Quickstart: Create a StandardV2 NAT gateway

• An Azure account with an active subscription. Create an account for free.

• An Azure account with an active subscription. Create an account for free.

• Azure Cloud Shell or Azure PowerShell.

  The steps in this quickstart run the Azure PowerShell cmdlets interactively in Azure Cloud Shell. To run the commands in Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code, and then paste it into Cloud Shell to run it. You can also run Cloud Shell from within the Azure portal.

  You can also install Azure PowerShell locally to run the cmdlets. The steps in this article require Azure PowerShell module version 5.4.1 or later. To find your installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Update-AzModule.

• If you don't have an Azure account, create a free account before you begin.

• To run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use and manage extensions with the Azure CLI.

  • To find the version and dependent libraries that are installed, run az version. To upgrade to the latest version, run az upgrade.

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results.

3. Select + Create.

4. On the Basics tab of Create a resource group, enter or select the following information.

   Setting	Value
   Subscription	Select your subscription.
   Resource group	Enter test-rg.
   Region	Enter East US.

5. Select Review + create.

6. Select Create.

Create a resource group by using New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named test-rg in the eastus location:

$rsg = @{
    Name = 'test-rg'
    Location = 'eastus'
}
New-AzResourceGroup @rsg

Create a resource group by using az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named test-rg in the eastus location:

az group create \
    --name test-rg \
    --location eastus

1. Sign in to the Azure preview portal.

2. In the search box at the top of the portal, enter Public IP address. Select Public IP addresses in the search results.

3. Select Create.

4. In Create public IP address, enter the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select your resource group. This example uses test-rg.
   Instance details
   Region	Select a region. This example uses East US.
   Configuration details
   Name	Enter public-ip-nat.
   IP version	Select IPv4.
   SKU	Select Standard V2 (For use with Standard V2 NAT Gateway).
   Tier	Select Regional.

5. Select Review + create, and then select Create.

6. In the search box at the top of the Azure portal, enter NAT gateway. Select NAT gateways in the search results.

7. Select Create.

8. On the Basics tab of Create network address translation (NAT) gateway, enter or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg or your resource group.
   Instance details
   NAT gateway name	Enter nat-gateway.
   Region	Select your region. This example uses East US.
   SKU	Select Standard V2.
   TCP idle timeout (minutes)	Leave the default of 4.

9. Select Next.

10. On the Outbound IP tab, select + Add public IP addresses or prefixes.

11. In Add public IP addresses or prefixes, select Public IP addresses. Select the public IP address that you created earlier, public-ip-nat.

12. Select Save.

13. Select Review + create, and then select Create.

Create a zone-redundant IPv4 public IP address for the NAT gateway by using New-AzPublicIpAddress.

## Create a public IP address for the NAT gateway ##
$ip = @{
    Name = 'public-ip-nat'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'StandardV2'
    AllocationMethod = 'Static'
    IpAddressVersion = 'IPv4'
    Zone = 1,2,3
}
$publicIPIPv4 = New-AzPublicIpAddress @ip

Create the NAT gateway resource by using New-AzNatGateway.

## Create the NAT gateway resource ##
$nat = @{
    ResourceGroupName = 'test-rg'
    Name = 'nat-gateway'
    IdleTimeoutInMinutes = '4'
    Sku = 'StandardV2'
    Location = 'eastus'
    PublicIpAddress = $publicIPIPv4
    Zone = 1,2,3
}
$natGateway = New-AzNatGateway @nat

Create a zone-redundant IPv4 public IP address for the NAT gateway by using az network public-ip create.

az network public-ip create \
    --resource-group test-rg \
    --name public-ip-nat \
    --location eastus \
    --sku StandardV2 \
    --allocation-method Static \
    --version IPv4 \
    --zone 1 2 3

Create the NAT gateway resource by using az network nat gateway create.

az network nat gateway create \
    --resource-group test-rg \
    --name nat-gateway \
    --location eastus \
    --public-ip-addresses public-ip-nat \
    --idle-timeout 4 \
    --sku StandardV2 \
    --zone 1 2 3

1. Sign in to the Azure preview portal.

2. In the search box at the top of the portal, enter Public IP prefix. Select Public IP Prefixes in the search results.

3. Select Create.

4. On the Basics tab of Create a public IP prefix, enter the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select your resource group. This example uses test-rg.
   Instance details
   Name	Enter public-ip-prefix-nat.
   Region	Select your region. This example uses East US.
   Sku	Select Standard V2.
   IP version	Select IPv4.
   Prefix ownership	Select Microsoft owned.
   Prefix size	Select a prefix size. This example uses /28 (16 addresses).

5. Select Review + create, and then select Create.

6. In the search box at the top of the Azure portal, enter NAT gateway. Select NAT gateways in the search results.

7. Select Create.

8. On the Basics tab of Create network address translation (NAT) gateway, enter or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg or your resource group.
   Instance details
   NAT gateway name	Enter nat-gateway.
   Region	Select your region. This example uses East US.
   SKU	Select Standard V2.
   TCP idle timeout (minutes)	Leave the default of 4.

9. Select Next.

10. On the Outbound IP tab, select + Add public IP addresses or prefixes.

11. In Add public IP addresses or prefixes, select Public IP prefixes. Select the public IP prefix that you created earlier, public-ip-prefix-nat.

12. Select Review + create, and then select Create.

Create a zone-redundant IPv4 public IP prefix for the NAT gateway by using New-AzPublicIpPrefix.

## Create a public IP prefix for the NAT gateway ##
$ip = @{
    Name = 'public-ip-prefix-nat'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'StandardV2'
    PrefixLength = '31'
    IpAddressVersion = 'IPv4'
    Zone = 1,2,3
}
$publicIPIPv4prefix = New-AzPublicIpPrefix @ip

Create the NAT gateway resource by using New-AzNatGateway.

## Create the NAT gateway resource ##
$nat = @{
    ResourceGroupName = 'test-rg'
    Name = 'nat-gateway'
    IdleTimeoutInMinutes = '4'
    Sku = 'StandardV2'
    Location = 'eastus'
    PublicIpPrefix = $publicIPIPv4prefix
    Zone = 1,2,3
}
$natGateway = New-AzNatGateway @nat

Create a zone-redundant IPv4 public IP prefix for the NAT gateway by using az network public-ip prefix create.

az network public-ip prefix create \
    --resource-group test-rg \
    --name public-ip-prefix-nat \
    --location eastus \
    --length 31 \
    --sku StandardV2 \
    --version IPv4 \
    --zone 1 2 3

Create the NAT gateway resource by using az network nat gateway create.

az network nat gateway create \
    --resource-group test-rg \
    --name nat-gateway \
    --location eastus \
    --public-ip-prefixes public-ip-prefix-nat \
    --idle-timeout 4 \
    --sku StandardV2 \
    --zone 1 2 3

1. In the search box at the top of the Azure portal, enter Virtual network. Select Virtual networks in the search results.

2. Select Create.

3. On the Basics tab of Create virtual network, enter or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg or your resource group.
   Instance details
   Name	Enter vnet-1.
   Region	Select your region. This example uses East US.

4. Select the IP Addresses tab, or select Next > Next.

5. In Subnets, select the default subnet.

6. In Edit subnet, enter or select the following information.

   Setting	Value
   Subnet purpose	Leave the default.
   Name	Enter subnet-1.
   Private subnet
   Enable private subnet (no default outbound access)	Select the checkbox.
   Security
   NAT gateway	Select nat-gateway.

7. Select Save.

8. Select + Add a subnet.

9. In Add a subnet, enter or select the following information.

   Setting	Value
   Subnet purpose	Select Azure Bastion.

10. Leave the rest of the settings as default, and then select Add.

11. Select Review + create, and then select Create.

Create the subnet configurations by using New-AzVirtualNetworkSubnetConfig. Create the virtual network by using New-AzVirtualNetwork.

## Create the subnet configuration and associate the NAT gateway with the subnet ##
$subnet = @{
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
    NatGateway = $natGateway
    DefaultOutboundAccess = $false
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create the Azure Bastion subnet ##
$bastsubnet = @{
    Name = 'AzureBastionSubnet' 
    AddressPrefix = '10.0.1.0/26'
}
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig @bastsubnet

## Create the virtual network ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig,$bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

Create the virtual network by using az network vnet create. Create and configure the subnet by using az network vnet subnet create and az network vnet subnet update.

## Create the virtual network ##
az network vnet create \
    --resource-group test-rg \
    --name vnet-1 \
    --location eastus \
    --address-prefix 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefix 10.0.0.0/24

## Associate the NAT gateway with the subnet and disable default outbound access ##
az network vnet subnet update \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --name subnet-1 \
    --nat-gateway nat-gateway \
    --default-outbound false

## Create the Azure Bastion subnet ##
az network vnet subnet create \
    --resource-group test-rg \
    --vnet-name vnet-1 \
    --name AzureBastionSubnet \
    --address-prefix 10.0.1.0/26

1. In the search box at the top of the Azure portal, enter Bastion. Select Bastions in the search results.

2. Select Create.

3. On the Basics tab of Create a Bastion, enter or select the following information.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg or your resource group.
   Instance details
   Name	Enter bastion.
   Region	Select your region. This example uses East US.
   Tier	Select Developer.
   Virtual network	Select vnet-1.
   Subnet	Select AzureBastionSubnet.

4. Select Review + create, and then select Create.

Create the Azure Bastion host by using New-AzBastion.

## Create a public IP address for the Azure Bastion host ##
$ip = @{
    Name = 'public-ip-bastion'
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'Static'
    Zone = 1,2,3
}
$publicipbastion = New-AzPublicIpAddress @ip

## Create the Azure Bastion host ##
$bastion = @{
    Name = 'bastion'
    ResourceGroupName = 'test-rg'
    PublicIpAddressRgName = 'test-rg'
    PublicIpAddressName = 'public-ip-bastion'
    VirtualNetworkRgName = 'test-rg'
    VirtualNetworkName = 'vnet-1'
    Sku = 'Basic'
}
New-AzBastion @bastion

Create a public IP address for the Azure Bastion host by using az network public-ip create. Create the Azure Bastion host by using az network bastion create.

## Create a public IP address for the Azure Bastion host ##
az network public-ip create \
    --resource-group test-rg \
    --name public-ip-bastion \
    --location eastus \
    --sku Standard \
    --allocation-method Static \
    --zone 1 2 3

## Create the Azure Bastion host ##
az network bastion create \
    --resource-group test-rg \
    --name bastion \
    --location eastus \
    --vnet-name vnet-1 \
    --public-ip-address public-ip-bastion \
    --sku Basic

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. Select Create > Virtual machine.

3. In Create a virtual machine, enter or select the following information on the Basics tab.

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg or your resource group.
   Instance details
   Virtual machine name	Enter vm-1.
   Region	Select your region. This example uses East US.
   Availability options	Leave the default of No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Ubuntu Server 24.04 LTS - Gen2.
   Size	Select a size.
   Authentication type	Select SSH public key.
   Username	Enter a username of your choice. You need this username to sign in to the virtual machine later.
   SSH public key source	Select Generate new key pair.
   Key pair name	Enter ssh-key.
   Public inbound ports	Select None.

4. Select Next: Disks, and then select Next: Networking.

5. On the Networking tab, enter or select the following information.

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-1.
   Public IP	Select None.
   NIC network security group	Select Basic.
   Public inbound ports	Leave the default of None.

6. Select Review + create, and then select Create.

Create a username and password for the virtual machine by using Get-Credential. Create a network interface for the virtual machine by using New-AzNetworkInterface. Create the virtual machine configuration by using New-AzVMConfig. Create the virtual machine by using New-AzVM.

## Get credentials for the virtual machine ##
$cred = Get-Credential

## Create the network interface for the virtual machine ##
$nic = @{
    Name = "nic-1"
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create the virtual machine configuration ##
$vmsz = @{
    VMName = 'vm-1'
    VMSize = 'Standard_DS1_v2'  
}
$vmos = @{
    ComputerName = 'vm-1'
    Credential = $cred
    DisablePasswordAuthentication = $true
}
$vmimage = @{
    PublisherName = 'Canonical'
    Offer = '0001-com-ubuntu-server-jammy'
    Skus = '22_04-lts-gen2'
    Version = 'latest'     
}
$vmConfig = New-AzVMConfig @vmsz `
    | Set-AzVMOperatingSystem @vmos -Linux `
    | Set-AzVMSourceImage @vmimage `
    | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine ##
$vm = @{
    ResourceGroupName = 'test-rg'
    Location = 'eastus'
    VM = $vmConfig
    SshKeyName = 'ssh-key'
}
New-AzVM @vm -GenerateSshKey

Create a network interface for the virtual machine by using az network nic create. Create the virtual machine by using az vm create.

## Create a network interface for the virtual machine ##
az network nic create \
    --resource-group test-rg \
    --name nic-1 \
    --vnet-name vnet-1 \
    --subnet subnet-1

## Create the virtual machine ##
az vm create \
    --resource-group test-rg \
    --name vm-1 \
    --location eastus \
    --nics nic-1 \
    --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
    --size Standard_DS1_v2 \
    --admin-username azureuser \
    --generate-ssh-keys \
    --public-ip-address ""

When you finish using the resources that you created, you can delete the resource group and all its resources.

1. In the Azure portal, search for and select Resource groups.

2. On the Resource groups page, select the test-rg resource group.

3. On the test-rg page, select Delete resource group.

4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

If you no longer need this application, delete the virtual network, virtual machine, and NAT gateway by using the following command:

Remove-AzResourceGroup -Name 'test-rg' -Force

If you no longer need this application, delete the virtual network, virtual machine, and NAT gateway by using the following command:

az group delete \
    --name test-rg \
    --yes \
    --no-wait