Inbound NAT Rule
Ankit Ranjan (DevOps Engineer)
Actively Seeking Full-time Azure DevOps/Azure Cloud Engineer Opportunities | Certified Terraform Associate | IAM-Azure DevOps Engineer | Ebug India
Create a single virtual machine inbound NAT rule using the Azure portal
Inbound NAT rules enable connections to virtual machines (VMs) in an Azure virtual network using a public IP address and port number from an Azure Load Balancer.
In this example, we will see how to:
Create a Virtual Network and Virtual Machines
A virtual network and subnet are necessary for this tutorial’s resources. In this section, you'll set up a virtual network and VM for later steps.
1. In the search box at the top of the Azure portal, type Virtual machine and select Virtual machines from the results.
2. In Virtual machines, click + Create > + Virtual machine.
3. In Create a Virtual Machine, enter the required values in the Basics tab:
4. Select the Networking tab or click Next: Disks followed by Next: Networking.
5. In the Networking tab, input the necessary information.
6. Then proceed by selecting Review + Create.
7. Click Create.
8. When prompted to Generate a new key pair, select Download private key and create the resource. The key file, lb-key-pair.pem, will download. Note the file location, as you’ll need it for later steps.
Repeat steps 1 through 7 to create a second VM with the same values as the first (lb-vm1), adjusting only the specified settings.
Create a Load Balancer
In this section, you'll set up a load balancer and configure the frontend IP, backend pool, load-balancing rule, and inbound NAT rules.
1. In the Azure portal search bar, type Load balancer and select Load balancers from the results.
2. In the Load balancer page, select Create.
3. In the Basics tab of the Create load balancer page, provide the required information, then click Next: Frontend IP configuration at the bottom.
4. In Frontend IP configuration, select + Add a frontend IP configuration.
5. Select OK, then Add.
6. Click Next: Backend pools.
7. Select + Add a backend pool in the Backend pools tab.
8. Click Next: Inbound rules.
9. In the Inbound Rules tab, add a load-balancing rule:
10. To add inbound NAT rules:
11. Click Review + Create at the bottom, then Create.
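The portal steps above leave the actual port mappings implicit. The script below is an added example, not code from the article, that builds the same load balancer with the Az PowerShell module so the mappings are explicit: one Standard frontend, a backend pool, an HTTP load-balancing rule, and two Version 1 inbound NAT rules that map frontend ports 221 and 222 to port 22 on lb-vm1 and lb-vm2 respectively. The resource group load-balancer-rg, the VM names and the frontend name lb-frontend come from the article; the region and the names lb-frontend-ip, load-balancer, lb-backend-pool, lb-health-probe, lb-HTTP-rule, lb-vm1-ssh, lb-vm2-ssh, lb-vm1-nic and lb-vm2-nic are assumptions of this example.

```powershell
# Added example (not the article's own code): the "Create a Load Balancer" portal steps
# expressed with the Az PowerShell module. Requires Connect-AzAccount first.
# Assumed names: region, lb-frontend-ip, load-balancer, lb-backend-pool, lb-health-probe,
# lb-HTTP-rule, lb-vm1-ssh, lb-vm2-ssh and the NIC names lb-vm1-nic / lb-vm2-nic.
$rg  = "load-balancer-rg"
$loc = "eastus"   # assumption: use the region the VMs were created in

# Frontend: a Standard-SKU static public IP. A Standard load balancer is closed by default;
# inbound traffic only reaches a VM if an NSG on its subnet or NIC allows the backend port.
$pip  = New-AzPublicIpAddress -ResourceGroupName $rg -Name "lb-frontend-ip" -Location $loc -Sku Standard -AllocationMethod Static
$feip = New-AzLoadBalancerFrontendIpConfig -Name "lb-frontend" -PublicIpAddress $pip

# Backend pool, health probe and the HTTP load-balancing rule (frontend 80 -> backend 80).
$bepool = New-AzLoadBalancerBackendAddressPoolConfig -Name "lb-backend-pool"
$probe  = New-AzLoadBalancerProbeConfig -Name "lb-health-probe" -Protocol Tcp -Port 80 -IntervalInSeconds 15 -ProbeCount 2
$lbrule = New-AzLoadBalancerRuleConfig -Name "lb-HTTP-rule" -Protocol Tcp -FrontendPort 80 -BackendPort 80 `
            -FrontendIpConfiguration $feip -BackendAddressPool $bepool -Probe $probe `
            -IdleTimeoutInMinutes 15 -EnableTcpReset

# Version 1 inbound NAT rules: one frontend port per VM, each mapped 1:1 to SSH (22) on that VM.
# These are the port numbers the SSH commands later in the article use (-p 221 and -p 222).
$nat1 = New-AzLoadBalancerInboundNatRuleConfig -Name "lb-vm1-ssh" -FrontendIpConfiguration $feip -Protocol Tcp -FrontendPort 221 -BackendPort 22
$nat2 = New-AzLoadBalancerInboundNatRuleConfig -Name "lb-vm2-ssh" -FrontendIpConfiguration $feip -Protocol Tcp -FrontendPort 222 -BackendPort 22

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "load-balancer" -Location $loc -Sku Standard `
        -FrontendIpConfiguration $feip -BackendAddressPool $bepool -Probe $probe `
        -LoadBalancingRule $lbrule -InboundNatRule $nat1, $nat2

# A Version 1 NAT rule only takes effect once it is attached to a VM's NIC IP configuration
# (the portal does this when you pick the target virtual machine). Attach each NIC to the
# backend pool and to its own NAT rule, then write the NIC back.
$natByNic = @{ "lb-vm1-nic" = "lb-vm1-ssh"; "lb-vm2-nic" = "lb-vm2-ssh" }
foreach ($nicName in $natByNic.Keys) {
    $nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $rule = $lb.InboundNatRules | Where-Object Name -eq $natByNic[$nicName]
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($rule)
    $nic | Set-AzNetworkInterface | Out-Null
}

# Confirm the frontend-to-backend mapping before opening any SSH session.
Get-AzLoadBalancer -ResourceGroupName $rg -Name "load-balancer" |
    Select-Object -ExpandProperty InboundNatRules |
    Select-Object Name, Protocol, FrontendPort, BackendPort
```

Because the frontend is a public IP, these two rules expose SSH on ports 221 and 222 to the internet. The NSG rule that lets port 22 reach the VMs should be scoped to the source addresses you administer from rather than to Any, and the final listing is the place to verify that each VM's rule maps to the port you expect before you rely on it.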
Create a NAT Gateway
In this section, you'll set up a NAT gateway to enable outbound internet access for resources in the virtual network.
1. In the Azure portal search bar, enter NAT gateway and select NAT gateways from the results.
2. In NAT gateways, select + Create.
3. On the Create network address translation (NAT) gateway page, fill in the required fields, then select the Outbound IP tab or click Next: Outbound IP.
4. In the Outbound IP section:
5. Select the Subnet tab or click Next: Subnet.
6. In the Subnet tab:
7. Click Review + Create and then Create.
Install a Web Server
In this section, you'll SSH into the virtual machines via inbound NAT rules and install a web server.
1. In the Azure portal search bar, type Load balancer and select Load balancers from the results.
2. Choose your load balancer and go to Frontend IP configuration under Settings.
3. Note the IP address for lb-frontend (e.g., 20.99.165.176).
4. In your terminal, initiate an SSH connection to lb-vm1 through the port 221 NAT rule, replacing <admin-username> with the administrator username you set on the Basics tab and using the frontend IP noted in step 3:
ssh -i .\Downloads\lb-key-pair.pem <admin-username>@20.99.165.176 -p 221
5. From within the SSH session:
sudo apt-get -y update
sudo apt-get -y install nginx
6. Repeat the SSH process for lb-vm2 through the port 222 NAT rule:
ssh -i .\Downloads\lb-key-pair.pem <admin-username>@20.99.165.176 -p 222
sudo apt-get -y update
sudo apt-get -y install nginx
Test the Web Server
In this section, you'll verify the web server is running by accessing it through the load balancer's public IP address.
1. Open your web browser.
2. In the address bar, type the load balancer’s public IP address (e.g., 20.99.165.176).
Clean Up Resources
If you no longer need this setup, delete the virtual machines and load balancer as follows:
1. In the Azure portal search bar, type Resource group and select Resource groups from the results.
2. Choose load-balancer-rg under Resource groups.
3. Select Delete resource group.
4. In the confirmation box, type load-balancer-rg and click Delete.
Create Inbound NAT Rule V2 Using the Azure Portal
Inbound NAT rules enable connections to virtual machines (VMs) in an Azure virtual network by utilizing a public IP address and port number from an Azure Load Balancer.
In this example, we will see how to:
Create a Virtual Network and Virtual Machines
To proceed with this tutorial, you'll need to create a virtual network and subnet. This section guides you through setting up a virtual network and creating virtual machines.
1. Sign in to the Azure portal.
2. In the search bar at the top, type Virtual machine and select Virtual machines from the results.
3. In the Virtual machines page, click + Create > + Virtual machine.
4. On the Create a virtual machine page:
5. In the Networking tab, provide the required information.
6. Go to Review + create and select Create.
7. At the Generate new key pair prompt, select Download private key and create resource. This will download your key file as myKey.pem. Note the file location as you'll need the path for later steps.
8. Repeat steps 1 through 6 to create a second VM with the same settings as myVM1, adjusting only the specified values.
Create a Load Balancer
In this section, you’ll set up a load balancer and configure the frontend IP, backend pool, load-balancing, and inbound NAT rules.
1. In the Azure portal search bar, type Load balancer and select Load balancers from the results.
2. On the Load balancer page, select Create.
3. In the Basics tab of the Create load balancer page, enter the required information, then select Next: Frontend IP configuration.
4. In Frontend IP configuration:
5. Select Next: Backend pools.
6. In the Backend pools tab:
7. Click Next: Inbound rules.
8. In the Inbound Rules tab:
9. Select Review + Create and then Create to finalize the setup.
Create a Multiple VMs Inbound NAT Rule
In this section, you will create an inbound NAT rule for multiple instances in the backend pool of the load balancer.
1. In the Azure portal search bar, type Load balancer and select Load balancers from the results.
2. Choose myLoadBalancer from the list.
3. In myLoadBalancer, navigate to Inbound NAT rules under Settings.
4. Click + Add to create a new inbound NAT rule.
5. Fill in the required fields in the Add inbound NAT rule section, leaving the other settings at their defaults, and then select Add.
Create a NAT Gateway
In this section, you will create a NAT gateway to enable outbound internet access for resources within the virtual network.
1. In the Azure portal search bar, type NAT gateway and select NAT gateways from the search results.
2. On the NAT gateways page, click + Create.
3. In the Create network address translation (NAT) gateway form, provide the necessary information:
4. In the Outbound IP section, choose Create a new public IP address next to Public IP addresses.
5. Select the Subnet tab or click Next: Subnet at the bottom of the page.
6. In the Virtual network dropdown on the Subnet tab, select myVNet.
7. Finally, click the Review + Create button at the bottom of the page, and click Create to finalize the setup.
Install Web Server
In this section, you will SSH into the virtual machines using the inbound NAT rules and install a web server.
1. In the Azure portal search bar, type Load balancer and select Load balancers from the results.
2. Click on myLoadBalancer.
3. In the Settings section, select Frontend IP configuration.
4. Note the IP address for the front end (for example, it may be 20.99.165.176).
5. Establish an SSH connection to myVM1 using the noted IP address and port 221 for the myVM1 inbound NAT rule. Replace <admin-username> with the administrator username you set when creating the VM, and replace the path to the .pem file with the actual path where the key file was downloaded.
ssh -i .\Downloads\myKey.pem <admin-username>@20.99.165.176 -p 221
sudo apt-get -y update
sudo apt-get -y install nginx
6. Now, open an SSH connection to myVM2 using the same IP address and port 222 for the myVM2 inbound NAT rule. Again, replace <admin-username> and the path to the .pem file as needed.
ssh -i .\Downloads\myKey.pem <admin-username>@20.99.165.176 -p 222
sudo apt-get -y update
sudo apt-get -y install nginx
Test the Web Server
In this section, you will test the web server by accessing the load balancer's IP address.
1. Open your web browser.
2. In the address bar, input the load balancer's IP address (for example, 20.99.165.176).
3. The default NGINX website should be displayed.
Clean Up Resources
If you no longer need this application, you can delete the virtual machines and load balancer by following these steps:
1. In the Azure portal search bar, type Resource group and select Resource groups from the results.
2. Choose TutorialLBPF-rg from the list of resource groups.
3. Click on Delete resource group.
4. In the prompt that appears, type TutorialLBPF-rg in the field labeled TYPE THE RESOURCE GROUP NAME, then click Delete to confirm.
Migrate from Inbound NAT rules Version 1 to Version 2
An inbound NAT rule is utilized to direct traffic from the front end of a load balancer to one or more instances within the backend pool.
These rules establish a 1:1 mapping between the load balancer's frontend IP address and its corresponding backend instances. Currently, there are two versions of inbound NAT rules: Version 1 and Version 2.
How to Migrate from Version 1 to Version 2
Before starting the migration process, it is essential to review the following information:
1. Migrating to Version 2 of Inbound NAT rules will result in downtime for any active traffic currently routed through these NAT rules. However, traffic through load balancer rules or outbound rules will remain unaffected during the migration.
2. Assess the maximum number of instances within your backend pool. Since Version 2 targets the load balancer’s backend pool, ensure that an adequate number of ports are allocated for the NAT rule's front end.
3. Each backend instance will be accessible on the port specified in the new NAT rule.
4. Multiple NAT rules cannot coexist if they share overlapping port ranges or utilize the same backend port.
5. NAT rules and load balancing rules cannot share the same backend port.
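Points 2, 4 and 5 above can be checked before any Version 1 rule is deleted, which is when the downtime mentioned in point 1 begins. The function below is an added example, not part of the article or of the AzureLoadBalancerNATPoolMigration module; the name Test-InboundNatRuleV2Plan and its parameters are this example's own. It takes a load balancer object (as returned by Get-AzLoadBalancer, or the constructed stand-in included so it runs offline) together with the planned Version 2 rule, and returns every finding that would stop the new rule from coexisting with the current configuration.

```powershell
# Added example (not from the article): pre-flight checks for a planned Version 2 inbound NAT rule.
# Test-InboundNatRuleV2Plan and its parameter names are chosen for this example.
function Test-InboundNatRuleV2Plan {
    param(
        [Parameter(Mandatory)] $LoadBalancer,                    # Get-AzLoadBalancer output, or a stand-in object
        [Parameter(Mandatory)] [int] $FrontendPortRangeStart,
        [Parameter(Mandatory)] [int] $FrontendPortRangeEnd,
        [Parameter(Mandatory)] [int] $BackendPort,
        [Parameter(Mandatory)] [int] $MaxBackendInstances        # e.g. the scale set's Sku.Capacity
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Point 2: a Version 2 rule targets the whole backend pool, so the frontend range needs one port per instance.
    $portCount = $FrontendPortRangeEnd - $FrontendPortRangeStart + 1
    if ($portCount -lt $MaxBackendInstances) {
        $findings.Add("Frontend range $FrontendPortRangeStart-$FrontendPortRangeEnd has $portCount ports, but the backend pool can reach $MaxBackendInstances instances.")
    }

    foreach ($rule in $LoadBalancer.InboundNatRules) {
        # Existing rules may be Version 1 (a single FrontendPort) or Version 2 (a port range); treat both as ranges.
        if ($rule.FrontendPortRangeStart -gt 0) {
            $start = $rule.FrontendPortRangeStart
            $end   = $rule.FrontendPortRangeEnd
        } else {
            $start = $rule.FrontendPort
            $end   = $rule.FrontendPort
        }
        # Point 4: NAT rules with overlapping frontend port ranges cannot coexist.
        if ($start -le $FrontendPortRangeEnd -and $end -ge $FrontendPortRangeStart) {
            $findings.Add("Frontend ports overlap existing NAT rule '$($rule.Name)' ($start-$end).")
        }
        # Point 4: nor can two NAT rules use the same backend port.
        if ($rule.BackendPort -eq $BackendPort) {
            $findings.Add("Backend port $BackendPort is already used by NAT rule '$($rule.Name)'.")
        }
    }

    # Point 5: a NAT rule and a load-balancing rule cannot share a backend port.
    foreach ($lbRule in $LoadBalancer.LoadBalancingRules) {
        if ($lbRule.BackendPort -eq $BackendPort) {
            $findings.Add("Backend port $BackendPort is already used by load-balancing rule '$($lbRule.Name)'.")
        }
    }
    return $findings.ToArray()
}

# Constructed stand-in for Get-AzLoadBalancer output (not a real resource) so the check runs offline:
# one remaining Version 1 SSH rule on frontend port 221 and an HTTP load-balancing rule on backend port 80.
$sampleLb = [pscustomobject]@{
    InboundNatRules    = @([pscustomobject]@{ Name = 'NATruleV1'; FrontendPort = 221; FrontendPortRangeStart = $null; FrontendPortRangeEnd = $null; BackendPort = 22 })
    LoadBalancingRules = @([pscustomobject]@{ Name = 'HTTPRule'; BackendPort = 80 })
}
Test-InboundNatRuleV2Plan -LoadBalancer $sampleLb -FrontendPortRangeStart 201 -FrontendPortRangeEnd 500 -BackendPort 22 -MaxBackendInstances 350

# Against a real load balancer and scale set (after Connect-AzAccount):
# $slb  = Get-AzLoadBalancer -Name "MyLoadBalancer" -ResourceGroupName "MyResourceGroup"
# $vmss = Get-AzVmss -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyVMScaleSet"
# Test-InboundNatRuleV2Plan -LoadBalancer $slb -FrontendPortRangeStart 201 -FrontendPortRangeEnd 500 -BackendPort 22 -MaxBackendInstances $vmss.Sku.Capacity
```

Run it against the live load balancer before step 1 of the manual migration: a finding that names the Version 1 rule you are about to delete is expected, while any other finding points at a rule or port that must change first. Sku.Capacity is the scale set's current instance count; if autoscale is configured, pass the autoscale maximum instead so the port range is sized for the largest pool the rule can ever face.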
Manual Migration
To migrate to Version 2 of Inbound NAT rules, follow these three steps:
1. Delete the Version 1 Inbound NAT rules from the load balancer’s configuration.
2. Remove any references to the NAT rule from the configuration of the virtual machine or virtual machine scale set.
3. Update all instances within the virtual machine scale set.
Virtual Machine Migration Steps
The steps below detail the process for transitioning from Version 1 to Version 2 of Inbound NAT rules for a virtual machine.
Azure CLI
az network lb inbound-nat-rule delete -g MyResourceGroup --lb-name MyLoadBalancer --name NATruleV1
az network nic ip-config inbound-nat-rule remove -g MyResourceGroup --nic-name MyNic -n MyIpConfig --inbound-nat-rule NATruleV1
az network lb inbound-nat-rule create -g MyResourceGroup --lb-name MyLoadBalancer -n MyNatRule --protocol Tcp --frontend-port-range-start 201 --frontend-port-range-end 500 --backend-port 22 --backend-address-pool MybackendPool
PowerShell
# Step 1: delete the Version 1 inbound NAT rule from the load balancer
$slb = Get-AzLoadBalancer -Name "MyLoadBalancer" -ResourceGroupName "MyResourceGroup"
Remove-AzLoadBalancerInboundNatRuleConfig -Name "myinboundnatrule" -LoadBalancer $slb
Set-AzLoadBalancer -LoadBalancer $slb
# Step 2: remove the NIC IP configuration's reference to the old rule (the property is the plural LoadBalancerInboundNatRules)
$nic = Get-AzNetworkInterface -Name "myNIC" -ResourceGroupName "MyResourceGroup"
$nic.IpConfigurations[0].LoadBalancerInboundNatRules = $null
Set-AzNetworkInterface -NetworkInterface $nic
# Step 3: add the Version 2 rule, which targets the backend pool with a frontend port range
$slb | Add-AzLoadBalancerInboundNatRuleConfig -Name "NewNatRuleV2" -FrontendIPConfiguration $slb.FrontendIpConfigurations[0] -Protocol "Tcp" -FrontendPortRangeStart 201 -FrontendPortRangeEnd 500 -BackendAddressPool $slb.BackendAddressPools[0] -BackendPort 22
$slb | Set-AzLoadBalancer
Virtual Machine Scale Set Migration Steps
The steps outlined below will guide you in migrating from Version 1 to Version 2 of Inbound NAT rules for a virtual machine scale set, assuming that the upgrade mode for the scale set is set to Manual.
Azure CLI
az network lb inbound-nat-pool delete -g MyResourceGroup --lb-name MyLoadBalancer -n MyNatPool
az vmss update -g MyResourceGroup -n MyVMScaleSet --remove virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].loadBalancerInboundNatPools
az vmss update-instances --instance-ids '*' --resource-group MyResourceGroup --name MyVMScaleSet
az network lb inbound-nat-rule create -g MyResourceGroup --lb-name MyLoadBalancer -n MyNatRule --protocol Tcp --frontend-port-range-start 201 --frontend-port-range-end 500 --backend-port 22 --backend-address-pool MybackendPool
PowerShell
# Remove the Inbound NAT pool from the load balancer
$slb = Get-AzLoadBalancer -Name "MyLoadBalancer" -ResourceGroupName "MyResourceGroup"
Remove-AzLoadBalancerInboundNatPoolConfig -Name myinboundnatpool -LoadBalancer $slb
Set-AzLoadBalancer -LoadBalancer $slb
# Remove the Inbound NAT pool association from the scale set model and save the updated model
$vmss = Get-AzVmss -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyVMScaleSet"
$vmss.VirtualMachineProfile.NetworkProfile.NetworkInterfaceConfigurations[0].IpConfigurations[0].LoadBalancerInboundNatPools = $null
Update-AzVmss -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyVMScaleSet" -VirtualMachineScaleSet $vmss
# Upgrade all instances in the VMSS so they pick up the new model (required when the upgrade mode is Manual)
Update-AzVmssInstance -ResourceGroupName "MyResourceGroup" -VMScaleSetName "MyVMScaleSet" -InstanceId "*"
# Add the Version 2 rule, which targets the backend pool with a frontend port range
$slb | Add-AzLoadBalancerInboundNatRuleConfig -Name "NewNatRuleV2" -FrontendIPConfiguration $slb.FrontendIpConfigurations[0] -Protocol "Tcp" -FrontendPortRangeStart 201 -FrontendPortRangeEnd 500 -BackendAddressPool $slb.BackendAddressPools[0] -BackendPort 22
$slb | Set-AzLoadBalancer
Automated Migration for Virtual Machine Scale Set
The migration process will utilize existing backend pools that match the NAT Pools to be migrated. If no suitable backend pool is found, the script will terminate without making any changes.
Alternatively, you can use the -backendPoolReuseStrategy parameter to control backend pool creation: choose NoReuse to always create new backend pools or OptionalFirstMatch to create a new backend pool only if a matching one doesn’t exist.
You can update backend pools and NAT rule associations after the migration to suit your preferences.
Prerequisites
Before initiating the migration process, ensure the following prerequisites are fulfilled:
1. The load balancer's SKU must be set to Standard to migrate NAT Pools to NAT Rules. For instructions on automating this upgrade, refer to the steps in Upgrade a Basic Load Balancer to Standard with PowerShell.
2. The Virtual Machine Scale Sets associated with the target load balancer must use either a 'Manual' or 'Automatic' upgrade policy; the 'Rolling' upgrade policy is not supported. For more details, see Virtual Machine Scale Sets Upgrade Policies.
3. Ensure that the latest version of PowerShell is installed.
4. Install the Azure PowerShell modules.
Install the AzureLoadBalancerNATPoolMigration module.
You can do this by executing the following command to install the AzureLoadBalancerNATPoolMigration module from the PowerShell Gallery:
PowerShell
# Install the AzureLoadBalancerNATPoolMigration module
Install-Module -Name AzureLoadBalancerNATPoolMigration -Scope CurrentUser -Repository PSGallery -Force
Upgrading NAT Pools to NAT Rules
Once the AzureLoadBalancerNATPoolMigration module is installed, follow these steps to upgrade your NAT Pools to NAT Rules:
1. Connect to Azure using the command: Connect-AzAccount.
2. Gather the names of the target load balancer for the NAT Rules upgrade, along with the corresponding Resource Group name.
3. Execute the migration command, replacing the placeholders <loadBalancerResourceGroupName> and <loadBalancerName> with your actual resource names:
PowerShell
# Run the migration command
Start-AzNATPoolMigration -ResourceGroupName <loadBalancerResourceGroupName> -LoadBalancerName <loadBalancerName>