COMMENTS •

  • @AzureAcademy
    @AzureAcademy 24 days ago +2

    Check out my NEW Book on Azure here a.co/d/0i8nEnJc

  • @eointhomas2914
    @eointhomas2914 22 days ago +6

    It's a good move, I come from an AWS background and was surprised how I had internet access by default in Azure

    • @AzureAcademy
      @AzureAcademy 21 days ago +2

      I know right! But after 16 years of doing it this way it’s a big change!

  • @anaveragehuman2937
    @anaveragehuman2937 24 days ago +2

    Thanks for the heads up!
    We use NAT Gateway for client security requirements. Customers want to know which IPs our people are coming from.
    If you have multiple public IPs or prefixes assigned to your NAT Gateway, it does round robin (or is it random? can't recall, but it changes) for any new outbound connections.
    It's causing issues where we connect to a customer's service (website, hosted desktop, etc.) on one IP for auth and their service expects subsequent comms from that same IP, BUT the next connection comes from a different IP in the NAT GW pool.
    Otherwise, NAT GW has been really effective at its job.

    • @AzureAcademy
      @AzureAcademy 24 days ago +1

      Each outbound connection (within a session timeout limit) will have the same public IP...but a new session will grab whichever public IP is available at that time. So if you MUST always have the same public IP then you probably need to have only 1 public IP on a gateway. You could also lengthen the session timeout...let me know how it goes!
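      The mitigation described in this exchange (a private subnet whose only egress path is a NAT Gateway with a single public IP and a longer idle timeout), written out as an added Bicep example; it is not from the video or from any commenter, and the resource names, location, address space and API version are assumptions.

      ```bicep
      // Added example: one static public IP on the NAT Gateway so every new outbound
      // session leaves from the same address, plus a longer idle timeout so long-lived
      // sessions are not torn down and re-established. Names and addresses are placeholders.
      param location string = resourceGroup().location
      param idleTimeoutMinutes int = 10   // Azure default is 4; allowed range is 4-120

      // Single Standard SKU static public IP. With only one IP in the pool there is
      // no second address for a later connection to be SNATed from.
      resource egressIp 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
        name: 'pip-egress'
        location: location
        sku: { name: 'Standard' }
        zones: ['1']                      // NAT Gateway is zonal; keep the IP in the same zone
        properties: {
          publicIPAllocationMethod: 'Static'
        }
      }

      resource natGw 'Microsoft.Network/natGateways@2023-09-01' = {
        name: 'natgw-egress'
        location: location
        sku: { name: 'Standard' }
        zones: ['1']
        properties: {
          idleTimeoutInMinutes: idleTimeoutMinutes
          publicIpAddresses: [
            { id: egressIp.id }            // exactly one IP: predictable source address
          ]
        }
      }

      resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
        name: 'vnet-workload'
        location: location
        properties: {
          addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
          subnets: [
            {
              name: 'snet-workload'
              properties: {
                addressPrefix: '10.10.1.0/24'
                defaultOutboundAccess: false   // private subnet: no implicit internet egress
                natGateway: { id: natGw.id }   // explicit, auditable egress path instead
              }
            }
          ]
        }
      }
      ```

      A VM in snet-workload has no default outbound access and reaches the internet only through pip-egress, which is the address a customer can allow-list.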

  • @1979benmitchell
    @1979benmitchell 24 days ago +7

    Honestly, I never understood why this wasn't the default behavior from the start. It always felt like an unnecessary risk.

    • @AzureAcademy
      @AzureAcademy 24 days ago +6

      I think the original intent back then was to make Azure as easy to use as possible, and since it was already on the internet…security times do change and we all need to be ready

  • @mcdonamw
    @mcdonamw 23 days ago +1

    I have this set up today for some of my subnets to control the prefix. To my knowledge, none of my subnets is private, so I'm confused why they and their limitations were such a focus here.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Since private subnets are in preview, and new to most viewers, I wanted to lay out how they function today, their limits due to the lack of internet access, and that they are the perfect method to understand how Azure will function in 2025. So it made sense to talk about all of these in this video

  • @saeednouri3586
    @saeednouri3586 22 days ago +1

    Hey Dean, great video as always :)
    Are you aware of any documentation regarding this change in AVD deployment? I had a customer telling me they noticed NAT Gateway deployed automatically with their AVD. I've been chasing the MS team to confirm how it'll be, in case all of a sudden there would be a responsibility for the NAT Gateway resource back on the customer, i.e. do we need DDoS for that IP address?

    • @AzureAcademy
      @AzureAcademy 22 days ago +1

      Thanks! There are no updated AVD docs on this yet…they are coming. I haven’t seen NAT GW deploying with AVD automatically! NO, you do not need DDoS on the NAT GW public IP; it does not accept inbound traffic.

  • @macro8681
    @macro8681 23 days ago +1

    The original announcement, and subsequent announcements, have said that this default outbound access will only be removed for new VMs in subnets created after September '25. So, unless somebody really messed up the communication, existing VMs and subnets should be fine.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      You are correct, but do you know how many new VMs are deployed every day…This change does have an impact on existing environments, deployment methodologies, security, and more.
      This information is still very important for everyone to figure out how they will function in this new Azure BEFORE 2025 gets here, or there will be impact.

  • @keithbucknall
    @keithbucknall 9 days ago +1

    We normally implement a firewall (Azure or marketplace); will these be affected by the change?

    • @AzureAcademy
      @AzureAcademy 9 days ago +1

      As I cover in the video, firewalls will allow you to access the internet, but you may run into SNAT port exhaustion; if you do, you can front the firewall with NAT Gateway

  • @beatjunkies
    @beatjunkies 15 days ago +1

    Ok, the NAT Gateway allows outbound only and it's stateful. Can you please explain why you call this a "Zero Trust Model Network Device"? And what does that term even mean?

    • @AzureAcademy
      @AzureAcademy 14 days ago +1

      Zero trust model is where access is directly and specifically granted when it is needed and only as long as it is needed, and in the least privileged manner. Does that help?

  • @BuggageandGlitchage
    @BuggageandGlitchage 10 days ago +1

    Thanks for this, very useful. However, I don’t believe NAT Gateway in combination with Azure Firewall is supported for zone-redundant deployments. I learned this the hard way when I wanted to have a predictable IP address when making outbound SNAT connections through the Azure Firewall for 3rd-party whitelisting purposes.

    • @AzureAcademy
      @AzureAcademy 10 days ago +2

      As I explained in the video the NAT Gateway is NOT zone redundant today, because you need to deploy a separate instance in each zone
      So if your firewall is also zone redundant then you have to build multiple Nat Gateways.
      I have shared this feedback with the product team to make the Gateway zone redundant…stay tuned

    • @BuggageandGlitchage
      @BuggageandGlitchage 10 days ago +1

      @AzureAcademy Wow, amazing! Thank you

    • @AzureAcademy
      @AzureAcademy 9 days ago +1

      Anytime

  • @lwa.dev74
    @lwa.dev74 24 days ago +1

    Wow! I had no idea.... this is great info 🙂

    • @AzureAcademy
      @AzureAcademy 24 days ago +2

      please share on all social media so others can learn about this change as well 👍

  • @jamiechilds9432
    @jamiechilds9432 24 days ago +1

    How would you handle a zone-redundant firewall with NAT Gateway when you have to pin a NAT Gateway to a particular zone? More of an issue if that zone fails.

    • @AzureAcademy
      @AzureAcademy 24 days ago +2

      That is a GREAT question! Today…I don’t think there is an answer…in my opinion, NAT Gateway needs to become a zonal resource…which would solve for this scenario…I’ll pass your feedback to the product group…stay tuned!

    • @diabilliq
      @diabilliq 23 days ago +1

      You force all your traffic out through the firewall's interface, not a NAT GW. If the NVA is zonal, the NIC(s) attached to it are as well...once traffic is sent to the WAN interface, Azure does the SNAT from there.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      True, but you are still limited in SNAT ports on the firewall. The Azure Firewall has more scalability than an NVA built on VMs in Azure, because it’s built on VM Scale Sets with scalable public IPs. So by adding the NAT Gateway to either the Azure Firewall or another NVA you now get almost double the number of SNAT ports and session limits to eliminate port exhaustion

    • @diabilliq
      @diabilliq 20 days ago +1

      @AzureAcademy A VAST majority of customers will never experience port exhaustion, but yes, you are correct that can remediate it. Still can't get on the Az Firewall bandwagon due to absurd pricing.

    • @AzureAcademy
      @AzureAcademy 20 days ago +1

      I hear ya...The NAT Gateway pricing is FAR more reasonable...but just so you know...Azure Firewall pricing is very similar to other firewall vendors with similar features...for whatever that's worth 😉

  • @moritz473
    @moritz473 7 days ago +1

    Ok, NAT Gateway is a good thing, but it puts a ton of data processing costs on top...

    • @AzureAcademy
      @AzureAcademy 6 days ago +1

      Yeah...730 GB a month is just over $30.00

  • @MichaelToub
    @MichaelToub 23 days ago +1

    Great Video!

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Glad you enjoyed it! How are you going to get ready for 2025?

  • @gregstreuber
    @gregstreuber 24 days ago +7

    Hiding under the guise of "security"...is a new revenue generator for Microsoft.

    • @AzureAcademy
      @AzureAcademy 24 days ago +1

      An interesting point of view…why do you feel that way?

    • @G8KEEPER
      @G8KEEPER 24 days ago +1

      @AzureAcademy Because it's implemented in such a way that you are incurring additional charges for what was supposed to be a "flip of a switch" functionality on either the VM or subnet level.
      1. Zero Trust - No internet access by default
      -- solution: VM/subnet level property with name "internetAccessEnabled" and value "false"
      2. Connectivity should be explicit, not implicit
      -- solution: VM/subnet level property with name "internetAccessEnabled" and value "true"
      Two birds with one stone...
      3. Dynamic outbound public IP - solution => NAT GW, FW, attached PIP
      How often did I need a static outbound public IP for the past 5 years in Azure? Answer => Never.
      How often did I need internet access for the past 5 years in Azure? => Almost always.

    • @ABatorfi
      @ABatorfi 24 days ago +6

      @AzureAcademy NAT Gateway is another $32.5 at the moment + 4.5 cents per GB processed (which goes fast with some Windows updates). Oh, and of course we need a public IP, which is another ~$3.5. All of this was previously included in the cost of the VM. Yes, it was less secure, but certainly this adds to the cost of an environment.

    • @AzureAcademy
      @AzureAcademy 24 days ago +3

      you are not wrong! I'm talking to the product group about these things like private subnet limitations and the cost factor. Stay tuned for more updates on this!

    • @lordfraybin
      @lordfraybin 22 days ago +1

      Yikes.. that would be $13 just to install a 1 GB patch on each of my servers.

  • @suvendupanda6130
    @suvendupanda6130 9 days ago +1

    Instead of allowing whole subnet, how can I allow a single IP if I want to allow internet to a single VM in a subnet?

    • @AzureAcademy
      @AzureAcademy 9 days ago +1

      For a single IP I’d suggest Azure Load Balancer. This way you are not directly exposing your VM to the internet while only granting outbound internet access to the VMs in the back-end pool

  • @papajohnscookie
    @papajohnscookie 24 days ago +1

    Good video, read about it a while ago. I've never heard of SNAT referred to as secure NAT, I always thought it stood for source network address translation? Anyway, who cares, thanks for the video.

  • @syamantakpati9009
    @syamantakpati9009 20 days ago +1

    Why is Azure copying Oracle Cloud and AWS now? All these public subnet vs. private subnet and NAT Gateway along with Internet Gateway were Oracle's way (and AWS's too)

    • @AzureAcademy
      @AzureAcademy 19 days ago +2

      you are correct AWS and Oracle did this first...I think since they were created...Azure is doing it now because it is much more secure...like I talked about in the video

  • @dg9576
    @dg9576 11 days ago +1

    Why AWS kicks Azure's ass - private and public subnets have always been there. Seems weird not to do this.

    • @AzureAcademy
      @AzureAcademy 10 days ago +1

      LOL that’s one opinion 🤔🤷🏼‍♂️🤣 each platform has its strengths…for example AWS workspaces are nothing next to Azure Virtual Desktop ☺️

  • @jaaguitar
    @jaaguitar 19 days ago +2

    Is this a massive price rise by stealth?

    • @AzureAcademy
      @AzureAcademy 19 days ago +2

      No I don’t think so…but I guess that will depend on how many gateways you build

  • @ApeZoneEntertainment
    @ApeZoneEntertainment 23 days ago +1

    There should be an option switch to turn it on and off. I don't want outbound just going away, then having to do all this stuff.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      That is why we all need to start getting ready NOW...so September 2025 will be a non-event! That's why I made this video now!

  • @Timmy-Hi5
    @Timmy-Hi5 23 days ago +1

    ...where is the AVD book ... Walter wants 5 of those 🤩🤩🤩

    • @AzureAcademy
      @AzureAcademy 23 days ago +2

      Here is my book! a.co/d/0eGslIpm
      Leave a 5 ⭐ review to help the book rise on the charts so more people can find it! (only if you think it's good, of course) 😉

    • @Timmy-Hi5
      @Timmy-Hi5 23 days ago +1

      @AzureAcademy 😍🥰🤩

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      👍😊👍

  • @majesticoverland
    @majesticoverland 23 days ago +1

    I have been using that for a year. I needed a known IP that when the users connected to certain outside services every Host in the AVD Host pool would show the same IP to the service they were connecting to, but never needed inbound to the hosts.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Good to know!

    • @majesticoverland
      @majesticoverland 21 days ago +1

      @AzureAcademy Do you know anything about why Cloudflare flags Azure VM users as non-human on tons of sites and won't let them access sites they control? Even trying to go to the Cloudflare community portal blocks you on Azure.

    • @AzureAcademy
      @AzureAcademy 21 days ago +1

      I have heard about Cloudflare, but I have never used it…sorry 🥺

  • @wearewhoweare6602
    @wearewhoweare6602 24 days ago +1

    What did I tell you.... Nothing to worry about

  • @user-wv7io5wr2t
    @user-wv7io5wr2t 22 days ago +2

    😂 If SNAT stands for Secure NAT and not Source NAT, what does DNAT stand for?

    • @AzureAcademy
      @AzureAcademy 22 days ago +1

      I have heard it and read it used both as source and secure and YES D is for destination. 🤦‍♂️🤷🏼‍♂️

  • @shijinm345
    @shijinm345 24 days ago +1

    Hope this doesn't impact AVDs!

    • @AzureAcademy
      @AzureAcademy 24 days ago +2

      This will absolutely impact AVD! You MUST take steps like Nat Gateway to continue to have internet access

  • @Alexwilcox9
    @Alexwilcox9 24 days ago +1

    Would really like to see more IPv6 support from the Azure network stack, Azure Firewall in particular
    This is a move in the right direction but still lots to be done

    • @AzureAcademy
      @AzureAcademy 24 days ago +1

      Agreed! Tell me more about IPv6 in your environment. Do you use it instead of IPv4 for private IPs or just on the public?

    • @Alexwilcox9
      @Alexwilcox9 24 days ago +1

      @AzureAcademy instead of IPv4 where possible, and then NAT64 does the rest for us - just trying to minimise NAT where possible
      Also makes planning the network a lot easier!

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Makes sense, NAT did save the internet…but caused several problems doing it. IPv6 should help us all move forward

  • @charliefairchild7653
    @charliefairchild7653 10 days ago +1

    SNAT = Source Network Address Translation

    • @AzureAcademy
      @AzureAcademy 10 days ago +1

      There was another comment like yours…I’ve heard it used as both source and secure…so you can call it a mistake…or maybe I was just testing you to see if you were paying attention, and you passed! 🤣🤷🏼‍♂️🤦‍♂️

  • @Timmy-Hi5
    @Timmy-Hi5 23 days ago +1

    those new team members #clerks😁 will never create such Hollywood-style vids 😁 ... one that could #blondie ...maybe 🤩😂 ... need more training 😍

    • @AzureAcademy
      @AzureAcademy 23 days ago +2

      That's why I am helping them! Give 'em time 😊

    • @Timmy-Hi5
      @Timmy-Hi5 23 days ago +1

      @AzureAcademy 🤣🤣🤣🤣

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      👍😊👍

  • @AdmV0rl0n
    @AdmV0rl0n 23 days ago +2

    Every day that passes, complexity, cost, pain grows with Azure/365. Just another set of extra costs wrapped up in claims of more security/better defaults.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Complexity does grow over time...but so do solutions! I brought this to your attention NOW so you have time to work on your environment so you won't be impacted in 2025. Also, as I said in the video, the product teams are always working to improve on these things...so stay tuned for more!

    • @LimitedWard
      @LimitedWard 23 days ago +2

      In this case the complexity and cost is indeed justified by the improved security. Bad security defaults are one of the most common sources of breaches.

    • @AzureAcademy
      @AzureAcademy 23 days ago +1

      Agreed!

  • @kdikdi37
    @kdikdi37 18 days ago +1

    Existing VMs will not be impacted by this retirement.

    • @AzureAcademy
      @AzureAcademy 17 days ago +1

      Yes, no, and I hope not. The VMs themselves may not be directly impacted...but I am talking to other product teams who are not 100% sure yet. So the teams are working internally to reduce any impact. AND you also need to make your own environment ready for the change before next year, based on how things will change, so you reduce the impact as well

  • @guyprovost
    @guyprovost 8 days ago +1

    Stock videos galore...

    • @AzureAcademy
      @AzureAcademy 8 days ago +1

      Would you rather I add stock videos to keep things interesting, or would you prefer to stare at an unmoving talking head the whole time?

    • @guyprovost
      @guyprovost 8 days ago +1

      @AzureAcademy I think the presenter is entertaining enough with the content that the need to add stock vids is not required. But, hey, feel free!

    • @AzureAcademy
      @AzureAcademy 6 days ago +1

      Thank you...I will try to strike more of a balance with it

  • @TECHlabs-gs9en
    @TECHlabs-gs9en 23 days ago +2

    OMG!!!! Nah, clickbaity.....This isn't even new.

    • @AzureAcademy
      @AzureAcademy 23 days ago +2

      WHAT...how is this NOT news!!! Just because it's going into effect next year?? People need time to think through things, POC changes and come up with the way that will work for all the things they need.

    • @rvt20s
      @rvt20s 9 days ago +1

      100% NOT click bait. Sat on a beach and got the notification to watch this video. Super useful for CSPs!

    • @AzureAcademy
      @AzureAcademy 6 days ago +1

      Awesome...Thanks for the feedback

  • @coder10
    @coder10 23 days ago +1

    That’s why I only use AWS

    • @AzureAcademy
      @AzureAcademy 23 days ago +2

      LOL really? This has been the ONLY reason you use AWS??? Come on...there have to be better reasons!