Default SNAT is applied to outbound internet connections from VMs when none of the explicit methods for source address translation is configured. Here, Azure automatically translates the private IP of the VM to a public IP pulled from a reserved regional block. While convenient, this method has its downsides: implicit internet access, no control or visibility over which public IP is used, and difficulty performing advanced troubleshooting.
Fortunately, Azure provides other choices for allowing VMs to connect to public endpoints, such as instance-level public IPs, outbound rules, the Azure NAT Gateway, and vendor-based solutions, such as Distributed Cloud Firewall for Egress (DCF for Egress) from Aviatrix. The question is: With so many options, which is the right solution for you? The answer is that some choices are better than others, depending on what you want to accomplish. Let’s look at four of these options:
Instance-level public IPs
Instance-level public IPs (IL-PIPs) are special IP addresses in Azure that you assign to a single VM or, more precisely, to a single network interface (NIC) that is then attached to a VM. They are special because they don’t reside within the private IP space of the virtual network (VNet) itself; instead they operate as a regional-level service for private-to-public address translation when a single VM needs to reach a public endpoint. IL-PIPs remove much of the mystery of the default SNAT feature in Azure: they are purposeful, explicit, and stapled to their parent NIC.
IL-PIPs are best used on network virtual appliances (NVAs) within Azure, such as virtual firewalls and software-defined wide area network (SD-WAN) devices. They are a convenient and easy way for NVAs to provide egress security or hybrid connectivity on behalf of app-level VMs that need to connect to internet destinations. One caveat here is that unless scaled correctly, IL-PIPs on NVAs are prone to SNAT port exhaustion, a common problem whenever NAT is involved.
IL-PIPs are not ideal for individual VMs that are running application or data workloads, due to complexity, lack of security, and cost. It is far better to provide an internet egress demilitarized zone (DMZ) for these VMs to leverage, per the NVA model above, which is a best-practice architecture in Azure.
Fortunately, Azure has several outbound solutions that specifically address this issue. Outbound rules, for example, operate in conjunction with an Azure public load balancer and offer a sophisticated set of parameters for adding additional outbound public IPs and port mappings to tackle almost any egress requirements. Outbound rules are ideal for VMs that are part of a backend pool and need easy and convenient outbound access through the same Azure public load balancer that services their inbound requests.
But not all VMs in Azure are behind a load balancer and not all customers want to configure every public load balancer with outbound rules, especially if they have a large number of public load balancers to deal with. Furthermore, outbound rules are not optimized for customers looking for a VNet-wide solution or quick “one click” deployment. For this reason, Azure offers customers what is sure to be its best solution for egress traffic, which is the Azure NAT Gateway.
Azure NAT Gateway
The Azure NAT Gateway has a lot to offer: it’s simple to configure and deploy, fully managed, and intelligently handles SNAT port allocation under the hood so that customers can quickly and easily scale their egress traffic requirements. Even better, it works with both standalone VMs and VMs behind load balancers, all without any complicated requirements. Simply deploy the Azure NAT Gateway, assign it one or more PIPs (classless inter-domain routing (CIDR) ranges, in the form of public IP prefixes, are supported), point it to the subnets you want it to serve, and you’re off to the races. Finally, Azure NAT Gateway is fully redundant and supports availability zones for high uptime.
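The deployment sequence just described (create the gateway, attach a public IP prefix, associate the subnets), written out as an added Terraform example using the azurerm provider; this is not code from the original post or from Azure’s documentation, and the resource group, region, VNet and subnet names are placeholders assumed for illustration.

```hcl
# Added example (not from the original post). Assumes the VNet and subnet
# named below already exist in the same resource group as the gateway.
resource "azurerm_resource_group" "egress" {
  name     = "rg-egress-example"   # placeholder
  location = "eastus"              # placeholder region
}

# A public IP prefix gives the gateway a contiguous CIDR block (/30 = 4 PIPs)
# rather than a single PIP, so SNAT port capacity scales with the prefix size.
resource "azurerm_public_ip_prefix" "egress" {
  name                = "pipprefix-egress"
  location            = azurerm_resource_group.egress.location
  resource_group_name = azurerm_resource_group.egress.name
  prefix_length       = 30
  zones               = ["1"]   # must match the gateway's zone
}

resource "azurerm_nat_gateway" "egress" {
  name                    = "natgw-egress"
  location                = azurerm_resource_group.egress.location
  resource_group_name     = azurerm_resource_group.egress.name
  sku_name                = "Standard"
  idle_timeout_in_minutes = 4       # default; raise only for long idle TCP flows
  zones                   = ["1"]   # NAT Gateway is zonal; align with served subnets
}

# Step 2: attach the prefix to the gateway.
resource "azurerm_nat_gateway_public_ip_prefix_association" "egress" {
  nat_gateway_id      = azurerm_nat_gateway.egress.id
  public_ip_prefix_id = azurerm_public_ip_prefix.egress.id
}

# Look up the existing subnet that should egress through the gateway.
data "azurerm_subnet" "app" {
  name                 = "snet-app"        # placeholder
  virtual_network_name = "vnet-workloads"  # placeholder
  resource_group_name  = azurerm_resource_group.egress.name
}

# Step 3: associating the gateway with a subnet makes it the outbound path for
# every VM in that subnet, standalone or behind a load balancer, with no
# per-VM or per-load-balancer configuration.
resource "azurerm_subnet_nat_gateway_association" "app" {
  subnet_id      = data.azurerm_subnet.app.id
  nat_gateway_id = azurerm_nat_gateway.egress.id
}
```

Repeat the subnet association block for each additional subnet that should use the same gateway; the public IPs in the prefix are then the only source addresses these VMs present to the internet, which is what makes the egress explicit and auditable.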
Aviatrix’s Distributed Cloud Firewall for Egress in Azure Marketplace
Even with all these great capabilities, some customers are looking to add functionality to their internet egress strategy. This is where the Azure Marketplace comes in, and one of the most compelling offerings here is the Aviatrix Distributed Cloud Firewall (DCF). Aviatrix DCF features three upgradable tiers of capability, giving customers both choice and control over how they want to deploy and scale their internet egress solution in Azure.
Aviatrix DCF is a unique solution that distributes security across the entire cloud network, which alleviates bottlenecks, improves overall security, and reduces cloud costs. In addition to supporting full automation through Terraform and centralized management through Aviatrix CoPilot, Aviatrix DCF is supported in all Azure regions, including Azure Gov Cloud, as well as other major public clouds.
The Aviatrix DCF for Egress solution starts with the basic NAT tier. This tier provides customers with enterprise-grade dynamic NAT capabilities on a per-VNet basis. The basic NAT tier can be easily and quickly scaled to handle enormous amounts of traffic; it will automatically become the default internet gateway for its resident VNet through cloud-native orchestration.
For customers looking to add security, the basic NAT tier can be upgraded to the Aviatrix DCF for Egress tier, which adds support for transport layer security (TLS)/secure sockets layer (SSL) decryption, fully qualified domain name (FQDN) filtering, and intrusion detection. These additional capabilities are a game-changer for customers who need to ensure that all outbound traffic is both trusted and secure. Because public cloud introduces a rapidly changing “endless perimeter” for internet access across the entire network, this distributed approach ensures that all business-critical apps are protected without sacrificing application performance or disrupting your architecture.
In terms of billing, Aviatrix DCF for Egress does not meter on network data, only on hourly consumption. This difference can quickly translate into big savings for customers, especially around security costs, which can rapidly spiral out of control in the cloud. The billing plan for Aviatrix DCF for Egress ensures your monthly bill will be predictable, which makes your overall cloud expenses easier to control.
Finally, for customers looking for micro-segmentation and app-to-app (east/west) security in Azure, Aviatrix DCF for Egress can be upgraded to the full Aviatrix Distributed Cloud Firewall solution. This solution supports full-scale network security group (NSG) automation and dynamic policy enforcement based on object resource tags in addition to IP addresses. Aviatrix SmartGroups give customers intelligent, centralized policy control across the entire cloud network and even support hybrid policy enforcement over VPN and ExpressRoute.
While platform changes in networking behavior are not always welcome news, rest assured that Azure has a rich set of egress solutions to help you navigate the upcoming change with ease. Regardless of the solution you choose, the result will be an internet egress strategy that is more explicit, easier to see and control, and ultimately more secure. Together, Azure and Aviatrix can help you save money and improve security for outbound internet traffic with Aviatrix Distributed Cloud Firewall for Egress.
Please check out the Aviatrix Guide to Network Security in Azure. With it, you'll learn how Aviatrix's innovative network security solution enhances Azure's native resources and services, optimizing performance and improving security.