John, my man, you are a legend. Thank you so much. Best video on the internet to explain Azure NAT/NAT Gateway. Your videos alone makes youtube premium worth it.
Great tech videos as always, John! By the way, the 172 ip range goes from 172.16.x.x to 172.31.x.x The 172.12.x.x would be a public ip address. I don't know that much it's just that that range was hammered into my head last week that now I can tell the private ip ranges from the public ones! Keep up the good work!
hehe. I did try bing first but it does not show your IP if you just ask that question and instead I would have had to use a site like whatismyip that then shows a bunch of adverts. This was the lesser evil ;-)
Hi, I love to watch your videos. Great work. Can you please make a video explaining azure Load balancer with multiple frontend and also cosmos db logical and physical partition key concept. Thanks.
Hi.. great video as always John. I have a query about usage of Nat gateway public ip with function app. I have a function app which is vnet integrated (regional) and its associated to a subnet. This subnet is attached to a NAT gateway which has a public ip. The problem I am trying to solve is by default the outbound ip of a function app is a list of possible ip’s which could potentially change and the api provider will need to whitelist the new IP. I tried the above setup but the outbound request still originated from the function app listed ip and not the nat gateway is. Hopefully this question made sense. If not please let me know I will try to rephrase it😊
Vnet integration, by default, only sends outbound traffic to your vnet that is RFC1918. Try the application setting for WEBSITE_VNET_ROUTE_ALL as described here docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet . I’m wondering if nat gateway will pick up the traffic after that?
Great video! John.. quick question: i need to have a subnet spanning multiple AZs with computer resources on multiple AZs. In this case should i have just 1 regional NAT gateway instead of multiple zonal gateways?
if subnet is spanning AZs then yes you would go regional but realize thats not the same as zone-redundant and you have no visibility into how its implemented. Your safest is to have separate subnets per AZ with zonal gateway or don't use nat gateway and use standard load balancer with NAT rules.
Is the NAT Gateway compatible with an Azure Firewall? For now I have setup the Azure Firewall for inbounrd traffic but if I want to use it for outbound in the future aswell do I bypass the Firewall if I use a NAT Gateway?
For regular internet egress you don’t need a special gateway in azure unless you want it. It is natively available. I cover this in the azure networking lesson of the masterclass.
How does this behave in the case of traffic that opens a connection one way and expects the remote peer to open a connection back, like passive FTP connections for instance?
When using the NAT Gateway resource is the outbound public IP only for your networks that use it? Pretty sure the answer is yes. I just want to be sure that I am the only one using that outbound IP for setting up policies for restrictions to other resources in azure and elsewhere based upon IP. I imagine if I don't use this or some similar resource to restrict outbound to the public internet that it uses a shared public IP that would not be as useful to use for restricting traffic.
If you have a session coming from outside to the public address of the VM, which path the return traffic will take?? through NAT gateway?? They are using different public addresses and you won`t be able to establish a session. Is there any kind of source NAT when session is coming from outside to public address of the VM??
Hello John, What i got is, even if we deploy a VM in seperate AZ and NAT Gateway in another AZ but VM subnet is associated with NAT gateway.....in that case VM traffic will also route through Nat Gateway...however this is not good approach...m i right????
not sure about budget replacement :-) but you can certainly use nat gateway to facilitate outbound however realize azure firewall has a lot of other capabilities. Depends on what you need.
John, my man, you are a legend. Thank you so much. Best video on the internet to explain Azure NAT/NAT Gateway. Your videos alone makes youtube premium worth it.
Great but I have no advertising on my videos anyway. You don’t need premium :)
@@NTFAQGuy Fantastic ;-) More kudos to you!
Great tech videos as always, John! By the way, the 172 ip range goes from 172.16.x.x to 172.31.x.x The 172.12.x.x would be a public ip address. I don't know that much it's just that that range was hammered into my head last week that now I can tell the private ip ranges from the public ones! Keep up the good work!
Yep sometimes my brain does strange things :) thanks
Premium quality explanation.
Love to watch your videos.
Thank you!
Thank you so much John .. you explain very well with depth yet simple way... You are a great trainer 👍
Objective and concise explanation. Thanks a mil John. Have a lovely weekend!
As always, very good explanation John! We actually are going to use the NatGw and this video will clear up alot of questions. 👍🏻
Hey John, This video is useful and clear to understand. Thank you for making this video.
Thanks John a very useful recap on NAT Gateway
This tutorial is just excellent. Thanks John!!
You're very welcome!
Very nicely explained Azure NAT. thank you.
Glad it was helpful!
Great overview! The AZ explanation is excellent.
Thank you.
As always, super high quality content. Thanks !
Thanks for the demo and lecture.
Oh shit, feels like I timed traveled lol
I'm so used to the new video format that this video hit me different when my browser was done rendering it
😁
Lol
great video.
Thanks!
Great video, thank you!
Thanks John, very clearly explained from the ground up! Thought you would be using BING for the IP address search, not Goog....!! :-P
hehe. I did try bing first but it does not show your IP if you just ask that question and instead I would have had to use a site like whatismyip that then shows a bunch of adverts. This was the lesser evil ;-)
Great explanation.
Thank you!
Hey John, once again awesome video. Can you please cover one video for VWan Hub please.
Hi, I love to watch your videos. Great work. Can you please make a video explaining azure Load balancer with multiple frontend and also cosmos db logical and physical partition key concept.
Thanks.
Nice! Thank you! Wondering why there is no private NAT Gateways :) To do the same kind of thing but withing VNET
Private endpoints :)
@@NTFAQGuy I think I head about it somewhere :)
Very useful.
Glad to hear that
what an absolute awesome video a major light bulb moment 😂
Great to hear
Hi.. great video as always John. I have a query about usage of Nat gateway public ip with function app. I have a function app which is vnet integrated (regional) and its associated to a subnet. This subnet is attached to a NAT gateway which has a public ip. The problem I am trying to solve is by default the outbound ip of a function app is a list of possible ip’s which could potentially change and the api provider will need to whitelist the new IP. I tried the above setup but the outbound request still originated from the function app listed ip and not the nat gateway is. Hopefully this question made sense. If not please let me know I will try to rephrase it😊
I'm afraid I've not tried that configuration. I'd have to set that up but not something have cycles to do right now, sorry :-(
Vnet integration, by default, only sends outbound traffic to your vnet that is RFC1918. Try the application setting for WEBSITE_VNET_ROUTE_ALL as described here docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet . I’m wondering if nat gateway will pick up the traffic after that?
BazookaMan3 i did try that setting. Unfortunately that still picked the function app ip and not Nat gateway :(
you are awesome :)
Thanks a lot
Glad it helped!
nice work..
Thanks
#JohnSavill , I am always a fan of your great videos, your dedication and discipline towards the work :) . Keep posting, keep sharing
Skip right to NAT Gateways here 9:33
Thanks for the great video. Out of interest (and completely off topic), how many Ironmans have you done?
15 fulls. Hopefully another 5 in 2021 if COVID allows :)
Not to be pedantic, but the private space at 172 starts at 16 does it not? making 172.12 a public address?
Quite right, whoops :) too many numbers in my head :)
@@NTFAQGuy Happens to everyone.
Good luck for Ironman!
Great video! John.. quick question: i need to have a subnet spanning multiple AZs with computer resources on multiple AZs. In this case should i have just 1 regional NAT gateway instead of multiple zonal gateways?
if subnet is spanning AZs then yes you would go regional but realize thats not the same as zone-redundant and you have no visibility into how its implemented. Your safest is to have separate subnets per AZ with zonal gateway or don't use nat gateway and use standard load balancer with NAT rules.
Is the NAT Gateway compatible with an Azure Firewall?
For now I have setup the Azure Firewall for inbounrd traffic but if I want to use it for outbound in the future aswell do I bypass the Firewall if I use a NAT Gateway?
Docs discuss their default behavior. docs.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway
Excellent tutorial.. for ipv6 we have Egress-only internet gateways in aws. Is there similar services in azure?
For regular internet egress you don’t need a special gateway in azure unless you want it. It is natively available. I cover this in the azure networking lesson of the masterclass.
How does this behave in the case of traffic that opens a connection one way and expects the remote peer to open a connection back, like passive FTP connections for instance?
When using the NAT Gateway resource is the outbound public IP only for your networks that use it? Pretty sure the answer is yes. I just want to be sure that I am the only one using that outbound IP for setting up policies for restrictions to other resources in azure and elsewhere based upon IP.
I imagine if I don't use this or some similar resource to restrict outbound to the public internet that it uses a shared public IP that would not be as useful to use for restricting traffic.
And thank you for all the amazing videos! I have learned so much in a very short time thanks to you.
Yes. Only subnets connected
If you have a session coming from outside to the public address of the VM, which path the return traffic will take?? through NAT gateway?? They are using different public addresses and you won`t be able to establish a session. Is there any kind of source NAT when session is coming from outside to public address of the VM??
Return uses same path as ingress
Hello John, What i got is, even if we deploy a VM in seperate AZ and NAT Gateway in another AZ but VM subnet is associated with NAT gateway.....in that case VM traffic will also route through Nat Gateway...however this is not good approach...m i right????
Yes
Hi... Can you please let me know how to remove NAT gateway from the subnet using Azure powershell
that is covered in the docs. just search for remove nat gateway azure powershell
Can nat gateway replace az firewall for outbound network traffic if for a budget friendly architecture?
not sure about budget replacement :-) but you can certainly use nat gateway to facilitate outbound however realize azure firewall has a lot of other capabilities. Depends on what you need.