Tutorial: Create a single virtual machine inbound NAT rule using the Azure portal

  • Article

Inbound NAT rules allow you to connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number.

For more information about Azure Load Balancer rules, see Manage rules for Azure Load Balancer using the Azure portal.

In this tutorial, you learn how to:

  • Create a virtual network and virtual machines
  • Create a standard SKU public load balancer with frontend IP, health probe, backend configuration, load-balancing rule, and inbound NAT rules
  • Create a NAT gateway for outbound internet access for the backend pool
  • Install and configure a web server on the VMs to demonstrate the port forwarding and load-balancing rules

Prerequisites

  • An Azure account with an active subscription.

Sign in to Azure

Sign in to the Azure portal.

Create a load balancer

You create a load balancer in this section. The frontend IP, backend pool, load-balancing, and inbound NAT rules are configured as part of the creation.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. In the Load balancer page, select Create.

  3. In the Basics tab of the Create load balancer page, enter, or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select load-balancer-rg.
    Instance details
    Name Enter load-balancer
    Region Select China North 2.
    SKU Leave the default Standard.
    Type Select Public.
    Tier Leave the default Regional.

  4. Select Next: Frontend IP configuration at the bottom of the page.

  5. In Frontend IP configuration, select + Add a frontend IP configuration.

  6. Enter lb-frontend in Name.

  7. Select IPv4 or IPv6 for the IP version.

  8. Select IP address for the IP type.

    Note

    For more information on IP prefixes, see Azure Public IP prefix.

  9. Select Create new in Public IP address.

  10. In Add a public IP address, enter lb-frontend-ip for Name.

  11. Select Zone-redundant in Availability zone.

    Note

    In regions with Availability Zones, you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear.
    For more information on availability zones, see Availability zones overview.

  12. Select OK.

  13. Select Add.

  14. Select Next: Backend pools at the bottom of the page.

  15. In the Backend pools tab, select + Add a backend pool.

  16. Enter or select the following information in Add backend pool.

    Setting Value
    Name Enter lb-backend-pool.
    Virtual network Select lb-vnet (load-balancer-rg).
    Backend Pool Configuration Select NIC.

  17. Select + Add in Virtual machines.

  18. Select the checkboxes next to lb-vm1 and lb-vm2 in Add virtual machines to backend pool.

  19. Select Add and then select Save.

  20. Select the Next: Inbound rules button at the bottom of the page.

  21. In Load balancing rule in the Inbound rules tab, select + Add a load balancing rule.

  22. In Add load balancing rule, enter or select the following information.

    Setting Value
    Name Enter lb-HTTP-rule
    IP Version Select IPv4 or IPv6 depending on your requirements.
    Frontend IP address Select lb-frontend (To be created).
    Backend pool Select lb-backend-pool.
    Protocol Select TCP.
    Port Enter 80.
    Backend port Enter 80.
    Health probe Select Create new.
    In Name, enter lb-health-probe.
    Select TCP in Protocol.
    Leave the rest of the defaults, and select Save.
    Session persistence Select None.
    Idle timeout (minutes) Enter or select 15.
    Enable TCP reset Select checkbox to enable.
    Enable Floating IP Leave the default of unchecked.
    Outbound source network address translation (SNAT) Leave the default of (Recommended) Use outbound rules to provide backend pool members access to the internet.

    For more information about load-balancing rules, see Load-balancing rules.

  23. Select Save.

  24. In Inbound NAT rule in the Inbound rules tab, select + Add an inbound nat rule.

  25. In Add inbound NAT rule, enter or select the following information.

    Setting Value
    Name Enter lb-NAT-rule-VM1-221.
    Target virtual machine Select lb-vm1.
    Network IP configuration Select ipconfig1 (10.0.0.4).
    Frontend IP address Select lb-frontend (To be created).
    Frontend Port Enter 221.
    Service Tag Select Custom.
    Backend port Enter 22.
    Protocol Leave the default of TCP.
    Enable TCP Reset Leave the default of unchecked.
    Idle timeout (minutes) Leave the default 4.
    Enable Floating IP Leave the default of unchecked.

  26. Select Add.

  27. Select + Add an inbound nat rule.

  28. In Add inbound NAT rule, enter or select the following information.

    Setting Value
    Name Enter lb-NAT-rule-VM2-222.
    Target virtual machine Select lb-vm2.
    Network IP configuration Select ipconfig1 (10.0.0.5).
    Frontend IP address Select lb-frontend.
    Frontend Port Enter 222.
    Service Tag Select Custom.
    Backend port Enter 22.
    Protocol Leave the default of TCP.
    Enable TCP Reset Leave the default of unchecked.
    Idle timeout (minutes) Leave the default 4.
    Enable Floating IP Leave the default of unchecked.

  29. Select Add.

  30. Select the blue Review + create button at the bottom of the page.

  31. Select Create.

Create a NAT gateway

In this section, you create a NAT gateway for outbound internet access for resources in the virtual network.

For more information about outbound connections and Azure Virtual Network NAT, see Using Source Network Address Translation (SNAT) for outbound connections and What is Virtual Network NAT?.

  1. In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.

  2. In NAT gateways, select + Create.

  3. In Create network address translation (NAT) gateway, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select load-balancer-rg.
    Instance details
    NAT gateway name Enter lb-nat-gateway.
    Region Select China North 2.
    Availability zone Select None.
    Idle timeout (minutes) Enter 15.

  4. Select the Outbound IP tab or select the Next: Outbound IP button at the bottom of the page.

  5. In Outbound IP, select Create a new public IP address next to Public IP addresses.

  6. Enter nat-gw-public-ip in Name in Add a public IP address.

  7. Select OK.

  8. Select the Subnet tab or select the Next: Subnet button at the bottom of the page.

  9. In Virtual network in the Subnet tab, select lb-vnet.

  10. Select backend-subnet under Subnet name.

  11. Select the blue Review + create button at the bottom of the page, or select the Review + create tab.

  12. Select Create.

Install web server

In this section, you'll SSH to the virtual machines through the inbound NAT rules and install a web server.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. Select load-balancer.

  3. Select Fronted IP configuration in Settings.

  4. In the Frontend IP configuration, make note of the IP address for lb-frontend. In this example, it's 20.99.165.176.

  5. If you're using a Mac or Linux computer, open a Bash prompt. If you're using a Windows computer, open a PowerShell prompt.

  6. At your prompt, open an SSH connection to lb-vm1. Replace the IP address with the address you retrieved in the previous step and port 221 you used for the lb-vm1 inbound NAT rule. Replace the path to the .pem with the path to where the key file was downloaded.

    ssh -i .\Downloads\lb-key-pair.pem azureuser@20.99.165.176 -p 221

    Tip

    The SSH key you created can be used the next time your create a VM in Azure. Just select the Use a key stored in Azure for SSH public key source the next time you create a VM. You already have the private key on your computer, so you won't need to download anything.

  7. From your SSH session, update your package sources and then install the latest NGINX package.

    sudo apt-get -y update
sudo apt-get -y install nginx

  8. Enter Exit to leave the SSH session

  9. At your prompt, open an SSH connection to lb-vm2. Replace the IP address with the address you retrieved in the previous step and port 222 you used for the lb-vm2 inbound NAT rule. Replace the path to the .pem with the path to where the key file was downloaded.

    ssh -i .\Downloads\lb-key-pair.pem azureuser@20.99.165.176 -p 222

  10. From your SSH session, update your package sources and then install the latest NGINX package.

    sudo apt-get -y update
sudo apt-get -y install nginx

  11. Enter Exit to leave the SSH session.

Test the web server

In this section you test the web server by using the public IP address for the load balancer.

  1. Open your web browser.

  2. In the address bar, enter the IP address for the load balancer. In this example, it's 20.99.165.176.

  3. The default NGINX website is displayed.

    Screenshot of testing the NGINX web server.

Clean up resources

If you're not going to continue to use this application, delete the virtual machines and load balancer with the following steps:

  1. In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results.

  2. Select load-balancer-rg in Resource groups.

  3. Select Delete resource group.

  4. Enter load-balancer-rg in TYPE THE RESOURCE GROUP NAME:. Select Delete.

Next steps

Advance to the next article to learn how to create a cross-region load balancer:

Create a multiple virtual machines inbound NAT rule using the Azure portal