Check out my NEW Book on Azure here a.co/d/0i8nEnJc
It's a good move, I come from AWS background and was suprised how I had internet access by default in azure
I know right! But after 16 years of doing it this way it’s a big change!
Thanks for the heads up!
We use NAT Gateway for client security requirements. Customers want to know which IPs our people are coming from.
If you have multiple public ips or prefixes assigned to your NAT Gateway, it does round robin (or is it random? can't recall but it changes) for any new outbound connections.
It's causing issues where we connect to a customer's service (website, hosted desktop, etc.) on one IP for auth and their service expects subsequent communication from that same IP, BUT the next connection comes from a different IP in the NAT GW pool.
Otherwise, natgw has been really effective at its job.
Each outbound connection (within a session timeout limit) will have the same public IP...but a new session will grab whichever public IP is available at that time. So if you MUST always have the same public IP then you probably need to have only 1 public IP on a gateway. You could also lengthen the session timeout...let me know how it goes!
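To make the "one public IP per gateway" suggestion above concrete, here is an added Bicep example that is not from the video or from any comment in this thread: one NAT Gateway with exactly one static Standard public IP, a longer idle timeout, pinned to a single zone, and attached to a subnet that already opts out of default outbound access. The resource names, address ranges, the zone, the 30-minute timeout and the API version are my own illustrative choices; `defaultOutboundAccess`, `idleTimeoutInMinutes` and `publicIpAddresses` are documented properties of the subnet and NAT Gateway resource types.

```bicep
// Added example (not from the video or the comments): single-IP NAT Gateway
// giving one predictable egress address for a private subnet.
// Assumed values: names, 10.10.0.0/16 address space, zone '1', 30-minute timeout.
param location string = resourceGroup().location
param zone string = '1' // NAT Gateway is zonal: one gateway per zone you need egress in

// Exactly one Standard static public IP. With several IPs or a prefix, new flows
// would be spread across the pool, which is what breaks IP-allowlisted services.
resource egressIp 'Microsoft.Network/publicIPAddresses@2024-01-01' = {
  name: 'pip-natgw-egress'
  location: location
  sku: { name: 'Standard' }
  zones: [ zone ]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource natgw 'Microsoft.Network/natGateways@2024-01-01' = {
  name: 'natgw-workload'
  location: location
  sku: { name: 'Standard' }
  zones: [ zone ]
  properties: {
    // TCP idle timeout for established flows; allowed range is 4-120 minutes (default 4).
    idleTimeoutInMinutes: 30
    publicIpAddresses: [ { id: egressIp.id } ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-private'
        properties: {
          addressPrefix: '10.10.1.0/24'
          // Opt out of default outbound access now, so this subnet already behaves
          // the way new subnets will after the retirement (no implicit internet egress).
          defaultOutboundAccess: false
          // Every outbound internet flow from this subnet is SNATed through the gateway,
          // so the only address customers ever see is egressIp.
          natGateway: { id: natgw.id }
        }
      }
    ]
  }
}

// Hand this address to the customer for their allowlist.
output egressAddress string = egressIp.properties.ipAddress
```

Deploy with `az deployment group create -g <rg> -f natgw.bicep`. Two caveats worth checking before relying on it: a single public IP gives 64,512 SNAT ports for the whole subnet, so watch the gateway's SNAT connection metrics if many VMs share it, and pinning to one zone means that zone's outage takes egress down with it, which is the trade-off raised later in this thread. The same `natGateway: { id: ... }` association applied to `AzureFirewallSubnet` is how a NAT Gateway is put in front of Azure Firewall for additional SNAT ports, as the replies further down describe.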
Hey Dean, Great video as always :)
Are you aware of any documentation regarding this change in AVD deployment? I had a customer telling me they noticed NAT Gateway deployed automatically with their AVD. I've been chasing the MS team to confirm how it'll be, in case all of a sudden there would be responsibility for the NAT Gateway resource back on the customer, i.e. do we need DoS for that IP address?
Thanks! There are no updated AVD docs on this yet…they are coming. I haven't seen NatGW deploying with AVD automatically! NO, you do not need DDoS on the NatGW public IP; it does not accept inbound traffic.
Honestly, I never understood why this wasn't the default behavior from the start. It always felt like an unnecessary risk.
I think the original intent back then was to make Azure as easy to use as possible, and since it was already on the internet…security times do change and we all need to be ready
Ok, the NAT Gateway allows outbound only and it's stateful. Can you please explain why you call this a "Zero Trust Model Network Device"? And what does that term even mean?
Zero trust model is where access is directly and specifically granted when it is needed and only as long as it is needed, and in the least privileged manner. Does that help?
We normally implement a firewall (Azure or Marketplace). Will these be affected by the change?
As I cover in the video, firewalls will allow you to access the internet, but you may run into SNAT port exhaustion; if you do, you can front the firewall with NAT Gateway
I strongly believe they should be making announcement on all social media out there
Agreed! I am talking to that team about announcements
Thanks for this great video, very good explanation.
Thanks!
thanks for this, very useful. However I don’t believe NAT Gateway in combination with Azure Firewall is supported for Zone Redundant deployments. I learned this the hard way when I wanted to have a predictable IP address when making outbound SNAT connections through the Azure Firewall for 3rd party whitelisting purposes.
As I explained in the video the NAT Gateway is NOT zone redundant today, because you need to deploy a separate instance in each zone
So if your firewall is also zone redundant then you have to build multiple Nat Gateways.
I have shared this feedback with the product team to make the Gateway zone redundant…stay tuned
@@AzureAcademy Wow, amazing! Thank you
Anytime
The original announcement, and subsequent announcements, have said that this default outbound access will only be removed for new VMs in subnets created after September '25. So, unless somebody really messed up the communication, existing VMs and subnets should be fine.
You are correct, but do you know how many new VMs are deployed every day…This change does have impact on existing environments, deployment methodologies, security, and more.
This information is still very important for everyone to figure out how they will function in this new Azure BEFORE 2025 gets here or there will be impact.
I have this set up today for some of my subnets to control the prefix. To my knowledge, one of my subnets is private, so I'm confused why they and their limitations were such a focus here.
Since private subnets are in preview and new to most viewers, I wanted to lay out how they function today, their limits due to the lack of internet access, and that they are the perfect method to understand how Azure will function in 2025. So it made sense to talk about all these in this video
Instead of allowing whole subnet, how can I allow a single IP if I want to allow internet to a single VM in a subnet?
For a single IP I'd suggest Azure Load Balancer. This way you are not directly exposing your VM to the internet while only granting outbound internet access to the VMs in the back end pool
Why is Azure copying Oracle Cloud and aws now? All these public-subnet vs Private Subnet and NAT Gateway along with Internet Gateway were Oracle's way (and AWS too)
you are correct AWS and Oracle did this first...I think since they were created...Azure is doing it now because it is much more secure...like I talked about in the video
Is this a massive price rise by stealth?
No I don’t think so…but I guess that will depend on how many gateways you build
Ok NAT gateway is a good thing but it puts a ton of data processing costs on top...
yeah...730 GB a month is just over $30.00
Good video, read about it a while ago. I've never heard of SNAT referred to as secure nat, i always thought it stood for source network address translation? Anyway, who cares, thanks for the video.
yeah I have heard it both ways... 🤷♂️
It's definitely source
LOL ok...you got it 😉
Why AWS kicks Azure's ass - private and public subnets have always been there. Seems weird not to do this.
LOL that’s one opinion 🤔🤷🏼♂️🤣 each platform has its strengths…for example AWS workspaces are nothing next to Azure Virtual Desktop ☺️
How would you handle a zone redundant firewall with NAT gateway when you have to pin a NAT gateway to a particular zone? More of an issue if that zone fails.
That is a GREAT question! Today…I don’t think there is an answer…in my opinion, NAT Gateway needs to become a zonal resource…which would solve for this scenario…I’ll pass your feedback to the product group…stay tuned!
You force all your traffic out through the firewall's interface, not a NAT GW. If the NVA is zonal the NIC(s) attached to it are as well...once traffic is sent to the WAN interface Azure does the SNAT from there.
True, but you are still limited in SNAT ports on the firewall. The Azure Firewall has more scalability than an NVA built on VMs in Azure, because it's built on VM Scale Sets with scalable public IPs. So by adding the NAT Gateway to either the Azure Firewall or another NVA you now get almost double the number of SNAT ports and session limits to eliminate port exhaustion
@@AzureAcademy a VAST majority of customers will never experience port exhaustion but yes you are correct that can remediate it. still can't get on the Az Firewall bandwagon due to absurd pricing.
I hear ya...The NAT Gateway pricing is FAR more reasonable...but just so you know...Azure Firewall pricing is very similar to other firewall vendors with similar features...for whatever that's worth 😉
Great Video!
Glad you enjoyed it! How are you going to get ready for 2025?
wow! I had no idea.... this is great info 🙂
please share on all social media so others can learn about this change as well 👍
There should be an option switch to turn it on and off. I don't want outbound just going away and then having to do all this stuff.
That is why we all need to start getting ready NOW...so September 2025 will be a non-event! That's why I made this video now!
😂 If SNAT stands for Secure NAT and not Source NAT, what does DNAT stand for?
I have heard it and read it used both as source and secure and YES D is for destination. 🤦♂️🤷🏼♂️
...where is the AVD book ... Walter wants 5 of those 🤩🤩🤩
Here is my book! a.co/d/0eGslIpm
Leave a 5 ⭐ review to help the book rise on the charts so more people can find it! (only if you think it's good of course) 😉
@@AzureAcademy 😍🥰🤩
👍😊👍
What did i tell you.... Nothing to worry about
👍☺️👍
Hope this doesn't impact AVDs!
This will absolutely impact AVD! You MUST take steps like Nat Gateway to continue to have internet access
SNAT = Source Network Address Translation
There was another comment like yours…I've heard it used as both source and secure…so you can call it a mistake…or maybe I was just testing you to see if you were paying attention and you passed! 🤣🤷🏼♂️🤦♂️
Existing VMs will not be impacted by this retirement.
Yes, No and I hope not. The VMs themselves may not be directly impacted...but I am talking to other product teams who are not 100% sure yet. So the teams are working internally to reduce any impact. AND You also need to make your own environment ready for the change before next year based on how things will change so you reduce the impact as well
those new team members #clerks😁 will never create such Hollywood style vids 😁 ... one that could #blondie ...maybe 🤩😂 ... need more training 😍
That's why I am helping them! Give 'em time 😊
@@AzureAcademy 🤣🤣🤣🤣
👍😊👍
Stock videos galore...
Would you rather I add stock videos to keep things interesting, or would you prefer to stare at an unmoving talking head the whole time?
@@AzureAcademy I think the presenter is entertaining enough with the content that the need to add stock vids is not required. But, hey, feel free!
thank you...I will try to strike more of a balance with it
Every day that passes, complexity, cost, pain grows with Azure/365. Just another set of extra costs wrapped up in claims of more security/better defaults.
complexity does grow over time...but so do solutions! I brought this to your attention NOW so you have time to work on your environment so you won't be impacted in 2025. Also as I said in the video the product teams are always working to improve on these things...so stay tuned for more!
In this case the complexity and cost is indeed justified by the improved security. Bad security defaults are one of the most common sources of breaches.
Agreed!
Would really like to see more IPv6 support from the Azure network stack, Azure Firewall in particular
This is a move in the right direction but still lots to be done
Agreed! Tell me more about IPv6 in your environment. Do you use it instead of IPv4 for private IPs or just on the public?
@@AzureAcademy instead of IPv4 where possible and then NAT64 does the rest for us - just trying to minimise NAT where possible
Also makes planning the network a lot easier!
Makes sense, NAT did save the internet…but caused several problems doing it. IPv6 should help us all move forward
OMG!!!! nah, clickbaity.....This isn't even new.
WHAT...how is this NOT news!!! Just because it's going into effect next year?? People need time to think through things, POC changes and come up with the way that will work for all the things they need.
100% NOT click bait. Sat on a beach and got the notification to watch this video. Super useful for CSPs!
awesome...Thanks for the feedback
That’s why I only use aws
LOL really? This has been the ONLY reason you use AWS??? Come on...there have to be better reasons!