Edit

Share via

Tutorial: Create a single virtual machine inbound NAT rule using the Azure portal

  • Article
  • 10/24/2023

Inbound NAT rules allow you to connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number.

For more information about Azure Load Balancer rules, see Manage rules for Azure Load Balancer using the Azure portal.

In this tutorial, you learn how to:

  • Create a virtual network and virtual machines
  • Create a standard SKU public load balancer with frontend IP, health probe, backend configuration, load-balancing rule, and inbound NAT rules
  • Create a NAT gateway for outbound internet access for the backend pool
  • Install and configure a web server on the VMs to demonstrate the port forwarding and load-balancing rules

Diagram of load balancer resources for deploying an inbound NAT rule for a virtual machine.

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

Create virtual network and virtual machines

A virtual network and subnet is required for the resources in the tutorial. In this section, you create a virtual network and virtual machines for the later steps.

  1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

  2. In Virtual machines, select + Create > + Virtual machine.

  3. In Create a virtual machine, enter or select the following values in the Basics tab:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select Create new.
    Enter load-balancer-rg.
    Select OK.
    Instance details
    Virtual machine name Enter lb-vm1.
    Region Select ((US) East US).
    Availability options Select Availability zone.
    Availability zone Select Zone 1.
    Security type Select Standard.
    Image Select Ubuntu Server 20.04 LTS - Gen2.
    Azure Spot instance Leave the default of unchecked.
    Size Select a VM size.
    Administrator account
    Authentication type Select SSH public key.
    Username Enter azureuser.
    SSH public key source Select Generate new key pair.
    Key pair name Enter lb-key-pair.
    Inbound port rules
    Public inbound ports Select None.

  4. Select the Networking tab, or select Next: Disks, then Next: Networking.

  5. In the Networking tab, enter or select the following information.

    Setting Value
    Network interface
    Virtual network Select Create new.
    Enter lb-vnet in Name.
    In Address space, under Address range, enter 10.0.0.0/16.
    In Subnets, under Subnet name, enter backend-subnet.
    In Address range, enter 10.0.1.0/24.
    Select OK.
    Subnet Select backend-subnet.
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select Create new.
    Enter lb-NSG in Name.
    Select + Add an inbound rule under Inbound rules.
    In Service, select HTTP.
    Enter 100 in Priority.
    Enter lb-NSG-Rule for Name.
    Select Add.
    Select OK.

  6. Select the Review + create tab, or select the Review + create button at the bottom of the page.

  7. Select Create.

  8. At the Generate new key pair prompt, select Download private key and create resource. Your key file is downloaded as lb-key-pair.pem. Ensure you know where the .pem file was downloaded, you'll need the path to the key file in later steps.

  9. Follow the steps 1 through 7 to create another VM with the following values and all the other settings the same as lb-vm1:

    Setting Value
    Basics
    Instance details
    Virtual machine name Enter lb-vm2
    Availability zone Select Zone 2
    Administrator account
    Authentication type Select SSH public key
    SSH public key source Select Use existing key stored in Azure.
    Stored Keys Select lb-key-pair.
    Inbound port rules
    Public inbound ports Select None.
    Networking
    Network interface
    Public IP Select None.
    NIC network security group Select Advanced.
    Configure network security group Select the existing lb-NSG

Create a load balancer

You create a load balancer in this section. The frontend IP, backend pool, load-balancing, and inbound NAT rules are configured as part of the creation.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. In the Load balancer page, select Create.

  3. In the Basics tab of the Create load balancer page, enter, or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select load-balancer-rg.
    Instance details
    Name Enter load-balancer
    Region Select East US.
    SKU Leave the default Standard.
    Type Select Public.
    Tier Leave the default Regional.

  4. Select Next: Frontend IP configuration at the bottom of the page.

  5. In Frontend IP configuration, select + Add a frontend IP configuration.

  6. Enter lb-frontend in Name.

  7. Select IPv4 or IPv6 for the IP version.

    Note

    IPv6 isn't currently supported with Routing Preference or Cross-region load-balancing (Global Tier).

  8. Select IP address for the IP type.

    Note

    For more information on IP prefixes, see Azure Public IP address prefix.

  9. Select Create new in Public IP address.

  10. In Add a public IP address, enter lb-frontend-ip for Name.

  11. Select Zone-redundant in Availability zone.

    Note

    In regions with Availability Zones, you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear.
    For more information on availability zones, see Availability zones overview.

  12. Leave the default of Microsoft Network for Routing preference.

  13. Select OK.

  14. Select Add.

  15. Select Next: Backend pools at the bottom of the page.

  16. In the Backend pools tab, select + Add a backend pool.

  17. Enter or select the following information in Add backend pool.

    Setting Value
    Name Enter lb-backend-pool.
    Virtual network Select lb-vnet (load-balancer-rg).
    Backend Pool Configuration Select NIC.

  18. Select + Add in Virtual machines.

  19. Select the checkboxes next to lb-vm1 and lb-vm2 in Add virtual machines to backend pool.

  20. Select Add and then select Save.

  21. Select the Next: Inbound rules button at the bottom of the page.

  22. In Load balancing rule in the Inbound rules tab, select + Add a load balancing rule.

  23. In Add load balancing rule, enter or select the following information.

    Setting Value
    Name Enter lb-HTTP-rule
    IP Version Select IPv4 or IPv6 depending on your requirements.
    Frontend IP address Select lb-frontend (To be created).
    Backend pool Select lb-backend-pool.
    Protocol Select TCP.
    Port Enter 80.
    Backend port Enter 80.
    Health probe Select Create new.
    In Name, enter lb-health-probe.
    Select TCP in Protocol.
    Leave the rest of the defaults, and select Save.
    Session persistence Select None.
    Idle timeout (minutes) Enter or select 15.
    Enable TCP reset Select checkbox to enable.
    Enable Floating IP Leave the default of unchecked.
    Outbound source network address translation (SNAT) Leave the default of (Recommended) Use outbound rules to provide backend pool members access to the internet.

    For more information about load-balancing rules, see Load-balancing rules.

  24. Select Save.

  25. In Inbound NAT rule in the Inbound rules tab, select + Add an inbound nat rule.

  26. In Add inbound NAT rule, enter or select the following information.

    Setting Value
    Name Enter lb-NAT-rule-VM1-221.
    Target virtual machine Select lb-vm1.
    Network IP configuration Select ipconfig1 (10.0.0.4).
    Frontend IP address Select lb-frontend (To be created).
    Frontend Port Enter 221.
    Service Tag Select Custom.
    Backend port Enter 22.
    Protocol Leave the default of TCP.
    Enable TCP Reset Leave the default of unchecked.
    Idle timeout (minutes) Leave the default 4.
    Enable Floating IP Leave the default of unchecked.

  27. Select Add.

  28. Select + Add an inbound nat rule.

  29. In Add inbound NAT rule, enter or select the following information.

    Setting Value
    Name Enter lb-NAT-rule-VM2-222.
    Target virtual machine Select lb-vm2.
    Network IP configuration Select ipconfig1 (10.0.0.5).
    Frontend IP address Select lb-frontend.
    Frontend Port Enter 222.
    Service Tag Select Custom.
    Backend port Enter 22.
    Protocol Leave the default of TCP.
    Enable TCP Reset Leave the default of unchecked.
    Idle timeout (minutes) Leave the default 4.
    Enable Floating IP Leave the default of unchecked.

  30. Select Add.

  31. Select the blue Review + create button at the bottom of the page.

  32. Select Create.

Create a NAT gateway

In this section, you create a NAT gateway for outbound internet access for resources in the virtual network.

For more information about outbound connections and Azure Virtual Network NAT, see Using Source Network Address Translation (SNAT) for outbound connections and What is Virtual Network NAT?.

  1. In the search box at the top of the portal, enter NAT gateway. Select NAT gateways in the search results.

  2. In NAT gateways, select + Create.

  3. In Create network address translation (NAT) gateway, enter or select the following information:

    Setting Value
    Project details
    Subscription Select your subscription.
    Resource group Select load-balancer-rg.
    Instance details
    NAT gateway name Enter lb-nat-gateway.
    Region Select East US.
    Availability zone Select None.
    Idle timeout (minutes) Enter 15.

  4. Select the Outbound IP tab or select the Next: Outbound IP button at the bottom of the page.

  5. In Outbound IP, select Create a new public IP address next to Public IP addresses.

  6. Enter nat-gw-public-ip in Name in Add a public IP address.

  7. Select OK.

  8. Select the Subnet tab or select the Next: Subnet button at the bottom of the page.

  9. In Virtual network in the Subnet tab, select lb-vnet.

  10. Select backend-subnet under Subnet name.

  11. Select the blue Review + create button at the bottom of the page, or select the Review + create tab.

  12. Select Create.

Install web server

In this section, you'll SSH to the virtual machines through the inbound NAT rules and install a web server.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. Select load-balancer.

  3. Select Fronted IP configuration in Settings.

  4. In the Frontend IP configuration, make note of the IP address for lb-frontend. In this example, it's 20.99.165.176.

    Screenshot of public IP in Azure portal.

  5. If you're using a Mac or Linux computer, open a Bash prompt. If you're using a Windows computer, open a PowerShell prompt.

  6. At your prompt, open an SSH connection to lb-vm1. Replace the IP address with the address you retrieved in the previous step and port 221 you used for the lb-vm1 inbound NAT rule. Replace the path to the .pem with the path to where the key file was downloaded.

    ssh -i .\Downloads\lb-key-pair.pem azureuser@20.99.165.176 -p 221

    Tip

    The SSH key you created can be used the next time your create a VM in Azure. Just select the Use a key stored in Azure for SSH public key source the next time you create a VM. You already have the private key on your computer, so you won't need to download anything.

  7. From your SSH session, update your package sources and then install the latest NGINX package.

    sudo apt-get -y update
sudo apt-get -y install nginx

  8. Enter Exit to leave the SSH session

  9. At your prompt, open an SSH connection to lb-vm2. Replace the IP address with the address you retrieved in the previous step and port 222 you used for the lb-vm2 inbound NAT rule. Replace the path to the .pem with the path to where the key file was downloaded.

    ssh -i .\Downloads\lb-key-pair.pem azureuser@20.99.165.176 -p 222

  10. From your SSH session, update your package sources and then install the latest NGINX package.

    sudo apt-get -y update
sudo apt-get -y install nginx

  11. Enter Exit to leave the SSH session.

Test the web server

In this section you test the web server by using the public IP address for the load balancer.

  1. Open your web browser.

  2. In the address bar, enter the IP address for the load balancer. In this example, it's 20.99.165.176.

  3. The default NGINX website is displayed.

    Screenshot of testing the NGINX web server.

Clean up resources

If you're not going to continue to use this application, delete the virtual machines and load balancer with the following steps:

  1. In the search box at the top of the portal, enter Resource group. Select Resource groups in the search results.

  2. Select load-balancer-rg in Resource groups.

  3. Select Delete resource group.

  4. Enter load-balancer-rg in TYPE THE RESOURCE GROUP NAME:. Select Delete.

Next steps

Advance to the next article to learn how to create a cross-region load balancer:

Create a multiple virtual machines inbound NAT rule using the Azure portal

Additional resources

Documentation