Tutorial: Create a NAT gateway using the Azure CLI
This tutorial shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.
In this tutorial, you learn how to:
- Create a virtual network.
- Create a virtual machine.
- Create a NAT gateway and associate with the virtual network.
- Connect to the virtual machine and verify the NAT IP address.
Use the Bash environment in Azure Cloud Shell.
If you prefer, install the Azure CLI to run CLI reference commands.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For additional sign-in options, see Sign in with the Azure CLI.
When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with the Azure CLI.
- This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Create a resource group
Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.
The following example creates a resource group named myResourceGroupNAT in the eastus2 location:
az group create \
  --name myResourceGroupNAT \
  --location eastus2
Create the NAT gateway
In this section we create the NAT gateway and supporting resources.
Create public IP address
To access the Internet, you need one or more public IP addresses for the NAT gateway. Use az network public-ip create to create a public IP address resource named myPublicIP in myResourceGroupNAT.
az network public-ip create \
  --resource-group myResourceGroupNAT \
  --name myPublicIP \
  --sku standard \
  --allocation static
Create NAT gateway resource
Create a global Azure NAT gateway with az network nat gateway create. This command creates a gateway resource named myNATgateway that uses the public IP address myPublicIP. The idle timeout is set to 10 minutes.
az network nat gateway create \
  --resource-group myResourceGroupNAT \
  --name myNATgateway \
  --public-ip-addresses myPublicIP \
  --idle-timeout 10
Create virtual network
Create a virtual network named myVNet with a subnet named mySubnet using az network vnet create in the myResourceGroupNAT resource group. The IP address space for the virtual network is 10.1.0.0/16. The subnet within the virtual network is 10.1.0.0/24.
az network vnet create \
  --resource-group myResourceGroupNAT \
  --location eastus2 \
  --name myVNet \
  --address-prefix 10.1.0.0/16 \
  --subnet-name mySubnet \
  --subnet-prefix 10.1.0.0/24
Create bastion host
Create an Azure Bastion host named myBastionHost to access the virtual machine.
Use az network vnet subnet create to create an Azure Bastion subnet. The subnet must be named AzureBastionSubnet.
az network vnet subnet create \
  --resource-group myResourceGroupNAT \
  --name AzureBastionSubnet \
  --vnet-name myVNet \
  --address-prefixes 10.1.1.0/24
Create a public IP address for the bastion host with az network public-ip create.
az network public-ip create \
  --resource-group myResourceGroupNAT \
  --name myBastionIP \
  --sku Standard
Use az network bastion create to create the bastion host.
az network bastion create \
  --resource-group myResourceGroupNAT \
  --name myBastionHost \
  --public-ip-address myBastionIP \
  --vnet-name myVNet \
  --location eastus2
Configure NAT service for source subnet
Configure the source subnet mySubnet in virtual network myVNet to use the NAT gateway resource myNATgateway with az network vnet subnet update. This command activates the NAT service on the specified subnet.
az network vnet subnet update \
  --resource-group myResourceGroupNAT \
  --vnet-name myVNet \
  --name mySubnet \
  --nat-gateway myNATgateway
All outbound traffic from the subnet to Internet destinations now uses the NAT gateway. No user-defined route (UDR) is needed.
In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of its outbound connection.
Create the virtual machine with az vm create.
az vm create \
  --name myVM \
  --resource-group myResourceGroupNAT \
  --admin-username azureuser \
  --image win2019datacenter \
  --public-ip-address "" \
  --subnet mySubnet \
  --vnet-name myVNet
Wait for the virtual machine creation to complete before moving on to the next section.
Test NAT gateway
In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.
Sign in to the Azure portal
Select All services in the left-hand menu, select All resources, and then select myPublicIP. The public IP address of the NAT gateway is shown on the Overview screen.
Make a note of the public IP address.
Select All services in the left-hand menu, select All resources, and then from the resources list, select myVM that is located in the myResourceGroupNAT resource group.
On the Overview page, select Connect, then Bastion.
Select the blue Use Bastion button.
Enter the username and password entered during VM creation.
Open Internet Explorer on myVM.
Enter https://whatsmyip.com in the address bar.
Verify that the IP address displayed matches the NAT gateway address you noted in the previous step.
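The same creation, association and verification steps, gathered into one script that checks the result from the CLI instead of the portal and browser. This is an added example, not the tutorial's own script. It assumes the az CLI is installed and signed in, reuses the tutorial's resource names, leaves out the Bastion host (az vm run-command reaches the VM without it, and the VM itself is still created with the tutorial's az vm create command), and uses api.ipify.org as the IP echo service in place of the browser visit to whatsmyip.com; the function names and the assumed layout of the run-command message are mine, not Azure's.

```shell
#!/usr/bin/env sh
# Added example, not the tutorial's own script: the NAT gateway steps as
# shell functions, plus a CLI-only verification of the outbound address.
# Assumes the az CLI is installed and signed in, and reuses the tutorial's
# resource names. The Bastion host is left out: az vm run-command reaches
# the VM without it.
set -eu

RG="myResourceGroupNAT"
LOCATION="eastus2"
VNET="myVNet"
SUBNET="mySubnet"
NATGW="myNATgateway"
NAT_PIP="myPublicIP"
VM="myVM"
# IP echo service queried from inside the VM (assumption; any service that
# returns the caller's public IP as plain text works).
IP_ECHO_URL="https://api.ipify.org"

# Tutorial steps: resource group, static Standard public IP, NAT gateway,
# virtual network with the source subnet, then the subnet association.
create_nat_gateway() {
  az group create --name "$RG" --location "$LOCATION" --output none
  az network public-ip create --resource-group "$RG" --name "$NAT_PIP" \
      --sku standard --allocation static --output none
  az network nat gateway create --resource-group "$RG" --name "$NATGW" \
      --public-ip-addresses "$NAT_PIP" --idle-timeout 10 --output none
  az network vnet create --resource-group "$RG" --location "$LOCATION" \
      --name "$VNET" --address-prefix 10.1.0.0/16 \
      --subnet-name "$SUBNET" --subnet-prefix 10.1.0.0/24 --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$SUBNET" --nat-gateway "$NATGW" --output none
}

# Pull the first IPv4 address out of a run-command message. The message is
# assumed to wrap the script's output in "[stdout]" ... "[stderr]" markers,
# so prefer the text between those markers and fall back to the whole
# message when the markers are absent. Prints nothing if no address is found.
extract_ipv4() {
  ipv4_body=$(printf '%s\n' "$1" | sed -n '/\[stdout\]/,/\[stderr\]/p')
  [ -n "$ipv4_body" ] || ipv4_body=$1
  printf '%s\n' "$ipv4_body" \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1 || true
}

# Succeeds only when the observed egress address equals the NAT gateway's
# public IP; an empty expected value (public IP not found) also fails.
same_ip() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then
    printf 'outbound traffic leaves through %s (the NAT gateway)\n' "$1"
    return 0
  fi
  printf 'expected %s but observed %s\n' "${1:-nothing}" "${2:-nothing}" >&2
  return 1
}

# CLI equivalent of the portal check: read the gateway's public IP, confirm
# the subnet is associated with the gateway, then ask the VM which address
# the Internet sees and compare the two.
verify_outbound_ip() {
  expected=$(az network public-ip show --resource-group "$RG" \
      --name "$NAT_PIP" --query ipAddress --output tsv)
  assoc=$(az network vnet subnet show --resource-group "$RG" \
      --vnet-name "$VNET" --name "$SUBNET" --query natGateway.id --output tsv)
  case "$assoc" in
    */natGateways/"$NATGW") ;;
    *) printf 'subnet %s is not associated with %s\n' "$SUBNET" "$NATGW" >&2
       return 1 ;;
  esac
  raw=$(az vm run-command invoke --resource-group "$RG" --name "$VM" \
      --command-id RunPowerShellScript \
      --scripts "(Invoke-RestMethod -Uri $IP_ECHO_URL)" \
      --query 'value[0].message' --output tsv)
  same_ip "$expected" "$(extract_ipv4 "$raw")"
}

# Run everything only when invoked as `sh nat-check.sh run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
  create_nat_gateway
  verify_outbound_ip
fi
```

Run it as `sh nat-check.sh run` once myVM exists. The association check runs before the run-command call, so a subnet that was never attached to the gateway fails fast without waiting on the VM; a mismatch between the gateway's address and the address the VM reports is the same condition the tutorial asks you to spot by eye in the browser.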
Clean up resources
If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following steps:
az group delete \
  --name myResourceGroupNAT
For more information on Azure Virtual Network NAT, see: