Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,703 questions
Is there any approach to replace NAT Gateway?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 70%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Khaleel Shaik
20
Reputation points
We currently have a NAT Gateway configured to manage outbound traffic for one of our Azure App Services. However, since the NAT Gateway is one of the most expensive resources in our setup, we're looking for a more cost-effective alternative that can serve the same purpose. Any suggestions or guidance would be greatly appreciated.
Azure App Service
{count} votes
-
Luke Murray 11,351 Reputation points MVP2025-04-09T08:09:51.65+00:00 You would have to replace NAT Gateway with Application Gateway.
Or use DNS to point to the CNAME of your WebApp.
-
Khaleel Shaik 20 Reputation points
2025-04-09T12:23:58.82+00:00 how does it really help us from SNAT Port exhaust issue in azure app service that is what the reason that we have integrated NAT Gateway, can you please explain a little bit.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 69%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Siva Nair 1,475 Reputation points Microsoft External Staff2025-04-10T05:09:25.65+00:00 Hi Khaleel Shaik,
In addition to Luke Murray response,
we recommend replacing the NAT Gateway with a lightweight Linux VM acting as a NAT instance. This setup uses VNet Integration, a User Defined Route (UDR), and standard Linux NAT capabilities. while maintaining control over outbound IPs from Azure App Services
Do follow configure-virtual-machine-software
- Enable VNet Integration
In the App Service, go to Networking → VNet Integration
Integrate with a VNet and select a dedicated subnet
- Provision the NAT VM
Create a Linux VM (Ubuntu/Debian recommended) in the same VNet or a peered VNet
Assign a Standard SKU Static Public IP
- Enable IP forwarding: example in the document above enable-ip-forwarding-in-the-operating-system
-
- Configure NAT with iptables
- Create a User Defined Route (UDR)
- Create a route table and a route for all traffic:
az network route-table create \ --resource-group test-rg \ --name route-table-nat-hub \ --location eastus2Associate the route table with the subnet used by VNet Integration
- Update NSG Rules (if any)
- Ensure that traffic is allowed:
- From App Service subnet → NAT VM (private IP)
- From NAT VM → Internet
- From Internet → NAT VM (optional, for testing/monitoring)
- we can test it by Deploy an endpoint in the App Service that calls: test-nat-gateway-from-spoke-one
https://whatsmyip.comThis should return the static public IP of the NAT VM, confirming that traffic is routing correctly.
If you have any further assistant, do let me know.
-
Khaleel Shaik 20 Reputation points
2025-04-10T07:30:11.8833333+00:00 Thanks very much @Siva Nair Let me give a try, I hope this should resolve.
-
Siva Nair 1,475 Reputation points Microsoft External Staff
2025-04-11T02:17:42.69+00:00 Hi Khaleel Shaik,
Glad that you find it helpful, if it does do let us know or you need any further assist with it , and if that works as per your expectation, kindly upvote it and please click Accept Answer so that other people who faces similar issue may get benefitted from it.
-
Siva Nair 1,475 Reputation points Microsoft External Staff
2025-04-13T15:23:56.88+00:00 Hi Khaleel Shaik,
Glad that you find it helpful, if it does do let us know or you need any further assist with it , and if that works as per your expectation, kindly upvote it and please click Accept Answer so that other people who faces similar issue may get benefitted from it.
-
Siva Nair 1,475 Reputation points Microsoft External Staff
2025-04-14T05:43:27.58+00:00 Hi Khaleel Shaik,
just checking back to see if you have a resolution yet, do let us know if you need any further assist with it , and if that works as per your expectation, kindly upvote it and please click Accept Answer so that other people who faces similar issue may get benefitted from it.
-
Khaleel Shaik 20 Reputation points
2025-04-23T13:06:37.34+00:00 Hi @Siva Nair
I don't think this will resolve my issue as it looks again integrating NAT gateway in a VM. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 40%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Bodapati Harish 400 Reputation points Microsoft External Staff2025-04-25T07:31:20.57+00:00 Hello Khaleel Shaik,
If you need to control outbound IPs and avoid SNAT exhaustion, without adding a full NAT VM setup, here are two practical alternatives that you might helpful.
Approach1: Use Azure Load Balancer Instead of NAT Gateway
This can help you keep a static outbound IP and also manage SNAT ports better, at a lower cost.
- Go to your Azure portal and create a Standard Load Balancer.
- Assign a static public IP address to the Load Balancer.
- Under the Load Balancer settings, go to Outbound Rules and set up a rule with higher SNAT ports (e.g.1024).
- Make sure your App Service is integrated with a VNet (via VNet Integration) and is connected to a subnet.
- In the same subnet, create a User Defined Route (UDR) that sends all outbound traffic (
0.0.0.0/0) to the Load Balancer backend IP. - If you're using Network Security Groups (NSGs), update them to allow:
- Traffic from your App Service subnet to the Load Balancer
- Load Balancer to send outbound traffic to the internet
- Test from your App Service (e.g., using
https://ifconfig.me) to confirm it’s using the new static IP.
This setup gives you control over outbound IP while avoiding the higher cost of NAT Gateway.
Approach2: Tweak App Service to Reduce SNAT Usage
If having a fixed outbound IP isn’t a must, you can reduce SNAT usage by adjusting your app or setup a bit.
- Use connection reuse in your app (e.g., HTTP keep-alive)
- Use Service Endpoints or Private Endpoints when talking to Azure resources like SQL, Storage, etc. This avoids SNAT usage altogether
- Scale out the App Service to more instances, this increases available SNAT ports
- Offload outbound-heavy tasks to another service like an Azure Function or Container App, where you can manage outbound IP differently
If your scenario doesn’t strictly require a static IP, the second option is much simpler and cost friendly. But if you do need outbound IP control, the Load Balancer setup is a good balance between features and cost.
I hope this helps! Please let me know if any assistance, I'll happy to assist you further.
-
Bodapati Harish 400 Reputation points Microsoft External Staff
2025-05-02T08:06:00.5866667+00:00 Hello Khaleel Shaik,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Sign in to comment
Sign in to answer