Azure NAT Gateway is a fully managed, highly resilient service that ensures all outbound internet-facing traffic routes through a network address translation (NAT) gateway within Azure Virtual Network. You can associate your NAT gateway with one or more subnets in your Azure virtual network and provide robust support for your App Service application.
There are two important scenarios for using Azure NAT Gateway with App Service:
- A NAT gateway gives you a static, predictable public IP address for outbound internet-facing traffic to your app within the virtual network.
- A NAT gateway significantly increases the available source network address translation (SNAT) ports in scenarios where you have a high number of concurrent connections to the same public address/port combination. For more information, see Troubleshoot intermittent outbound connection errors in Azure App Service.
The following diagram shows internet traffic from an app flowing to a NAT gateway in an Azure virtual network:
This article describes how to configure Azure NAT Gateway integration with Azure App Service and Azure Virtual Network. Follow steps in the Azure portal or use the Azure CLI.
Prerequisites
An App Service app with regional virtual network integration. You can follow the steps in Prepare app with virtual network integration in this article.
The virtual network integration must route all internet-bound traffic (application and configuration). For more information, see Integrate your app with an Azure virtual network > Routes.
Important considerations for integration
Review the following important considerations about Azure NAT Gateway integration:
Whether you can use a NAT gateway with App Service depends on virtual network integration. You must have a supported pricing tier in an App Service plan.
When you use a NAT gateway together with App Service, all traffic to Azure Storage must use private endpoints or service endpoints.
Azure NAT Gateway is supported for App Service Environment v3 only.
Prepare app with virtual network integration
Confirm your app is integrated with a virtual network and subnet, as described in Integrate your app with an Azure virtual network. Verify the network integration is enabled to route all application and configuration traffic.
In the Azure portal, go to your app, and select Settings > Networking.
In the Outbound traffic configuration section, confirm the Virtual network integration option is set to the desired virtual network and subnet for the integration:
The Virtual network integration option value is a link to the integrated network.
To view the details for the integrated network, select the link:
(As needed) If the Virtual network integration option isn't set, select the Not configured link:
In the Virtual Network Integration page, select Add virtual network integration:
In the Add virtual network integration pane, select your Subscription, Virtual Network, and Subnet.
Select Connect.
The page refreshes to show the integration details for the new network connection.
In the details view for the virtual network integration, confirm all traffic routes are enabled (each checkbox is selected):
In the Application routing section, enable the Outbound internet traffic option.
In the Configuration routing section, enable the Container image pull, Content storage, and Backup/restore options.
If you make changes, select Apply.
For detailed steps, see Configure application routing.
Create and configure an Azure NAT gateway
Create the NAT gateway with a public IP address and associate it with the subnet for virtual network integration.
Review the available Azure NAT Gateway SKUs and select the best plan for your configuration.
In the Azure portal Home page, select + Create a resource.
In the Create a resource page, search for NAT gateway.
Locate the NAT gateway card for the Azure Service, and select Create > NAT gateway.
In the Create network address translation (NAT) gateway pane, configure the settings on the Basics tab:
- Select the Subscription to use for the new gateway.
- Select an existing Resource group for the new gateway, or create a new one.
- Enter a unique NAT gateway name.
- Select the Region where your app is located.
- Select the SKU for the NAT gateway resource. To use IPv4 IP addresses, select Standard. To use IPv4 or IPv6 IP addresses, select Standard V2.
- Enter the TCP idle timeout value. The allowable range is 4 to 120 minutes.
On the Outbound IP tab, select the public IP address to use for the gateway connection.
Select the checkbox for an existing address in the Public IP address or Public IP prefix list.
You can also create a new IP address or IP prefix for the connection:
Select the + Add public IP addresses or prefixes link.
In the Manage public IP addresses and prefixes pane, select the Create a public IP address link.
In the Add a public IP address dialog, enter a unique Name for the IP address.
Select the IP version.
Select OK.
Select the Create a new public IP prefix link.
In the Add a public IP prefix dialog, enter a unique Name for the IP prefix.
Select the IP version and choose the Prefix size.
Select OK.
In the Manage public IP addresses and prefixes pane, select Save.
On the Networking tab, select the Virtual network for virtual network integration, and then select the Specific subnets within the selected virtual network:
Select Review + Create, and then select Create.
When the NAT gateway is ready, select Go to resource group.
In the Overview page for your new NAT gateway, select Settings > Outbound IP.
The page shows the public IP address that your app uses for outbound internet-facing traffic.
Scale your NAT gateway
You can use the same NAT gateway across multiple subnets in the same virtual network. This approach enables you to use a NAT gateway across multiple apps and App Service plans.
Azure NAT Gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address provides 64,512 SNAT ports, so a gateway with the maximum of 16 addresses offers up to 1 million available ports. For more information, see Azure NAT Gateway resource.
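The following script is an added example, not part of the original article. It checks that a source address logged by a destination (for instance, a firewall allowlist hit) belongs to the addresses or prefixes listed under Settings > Outbound IP, and computes the SNAT port capacity of that list. The function names and sample addresses are assumptions, and it handles IPv4 only.

```shell
# Added example; addresses used with it are constructed (RFC 5737 ranges).

ip_to_int() {  # dotted-quad IPv4 -> integer; non-zero status on bad input
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_len() {  # "a.b.c.d/len" -> len; a bare address counts as /32
    case $1 in */*) l=${1#*/} ;; *) l=32 ;; esac
    case $l in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$l" -le 32 ] && echo "$l"
}

ip_in_cidr() {  # $1 = address, $2 = address or prefix
    len=$(prefix_len "$2") || return 1
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "${2%/*}") || return 1
    mask=0
    [ "$len" -eq 0 ] || mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
    [ $(( $a & $mask )) -eq $(( $n & $mask )) ]
}

# $1 = source IP seen by the destination; rest = NAT gateway IPs/prefixes.
# Prints the matching entry, or returns 1 if traffic left by another path.
egress_matches_nat() {
    observed=$1; shift
    for entry in "$@"; do
        if ip_in_cidr "$observed" "$entry"; then echo "$entry"; return 0; fi
    done
    return 1
}

# Total SNAT ports: 64,512 per address, at most 16 addresses per gateway.
snat_capacity() {
    count=0
    for entry in "$@"; do
        len=$(prefix_len "$entry") || return 1
        count=$(( $count + (1 << (32 - $len)) ))
        [ "$count" -le 16 ] || return 1
    done
    echo $(( $count * 64512 ))
}
```

A non-zero status from `egress_matches_nat` means the observed address is not one of the gateway's, which is worth checking against the routing settings described in Prepare app with virtual network integration.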