Integrate NAT gateway with Azure Firewall in a hub and spoke network for outbound connectivity
06/13/2025
In this tutorial, you learn how to integrate a NAT gateway with Azure Firewall in a hub and spoke network for enhanced outbound connectivity and scalability.
Azure Firewall provides 2,496 SNAT ports per public IP address configured per backend Virtual Machine Scale Set instance (minimum of two instances). You can associate up to 250 public IP addresses to Azure Firewall. Depending on your architecture requirements and traffic patterns, you might require more SNAT ports than what Azure Firewall can provide. You might also require the use of fewer public IPs while also requiring more SNAT ports. A better method for outbound connectivity is to use NAT gateway. NAT gateway provides 64,512 SNAT ports per public IP address and can be used with up to 16 public IP addresses.
NAT gateway can be integrated with Azure Firewall by configuring NAT gateway directly to the Azure Firewall subnet. This association provides a more scalable method of outbound connectivity. For production deployments, a hub and spoke network is recommended, where the firewall is in its own virtual network. The workload servers are peered virtual networks in the same region as the hub virtual network where the firewall resides. In this architectural setup, NAT gateway can provide outbound connectivity from the hub virtual network for all spoke virtual networks peered.
Note
Azure NAT Gateway isn't currently supported in secured virtual hub network (vWAN) architectures. You must deploy using a hub virtual network architecture as described in this tutorial. For more information about Azure Firewall architecture options, see What are the Azure Firewall Manager architecture options?.
In this tutorial, you learn how to:
Create a hub virtual network and deploy an Azure Firewall and Azure Bastion during deployment
Create a NAT gateway and associate it with the firewall subnet in the hub virtual network
Create a spoke virtual network
Create a virtual network peering
Create a route table for the spoke virtual network
Create a firewall policy for the hub virtual network
Create a virtual machine to test the outbound connectivity through the NAT gateway
This article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. You also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Authenticate to Azure using Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
This article requires version 2.0.28 or later of the Azure CLI.
Create the hub virtual network
The hub virtual network contains the firewall subnet that is associated with the Azure Firewall and NAT gateway. Use the following example to create the hub virtual network.
In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.
Select + Create.
In the Basics tab of Create virtual network, enter, or select the following information:
Setting
Value
Project details
Subscription
Select your subscription.
Resource group
Select Create new. Enter test-rg. Select OK.
Instance details
Name
Enter vnet-hub.
Region
Select China North 3.
Select Next to proceed to the Security tab.
Select Enable Azure Bastion in the Azure Bastion section of the Security tab.
Azure Bastion uses your browser to connect to VMs in your virtual network over secure shell (SSH) or remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see Azure Bastion
Note
Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.
Enter or select the following information in Azure Bastion:
Setting
Value
Azure Bastion host name
Enter bastion.
Azure Bastion public IP address
Select Create a public IP address. Enter public-ip-bastion in Name. Select OK.
Select Enable Azure Firewall in the Azure Firewall section of the Security tab.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. For more information about Azure Firewall, see Azure Firewall.
Enter or select the following information in Azure Firewall:
Setting
Value
Azure Firewall name
Enter firewall.
Tier
Select Standard.
Policy
Select Create new. Enter firewall-policy in Name. Select OK.
Azure Firewall public IP address
Select Create a public IP address. Enter public-ip-firewall in Name. Select OK.
Select Next to proceed to the IP addresses tab.
Select Review + create.
Select Create.
It takes a few minutes for the bastion host and firewall to deploy. When the virtual network is created as part of the deployment, you can proceed to the next steps.
All outbound internet traffic traverses the NAT gateway to the internet. Use the following example to create a NAT gateway for the hub and spoke network and associate it with the AzureFirewallSubnet.
The spoke virtual network contains the test virtual machine used to test the routing of the internet traffic to the NAT gateway. Use the following example to create the spoke network.
A virtual network peering is used to connect the hub to the spoke and the spoke to the hub. Use the following example to create a two-way network peering between the hub and spoke.
A route table forces all traffic leaving the spoke virtual network to the hub virtual network. The route table is configured with the private IP address of the Azure Firewall as the virtual appliance.
Obtain private IP address of firewall
The private IP address of the firewall is needed for the route table created later in this article. Use the following example to obtain the firewall private IP address.
In the search box at the top of the portal, enter Firewall. Select Firewalls in the search results.
Select firewall.
In the Overview of firewall, note the IP address in the field Firewall private IP. The IP address in this example is 10.0.1.68.
Use Get-AzFirewall to obtain the private IP address of the firewall.
# Get the private IP address of the firewall
$firewallParams = @{
ResourceGroupName = 'test-rg'
Name = 'firewall'
}
$firewall = Get-AzFirewall @firewallParams
$firewall.IpConfigurations[0].PrivateIpAddress
# Get the private IP address of the firewall
az network firewall show \
--resource-group test-rg \
--name firewall \
--query "ipConfigurations[0].privateIpAddress" \
--output tsv
Create route table
Create a route table to force all inter-spoke and internet egress traffic through the firewall in the hub virtual network.
Traffic from the spoke through the hub must be allowed through and firewall policy and a network rule. Use the following example to create the firewall policy and network rule.
An Ubuntu virtual machine is used to test the outbound internet traffic through the NAT gateway. Use the following example to create an Ubuntu virtual machine.
In the portal, search for and select Virtual machines.
In Virtual machines, select + Create, then Azure virtual machine.
On the Basics tab of Create a virtual machine, enter, or select the following information:
Setting
Value
Project details
Subscription
Select your subscription.
Resource group
Select test-rg.
Instance details
Virtual machine name
Enter vm-spoke.
Region
Select China North 3.
Availability options
Select No infrastructure redundancy required.
Security type
Leave the default of Standard.
Image
Select Ubuntu Server 24.04 LTS - Gen2.
Size
Select a size.
Administrator account
Authentication type
Select Password.
Username
Enter azureuser.
Password
Enter a password.
Confirm password
Reenter the password.
Inbound port rules
Public inbound ports
Select None.
Select the Networking tab at the top of the page or select Next:Disks, then Next:Networking.
Enter or select the following information in the Networking tab:
Setting
Value
Network interface
Virtual network
Select vnet-spoke.
Subnet
Select subnet-private (10.1.0.0/24).
Public IP
Select None.
NIC network security group
Select Advanced.
Configure network security group
Select Create new. Enter nsg-1 for the name. Leave the rest at the defaults and select OK.
Leave the rest of the settings at the defaults and select Review + create.
Review the settings and select Create.
Wait for the virtual machine to finishing deploying before proceeding to the next steps.
Note
Virtual machines in a virtual network with a bastion host don't need public IP addresses. Bastion provides the public IP, and the VMs use private IPs to communicate within the network. You can remove the public IPs from any VMs in bastion hosted virtual networks. For more information, see Dissociate a public IP address from an Azure VM.
# Get the network interface object
$nicParams = @{
ResourceGroupName = "test-rg"
Name = "nic-1"
}
$nic = Get-AzNetworkInterface @nicParams
$vmConfigParams = @{
VM = $vmConfig
Id = $nic.Id
}
$vmConfig = Add-AzVMNetworkInterface @vmConfigParams
Use New-AzVM to create the VM. The command generates SSH keys for the virtual machine for sign-in. Make note of the location of the private key. The private key is needed in later steps for connecting to the virtual machine with Azure Bastion.
# Get the public IP address of the NAT gateway
$publicIpNatParams = @{
ResourceGroupName = 'test-rg'
Name = 'public-ip-nat'
}
$publicIpNat = Get-AzPublicIpAddress @publicIpNatParams
$publicIpNat.IpAddress