatingSystem @osParams -Linux -DisablePasswordAuthentication
$imageParams = @{
VM = $vmConfig
PublisherName = "Canonical"
Offer = "ubuntu-24_04-lts"
Skus = "server"
Version = "latest"
}
$vmConfig = Set-AzVMSourceImage @imageParams
Use Add-AzVMNetworkInterface to attach the NIC that you previously created to the VM.
# Get the network interface object
$nicParams = @{
ResourceGroupName = "test-rg"
Name = "nic-1"
}
$nic = Get-AzNetworkInterface @nicParams
$vmConfigParams = @{
VM = $vmConfig
Id = $nic.Id
}
$vmConfig = Add-AzVMNetworkInterface @vmConfigParams
Use New-AzVM to create the VM. The command generates SSH keys for the virtual machine for sign-in. Make note of the location of the private key. The private key is needed in later steps for connecting to the virtual machine with Azure Bastion.
$vmParams = @{
VM = $vmConfig
ResourceGroupName = "test-rg"
Location = "westus"
SshKeyName = "vm-spoke-key"
}
New-AzVM @vmParams -GenerateSshKey
You connect to the Ubuntu virtual machines you created in the previous steps to verify that the outbound internet traffic is leaving the NAT gateway.
Obtain the NAT gateway public IP address for verification of the steps later in the article.
-
In the search box at the top of the portal, enter Public IP. Select Public IP addresses in the search results.
-
Select public-ip-nat.
-
Make note of value in IP address. The example used in this article is 203.0.113.0.25.
Use Get-AzPublicIpAddress to obtain the public IP address of the NAT gateway.
# Get the public IP address of the NAT gateway
$publicIpNatParams = @{
ResourceGroupName = 'test-rg'
Name = 'public-ip-nat'
}
$publicIpNat = Get-AzPublicIpAddress @publicIpNatParams
$publicIpNat.IpAddress
-
In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.
-
Select vm-spoke.
-
In Overview, select Connect then Connect via Bastion.
-
Select SSH as the connection type. Upload your SSH private key file. Select Connect.
-
In the bash prompt, enter the following command:
curl ifconfig.me
-
Verify the IP address returned by the command matches the public IP address of the NAT gateway.
azureuser@vm-1:~$ curl ifconfig.me 203.0.113.0.25 -
Close the Bastion connection to vm-spoke.
[!INCLUDE portal-clean-up.md]
Use Remove-AzResourceGroup to remove the resource group.
# Remove resource group
$rgParams = @{
Name = 'test-rg'
}
Remove-AzResourceGroup @rgParams
Advance to the next article to learn how to integrate a NAT gateway with an Azure Load Balancer:
[!div class="nextstepaction"] Integrate NAT gateway with an internal load balancer