+1. Access the **Manage Authentication Policies** task to create a new authentication policy. In the authentication policy, use the authentication allowlist to specify the Azure AD IP range and the security group that is allowed access from this IP range. Save the changes.

+The default steps to [configure the Workday integration system user](../saas-apps/workday-inbound-tutorial.md#configure-integration-system-user-in-workday) grants access to retrieve all users in your Workday tenant. In certain integration scenarios, you may want to limit access. For example, only return users in certain supervisory organizations from the `Get_Workers` API call.

+<!-- Replace timestamps with the UTC time corresponding to the test connection event -->

+<!-- Replace timestamps with the UTC time corresponding to full sync run -->

+<!-- Replace timestamps with the UTC time corresponding to last execution and current execution time -->

+<!-- Replace timestamps with the UTC time corresponding to last execution and current execution time -->

+<!-- Replace timestamps hire date/first day of work -->

+The table provides guidance on mapping configuration to use to retrieve a specific data set.

+| 1 | `Personal Data` | Yes | `wd:Worker_Data/wd:Personal_Data` |

+| 2 | `Employment Data` | Yes | `wd:Worker_Data/wd:Employment_Data` |

+| 3 | `Additional Job Data` | Yes | `wd:Worker_Data/wd:Employment_Data/wd:Worker_Job_Data[@wd:Primary_Job=0]`|

+| 4 | `Organization Data` | Yes | `wd:Worker_Data/wd:Organization_Data` |

+| 5 | `Management Chain Data` | Yes | `wd:Worker_Data/wd:Management_Chain_Data` |

+| 6 | `Supervisory Organization` | Yes | `SUPERVISORY` |

+| 7 | `Company` | Yes | `COMPANY` |

+| 8 | `Business Unit` | No | `BUSINESS_UNIT` |

+| 9 | `Business Unit Hierarchy` | No | `BUSINESS_UNIT_HIERARCHY` |

+| 10 | `Company Hierarchy` | No | `COMPANY_HIERARCHY` |

+| 11 | `Cost Center` | No | `COST_CENTER` |

+| 12 | `Cost Center Hierarchy` | No | `COST_CENTER_HIERARCHY` |

+| 13 | `Fund` | No | `FUND` |

+| 14 | `Fund Hierarchy` | No | `FUND_HIERARCHY` |

+| 15 | `Gift` | No | `GIFT` |

+| 16 | `Gift Hierarchy` | No | `GIFT_HIERARCHY` |

+| 17 | `Grant` | No | `GRANT` |

+| 18 | `Grant Hierarchy` | No | `GRANT_HIERARCHY` |

+| 19 | `Business Site Hierarchy` | No | `BUSINESS_SITE_HIERARCHY` |

+| 20 | `Matrix Organization` | No | `MATRIX` |

+| 21 | `Pay Group` | No | `PAY_GROUP` |

+| 22 | `Programs` | No | `PROGRAMS` |

+| 23 | `Program Hierarchy` | No | `PROGRAM_HIERARCHY` |

+| 24 | `Region` | No | `REGION_HIERARCHY` |

+| 25 | `Location Hierarchy` | No | `LOCATION_HIERARCHY` |

+| 26 | `Account Provisioning Data` | No | `wd:Worker_Data/wd:Account_Provisioning_Data` |

+| 27 | `Background Check Data` | No | `wd:Worker_Data/wd:Background_Check_Data` |

+| 28 | `Benefit Eligibility Data` | No | `wd:Worker_Data/wd:Benefit_Eligibility_Data` |

+| 29 | `Benefit Enrollment Data` | No | `wd:Worker_Data/wd:Benefit_Enrollment_Data` |

+| 30 | `Career Data` | No | `wd:Worker_Data/wd:Career_Data` |

+| 31 | `Compensation Data` | No | `wd:Worker_Data/wd:Compensation_Data` |

+| 32 | `Contingent Worker Tax Authority Data` | No | `wd:Worker_Data/wd:Contingent_Worker_Tax_Authority_Form_Type_Data` |

+| 33 | `Development Item Data` | No | `wd:Worker_Data/wd:Development_Item_Data` |

+| 34 | `Employee Contracts Data` | No | `wd:Worker_Data/wd:Employee_Contracts_Data` |

+| 35 | `Employee Review Data` | No | `wd:Worker_Data/wd:Employee_Review_Data` |

+| 36 | `Feedback Received Data` | No | `wd:Worker_Data/wd:Feedback_Received_Data` |

+| 37 | `Worker Goal Data` | No | `wd:Worker_Data/wd:Worker_Goal_Data` |

+| 38 | `Photo Data` | No | `wd:Worker_Data/wd:Photo_Data` |

+| 39 | `Qualification Data` | No | `wd:Worker_Data/wd:Qualification_Data` |

+| 40 | `Related Persons Data` | No | `wd:Worker_Data/wd:Related_Persons_Data` |

+| 41 | `Role Data` | No | `wd:Worker_Data/wd:Role_Data` |

+| 42 | `Skill Data` | No | `wd:Worker_Data/wd:Skill_Data` |

+| 43 | `Succession Profile Data` | No | `wd:Worker_Data/wd:Succession_Profile_Data` |

+| 44 | `Talent Assessment Data` | No | `wd:Worker_Data/wd:Talent_Assessment_Data` |

+| 45 | `User Account Data` | No | `wd:Worker_Data/wd:User_Account_Data` |

+| 46 | `Worker Document Data` | No | `wd:Worker_Data/wd:Worker_Document_Data` |

+1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in AD or Azure AD. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information.

+1. Once the Cost Center and Pay Group data set is available in the *Get_Workers* response, you can use the XPATH values to retrieve the cost center name, cost center code and pay group.

+* [Scenario 2: Worker employed as CW/FTE today, changes to FTE/CW today](#scenario-2-worker-employed-as-cwfte-today-changes-to-ftecw-today)

+Your HR team may backdate a worker conversion transaction in Workday for valid business reasons. Examples include payroll processing, budget compliance, legal requirements and benefits management. Here's an example to illustrate how provisioning is handled for the scenario.

+* The Azure AD provisioning service detects this change in the Workday transaction log on January 15, 2023. The service automatically provision attributes of the new FTE profile in the next sync cycle.

+#### Scenario 2: Worker employed as CW/FTE today, changes to FTE/CW today

+This scenario is similar to the above scenario, except that instead of backdating the transaction, HR performs a worker conversion that is effective immediately. The Azure AD provisioning service detects this change in the Workday transaction log. In the next sync cycle, the service automatically provisions any associated attributes with an active FTE profile. No changes are required in the provisioning app configuration to handle this scenario.

+* Since Azure AD provisioning service automatically processes future-dated hires, it processes John's new full-time employee worker profile on January 15, and update John's profile in AD with full-time employment details even though he's still a contingent worker.

+ 1. With this configuration, the existing employee/contingent worker record continues to be effective and the provisioning changes happen only on the day of conversion.

+>During initial full sync, you may notice a behavior where the attribute values associated with the previous inactive worker profile flow to the AD account of converted workers. This is temporary and as full sync progresses, it is eventually be overwritten by attribute values from the active worker profile. Once the full sync is complete and the provisioning job reaches steady state, it always picks the active worker profile during incremental sync.

+By default, the Workday connector retrieves attributes associated with the worker's primary job. The connector also supports retrieving `Additional Job Data` associated with international job assignments or secondary jobs.

+Use the steps to retrieve attributes associated with international job assignments:

+* **Wide list of attributes and transformations available** - All header values available are based on standard claims that are issued by Azure AD. All attributes and transformations available for [configuring claims for SAML or OIDC applications](../develop/saml-claims-customization.md#attributes) are also available to be used as header values.

+ - To learn more about the list of attribute available, see [Claims Customizations- Attributes](../develop/saml-claims-customization.md#attributes).

+ - To learn more about the list of transformation available, see [Claims Customizations- Claim Transformations](../develop/saml-claims-customization.md#claim-transformations).

+### Define locations

+1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**.

+1. Choose **New location**.

+1. Give your location a name.

+1. Choose **IP ranges** if you know the specific externally accessible IPv4 address ranges that make up that location or **Countries/Regions**.

+ 1. Provide the **IP ranges** or select the **Countries/Regions** for the location you're specifying.

+ * If you choose Countries/Regions, you can optionally choose to include unknown areas.

+1. Choose **Save**

+- For information about customizing claims, see [Customize claims issued in the SAML token for enterprise applications](saml-claims-customization.md).

+Install-Module Microsoft.Graph

+ Title: Customize app JSON Web Token (JWT) claims (Preview)

+description: Learn how to customize the claims issued by Microsoft identity platform in the JSON web token (JWT) token for enterprise applications.

+# Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview)

+The Microsoft identity platform supports [single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md) with most preintegrated applications in the Azure Active Directory (Azure AD) application gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the OIDC protocol, the Microsoft identity platform sends a token to the application. The application validates and uses the token to sign the user in instead of prompting for a username and password.

+These JSON Web tokens (JWT) used by OIDC and OAuth applications (preview) contain pieces of information about the user known as *claims*. A claim is information that an identity provider states about a user inside the token they issue for that user. In an [OIDC response](v2-protocols-oidc.md), claims data is typically contained in the ID Token issued by the identity provider in the form of a JWT.

+## View or edit claims

+To view or edit the claims issued in the JWT to the application, open the application in Azure portal. Then select **Single sign-on** blade in the left-hand menu and open the **Attributes & Claims** section.

+An application may need claims customization for various reasons. For example, when an application requires a different set of claim URIs or claim values. Using the **Attributes & Claims** section, you can add or remove a claim for your application. You can also create a custom claim that is specific for an application based on the use case.

+The following steps describe how to assign a constant value:

+1. In the [Azure portal](https://portal.azure.com/), on the **Attributes & Claims** section, Select **Edit** to edit the claims.

+1. Select the required claim that you want to modify.

+1. Enter the constant value without quotes in the **Source attribute** as per your organization, and then select **Save**.

+The Attributes overview displays the constant value.

+## Special claims transformations

+You can use the following special claims transformations functions.

+| Function | Description |

+|-|-|

+| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name. For example, `joe_smith` instead of `joe_smith@contoso.com`. |

+| **ToLower()** | Converts the characters of the selected attribute into lowercase characters. |

+| **ToUpper()** | Converts the characters of the selected attribute into uppercase characters. |

+## Add application-specific claims

+To add application-specific claims:

+1. In **User Attributes & Claims**, select **Add new claim** to open the **Manage user claims** page.

+1. Enter the **name** of the claims. The value doesn't strictly need to follow a URI pattern. If you need a URI pattern, you can put that in the **Namespace** field.

+1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim.

+### Claim transformations

+To apply a transformation to a user attribute:

+1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page.

+1. Select the function from the transformation dropdown. Depending on the function selected, provide parameters and a constant value to evaluate in the transformation.

+1. **Treat source as multivalued** indicates whether the transform is applied to all values or just the first. By default, the first element in a multi-value claim is applied the transformations. When you check this box, it ensures it's applied to all. This checkbox is only enabled for multi-valued attributes. For example, `user.proxyaddresses`.

+1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case.

+ :::image type="content" source="./media/jwt-claims-customization/sso-saml-multiple-claims-transformation.png" alt-text="Screenshot of claims transformation.":::

+You can use the following functions to transform claims.

+| Function | Description |

+|-|-|

+| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name. For example, `joe_smith` instead of `joe_smith@contoso.com`. |

+| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For NameID claim transformation, the Join() function has specific behavior when the transformation input has a domain part. It removes the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is `joe_smith@contoso.com` and the separator is `@` and the parameter is `fabrikam.com`, this input combination results in `joe_smith@fabrikam.com`. |

+| **ToLowercase()** | Converts the characters of the selected attribute into lowercase characters. |

+| **ToUppercase()** | Converts the characters of the selected attribute into uppercase characters. |

+| **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. <br/>For example, if you want to emit a claim where the value is the user's email address if it contains the domain `@contoso.com`, otherwise you want to output the user principal name. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |

+| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with "000", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

+| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with "US", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

+| **Extract() - After matching** | Returns the substring after it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon`, the matching value is `Finance_`, then the claim's output is `BSimon`. |

+| **Extract() - Before matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `BSimon_US`, the matching value is `_US`, then the claim's output is `BSimon`. |

+| **Extract() - Between matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon_US`, the first matching value is `Finance_`, the second matching value is `_US`, then the claim's output is `BSimon`. |

+| **ExtractAlpha() - Prefix** | Returns the prefix alphabetical part of the string.<br/>For example, if the input's value is `BSimon_123`, then it returns `BSimon`. |

+| **ExtractAlpha() - Suffix** | Returns the suffix alphabetical part of the string.<br/>For example, if the input's value is `123_Simon`, then it returns `Simon`. |

+| **ExtractNumeric() - Prefix** | Returns the prefix numerical part of the string.<br/>For example, if the input's value is `123_BSimon`, then it returns `123`. |

+| **ExtractNumeric() - Suffix** | Returns the suffix numerical part of the string.<br/>For example, if the input's value is `BSimon_123`, then it returns `123`. |

+| **IfEmpty()** | Outputs an attribute or constant if the input is null or empty.<br/>For example, if you want to output an attribute stored in an extension attribute if the employee ID for a given user is empty. To perform this function, configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1<br/>Parameter 3 (output if there's no match): user.employeeid |

+| **IfNotEmpty()** | Outputs an attribute or constant if the input isn't null or empty.<br/>For example, if you want to output an attribute stored in an extension attribute if the employee ID for a given user isn't empty. To perform this function, you configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1 |

+| **Substring() - Fixed Length** (Preview)| Extracts parts of a string claim type, beginning at the character at the specified position, and returns the specified number of characters.<br/>SourceClaim - The claim source of the transform that should be executed.<br/>StartIndex - The zero-based starting character position of a substring in this instance.<br/>Length - The length in characters of the substring.<br/>For example:<br/>sourceClaim - PleaseExtractThisNow<br/>StartIndex - 6<br/>Length - 11<br/>Output: ExtractThis |

+| **Substring() - EndOfString** (Preview) | Extracts parts of a string claim type, beginning at the character at the specified position, and returns the rest of the claim from the specified start index. <br/>SourceClaim - The claim source of the transform.<br/>StartIndex - The zero-based starting character position of a substring in this instance.<br/>For example:<br/>sourceClaim - PleaseExtractThisNow<br/>StartIndex - 6<br/>Output: ExtractThisNow |

+| **RegexReplace()** (Preview) | RegexReplace() transformation accepts as input parameters:<br/>- Parameter 1: a user attribute as regex input<br/>- An option to trust the source as multivalued<br/>- Regex pattern<br/>- Replacement pattern. The replacement pattern may contain static text format along with a reference that points to regex output groups and more input parameters. |

+If you need other transformations, submit your idea in the [feedback forum in Azure AD](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) under the *SaaS application* category.

+## Regex-based claims transformation

+The following image shows an example of the first level of transformation:

+The following table provides information about the first level of transformations. The actions listed in the table correspond to the labels in the previous image. Select **Edit** to open the claims transformation blade.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Transformation` | Select the **RegexReplace()** option from the **Transformation** options to use the regex-based claims transformation method for claims transformation. |

+| 2 | `Parameter 1` | The input for the regular expression transformation. For example, user.mail that has a user email address such as `admin@fabrikam.com`. |

+| 3 | `Treat source as multivalued` | Some input user attributes can be multi-value user attributes. If the selected user attribute supports multiple values and the user wants to use multiple values for the transformation, they need to select **Treat source as multivalued**. If selected, all values are used for the regex match, otherwise only the first value is used. |

+| 4 | `Regex pattern` | A regular expression that is evaluated against the value of user attribute selected as *Parameter 1*. For example, a regular expression to extract the user alias from the user's email address is represented as `(?'domain'^.*?)(?i)(\@fabrikam\.com)$`. |

+| 5 | `Add additional parameter` | More than one user attribute can be used for the transformation. The values of the attributes would then be merged with regex transformation output. Up to five more parameters are supported. |

+| 6 | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome. All group names must be wrapped inside the curly braces such as {group-name}. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+The following image shows an example of the second level of transformation:

+The following table provides information about the second level of transformations. The actions listed in the table correspond to the labels in the previous image.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Transformation` | Regex-based claims transformations aren't limited to the first transformation and can be used as the second level transformation as well. Any other transformation method can be used as the first transformation. |

+| 2 | `Parameter 1` | If **RegexReplace()** is selected as a second level transformation, output of first level transformation is used as an input for the second level transformation. To apply the transformation, the second level regex expression should match the output of the first transformation. |

+| 3 | `Regex pattern` | **Regex pattern** is the regular expression for the second level transformation. |

+| 4 | `Parameter input` | User attribute inputs for the second level transformations. |

+| 5 | `Parameter input` | Administrators can delete the selected input parameter if they don't need it anymore. |

+| 6 | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome group name, input parameter group name, and static text value. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+| 7 | `Test transformation` | The RegexReplace() transformation is evaluated only if the value of the selected user attribute for *Parameter 1* matches with the regular expression provided in the **Regex pattern** textbox. If they don't match, the default claim value is added to the token. To validate regular expression against the input parameter value, a test experience is available within the transform blade. This test experience operates on dummy values only. When more input parameters are used, the name of the parameter is added to the test result instead of the actual value. To access the test section, select **Test transformation**. |

+The following image shows an example of testing the transformations:

+The following table provides information about testing the transformations. The actions listed in the table correspond to the labels in the previous image.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Test transformation` | Select the close or (X) button to hide the test section and re-render the **Test transformation** button again on the blade. |

+| 2 | `Test regex input` | Accepts input that is used for the regular expression test evaluation. In case regex-based claims transformation is configured as a second level transformation, provide a value that is the expected output of the first transformation. |

+| 3 | `Run test` | After the test regex input is provided and the **Regex pattern**, **Replacement pattern** and **Input parameters** are configured, the expression can be evaluated by selecting **Run test**. |

+| 4 | `Test transformation result` | If evaluation succeeds, an output of test transformation is rendered against the **Test transformation result** label. |

+| 5 | `Remove transformation` | The second level transformation can be removed by selecting **Remove transformation**. |

+| 6 | `Specify output if no match` | When a regex input value is configured against the *Parameter 1* that doesn't match the **Regular expression**, the transformation is skipped. In such cases, the alternate user attribute can be configured, which is added to the token for the claim by checking **Specify output if no match**. |

+| 7 | `Parameter 3` | If an alternate user attribute needs to be returned when there's no match and **Specify output if no match** is checked, an alternate user attribute can be selected using the dropdown. This dropdown is available against **Parameter 3 (output if no match)**. |

+| 8 | `Summary` | At the bottom of the blade, a full summary of the format is displayed that explains the meaning of the transformation in simple text. |

+| 9 | `Add` | After the configuration settings for the transformation are verified, it can be saved to a claims policy by selecting **Add**. Select **Save** on the **Manage Claim** blade to save the changes. |

+RegexReplace() transformation is also available for the group claims transformations.

+### Transformation validations

+A message provides more information when the following conditions occur after selecting **Add** or **Run test**:

+* Input parameters with duplicate user attributes were used.

+* Unused input parameters found. Defined input parameters should have respective usage into the Replacement pattern text.

+* The provided test regex input doesn't match with the provided regular expression.

+* No sources for the groups in the replacement pattern are found.

+## Emit claims based on conditions

+You can specify the source of a claim based on user type and the group to which the user belongs.

+The user type can be:

+* **Any** - All users are allowed to access the application.

+* **Members**: Native member of the tenant

+* **All guests**: User moved from an external organization with or without Azure AD.

+* **AAD guests**: Guest user belongs to another organization using Azure AD.

+* **External guests**: Guest user belongs to an external organization that doesn't have Azure AD.

+One scenario where the user type is helpful is when the source of a claim is different for a guest and an employee accessing an application. You can specify that if the user is an employee, get the NameID from user.email. If the user is a guest, then the NameID comes from user.extensionattribute1.

+To add a claim condition:

+1. In **Manage claim**, expand the Claim conditions.

+1. Select the user type.

+1. Select the group(s) to which the user should belong. You can select up to 50 unique groups across all claims for a given application.

+1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim.

+The order in which you add the conditions are important. Azure AD first evaluates all conditions with source `Attribute` and then evaluates all conditions with source `Transformation` to decide which value to emit in the claim. Azure AD evaluates conditions with the same source from top to bottom. The claim emits the last value that matches the expression in the claim. Transformations such as `IsNotEmpty` and `Contains` act like restrictions.

+For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs to another organization that also uses Azure AD. Given the following configuration for the Fabrikam application, when Britta tries to sign in to Fabrikam, the Microsoft identity platform evaluates the conditions.

+First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta.

+As another example, consider when Britta Simon tries to sign in using the following configuration. Azure AD first evaluates all conditions with source `Attribute`. The source for the claim is `user.mail` when Britta's user type is **AAD guests**. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is the new source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta.

+As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. The claim falls back to `user.extensionattribute1` ignoring the condition entry in both cases.

+## Advanced claims options

+Configure advanced claims options for OIDC applications to expose the same claim as SAML tokens. Also for applications that intend to use the same claim for both SAML2.0 and OIDC response tokens.

+Configure advanced claim options by checking the box under **Advanced Claims Options** in the **Manage claims** blade.

+## Next steps

+* Learn more about the [claims and tokens used in Azure AD](security-tokens.md).

+ Title: Customize SAML token claims

+description: Learn how to customize the claims issued by Microsoft identity platform in the SAML token for enterprise applications.

+# Customize claims issued in the SAML token for enterprise applications

+The Microsoft identity platform supports [single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md) with most preintegrated applications in the Azure Active Directory (Azure AD) application gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the SAML 2.0 protocol, the Microsoft identity platform sends a token to the application. The application validates and uses the token to sign the user in instead of prompting for a username and password.

+These SAML tokens contain pieces of information about the user known as *claims*. A claim is information that an identity provider states about a user inside the token they issue for that user. In a SAML token, claims data is typically contained in the SAML Attribute Statement. The user's unique ID is typically represented in the SAML Subject, which is also referred to as the name identifier (`nameID`).

+By default, the Microsoft identity platform issues a SAML token to an application that contains a `NameIdentifier` claim with a value of the user's username (also known as the user principal name) in Azure AD, which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name.

+## View or edit claims

+To view or edit the claims issued in the SAML token to the application, open the application in Azure portal. Then open the **Attributes & Claims** section.

+You might need to edit the claims issued in the SAML token for the following reasons:

+* The application requires the `NameIdentifier` or `nameID` claim to be something other than the username (or user principal name) stored in Azure AD.

+* The application has been written to require a different set of claim URIs or claim values.

+## Edit nameID

+To edit the `nameID` (name identifier value) claim:

+1. Open the **Name identifier value** page.

+1. Select the attribute or transformation that you want to apply to the attribute. Optionally, you can specify the format that you want the `nameID` claim to have.

+ :::image type="content" source="./media/saml-claims-customization/saml-sso-manage-user-claims.png" alt-text="Screenshot of editing the nameID (name identifier) value in the Azure portal.":::

+### NameID format

+If the SAML request contains the element `NameIDPolicy` with a specific format, then the Microsoft identity platform honors the format in the request.

+If the SAML request doesn't contain an element for `NameIDPolicy`, then the Microsoft identity platform issues the `nameID` with the format you specify. If no format is specified, the Microsoft identity platform uses the default source format associated with the claim source selected. If a transformation results in a null or illegal value, Azure AD sends a persistent pairwise identifier in the `nameID`.

+From the **Choose name identifier format** dropdown, select one of the options in the following table.

+| `nameID` format | Description |

+||-|

+| **Default** | Microsoft identity platform uses the default source format. |

+| **Persistent** | Microsoft identity platform uses `Persistent` as the `nameID` format. |

+| **Email address** | Microsoft identity platform uses `EmailAddress` as the `nameID` format. |

+| **Unspecified** | Microsoft identity platform uses `Unspecified` as the `nameID` format. |

+|**Windows domain qualified name**| Microsoft identity platform uses the `WindowsDomainQualifiedName` format.|

+Transient `nameID` is also supported, but isn't available in the dropdown and can't be configured on Azure's side. To learn more about the `NameIDPolicy` attribute, see [Single sign-On SAML protocol](single-sign-on-saml-protocol.md).

+### Attributes

+Select the desired source for the `NameIdentifier` (or `nameID`) claim. You can select from the options in the following table.

+| Name | Description |

+||-|

+| `Email` | The email address of the user. |

+| `userprincipalName` | The user principal name (UPN) of the user. |

+| `onpremisessamaccountname` | The SAM account name that has been synced from on-premises Azure AD. |

+| `objectid` | The object ID of the user in Azure AD. |

+| `employeeid` | The employee ID of the user. |

+| `Directory extensions` | The directory extensions [synced from on-premises Active Directory using Azure AD Connect Sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md). |

+| `Extension Attributes 1-15` | The on-premises extension attributes used to extend the Azure AD schema. |

+| `pairwiseid` | The persistent form of user identifier. |

+For more information about identifier values, see the table that lists the valid ID values per source later in this page.

+Any constant (static) value can be assigned to any claim that is defined in Azure AD. Use the following steps to assign a constant value:

+1. In the [Azure portal](https://portal.azure.com/), in the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Select the required claim that you want to modify.

+1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**.

+ :::image type="content" source="./media/saml-claims-customization/organization-attribute.png" alt-text="Screenshot of the organization Attributes & Claims section in the Azure portal.":::

+1. The constant value is displayed as shown in the following image.

+ :::image type="content" source="./media/saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal.":::

+### Directory Schema extensions (Preview)

+You can also configure directory schema extension attributes as non-conditional/conditional attributes in Azure AD. Use the following steps to configure the single or multi-valued directory schema extension attribute as a claim:

+1. In the [Azure portal](https://portal.azure.com/), in the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Select **Add new claim** or edit an existing claim.

+ :::image type="content" source="./media/saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal.":::

+1. Select source application from application picker where extension property is defined.

+ :::image type="content" source="./media/saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal.":::

+1. Select **Add** to add the selection to the claims.

+<!

+5. To select single or multi-valued directory schema extension attribute as conditional attribute select **Directory schema extension** option from the source dropdown.

+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-3.png" alt-text="Screenshot of the MultiValue extension configuration for conditional claims section in the Azure portal.":::

+>

+5. Click **Save** to commit the changes.

+## Special claims transformations

+You can use the following special claims transformations functions.

+| Function | Description |

+|-|-|

+| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name being passed through (for example, "joe_smith" instead of joe_smith@contoso.com). |

+| **ToLower()** | Converts the characters of the selected attribute into lowercase characters. |

+| **ToUpper()** | Converts the characters of the selected attribute into uppercase characters. |

+## Add application-specific claims

+To add application-specific claims:

+1. In **User Attributes & Claims**, select **Add new claim** to open the **Manage user claims** page.

+1. Enter the **name** of the claims. The value doesn't strictly need to follow a URI pattern, per the SAML spec. If you need a URI pattern, you can put that in the **Namespace** field.

+1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim.

+### Claim transformations

+To apply a transformation to a user attribute:

+1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page.

+1. Select the function from the transformation dropdown. Depending on the function selected, provide parameters and a constant value to evaluate in the transformation.

+1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.

+ :::image type="content" source="./media/saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation.":::

+1. Select the attribute name from the dropdown.

+1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`.

+1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case.

+You can use the following functions to transform claims.

+| Function | Description |

+|-|-|

+| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name being passed through (for example, "joe_smith" instead of joe_smith@contoso.com). |

+| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For NameID claim transformation, the Join() function has specific behavior when the transformation input has a domain part. It removes the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is 'joe_smith@contoso.com' and the separator is '@' and the parameter is 'fabrikam.com', this input combination results in 'joe_smith@fabrikam.com'. |

+| **ToLowercase()** | Converts the characters of the selected attribute into lowercase characters. |

+| **ToUppercase()** | Converts the characters of the selected attribute into uppercase characters. |

+| **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. <br/>For example, if you want to emit a claim where the value is the user's email address if it contains the domain "@contoso.com", otherwise you want to output the user principal name. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |

+| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with "000", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

+| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with "US", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

+| **Extract() - After matching** | Returns the substring after it matches the specified value.<br/>For example, if the input's value is "Finance_BSimon", the matching value is "Finance_", then the claim's output is "BSimon". |

+| **Extract() - Before matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is "BSimon_US", the matching value is "_US", then the claim's output is "BSimon". |

+| **Extract() - Between matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is "Finance_BSimon_US", the first matching value is "Finance\_", the second matching value is "\_US", then the claim's output is "BSimon". |

+| **ExtractAlpha() - Prefix** | Returns the prefix alphabetical part of the string.<br/>For example, if the input's value is "BSimon_123", then it returns "BSimon". |

+| **ExtractAlpha() - Suffix** | Returns the suffix alphabetical part of the string.<br/>For example, if the input's value is "123_Simon", then it returns "Simon". |

+| **ExtractNumeric() - Prefix** | Returns the prefix numerical part of the string.<br/>For example, if the input's value is "123_BSimon", then it returns "123". |

+| **ExtractNumeric() - Suffix** | Returns the suffix numerical part of the string.<br/>For example, if the input's value is "BSimon_123", then it returns "123". |

+| **IfEmpty()** | Outputs an attribute or constant if the input is null or empty.<br/>For example, if you want to output an attribute stored in an extension attribute if the employee ID for a given user is empty. To perform this function, you configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1<br/>Parameter 3 (output if there's no match): user.employeeid |

+| **IfNotEmpty()** | Outputs an attribute or constant if the input isn't null or empty.<br/>For example, if you want to output an attribute stored in an extension attribute if the employee ID for a given user isn't empty. To perform this function, you configure the following values:<br/>Parameter 1(input): user.employeeid<br/>Parameter 2 (output): user.extensionattribute1 |

+| **Substring() - Fixed Length** (Preview)| Extracts parts of a string claim type, beginning at the character at the specified position, and returns the specified number of characters.<br/>SourceClaim - The claim source of the transform that should be executed.<br/>StartIndex - The zero-based starting character position of a substring in this instance.<br/>Length - The length in characters of the substring.<br/>For example:<br/>sourceClaim - PleaseExtractThisNow<br/>StartIndex - 6<br/>Length - 11<br/>Output: ExtractThis |

+| **Substring() - EndOfString** (Preview) | Extracts parts of a string claim type, beginning at the character at the specified position, and returns the rest of the claim from the specified start index. <br/>SourceClaim - The claim source of the transform that should be executed.<br/>StartIndex - The zero-based starting character position of a substring in this instance.<br/>For example:<br/>sourceClaim - PleaseExtractThisNow<br/>StartIndex - 6<br/>Output: ExtractThisNow |

+| **RegexReplace()** (Preview) | RegexReplace() transformation accepts as input parameters:<br/>- Parameter 1: a user attribute as regex input<br/>- An option to trust the source as multivalued<br/>- Regex pattern<br/>- Replacement pattern. The replacement pattern may contain static text format along with a reference that points to regex output groups and more input parameters.<br/><br/>More instructions about how to use the RegexReplace() transformation are described later in this article. |

+If you need other transformations, submit your idea in the [feedback forum in Azure AD](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) under the *SaaS application* category.

+## Regex-based claims transformation

+The following image shows an example of the first level of transformation:

+The following table provides information about the first level of transformations. The actions listed in the table correspond to the labels in the previous image. Select **Edit** to open the claims transformation blade.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Transformation` | Select the **RegexReplace()** option from the **Transformation** options to use the regex-based claims transformation method for claims transformation. |

+| 2 | `Parameter 1` | The input for the regular expression transformation. For example, user.mail that has a user email address such as `admin@fabrikam.com`. |

+| 3 | `Treat source as multivalued` | Some input user attributes can be multi-value user attributes. If the selected user attribute supports multiple values and the user wants to use multiple values for the transformation, they need to select **Treat source as multivalued**. If selected, all values are used for the regex match, otherwise only the first value is used. |

+| 4 | `Regex pattern` | A regular expression that is evaluated against the value of user attribute selected as *Parameter 1*. For example, a regular expression to extract the user alias from the user's email address would be represented as `(?'domain'^.*?)(?i)(\@fabrikam\.com)$`. |

+| 5 | `Add additional parameter` | More than one user attribute can be used for the transformation. The values of the attributes would then be merged with regex transformation output. Up to five more parameters are supported. |

+| 6 | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+The following image shows an example of the second level of transformation:

+The following table provides information about the second level of transformations. The actions listed in the table correspond to the labels in the previous image.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Transformation` | Regex-based claims transformations aren't limited to the first transformation and can be used as the second level transformation as well. Any other transformation method can be used as the first transformation. |

+| 2 | `Parameter 1` | If **RegexReplace()** is selected as a second level transformation, output of first level transformation is used as an input for the second level transformation. To apply the transformation, the second level regex expression should match the output of the first transformation. |

+| 3 | `Regex pattern` | **Regex pattern** is the regular expression for the second level transformation. |

+| 4 | `Parameter input` | User attribute inputs for the second level transformations. |

+| 5 | `Parameter input` | Administrators can delete the selected input parameter if they don't need it anymore. |

+| 6 | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome group name, input parameter group name, and static text value. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and {domain} is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+| 7 | `Test transformation` | The RegexReplace() transformation is evaluated only if the value of the selected user attribute for *Parameter 1* matches with the regular expression provided in the **Regex pattern** textbox. If they don't match, the default claim value is added to the token. To validate regular expression against the input parameter value, a test experience is available within the transform blade. This test experience operates on dummy values only. When more input parameters are used, the name of the parameter is added to the test result instead of the actual value. To access the test section, select **Test transformation**. |

+The following image shows an example of testing the transformations:

+The following table provides information about testing the transformations. The actions listed in the table correspond to the labels in the previous image.

+| Action | Field | Description |

+| :-- | :- | :- |

+| 1 | `Test transformation` | Select the close or (X) button to hide the test section and re-render the **Test transformation** button again on the blade. |

+| 2 | `Test regex input` | Accepts input that is used for the regular expression test evaluation. In case regex-based claims transformation is configured as a second level transformation, provide a value that is the expected output of the first transformation. |

+| 3 | `Run test` | After the test regex input is provided and the **Regex pattern**, **Replacement pattern** and **Input parameters** are configured, the expression can be evaluated by selecting **Run test**. |

+| 4 | `Test transformation result` | If evaluation succeeds, an output of test transformation is rendered against the **Test transformation result** label. |

+| 5 | `Remove transformation` | The second level transformation can be removed by selecting **Remove transformation**. |

+| 6 | `Specify output if no match` | When a regex input value is configured against the *Parameter 1* that doesn't match the **Regular expression**, the transformation is skipped. In such cases, the alternate user attribute can be configured, which is added to the token for the claim by checking **Specify output if no match**. |

+| 7 | `Parameter 3` | If an alternate user attribute needs to be returned when there's no match and **Specify output if no match** is checked, an alternate user attribute can be selected using the dropdown. This dropdown is available against **Parameter 3 (output if no match)**. |

+| 8 | `Summary` | At the bottom of the blade, a full summary of the format is displayed that explains the meaning of the transformation in simple text. |

+| 9 | `Add` | After the configuration settings for the transformation are verified, it can be saved to a claims policy by selecting **Add**. Select **Save** on the **Manage Claim** blade to save the changes. |

+RegexReplace() transformation is also available for the group claims transformations.

+### RegexReplace() transformation validations

+When the following conditions occur after **Add** or **Run test** is selected, a message is displayed that provides more information about the issue:

+* Input parameters with duplicate user attributes aren't allowed.

+* Unused input parameters found. Defined input parameters should have respective usage into the Replacement pattern text.

+* The provided test regex input doesn't match with the provided regular expression.

+* The source for the groups into the replacement pattern isn't found.

+## Add the UPN claim to SAML tokens

+The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#table-2-saml-restricted-claim-set), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](active-directory-optional-claims.md) through **App registrations** in the Azure portal.

+Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.

+## Emit claims based on conditions

+You can specify the source of a claim based on user type and the group to which the user belongs.

+The user type can be:

+* **Any** - All users are allowed to access the application.

+* **Members**: Native member of the tenant

+* **All guests**: User is brought over from an external organization with or without Azure AD.

+* **AAD guests**: Guest user belongs to another organization using Azure AD.

+* **External guests**: Guest user belongs to an external organization that doesn't have Azure AD.

+One scenario where the user type is helpful is when the source of a claim is different for a guest and an employee accessing an application. You can specify that if the user is an employee, the NameID is sourced from user.email. If the user is a guest, then the NameID is sourced from user.extensionattribute1.

+To add a claim condition:

+1. In **Manage claim**, expand the Claim conditions.

+1. Select the user type.

+1. Select the group(s) to which the user should belong. You can select up to 50 unique groups across all claims for a given application.

+1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the dropdown for the source attribute or apply a transformation to the user attribute. You can also select a directory schema extension (preview) before emitting it as a claim.

+The order in which you add the conditions are important. Azure AD first evaluates all conditions with source `Attribute` and then evaluates all conditions with source `Transformation` to decide which value to emit in the claim. Conditions with the same source are evaluated from top to bottom. The last value, which matches the expression is emitted in the claim. Transformations such as `IsNotEmpty` and `Contains` act like restrictions.

+For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs to another organization that also uses Azure AD. Given the following configuration for the Fabrikam application, when Britta tries to sign in to Fabrikam, the Microsoft identity platform evaluates the conditions.

+First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta.

+As another example, consider when Britta Simon tries to sign in and the following configuration is used. Azure AD first evaluates all conditions with source `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta.

+As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. In both cases the condition entry is ignored, and the claim falls back to `user.extensionattribute1` instead.

+## Advanced SAML claims options

+Advanced claims options can be configured for SAML2.0 applications to expose the same claim to OIDC tokens and vice versa for applications that intend to use the same claim for both SAML2.0 and OIDC response tokens.

+Advanced claim options can be configured by checking the box under **Advanced SAML Claims Options** in the **Manage claims** blade.

+The following table lists other advanced options that can be configured for an application.

+| Option | Description |

+|--|-|

+| Append application ID to issuer | Automatically adds the application ID to the issuer claim. This option ensures a unique claim value for each instance when there are multiple instances of the same application. This setting is ignored if a custom signing key isn't configured for the application. |

+| Override audience claim | Allows for the overriding of the audience claim sent to the application. The value provided must be a valid absolute URI. This setting is ignored if a custom signing key isn't configured for the application. |

+| Include attribute name format | If selected, Azure Active Directory adds an attribute called `NameFormat` that describes the format of the name to restricted, core, and optional claims for the application. For more information, see, [Claims mapping policy type](reference-claims-mapping-policy-type.md#claim-sets) |

+## Next steps

+* [Configure single sign-on for applications that aren't in the Azure AD application gallery](../manage-apps/configure-saml-single-sign-on.md)

+- [Customize claims issued in the JSON web token (JWT) for enterprise applications](jwt-claims-customization.md)

+### General Availability - System preferred MFA method

+**Type:** Changed feature

+**Service category:** Authentications (Logins)

+**Product capability:** Identity Security & Protection

+Currently, organizations and users rely on a range of authentication methods, each offering varying degrees of security. While Multifactor Authentication (MFA) is crucial, some MFA methods are more secure than others. Despite having access to more secure MFA options, users frequently choose less secure methods for various reasons.

+To address this challenge, we're introducing a new system-preferred authentication method for MFA. When users sign in, the system will determine and display the most secure MFA method that the user has registered. This prompts users to switch from the default method to the most secure option. While users may still choose a different MFA method, they'll always be prompted to use the most secure method first for every session that requires MFA. For more information, see: [System-preferred multifactor authentication - Authentication methods policy](../authentication/concept-system-preferred-multifactor-authentication.md).

+Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring our UX to parity with our [Create User APIS](/graph/api/user-post-users). Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).

+Token Protection for sign-in sessions is our first release on a road-map to combat attacks involving token theft and replay. It provides conditional access enforcement of token proof-of-possession for supported clients and services that ensure that access to specified resources is only from a device to which the user has signed in. For more information, see: [Conditional Access: Token protection (preview)](../conditional-access/concept-token-protection.md).

+By default, Microsoft 365 resources for your users are located in the same geo as your Azure AD tenant. For example, if the _Tenant_ is located in North America, then the users' Exchange mailboxes are also located in North America. For a multinational organization, this might not be optimal.

+> As of June 1, 2023, Multi-Geo is available for CSP partners to purchase, at a minimum of 5% of their customerΓÇÖs total Microsoft 365 subscription seats.

+>

+> Multi-Geo is also available to customers with an active Enterprise Agreement. Please talk to your Microsoft representative for details.

+With Azure AD Privileged Identity Management (Azure AD PIM), part of Microsoft Entra, you can manage the built-in Azure resource roles, and custom roles, including (but not limited to):

+ Title: Meet authorization requirements of memorandum 22-09

+description: Learn how to meet authorization requirements outlined in OMB memorandum 22-09.

+This article series has guidance to employ Azure Active Directory (Azure AD) as a centralized identity management system when implementing Zero Trust principles. See, US Office of Management and Budget (OMB) [M 22-09 Memorandum for the Heads of Executive Departments and Agencies](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

+The memo requirements are enforcement types in multifactor authentication policies, and controls for devices, roles, attributes, and privileged access management.

+A memorandum 22-09 requirement is at least one device-based signal for authorization decisions to access a system or application. Enforce the requirement by using Conditional Access. Apply several device signals during the authorization. See the following table for the signal and the requirement to retrieve the signal.

+| Device is managed| Integration with Intune or another mobile device management (MDM) solution supporting integration.

+Hybrid Azure AD joined| Active Directory manages the device, and it qualifies.

+| Device is compliant| Integration with Intune or another MDM solution supporting the integration. See, [Create a compliance policy in Microsoft Intune](/mem/intune/protect/device-compliance-get-started). |

+| Threat signals| Microsoft Defender for Endpoint and other endpoint detection and response (EDR) tools have Azure AD and Intune integrations that send threat signals to deny access. Threat signals support the compliant status signal. |

+| Cross-tenant access policies (public preview)| Trust device signals from devices in other organizations. |

+Use role-based access control (RBAC) to enforce authorizations through role assignments in a particular scope. For example, assign access by using entitlement management features, including access packages and access reviews. Manage authorizations with self-service requests and use automation to manage lifecycle. For example, automatically end access based on criteria.

+Learn more:

+* [What is entitlement management?](../governance/entitlement-management-overview.md)

+* [Create a new access package in entitlement management](../governance/entitlement-management-access-package-create.md)

+* [What are access reviews?](../governance/access-reviews-overview.md)

+Attribute-based access control (ABAC) uses metadata assigned to a user or resource to permit or deny access during authentication. See the following sections to create authorizations by using ABAC enforcements for data and resources through authentication.

+Use attributes assigned to users, stored in Azure AD, to create user authorizations. Users are automatically assigned to dynamic groups based on a rule set you define during group creation. Rules add or remove a user from the group based on rule evaluation against the user and their attributes. We recommend you maintain attributes and don't set static attributes on creation day.

+Learn more: [Create or update a dynamic group in Azure AD](../enterprise-users/groups-create-rule.md)

+With Azure AD, you can integrate authorization to the data. See the following sections to integrate authorization. You can configure authentication in Conditional Access policies: restrict actions users take in an application or on data. These authentication policies are then mapped in the data source.

+Data sources can be Microsoft Office files like Word, Excel, or SharePoint sites mapped to authentication. Use authentication assigned to data in applications. This approach requires integration with the application code and for developers to adopt the capability. Use authentication integration with Microsoft Defender for Cloud Apps to control actions taken on data through session controls.

+Combine dynamic groups with authentication context to control user access mappings between the data and the user attributes.

+Learn more:

+* [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md)

+* [Developer guide to Conditional Access authentication context](../develop/developer-guide-conditional-access-authentication-context.md)

+* [Session policies](/defender-cloud-apps/session-policy-aad)

+Azure includes attribute-based access control (Azure ABAC) for storage. Assign metadata tags on data stored in an Azure Blob Storage account. Assign the metadata to users by using role assignments to grant access.

+Learn more: [What is Azure attribute-based access control?](../../role-based-access-control/conditions-overview.md)

+## Privileged access management

+The memo cites the inefficiency of using of privileged access management tools with single-factor ephemeral credentials to access systems. These technologies include password vaults that accept multifactor authentication sign-in for an admin. These tools generate a password for an alternate account to access the system. System access occurs with a single factor.

+Microsoft tools implement Privileged Identity Management (PIM) for privileged systems with Azure AD as the central identity management system. Enforce multifactor authentication for most privileged systems that are applications, infrastructure elements, or devices.

+Use PIM for a privileged role, when it's implemented with Azure AD identities. Identify privileged systems that require protections to prevent lateral movement.

+Learn more:

+* [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)

+* [Plan a Privileged Identity Management deployment](../privileged-identity-management/pim-deployment-plan.md)

+## Next steps

+* [Meet identity requirements of memorandum 22-09 with Azure Active Directory](memo-22-09-meet-identity-requirements.md)

+* [Memo 22-09 enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md)

+* [Meet multifactor authentication requirements of memorandum 22-09](memo-22-09-multi-factor-authentication.md)

+* [Other areas of Zero Trust addressed in memorandum 22-09](memo-22-09-other-areas-zero-trust.md)

+* [Securing identity with Zero Trust](/security/zero-trust/deploy/identity)

+description: Guidance on meeting enterprise-wide identity management system requirements outlined in OMB memorandum 22-09.

+# Memo 22-09 enterprise-wide identity management system

+[M 22-09 Memorandum for Heads of Executive Departments and Agencies](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) requires agencies to develop a consolidation plan for their identity platforms. The goal is to have as few agency-managed identity systems as possible within 60 days of the publication date (March 28, 2022). There are several advantages to consolidating identity platform:

+* Centralize management of identity lifecycle, policy enforcement, and auditable controls

+* Reduce the need to train resources across multiple systems

+* Enable users to sign in once and then access applications and services in the IT environment

+* Integrate with as many agency applications as possible

+* Use shared authentication services and trust relationships to facilitate integration across agencies

+Use Azure Active Directory (Azure AD) to implement recommendations from memorandum 22-09. Azure AD has identity controls that support Zero Trust initiatives. With Microsoft Office 365 or Azure, Azure AD is an identity provider (IdP). Connect your applications and resources to Azure AD as your enterprise-wide identity system.

+The memo requires users sign in once and then access applications. With Microsoft single sign-on (SSO) users sign in once and then access cloud services and applications. See, [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md).

+Use Azure AD B2B collaboration to meet the requirement of facilitating integration and collaboration across agencies. Users can reside in a Microsoft tenant in the same cloud. Tenants can be on another Microsoft cloud, or in a non-Azure AD tenant (SAML/WS-Fed identity provider).

+With Azure AD cross-tenant access settings, agencies manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds:

+* Limit what Microsoft tenants users can access

+* Settings for external user access, including multifactor authentication enforcement and device signal

+Learn more:

+* [B2B collaboration overview](../external-identities/what-is-b2b.md)

+* [Azure AD B2B in government and national clouds](../external-identities/b2b-government-national-clouds.md)

+* [Federation with SAML/WS-Fed identity providers for guest users](..//external-identities/direct-federation.md)

+To consolidate and use Azure AD as the enterprise-wide identity system, review the assets that are in scope.

+Create an inventory of the applications and services users access. An identity management system protects what it knows.

+Asset classification:

+* The sensitivity of data therein

+* Laws and regulations for confidentiality, integrity, or availability of data and/or information in major systems

+ * Said laws and regulations that apply to system information protection requirements

+For your application inventory, determine applications that use cloud-ready protocols or legacy authentication protocols:

+* Cloud-ready applications support modern protocols for authentication:

+ * SAML

+ * WS-Federation/Trust

+ * OpenID Connect (OIDC)

+ * OAuth 2.0.

+* Legacy authentication applications rely on older or proprietary authentication methods:

+ * Kerberos/NTLM (Windows authentication)

+ * Header-based authentication

+ * LDAP

+ * Basic authentication

+Learn more [Azure AD integrations with authentication protocols](../fundamentals/auth-sync-overview.md

+#### Application and service discovery tools

+Microsoft offers the following tools to support application and service discovery.

+|Usage Analytics for Active Directory Federation Services (AD FS)| Analyzes federated server authentication traffic. See, [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md)|

+| Microsoft Defender for Cloud Apps| Scans firewall logs to detect cloud apps, infrastructure as a service (IaaS) services, and platform as a service (PaaS) services. Integrate Defender for Cloud Apps with Defender for Endpoint to discovery data analyzed from Windows client devices. See, [Microsoft Defender for Cloud Apps overview](/defender-cloud-apps/what-is-defender-for-cloud-apps)|

+| Application Discovery worksheet| Document the current states of your applications. See, [Application Discovery worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx)|

+Your apps might be in systems other than Microsoft, and Microsoft tools might not discover those apps. Ensure a complete inventory. Providers need mechanisms to discover applications that use their services.

+#### Prioritize applications for connection

+After you discover the applications in your environment, prioritize them for migration. Consider:

+* Business criticality

+* User profiles

+* Usage

+* Lifespan

+Learn more: [Migrate application authentication to Azure AD](https://aka.ms/migrateapps/whitepaper).

+Connect your cloud-ready apps in priority order. Determine the apps that use legacy authentication protocols.

+For apps that use legacy authentication protocols:

+* For apps with modern authentication, reconfigure them to use Azure AD

+ * Update the application code to use modern protocols by integrating the Microsoft Authentication Library (MSAL)

+ * Use Azure AD Application Proxy or secure hybrid partner access for secure access

+* Decommission access to apps no longer needed, or that aren't supported

+Learn more

+* [Azure AD integrations with authentication protocols](../fundamentals/auth-sync-overview.md)

+* [What is the Microsoft identity platform?](../develop/v2-overview.md)

+* [Secure hybrid access: Protect legacy apps with Azure AD](../manage-apps/secure-hybrid-access.md)

+Part of centralizing an identity management system is enabling users to sign in to physical and virtual devices. You can connect Windows and Linux devices in your centralized Azure AD system, which eliminates multiple, separate identity systems.

+During your inventory and scoping, identify the devices and infrastructure to be integrated with Azure AD. Integration centralizes your authentication and management by using Conditional Access policies with multifactor authentication enforced through Azure AD.

+### Tools to discover devices

+You can use Azure Automation accounts to identify devices through inventory collection connected to Azure Monitor. Microsoft Defender for Endpoint has device inventory features. Discover the devices that have Defender for Endpoint configured and those that don't. Device inventory comes from on-premises systems such as System Center Configuration Manager or other systems that manage devices and clients.

+Learn more:

+* [Manage inventory collection from VMs](../../automation/change-tracking/manage-inventory-vms.md)

+* [Microsoft Defender for Endpoint overview](/microsoft-365/security/defender-endpoint/machines-view-overview)

+* [Introduction to hardware inventory](/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory)

+### Integrate devices with Azure AD

+Devices integrated with Azure AD are hybrid-joined devices or Azure AD joined devices. Separate device onboarding by client and user devices, and by physical and virtual machines that operate as infrastructure. For more information about deployment strategy for user devices, see the following guidance.

+* [Plan your Azure AD device deployment](../devices/plan-device-deployment.md)

+* [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md)

+* [Azure AD joined devices](../devices/concept-azure-ad-join.md)

+* [Log in to a Windows virtual machine in Azure by using Azure AD including passwordless](../devices/howto-vm-sign-in-azure-ad-windows.md)

+* [Log in to a Linux virtual machine in Azure by using Azure AD and OpenSSH](../devices/howto-vm-sign-in-azure-ad-linux.md)

+* [Azure AD join for Azure Virtual Desktop](/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join)

+* [Device identity and desktop virtualization](../devices/howto-device-identity-virtual-desktop-infrastructure.md)

+* [Meet identity requirements of memorandum 22-09 with Azure AD](memo-22-09-meet-identity-requirements.md)

+* [Meet multifactor authentication requirements of memorandum 22-09](memo-22-09-multi-factor-authentication.md)

+* [Meet authorization requirements of memorandum 22-09](memo-22-09-authorization.md)

+* [Other areas of Zero Trust addressed in memorandum 22-09](memo-22-09-other-areas-zero-trust.md)

+* [Securing identity with Zero Trust](/security/zero-trust/deploy/identity)

+The [Executive Order on Improving the NationΓÇÖs Cybersecurity (14028)](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies to advance security measures that significantly reduce the risk of successful cyberattacks against federal government digital infrastructure. On January 26, 2022, in support of Executive Order (EO) 14028, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the federal Zero Trust strategy in [M 22-09 Memorandum for Heads of Executive Departments and Agencies](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).

+This article series has guidance to employ Azure Active Directory (Azure AD) as a centralized identity management system when implementing Zero Trust principles, as described in memorandum 22-09.

+Memorandum 22-09 supports Zero Trust initiatives in federal agencies. It has regulatory guidance for federal cybersecurity and data privacy laws. The memo cites the [US Department of Defense (DoD) Zero Trust Reference Architecture](https://cloudsecurityalliance.org/artifacts/dod-zero-trust-reference-architecture/):

+"*The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.*"

+The memo identifies five core goals for federal agencies to reach, organized with the Cybersecurity Information Systems Architecture (CISA) Maturity Model. The CISA Zero Trust model describes five complementary areas of effort, or pillars:

+* Identity

+* Devices

+* Networks

+* Applications and workloads

+* Data

+The pillars intersect with:

+* Visibility

+* Analytics

+* Automation

+* Orchestration

+* Governance

+## Scope of guidance

+Use the article series to build a plan to meet memo requirements. It assumes use of Microsoft 365 products and an Azure AD tenant.

+Learn more: [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md).

+The article series instructions encompass agency investments in Microsoft technologies that align with the memo's identity-related actions.

+* For agency users, agencies employ centralized identity management systems that can be integrated with applications and common platforms

+* Agencies use enterprise-wide, strong multi-factor authentication (MFA)

+ * MFA is enforced at the application layer, not the network layer

+ * For agency staff, contractors, and partners, phishing-resistant MFA is required

+ * For public users, phishing-resistant MFA is an option

+ * Password policies don't require special characters or regular rotation

+* When agencies authorize user access to resources, they consider at least one device-level signal, with identity information about the authenticated user

+* [Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md)

+* [Meet multifactor authentication requirements of memorandum 22-09](memo-22-09-multi-factor-authentication.md)

+* [Meet authorization requirements of memorandum 22-09](memo-22-09-authorization.md)

+* [Other areas of Zero Trust addressed in memorandum 22-09](memo-22-09-other-areas-zero-trust.md)

+* [Securing identity with Zero Trust](/security/zero-trust/deploy/identity)

+- To get started securing your `kubeconfig` file, see [Limit access to cluster configuration file](control-kubeconfig-access.md).

+- To get started with managed identities in AKS, see [Use a managed identity in AKS](./use-managed-identity.md).

+AKS uses a secure tunnel communication to allow the api-server and individual node kubelets to communicate even on separate virtual networks. The tunnel is secured through mTLS encryption. The current main tunnel that is used by AKS is [Konnectivity, previously known as apiserver-network-proxy](https://kubernetes.io/docs/tasks/extend-kubernetes/setup-konnectivity/). Verify all network rules follow the [Azure required network rules and FQDNs](limit-egress-traffic.md).

+ * For more information, see [Disable aad-pod-identity for a specific pod or application](./use-azure-ad-pod-identity.md#clean-up).

+| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Microsoft Azure Active Directory (Azure AD). | N/A | Steps to grant permission at [Azure AD Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md).

+> Keep the following information in mind when updating your cluster:

+ Title: Use an Azure AD workload identities on Azure Kubernetes Service (AKS)

+description: Learn about Azure Active Directory workload identity for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.

+[auto-rotation]: certificate-rotation.md#certificate-auto-rotation

+| [set-status](set-status-policy.md) | Sets the status code of the response. | No |

+| [set-header](set-header-policy.md) | Sets a header in the response. | No |

+| [set-body](set-body-policy.md) | Sets the body in the response. | No |

+### Usage notes

+- A liquid template doesn't work when specified inside the body (set using `set-body`) of the `return-response` policy. The `return-response` policy cancels the current execution pipeline and removes the request body and response body in the current context. As a result, a liquid template specified inside the policy receives an empty string as its input and won't produce the expected output.

+Apps in App Service are hosted on worker roles. Virtual network integration works by mounting virtual interfaces to the worker roles with addresses in the delegated subnet. The virtual interfaces used aren't resources customers have direct access to. Because the from address is in your virtual network, it can access most things in or through your virtual network like a VM in your virtual network would.

+The virtual network integration feature supports two virtual interfaces per worker. Two virtual interfaces per worker mean two virtual network integrations per App Service plan. In other words, an App Service plan can have virtual network integrations with up to two subnets/virtual networks. The apps in the same App Service plan can only use one of the virtual network integrations to a specific subnet, meaning an app can only have a single virtual network integration at a given time.

+### Network Watcher integration

+Connection troubleshoot and NSG diagnostics will return an error when running check and diagnostic tests.

+ font-size: @(Model.Settings.FontSize)px;

+5. [Convert](https://azure.github.io/kubelogin/cli/convert-kubeconfig.html) the kubelogin to use the appropriate [login mode](https://azure.github.io/kubelogin/concepts/login-modes.html). For example, for [device code login](https://azure.github.io/kubelogin/concepts/login-modes/devicecode.html) with an Azure Active Directory user, the commands would be as follows:

+> If you use private links on the agent, you must **only** add the [private data collection endpoints (DCEs)](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint). The agent does not use the non-private endpoints listed above when using private links/data collection endpoints.

+> [!NOTE]

+> OpenTelemetry announced the [sunsetting of OpenCensus](https://opentelemetry.io/blog/2023/sunsetting-opencensus/). Azure continues to support the Python OpenCensus SDK and will not drop support for it without at least one year of advance notification. A preview of our [OpenTelemetry-based Python offering](opentelemetry-enable.md?tabs=python) is available.

+ $ResourceId = "<ResourceId>" # Resource ID of the DCR to edit

+ $FilePath = "<FilePath>" # Store DCR content in this file

+> * Private Link is not supported with this feature.

+ | Data Manager for Energy | [OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) |

+* The [`externaldata` operator](/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor) isn't supported over a private link because it reads data from storage accounts but doesn't guarantee the storage is accessed privately.

+* The [Azure Data Explorer proxy (ADX proxy)](azure-monitor-data-explorer-proxy.md) allows log queries to query Azure Data Explorer. The ADX proxy isn't supported over a private link because it doesn't guarantee the targeted resource is accessed privately.

+description: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions.

+Snapshot Debugger currently works for ASP.NET and ASP.NET Core apps that are running on Azure Functions on Windows service plans.

+We recommend that you run your application on the Basic service tier or higher when you use Snapshot Debugger.

+## Prerequisite

+[Enable Application Insights monitoring in your Functions app](../../azure-functions/configure-monitoring.md#add-to-an-existing-function-app)

+To enable Snapshot Debugger in your Functions app, add the `snapshotConfiguration` property to your *host.json* file and redeploy your function. For example:

+Snapshot Debugger is preinstalled as part of the Azure Functions runtime and is disabled by default. Because it's included in the runtime, you don't need to add extra NuGet packages or application settings.

+In the simple .NET Core Function app example that follows, `.csproj`, `{Your}Function.cs`, and `host.json` have Snapshot Debugger enabled:

+`Project.csproj`

+Currently, the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide).

+The following example shows the `host.json` updated with the US Government Cloud agent endpoint:

+Here are the supported overrides of the Snapshot Debugger agent endpoint:

+To disable Snapshot Debugger in your Functions app, update your `host.json` file by setting the `snapshotConfiguration.isEnabled` property to `false`.

+* Generate traffic to your application that can trigger an exception. Then wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+* Customize Snapshot Debugger configuration based on your use case on your Functions app. For more information, see [Snapshot configuration in host.json](../../azure-functions/functions-host-json.md#applicationinsightssnapshotconfiguration).

+ Title: Upgrade Application Insights Snapshot Debugger

+description: Learn how to upgrade the Snapshot Debugger for .NET apps to the latest version on Azure App Services or via NuGet packages.

+# Upgrade the Snapshot Debugger

+To provide the best possible security for your data, Microsoft is moving away from TLS 1.0 and TLS 1.1 because these protocols are vulnerable to determined attackers. If you're using an older version of the site extension, it requires an upgrade to continue working. This article outlines the steps needed to upgrade your instance of Snapshot Debugger to the latest version.

+Depending on how you enabled the Snapshot Debugger, you can follow two primary upgrade paths:

+## Upgrade the site extension

+> Older versions of Application Insights used a private site extension called *Application Insights extension for Azure App Service*. The current Application Insights experience is enabled by setting App Settings to light up a preinstalled site extension.

+> To avoid conflicts, which might cause your site to stop working, delete the private site extension first. See step 4 in the following procedure.

+If you enabled the Snapshot Debugger by using the site extension, you can upgrade by following these steps:

+1. Go to your resource that has Application Insights and Snapshot Debugger enabled. For example, for a web app, go to the Azure App Service resource.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/app-service-resource.png" alt-text="Screenshot that shows an individual App Service resource named DiagService01.":::

+1. After you've moved to your resource, select the **Extensions** pane. Wait for the list of extensions to populate.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-site-extension-to-be-deleted.png" alt-text="Screenshot that shows App Service Extensions showing the Application Insights extension for Azure App Service installed.":::

+1. If any version of **Application Insights extension for Azure App Service** is installed, select it and select **Delete**. Confirm **Yes** to delete the extension. Wait for the delete process to finish before you move to the next step.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-site-extension-delete.png" alt-text="Screenshot that shows App Service Extensions showing Application Insights extension for Azure App Service with the Delete button.":::

+1. Go to the **Overview** pane of your resource and select **Application Insights**.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-button.png" alt-text="Screenshot that shows selecting the Application Insights button.":::

+1. If this is the first time you've viewed the **Application Insights** pane for this app service, you're prompted to turn on Application Insights. Select **Turn on Application Insights**.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/turn-on-application-insights.png" alt-text="Screenshot that shows the Turn on Application Insights button.":::

+1. On the **Application Insights settings** pane, switch the Snapshot Debugger setting toggles to **On** and select **Apply**.

+ If you decide to change *any* Application Insights settings, the **Apply** button is activated.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/view-application-insights-data.png" alt-text="Screenshot that shows Application Insights App Service Configuration page with the Apply button highlighted.":::

+1. After you select **Apply**, you're asked to confirm the changes.

+ > The site restarts as part of the upgrade process.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/apply-monitoring-settings.png" alt-text="Screenshot that shows the App Service Apply monitoring settings prompt.":::

+1. Select **Yes** to apply the changes and wait for the process to finish.

+The site is now upgraded and is ready to use.

+## Upgrade Snapshot Debugger by using SDK/NuGet

+If the application is using a version of `Microsoft.ApplicationInsights.SnapshotCollector` earlier than version 1.3.1, you must upgrade it to a [newer version](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) to continue working.

+ Title: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Services, and Virtual Machines | Microsoft Docs

+description: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Azure Cloud Services, and Azure Virtual Machines.

+# Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Services, and Virtual Machines

+If your ASP.NET or ASP.NET Core application runs in Azure App Service and requires a customized Snapshot Debugger configuration, or a preview version of .NET Core, start with [Enable Snapshot Debugger for .NET apps in Azure App Service](snapshot-debugger-app-service.md).

+If your application runs in Azure Service Fabric, Azure Cloud Services, Azure Virtual Machines, or on-premises machines, you can skip enabling Snapshot Debugger on App Service and follow the guidance in this article.

+Snapshots are collected _only_ on exceptions reported to Application Insights. In some cases (for example, older versions of the .NET platform), you might need to [configure exception collection](../app/asp-net-exceptions.md#exceptions) to see exceptions with snapshots in the portal.

+## Configure snapshot collection for apps by using ASP.NET Core LTS or above

+Snapshots are collected only on exceptions that are reported to Application Insights. You might need to modify your code to report them. The exception handling code depends on the structure of your application. Here's an example:

+- Generate traffic to your application that can trigger an exception. Then wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+ Title: Application Insights Snapshot Debugger for .NET apps

+description: Debug snapshots are automatically collected when exceptions are thrown in production .NET apps.

+When an exception occurs, you can automatically collect a debug snapshot from your live web application. The debug snapshot shows the state of source code and variables at the moment the exception was thrown.

+The Snapshot Debugger in [Application Insights](../app/app-insights-overview.md):

+To use the Snapshot Debugger, you:

+- Include the [Snapshot Collector NuGet package](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) in your application.

+- Configure collection parameters in [`ApplicationInsights.config`](../app/configuration-with-applicationinsights-config.md).

+The Snapshot Debugger is implemented as an [Application Insights telemetry processor](../app/configuration-with-applicationinsights-config.md#telemetry-processors-aspnet). When your application runs, the Snapshot Debugger telemetry processor is added to your application's system-generated logs pipeline.

+Each time your application calls [TrackException](../app/asp-net-exceptions.md#exceptions), the Snapshot Debugger computes a problem ID from the type of exception being thrown and the throwing method.

+Each time your application calls `TrackException`, a counter is incremented for the appropriate problem ID. When the counter reaches the `ThresholdForSnapshotting` value, the problem ID is added to a collection plan.

+The Snapshot Debugger also monitors exceptions as they're thrown by subscribing to the [AppDomain.CurrentDomain.FirstChanceException](/dotnet/api/system.appdomain.firstchanceexception) event. When that event fires, the problem ID of the exception is computed and compared against the problem IDs in the collection plan.

+If there's a match, a snapshot of the running process is created. The snapshot is assigned a unique identifier and the exception is stamped with that identifier. After the `FirstChanceException` handler returns, the thrown exception is processed as normal. Eventually, the exception reaches the `TrackException` method again. It's reported to Application Insights, along with the snapshot identifier.

+Snapshot creation tips:

+ * A process snapshot is a suspended clone of the running process.

+ * Creating the snapshot takes about 10 milliseconds to 20 milliseconds.

+ * The default value for `ThresholdForSnapshotting` is 1. This value is also the minimum. Your app has to trigger the same exception *twice* before a snapshot is created.

+ * Set `IsEnabledInDeveloperMode` to `true` if you want to generate snapshots while you debug in Visual Studio.

+ * The snapshot creation rate is limited by the `SnapshotsPerTenMinutesLimit` setting. By default, the limit is one snapshot every 10 minutes.

+ * No more than 50 snapshots per day can be uploaded.

+## Supported applications and environments

+This section lists the applications and environments that are supported.

+.NET Core versions prior to LTS are out of support and we don't recommend their use.

+* [Azure Functions](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running on Windows Server 2012 R2 or later

+* [Azure Virtual Machines and Azure Virtual Machine Scale Sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later

+> Client applications (for example, WPF, Windows Forms, or UWP) aren't supported.

+If you enabled the Snapshot Debugger but you aren't seeing snapshots, see the [Troubleshooting guide](snapshot-debugger-troubleshoot.md).

+Access to snapshots is protected by Azure role-based access control. To inspect a snapshot, you must first be added to the [Application Insights Snapshot Debugger](../../role-based-access-control/role-assignments-portal.md) role. Subscription owners can assign this role to individual users or groups for the target **Application Insights Snapshot**.

+For more information, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+> Snapshots might contain personal data or other sensitive information in variable and parameter values. Snapshot data is stored in the same region as your Application Insights resource.

+This section discusses limitations for the Snapshot Debugger.

+Version 15.2 (or above) of Visual Studio 2017 publishes symbols for release builds by default when it publishes to App Service. In prior versions, you must add the following line to your publish profile `.pubxml` file so that symbols are published in release mode:

+For Azure Compute and other types, make sure that the symbol files are in the same folder of the main application .dll (typically, `wwwroot/bin`). Or they must be available on the current path.

+For more information on the different symbol options that are available, see the [Visual Studio documentation](/visualstudio/ide/reference/advanced-build-settings-dialog-box-csharp). For best results, we recommend that you use *Full*, *Portable*, or *Embedded*.

+However, in App Service, the Snapshot Collector can deoptimize throwing methods that are part of its collection plan.

+> Install the Application Insights Site extension in your instance of App Service to get deoptimization support.

+## Release notes for Microsoft.ApplicationInsights.SnapshotCollector

+This article contains the release notes for the `Microsoft.ApplicationInsights.SnapshotCollector` NuGet package for .NET applications, which is used by the Application Insights Snapshot Debugger.

+For bug reports and feedback, [open an issue on GitHub](https://github.com/microsoft/ApplicationInsights-SnapshotCollector).

+Fixed [Exception during native component extraction when using a single file application.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/21)

+- Updated msdia140.dll.

+- Fixed [Hide the IMDS dependency from dependency tracker.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/17).

+- Fixed [ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/19).

+<br>Snapshot Collector used via SDK isn't supported when the Interop feature is enabled. See [More not supported scenarios](snapshot-debugger-troubleshoot.md#not-supported-scenarios).

+Fixed [ArgumentException: Delegates must be of the same type](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/16).

+Fixed [Method not found in WebJobs](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/15).

+Addressed multiple improvements and added support for Azure Active Directory (Azure AD) authentication for Application Insights ingestion.

+- Reduced Snapshot Collector package size by 60% from 10.34 MB to 4.11 MB.

+- Targeted netstandard2.0 only in Snapshot Collector.

+- Bumped Application Insights SDK dependency to 2.15.0.

+- Added back `MinidumpWithThreadInfo` when writing dumps.

+- Added `CompatibilityVersion` to improve synchronization between the Snapshot Collector agent and the Snapshot Uploader on breaking changes.

+- Changed `SnapshotUploader` LogFile naming algorithm to avoid excessive file I/O in App Service.

+- Added pid, role name, and process start time to uploaded blob metadata.

+- Used `System.Diagnostics.Process` where possible in Snapshot Collector and Snapshot Uploader.

+Added Azure AD authentication to `SnapshotCollector`. To learn more about Azure AD authentication in Application Insights, see [Azure AD authentication for Application Insights](../app/azure-ad-authentication.md).

+Fixed [ObjectDisposedException on shutdown](https://github.com/microsoft/ApplicationInsights-dotnet/issues/2097).

+A point release to address a problem discovered in testing the App Service codeless attach scenario.

+The `netcoreapp3.0` target now depends on `Microsoft.ApplicationInsights.AspNetCore` >= 2.1.1 (previously >= 2.1.2).

+- Fixed PDB discovery in the *wwwroot/bin* folder, which was broken when we changed the symbol search algorithm in 1.3.6.

+- Fixed noisy `ExtractWasCalledMultipleTimesException` in telemetry.

+The `netcoreapp2.0` target of `SnapshotCollector` depends on `Microsoft.ApplicationInsights.AspNetCore` >= 2.1.1 (again). This change reverts behavior to how it was before 1.3.5. We tried to upgrade it in 1.3.6, but it broke some App Service scenarios.

+Snapshot Collector reads and parses the `ConnectionString` from the APPLICATIONINSIGHTS_CONNECTION_STRING environment variable or from the `TelemetryConfiguration`. Primarily, it's used to set the endpoint for connecting to the Snapshot service. For more information, see the [Connection strings documentation](../app/sdk-connection-string.md).

+Switched to using `HttpClient` for all targets except `net45` because `WebRequest` was failing in some environments because of an incompatible `SecurityProtocol` (requires TLS 1.2).

+- `SnapshotCollector` now depends on `Microsoft.ApplicationInsights` >= 2.5.1 for all target frameworks. This requirement might be a breaking change if your application depends on an older version of the Microsoft.ApplicationInsights SDK.

+- Removed support for TLS 1.0 and 1.1 in Snapshot Uploader.

+- Period of PDB scans now defaults 24 hours instead of 15 minutes. Configurable via `PdbRescanInterval` on `SnapshotCollectorConfiguration`.

+- PDB scan searches top-level folders only, instead of recursive. This change might be a breaking change if your symbols are in subfolders of the binary folder.

+- Log rotation in `SnapshotUploader` to avoid filling the logs folder with old files.

+- Added symbols to NuGet package.

+- Set more metadata when you upload minidumps.

+- Added an `Initialized` property to `SnapshotCollectorTelemetryProcessor`. It's a `CancellationToken`, which is canceled when the Snapshot Collector is completely initialized and connected to the service endpoint.

+- Snapshots can now be captured for exceptions in dynamically generated methods. An example is the compiled expression trees generated by Entity Framework queries.

+- `AmbiguousMatchException` loading Snapshot Collector due to Status Monitor.

+- `GetSnapshotCollector` extension method now searches all `TelemetrySinks`.

+- Handle `InvalidOperationException` when you're deoptimizing dynamic methods (for example, Entity Framework).

+- Added support for sovereign clouds (older versions won't work in sovereign clouds).

+- Adding Snapshot Collector made easier by using `AddSnapshotCollector()`. For more information, see [Enable Snapshot Debugger for .NET apps in Azure App Service](./snapshot-debugger-app-service.md).

+- Use the FISMA MD5 setting for verifying blob blocks. This setting avoids the default .NET MD5 crypto algorithm, which is unavailable when the OS is set to FIPS-compliant mode.

+- Ignore .NET Framework frames when deoptimizing function calls. This behavior can be controlled by the `DeoptimizeIgnoredModules` configuration setting.

+- Added the `DeoptimizeMethodCount` configuration setting that allows deoptimization of more than one function call.

+- Allowed structured instrumentation keys.

+- Increased Snapshot Uploader robustness. Continue startup even if old uploader logs can't be moved.

+- Reenabled reporting more telemetry when *SnapshotUploader.exe* exits immediately (was disabled in 1.3.3).

+- Simplified internal telemetry.

+- **Experimental feature:** Snappoint collection plans: Add `snapshotOnFirstOccurence`. For more information, see [this GitHub article](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+Fixed bug that was causing *SnapshotUploader.exe* to stop responding and not upload snapshots for .NET Core apps.

+- **Experimental feature:** Snappoint collection plans. For more information, see [this GitHub article](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+- *SnapshotUploader.exe* exits when the runtime unloads the `AppDomain` from which `SnapshotCollector` is loaded, instead of waiting for the process to exit. This action improves the collector reliability when hosted in IIS.

+- Added configuration to allow multiple `SnapshotCollector` instances that are using the same instrumentation key to share the same `SnapshotUploader` process: `ShareUploaderProcess` (defaults to `true`).

+- Reported more telemetry when *SnapshotUploader.exe* exits immediately.

+- Reduced the number of support files *SnapshotUploader.exe* needs to write to disk.

+- Removed support for collecting snapshots with the RtlCloneUserProcess API and only support PssCaptureSnapshots API.

+- Increased the default limit on how many snapshots can be captured in 10 minutes from one to three.

+- Allow *SnapshotUploader.exe* to negotiate TLS 1.1 and 1.2.

+- Reported more telemetry when `SnapshotUploader` logs a warning or an error.

+- Stop taking snapshots when the back-end service reports the daily quota was reached (50 snapshots per day).

+- Added extra check in *SnapshotUploader.exe* to not allow two instances to run in the same time.

+- For applications that target .NET Framework, Snapshot Collector now depends on Microsoft.ApplicationInsights version 2.3.0 or above.

+We believe this change won't be an issue for most applications. Let us know if this change prevents you from using the latest Snapshot Collector.

+- Use `ServerTelemetryChannel` (if available) for more reliable reporting of telemetry.

+- Use `SdkInternalOperationsMonitor` on the initial connection to the Snapshot Debugger service so that it's ignored by dependency tracking.

+- Improved telemetry around initial connection to Snapshot Debugger.

+- Report more telemetry for the:

+ - App Service version.

+ - Azure Functions app.

+Fixed strong-name signing with Snapshot Uploader binaries.

+- The files needed for *SnapshotUploader(64).exe* are now embedded as resources in the main DLL. That means the `SnapshotCollectorFiles` folder is no longer created, which simplifies build and deployment and reduces clutter in Solution Explorer. Take care when you upgrade to review the changes in your `.csproj` file. The `Microsoft.ApplicationInsights.SnapshotCollector.targets` file is no longer needed.

+- Telemetry is logged to your Application Insights resource even if `ProvideAnonymousTelemetry` is set to false. This change is so that we can implement a health check feature in the Azure portal. `ProvideAnonymousTelemetry` affects only the telemetry sent to Microsoft for product support and improvement.

+- When `TempFolder` or `ShadowCopyFolder` are redirected to environment variables, keep the collector idle until those environment variables are set.

+- For applications that connect to the internet via a proxy server, Snapshot Collector now autodetects any proxy settings and passes them on to *SnapshotUploader.exe*.

+- Lower the priority of the `SnapshotUploader` process (where possible). This priority can be overridden via the `IsLowPrioirtySnapshotUploader` option.

+- Added a `GetSnapshotCollector` extension method on `TelemetryConfiguration` for scenarios where you want to configure the Snapshot Collector programmatically.

+- Fixed `NullReferenceException` when exceptions have null or immutable Data dictionaries.

+- Added an `ExcludeFromSnapshotting` extension method on `System.Exception` for scenarios where you know you have a noisy exception and want to avoid creating snapshots for it.

+- Added an `IsEnabledWhenProfiling` configuration property that defaults to true. This is a change from previous versions where snapshot creation was temporarily disabled if the Application Insights Profiler was performing a detailed collection. The old behavior can be recovered by setting this property to `false`.

+- Sign *SnapshotUploader64.exe* properly.

+- Fixed a bug with the expiration time of a collection plan, which could prevent snapshots after 24 hours.

+The biggest change in this version (hence the move to a new minor version number) is a rewrite of the snapshot creation and handling pipeline. In previous versions, this functionality was implemented in native code (*ProductionBreakpoints*.dll* and *SnapshotHolder*.exe*). The new implementation is all managed code with P/Invokes.

+For this first version using the new pipeline, we haven't strayed far from the original behavior. The new implementation allows for better error reporting and sets us up for future improvements.

+- *MinidumpUploader.exe* has been renamed to *SnapshotUploader.exe* (or *SnapshotUploader64.exe*).

+- Log the original folder name (*SnapshotCollectorFiles*) when shadow-copying.

+- Adjusted memory limits for 64-bit processes to prevent site restarts due to OOM.

+- Fixed an issue where snapshots were still collected even after disabling.

+- Improved snapshot speed by removing "Source" from the problem ID.

+- Augmented usage telemetry.

+- Detect and report .NET version and OS.

+- Detect and report more Azure environments (Azure Cloud Services, Azure Service Fabric).

+- Record and report exception metrics (number of first-chance exceptions and the number of `TrackException` calls) in Heartbeat telemetry.

+- Correct handling of `SqlException` where the inner exception (Win32Exception) isn't thrown.

+- Trimmed trailing spaces on symbol folders, which caused an incorrect parse of command-line arguments to the `MinidumpUploader`.

+- Prevented infinite retry of failed connections to the Snapshot Debugger agent's endpoint.

+- Improved the Azure portal snapshot viewing experience.

+Enable the Application Insights Snapshot Debugger for your application:

+* [Azure Functions](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Smart detection](../alerts/proactive-diagnostics.md) automatically discovers performance anomalies.

+The `subscription` and `resourceGroup` elements enable you to specify more validations. The syntax for specifying validations is identical to the custom validation for [text box](microsoft-common-textbox.md). You can also specify `permission` validations on the subscription or resource group.

+The subscription control accepts a list of resource provider namespaces. For example, you can specify **Microsoft.Compute**. It shows an error message when the user selects a subscription that doesn't support the resource provider. The error occurs when the resource provider isn't registered on that subscription, and the user doesn't have permission to register the resource provider.

+The resource group control has an option for `allowExisting`. When `true`, the users can select resource groups that already have resources. This flag is most applicable to solution templates, where default behavior mandates users must select a new or empty resource group. In most other scenarios, specifying this property isn't necessary.

+For `location`, specify the properties for the location control you wish to override. Any properties not overridden are set to their default values. `resourceTypes` accepts an array of strings containing fully qualified resource type names. The location options are restricted to only regions that support the resource types. `allowedValues` accepts an array of region strings. Only those regions appear in the dropdown. You can set both `allowedValues` and `resourceTypes`. The result is the intersection of both lists. Lastly, the `visible` property can be used to conditionally or completely disable the location dropdown. 

+```

+ - **Website name**: Enter a name that meets the criteria specified on the form, like _demotrainingsite_. Your website name should be globally unique across Azure.

+ - **Org admin's mobile number**: Enter a valid mobile phone number including the country/region code, in the format _+1 1234567890_. The phone number is used to sign in to the training site.

+The deployment begins and because many resources are created, the Azure deployment takes about 20 minutes to finish. You can verify the Azure deployments before the website becomes available.

+1. To review the publisher's permissions in the managed resource group, select **Access Control (IAM)** > **Role assignments**.

+The site might respond with a page that the deployment is still processing.

+When you delete the **demo-marketplace-app** resource group, the managed application, managed resource group, and all the Azure resources are deleted.

+- For a description of common properties in UI elements, see [CreateUiDefinition elements](create-uidefinition-elements.md).

+ - **OnOnly** ΓÇô A system assigned identity is assigned to the resource. Users can't edit this value during deployment.

+- For a description of common properties in UI elements, see [CreateUiDefinition elements](create-uidefinition-elements.md).

+* To deploy a managed application, see [Deploy service catalog app through Azure portal](deploy-service-catalog-quickstart.md).

+ Title: Managed app with managed identity

+description: Configure an Azure Managed Application with managed identity for linking to existing resources, managing Azure resources, and providing operational identity for Activity Log.

+# Azure Managed Application with managed identity

+> Managed identity support for Azure Managed Applications is currently in preview. Please use the 2018-09-01-preview api version to utilize managed identity.

+Learn how to configure a managed application to contain a managed identity. A managed identity can be used to allow the customer to grant the managed application access to existing resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more about managed identities in Azure Active Directory (Azure AD), see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

+- A **system-assigned managed identity** is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned managed identity.

+- A **user-assigned managed identity** is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned managed identities.

+## How to use managed identity

+Managed identity enables many scenarios for managed applications. Some common scenarios that can be solved are:

+- Deploying a managed application linked to existing Azure resources. An example is deploying an Azure virtual machine (VM) within the managed application that is attached to an [existing network interface](../../virtual-network/virtual-network-network-interface-vm.md).

+- Granting the managed application and publisher access to Azure resources outside the managed resource group.

+- Providing an operational identity of managed applications for Activity Log and other services within Azure.

+## Adding managed identity

+Creating a managed application with a managed identity requires another property to be set on the Azure resource. The following example shows a sample **identity** property:

+ "type": "SystemAssigned, UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userassignedidentites/myuserassignedidentity": {}

+ }

+There are two common ways to create a managed application with **identity**: [createUiDefinition.json](./create-uidefinition-overview.md) and [Azure Resource Manager templates](../templates/syntax.md). For simple single create scenarios, _createUiDefinition_ should be used to enable managed identity, because it provides a richer experience. However, when dealing with advanced or complex systems that require automated or multiple managed application deployments, templates can be used.

+### Using createUiDefinition

+A managed application can be configured with managed identity through the [createUiDefinition.json](./create-uidefinition-overview.md). In the [outputs section](./create-uidefinition-overview.md#outputs), the key `managedIdentity` can be used to override the identity property of the managed application template. The following sample enables a system-assigned managed identity on the managed application. More complex identity objects can be formed by using _createUiDefinition_ elements to ask the consumer for inputs. These inputs can be used to construct managed applications with user-assigned managed identity.

+ "managedIdentity": { "Type": "SystemAssigned" }

+#### When to use createUiDefinition for managed identity

+The following are some recommendations on when to use _createUiDefinition_ to enable a managed identity on managed applications.

+- The managed application creation goes through the Azure portal or Azure Marketplace.

+- The managed identity requires complex consumer input.

+- The managed identity is needed on creation of the managed application.

+#### Managed identity createUiDefinition control

+The _createUiDefinition.json_ supports a built-in [managed identity control](./microsoft-managedidentity-identityselector.md).

+> Marketplace managed application templates are automatically generated for customers going through the Azure portal create experience.

+> For these scenarios, the `managedIdentity` output key on the _createUiDefinition_ must be used to enabled identity.

+The managed identity can also be enabled through Azure Resource Manager templates. The following sample enables a system-assigned managed identity on the managed application. More complex identity objects can be formed by using Azure Resource Manager template parameters to provide inputs. These inputs can be used to construct managed applications with user-assigned managed identity.

+#### When to use Azure Resource Manager templates for managed identity

+The following are some recommendations on when to use Azure Resource Manager templates for enabling managed identity on managed applications.

+- Managed applications can be programmatically deployed based on a template.

+- Custom role assignments for the managed identity are needed to provision the managed application.

+- The managed application doesn't need the Azure portal and Marketplace creation flow.

+A basic Azure Resource Manager template that deploys a managed application with system-assigned managed identity.

+ {

+ "type": "Microsoft.Solutions/applications",

+ "name": "[parameters('applicationName')]",

+ "apiVersion": "2018-09-01-preview",

+ "location": "[parameters('location')]",

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "properties": {

+ "ManagedResourceGroupId": "[parameters('managedByResourceGroupId')]",

+ "parameters": { }

+ }

+A basic Azure Resource Manager template that deploys a managed application with a user-assigned managed identity.

+ {

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",

+ "name": "[parameters('managedIdentityName')]",

+ "apiVersion": "2018-11-30",

+ "location": "[parameters('location')]"

+ },

+ {

+ "type": "Microsoft.Solutions/applications",

+ "name": "[parameters('applicationName')]",

+ "apiVersion": "2018-09-01-preview",

+ "location": "[parameters('location')]",

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('managedIdentityName'))]": {}

+ },

+ "properties": {

+ "ManagedResourceGroupId": "[parameters('managedByResourceGroupId')]",

+ "parameters": { }

+ }

+Once a managed application is granted an identity, it can be granted access to existing Azure resources by creating a role assignment.

+To do so, search for and select the name of the managed application or user-assigned managed identity, and then select **Access control (IAM)**. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+> A user-assigned managed identity must be [configured](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) before deploying the managed application. In addition, linked resource deployment of managed applications is only supported for the _Marketplace_ kind.

+Managed identity can also be used to deploy a managed application that requires access to existing resources during its deployment. When the customer provisions the managed application, user-assigned managed identities can be added to provide more authorizations to the _mainTemplate_ deployment.

+### Authoring the createUiDefinition with a linked resource

+When linking the deployment of the managed application to existing resources, both the existing Azure resource and a user-assigned managed identity with the applicable role assignment on that resource must be provided.

+ A sample _createUiDefinition.json_ that requires two inputs: a network interface resource ID and a user assigned managed identity resource ID.

+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",

+ "handler": "Microsoft.Azure.CreateUIDef",

+ "version": "0.1.2-preview",

+ "parameters": {

+ "basics": [

+ {}

+ ],

+ "steps": [

+ {

+ "name": "managedApplicationSetting",

+ "label": "Managed Application Settings",

+ "subLabel": {

+ "preValidation": "Managed Application Settings",

+ "postValidation": "Done"

+ },

+ "bladeTitle": "Managed Application Settings",

+ "elements": [

+ {

+ "name": "networkInterfaceId",

+ "type": "Microsoft.Common.TextBox",

+ "label": "Network interface resource ID",

+ "defaultValue": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Network/networkInterfaces/existingnetworkinterface",

+ "toolTip": "Must represent the identity as an Azure Resource Manager resource identifer format ex. /subscriptions/sub1/resourcegroups/myGroup/providers/Microsoft.Network/networkInterfaces/networkinterface1",

+ "visible": true

+ },

+ {

+ "name": "userAssignedId",

+ "type": "Microsoft.Common.TextBox",

+ "label": "User-assigned managed identity resource ID",

+ "defaultValue": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userassignedidentites/myuserassignedidentity",

+ "toolTip": "Must represent the identity as an Azure Resource Manager resource identifer format ex. /subscriptions/sub1/resourcegroups/myGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",

+ "visible": true

+ }

+ ]

+ }

+ ],

+ "outputs": {

+ "existingNetworkInterfaceId": "[steps('managedApplicationSetting').networkInterfaceId]",

+ "managedIdentity": "[parse(concat('{\"Type\":\"UserAssigned\",\"UserAssignedIdentities\":{',string(steps('managedApplicationSetting').userAssignedId),':{}}}'))]"

+ }

+This _createUiDefinition.json_ generates a create user experience that has two fields. The first field allows the user to enter in the Azure resource ID for the resource being linked to the managed application deployment. The second is for a consumer to enter the user-assigned managed identity Azure resource ID, which has access to the linked Azure resource. The generated experience would look like:

+In addition to updating the _createUiDefinition_, the main template also needs to be updated to accept the passed in linked resource ID. The main template can be updated to accept the new output by adding a new parameter. Since the `managedIdentity` output overrides the value on the generated managed application template, it isn't passed to the main template and shouldn't be included in the parameters section.

+A sample main template that sets the network profile to an existing network interface provided by the _createUiDefinition.json_.

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "existingNetworkInterfaceId": { "type": "string" }

+ },

+ "variables": {

+ },

+ "resources": [

+ {

+ "apiVersion": "2016-04-30-preview",

+ "type": "Microsoft.Compute/virtualMachines",

+ "name": "myLinkedResourceVM",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ …,

+ "networkProfile": {

+ "networkInterfaces": [

+ {

+ "id": "[parameters('existingNetworkInterfaceId')]"

+ ]

+ }

+ }

+ ]

+### Consuming the managed application with a linked resource

+Once the managed application package is created, the managed application can be consumed through the Azure portal. Before it can be consumed, there are several prerequisite steps.

+- The user-assigned managed identity must be [created and given role assignments](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) to the linked resource.

+- The existing linked resource ID and the user-assigned managed identity ID are provided to the _createUiDefinition_.

+## Accessing the managed identity token

+The token of the managed application can now be accessed through the `listTokens` api from the publisher tenant. An example request might look like:

+ "authorizationAudience": "https://management.azure.com/",

+ "userAssignedIdentities": [

+ "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userAssignedIdentityName}"

+ ]

+| Parameter | Required | Description |

+| || |

+| `authorizationAudience` | _no_ | The App ID URI of the target resource. It also is the `aud` (audience) claim of the issued token. The default value is "https://management.azure.com/" |

+| `userAssignedIdentities` | _no_ | The list of user-assigned managed identities to retrieve a token for. If not specified, `listTokens` returns the token for the system-assigned managed identity. |

+ "value": [

+ {

+ "access_token": "eyJ0eXAi…",

+ "expires_in": "2…",

+ "expires_on": "1557…",

+ "not_before": "1557…",

+ "authorizationAudience": "https://management.azure.com/",

+ "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Solutions/applications/{applicationName}",

+ "token_type": "Bearer"

+ }

+ ]

+The response contains an array of tokens under the `value` property:

+| Parameter | Description |

+| | |

+| `access_token` | The requested access token. |

+| `expires_in` | The number of seconds the access token is valid. |

+| `expires_on` | The timespan when the access token expires. This value is represented as the number of seconds from epoch. |

+| `not_before` | The timespan when the access token takes effect. This value is represented as the number of seconds from epoch. |

+| `authorizationAudience` | The `aud` (audience) the access token was request for. This value is the same as what was provided in the `listTokens` request. |

+| `resourceId` | The Azure resource ID for the issued token. This value is either the managed application ID or the user-assigned managed identity ID. |

+| `token_type` | The type of the token. |

+> [How to configure a managed application with a custom provider](../custom-providers/overview.md)

+After validating your portal interface, learn about making your [Azure managed application available in the Marketplace](../../marketplace/azure-app-offer-setup.md).

+Azure Video Indexer is now integrated with Azure Resource Health enabling you to see the health and availability of each of your Azure Video Indexer resources. Azure Resource Health also helps with diagnosing and solving problems and you can set alerts to be notified whenever your resources are affected. For more information, see [Azure Resource Health overview](../service-health/resource-health-overview.md).

+ Title: Enable Public IP on the NSX-T Data Center Edge for Azure VMware Solution

+# Enable Public IP on the NSX-T Data Center Edge for Azure VMware Solution

+In this article, you'll learn how to enable Public IP on the NSX-T Data Center Edge for your Azure VMware Solution.

+Public IP on the NSX-T Data Center Edge is a feature in Azure VMware Solution that enables inbound and outbound internet access for your Azure VMware Solution environment.

+- DDoS Security protection against network traffic in and out of the internet.

+The architecture shows internet access to and from your Azure VMware Solution private cloud using a Public IP directly to the NSX-T Data Center Edge.

+| Private Cloud DNS server | On-premises DNS Server | UDP | 53 | DNS Client - Forward requests from Private Cloud vCenter Server for any on-premises DNS queries (check DNS section below) |

+| HCX Manager | Interconnect (HCX-IX), Network Extension (HCX-NE) | TCP (HTTPS) | 9443 | Send management instructions to the local HCX Interconnect using the REST API. |

+[Full list of VMware HCX port requirements](https://ports.esp.vmware.com/home/VMware-HCX)

+- Private endpoint resources can be created in different subscription as the Batch account, but the subscription must be registered with [**Microsoft.Batch** resource provider](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+description: Learn how to mount different kinds of virtual file systems on Batch pool nodes, and how to troubleshoot mounting issues.

+Azure Batch supports mounting cloud storage or an external file system on Windows or Linux compute nodes in Batch pools. When a compute node joins the pool, the virtual file system mounts and acts as a local drive on that node. This article shows you how to mount a virtual file system on a pool of compute nodes by using the [Batch Management Library for .NET](/dotnet/api/overview/azure/batch).

+Mounting the file system to the pool makes accessing data easier and more efficient than requiring tasks to get their own data from a large shared data set. Consider a scenario where multiple tasks need access to a common set of data, like rendering a movie. Each task renders one or more frames at once from the scene files. By mounting a drive that contains the scene files, it's easier for each compute node to access the shared data.

+Also, you can choose the underlying file system to meet performance, throughout, and input/output operations per second (IOPS) requirements. You can independently scale the file system based on the number of compute nodes that concurrently access the data.

+For example, you could use an [Avere vFXT](/azure/avere-vfxt/avere-vfxt-overview) distributed in-memory cache to support large movie-scale renders with thousands of concurrent render nodes that access on-premises source data. Or, for data that's already in cloud-based blob storage, you can use [BlobFuse](/azure/storage/blobs/storage-how-to-mount-container-linux) to mount the data as a local file system. BlobFuse is available only on Linux nodes except Ubuntu 22.04, but [Azure Files](/azure/storage/files/storage-files-introduction) provides a similar workflow and is available on both Windows and Linux.

+## Supported configurations

+You can mount the following types of file systems:

+- Network File System (NFS), including an [Avere vFXT cache](/azure/avere-vfxt/avere-vfxt-overview)

+Batch supports the following virtual file system types for node agents that are produced for their respective publisher and offer.

+| OS Type | Azure Files share | Azure Blob container | NFS mount | CIFS mount |

+||||||

+| Linux | :heavy_check_mark: | :heavy_check_mark:* | :heavy_check_mark: | :heavy_check_mark: |

+| Windows | :heavy_check_mark: | :x: | :x: | :x: |

+\*Azure Blob container isn't supported on Ubuntu 22.04.

+> Mounting a virtual file system isn't supported on Batch pools created before August 8, 2019.

+## Networking requirements

+When you use virtual file mounts with Batch pools in a virtual network, keep the following requirements in mind, and ensure that no required traffic is blocked. For more information, see [Batch pools in a virtual network](batch-virtual-network.md).

+- **Azure Files shares** require TCP port 445 to be open for traffic to and from the `storage` service tag. For more information, see [Use an Azure file share with Windows](/azure/storage/files/storage-how-to-use-files-windows#prerequisites).

+- **Azure Blob containers** require TCP port 443 to be open for traffic to and from the `storage` service tag. Virtual machines (VMs) must have access to `https://packages.microsoft.com` to download the `blobfuse` and `gpg` packages. Depending on your configuration, you might need access to other URLs.

+- **Network File System (NFS)** requires access to port 2049 by default. Your configuration might have other requirements. VMs must have access to the appropriate package manager to download the `nfs-common` (for Debian or Ubuntu) or `nfs-utils` (for CentOS) packages. The URL might vary based on your OS version. Depending on your configuration, you might also need access to other URLs.

+

+ Mounting Azure Blob or Azure Files through NFS might have more networking requirements. For example, your compute nodes might need to use the same virtual network subnet as the storage account.

+- **Common Internet File System (CIFS)** requires access to TCP port 445. VMs must have access to the appropriate package manager to download the `cifs-utils` package. The URL might vary based on your OS version.

+## Mounting configuration and implementation

+To mount a file system on a pool, you create a [MountConfiguration](/dotnet/api/microsoft.azure.batch.mountconfiguration) object that matches your virtual file system: `AzureBlobFileSystemConfiguration`, `AzureFileShareConfiguration`, `NfsMountConfiguration`, or `CifsMountConfiguration`.

+All mount configuration objects need the following base parameters. Some mount configurations have specific parameters for the particular file system, which the [code examples](#example-mount-configurations) present in more detail.

+- **Account name or source** of the storage account.

+- **Relative mount path or source**, the location of the file system to mount on the compute node, relative to the standard *\\fsmounts* directory accessible via `AZ_BATCH_NODE_MOUNTS_DIR`.

+ The exact *\\fsmounts* directory location varies depending on node OS. For example, the location on an Ubuntu node maps to *mnt\batch\tasks\fsmounts*. On a CentOS node, the location maps to *mnt\resources\batch\tasks\fsmounts*.

+- **Mount options or BlobFuse options** that describe specific parameters for mounting a file system.

+When you create the pool and the `MountConfiguration` object, you assign the object to the `MountConfigurationList` property. Mounting for the file system happens when a node joins the pool, restarts, or is reimaged.

+The Batch agent implements mounting differently on Windows and Linux.

+- On Linux, Batch installs the package `cifs-utils`. Then, Batch issues the mount command.

+- On Windows, Batch uses `cmdkey` to add your Batch account credentials. Then, Batch issues the mount command through `net use`. For example:

+ ```powershell

+ net use S: \\<storage-account-name>.file.core.windows.net\<fileshare> /u:AZURE\<storage-account-name> <storage-account-key>

+ ```

+Mounting the file system creates an environment variable `AZ_BATCH_NODE_MOUNTS_DIR`, which points to the location of the mounted file system and log files. You can use the log files for troubleshooting and debugging.

+## Mount an Azure Files share with PowerShell

+You can use [Azure PowerShell](/powershell/) to mount an Azure Files share on a Windows or Linux Batch pool. The following procedure walks you through configuring and mounting an Azure file share file system on a Batch pool.

+> The maximum number of mounted file systems on a pool is 10. For details and other limits, see [Batch service quotas and limits](batch-quota-limit.md#other-limits).

+### Prerequisites

+- An Azure account with an active subscription.

+- [Azure PowerShell](/powershell/azure/install-azure-powershell) installed, or use [Azure Cloud Shell](https://shell.azure.com) and select **PowerShell** for the interface.

+- An existing Batch account with a linked Azure Storage account that has a file share.

+1. Sign in to your Azure subscription, replacing the placeholder with your subscription ID.

+1. Get the context for your Batch account. Replace the `<batch-account-name>` placeholder with your Batch account name.

+1. Create a Batch pool with the following settings. Replace the `<storage-account-name>` , `<storage-account-key>`, and `<file-share-name>` placeholders with the values from the storage account that's linked to your Batch account. Replace the `<pool-name>` placeholder with the name you want for the pool.

+ The following script creates a pool with one Windows Server 2016 Datacenter, Standard_D2_V2 size node, and then mounts the Azure file share to the *S* drive of the node.

+ $fileShareConfig = New-Object -TypeName "Microsoft.Azure.Commands.Batch.Models.PSAzureFileShareConfiguration" -ArgumentList @("<storage-account-name>", "https://<storage-account-name>.file.core.windows.net/batchfileshare1", "S", "<storage-account-key>")

+ New-AzBatchPool -Id "<pool-name>" -VirtualMachineSize "STANDARD_D2_V2" -VirtualMachineConfiguration $configuration -TargetDedicatedComputeNodes 1 -MountConfiguration @($mountConfig) -BatchContext $context

+1. Connect to the node and check that the output file is correct.

+### Access the mounted files

+Azure Batch tasks can access the mounted files by using the drive's direct path, for example:

+```powershell-interactive

+cmd /c "more S:\folder1\out.txt & timeout /t 90 > NULL"

+```

+The Azure Batch agent grants access only for Azure Batch tasks. If you use Remote Desktop Protocol (RDP) to connect to the node, your user account doesn't have automatic access to the mounting drive. When you connect to the node over RDP, you must add credentials for the storage account to access the *S* drive directly.

+Use `cmdkey` to add the credentials. Replace the `<storage-account-name>` and `<storage-account-key`> placeholders with your own information.

+```powershell-interactive

+cmdkey /add:"<storage-account-name>.file.core.windows.net" /user:"Azure\<storage-account-name>" /pass:"<storage-account-key>"

+```

+1. Sign in to your Azure subscription, replacing the placeholder with your subscription ID.

+1. Get the context for your Batch account, replacing the placeholder with your Batch account name.

+1. Create a Batch pool with the following settings. Replace the `<storage-account-name>` , `<storage-account-key>`, and `<file-share-name>` placeholders with the values from the storage account that's linked to your Batch account. Replace the `<pool-name>` placeholder with the name you want for the pool.

+ The following script creates a pool with one Ubuntu 20.04, Standard_DS1_v2 size node, and then mounts the Azure file share to the *S* drive of the node.

+ $fileShareConfig = New-Object -TypeName "Microsoft.Azure.Commands.Batch.Models.PSAzureFileShareConfiguration" -ArgumentList @("<storage-account-name>", https://<storage-account-name>.file.core.windows.net/<file-share-name>, "S", "<storage-account-key>", "-o vers=3.0,dir_mode=0777,file_mode=0777,sec=ntlmssp")

+ $imageReference = New-Object -TypeName "Microsoft.Azure.Commands.Batch.Models.PSImageReference" -ArgumentList @("0001-com-ubuntu-server-focal", "canonical", "20_04-lts", "latest")

+ New-AzBatchPool -Id "<pool-name>" -VirtualMachineSize "Standard_DS1_v2" -VirtualMachineConfiguration $configuration -TargetDedicatedComputeNodes 1 -MountConfiguration @($mountConfig) -BatchContext $Context

+1. Connect to the node and check that the output file is correct.

+### Access the mounted files

+You can access the mounted files by using the environment variable `AZ_BATCH_NODE_MOUNTS_DIR`. For example:

+```bash

+/bin/bash -c 'more $AZ_BATCH_NODE_MOUNTS_DIR/S/folder1/out.txt; sleep 20s'

+```

+Optionally, you can also access the mount files by using the direct path. If you use SSH to connect to the node, you can manually access the *S* drive directly. Use the path */mnt/batch/tasks/fsmounts/S*.

+## Troubleshoot mount issues

+If a mount configuration fails, the compute node fails and the node state is set to **Unusable**. To diagnose a mount configuration failure, inspect the [ComputeNodeError](/rest/api/batchservice/computenode/get#computenodeerror) property for details on the error.

+To get log files for debugging, you can use the [OutputFiles](batch-task-output-files.md#specify-output-files-for-task-output) API to upload the *\*.log* files. The *\*.log* files contain information about the file system mount at the `AZ_BATCH_NODE_MOUNTS_DIR` location. Mount log files have the format: *\<type>-\<mountDirOrDrive>.log* for each mount. For example, a CIFS mount at a mount directory named *test* has a mount log file named: *cifs-test.log*.

+### Investigate mounting errors

+If you get the following error when you try to mount an Azure file share to a Batch node, you can RDP or SSH to the node to check the related log files.

+1. Open the log file *fshare-S.log*, at *D:\batch\tasks\fsmounts*.

+1. Review the error messages, for example:

+1. Troubleshoot the problem by using the [Azure file shares troubleshooter](https://support.microsoft.com/help/4022301/troubleshooter-for-azure-files-shares).

+1. Open the log file *fshare-S.log* at */mnt/batch/tasks/fsmounts*.

+1. Review the error messages, for example `mount error(13): Permission denied`.

+1. Troubleshoot the problem by using [Troubleshoot Azure Files connectivity and access issues (SMB)](/azure/storage/files/files-troubleshoot-smb-connectivity).

+If you can't use RDP or SSH to check the log files on the node, you can upload the logs to your Azure storage account. You can use this method for both Windows and Linux logs.

+1. In the [Azure portal](https://portal.azure.com), search for and select the Batch account that has your pool.

+1. On the Batch account page, select **Pools** from the left navigation.

+1. On the **Pools** page, select the pool's name.

+1. On the pool's page, select **Nodes** from the left navigation.

+1. On the **Nodes** page, select the node's name.

+1. On the node's page, select **Upload batch logs**.

+1. On the **Upload batch logs** pane, select **Pick storage container**.

+1. On the **Storage accounts** page, select a storage account.

+1. On the **Containers** page, select or create a container to upload the files to, and select **Select**.

+1. Select **Start upload**.

+1. When the upload completes, download the files and open *agent-debug.log*.

+1. Review the error messages, for example:

+1. Troubleshoot the problem by using the [Azure file shares troubleshooter](https://support.microsoft.com/help/4022301/troubleshooter-for-azure-files-shares).

+### Manually mount a file share with PowerShell

+If you can't diagnose or fix mounting errors, you can use PowerShell to mount the file share manually instead.

+ New-AzBatchPool -Id "<pool-name>" -VirtualMachineSize "STANDARD_D2_V2" -VirtualMachineConfiguration $configuration -TargetDedicatedComputeNodes 1 -BatchContext $Context

+1. In the [Azure portal](https://portal.azure.com), search for and select the storage account that has your file share.

+1. On the storage account page's menu, select **File shares** from the left navigation.

+1. On the **File shares** page, select the file share you want to mount.

+1. On the file share's page, select **Connect**.

+1. For **Drive letter**, enter the drive you want to use. The default is *Z*.

+1. Select **Show Script**, and copy the PowerShell script for mounting the file share.

+ $imageReference = New-Object -TypeName "Microsoft.Azure.Commands.Batch.Models.PSImageReference" -ArgumentList @("0001-com-ubuntu-server-focal", "canonical", "20_04-lts", "latest")

+ New-AzBatchPool -Id "<pool-name>" -VirtualMachineSize "Standard_DS1_v2" -VirtualMachineConfiguration $configuration -TargetDedicatedComputeNodes 1 -BatchContext $Context

+1. In the [Azure portal](https://portal.azure.com), search for and select the storage account that has your file share.

+1. On the storage account page's menu, select **File shares** from the left navigation.

+1. On the **File shares** page, select the file share you want to mount.

+1. On the file share's page, select **Connect**.

+1. Copy the Linux script for mounting the file share.

+## Example mount configurations

+The following code example configurations demonstrate mounting various file share systems to a pool of compute nodes.

+Azure Files is the standard Azure cloud file system offering. The following configuration mounts an Azure Files share named `<file-share-name>` to the *S* drive. For information about the parameters in the example, see [Mount SMB Azure file share on Windows](/azure/storage/files/storage-how-to-use-files-windows) or [Create an NFS Azure file share and mount it on a Linux VM using the Azure portal](/azure/storage/files/storage-files-how-to-create-nfs-shares).

+ AccountName = "<storage-account-name>",

+ AzureFileUrl = "https://<storage-account-name>.file.core.windows.net/<file-share-name>",

+ AccountKey = "<storage-account-key>",

+Another option is to use Azure Blob storage via [BlobFuse](/azure/storage/blobs/storage-how-to-mount-container-linux). Mounting a blob file system requires either an account key, shared access signature (SAS) key, or managed identity with access to your storage account.

+For information on getting these keys or identity, see the following articles:

+- [Manage storage account access keys](/azure/storage/common/storage-account-keys-manage)

+- [Grant limited access to Azure Storage resources using shared access signatures (SAS)](/azure/storage/common/storage-sas-overview)

+- [Configure managed identities in Batch pools](managed-identity-pools.md)

+ > [!TIP]

+ >If you use a managed identity, ensure that the identity has been [assigned to the pool](managed-identity-pools.md) so that it's available on the VM doing the mounting. The identity must also have the **Storage Blob Data Contributor** role.

+The following configuration mounts a blob file system with BlobFuse options. For illustration purposes, the example shows `AccountKey`, `SasKey` and `IdentityReference`, but you can actually specify only one of these methods.

+ AccountName = "<storage-account-name>",

+ ContainerName = "<container-name>",

+ // Use only one of the following three lines:

+ AccountKey = "<storage-account-key>",

+ SasKey = "<sas-key>",

+ IdentityReference = new ComputeNodeIdentityReference("/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"),

+ RelativeMountPath = "<relative-mount-path>",

+To get default access to the BlobFuse mounted directory, run the task as an administrator. BlobFuse mounts the directory at the user space, and at pool creation mounts the directory as root. In Linux, all administrator tasks are root. The [FUSE reference page](https://manpages.ubuntu.com/manpages/xenial/man8/mount.fuse.8.html) describes all options for the FUSE module.

+For more information and tips on using BlobFuse, see the following references:

+- [Blobfuse2 project](https://github.com/Azure/azure-storage-fuse)

+- [Blobfuse Troubleshoot FAQ](https://github.com/Azure/azure-storage-fuse/wiki/Blobfuse-Troubleshoot-FAQ)

+- [GitHub issues in the azure-storage-fuse repository](https://github.com/Azure/azure-storage-fuse/issues)

+### NFS

+You can mount NFS shares to pool nodes to allow Batch to access traditional file systems. The setup can be a single NFS server deployed in the cloud or an on-premises NFS server accessed over a virtual network. NFS mounts support [Avere vFXT](/azure/avere-vfxt/avere-vfxt-overview), a distributed in-memory cache for data-intensive high-performance computing (HPC) tasks. NFS mounts also support other standard NFS-compliant interfaces, such as [NFS for Azure Blob](/azure/storage/blobs/network-file-system-protocol-support) and [NFS for Azure Files](/azure/storage/files/storage-files-how-to-mount-nfs-shares).

+The following example shows a configuration for an NFS file system mount:

+ Source = "<source>",

+ RelativeMountPath = "<relative-mount-path>",

+### CIFS

+Mounting [CIFS](/windows/desktop/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) to pool nodes is another way to provide access to traditional file systems. CIFS is a file-sharing protocol that provides an open and cross-platform mechanism for requesting network server files and services. CIFS is based on the enhanced version of the [SMB protocol](/windows-server/storage/file-server/file-server-smb-overview) for internet and intranet file sharing.

+The following example shows a configuration for a CIFS file mount.

+ Username = "<storage-account-name>",

+ RelativeMountPath = "<relative-mount-path>",

+ Source = "<source>",

+ Password = "<storage-account-key>",

+ MountOptions = "-o vers=3.0,dir_mode=0777,file_mode=0777,serverino,domain=<domain-name>"

+- [Mount an Azure Files share with Windows](/azure/storage/files/storage-how-to-use-files-windows)

+- [Mount an Azure Files share with Linux](/azure/storage/files/storage-how-to-use-files-linux)

+- [Blobfuse2 - A Microsoft supported Azure Storage FUSE driver](https://github.com/Azure/azure-storage-fuse)

+- [Network File System overview](/windows-server/storage/nfs/nfs-overview)

+- [Microsoft SMB protocol and CIFS protocol overview](/windows/desktop/fileio/microsoft-smb-protocol-and-cifs-protocol-overview)

+ repository: azure-cognitive-services/speechservices/text-to-speech

+Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-3, Codex and Embeddings model series. In addition, the new GPT-4 and ChatGPT (gpt-35-turbo) model series are now available in preview. These models can be easily adapted to your specific task including but not limited to content generation, summarization, semantic search, and natural language to code translation. Users can access the service through REST APIs, Python SDK, or our web-based interface in the Azure OpenAI Studio.

+## Check image attributes for tag and its corresponding manifest.

+> [!NOTE]

+> * The changeable attributes of tags and manifest are managed separately. That is, setting attribute `deleteEnabled=false` for the tag won't set the same for the corresponding manifest.

+>* Query the attributes using the script below:

+```bash

+registry="myregistry"

+repo="myimage"

+tag="mytag"

+az login

+az acr repository show -n $registry --repository $repo

+az acr manifest show-metadata -r $registry -n "$repo:$tag"

+digest=$(az acr manifest show-metadata -r $registry -n "$repo:$tag" --query digest -o tsv)

+az acr manifest show-metadata -r $registry -n "$repo@$digest"

+```

+ Title: Migrate data using the desktop data migration tool

+description: Use the desktop data migration tool to migrate data from JSON, MongoDB, SQL Server, or Azure Table storage to Azure Cosmos DB.

+# Migrate data to Azure Cosmos DB using the desktop data migration tool

+The [Azure Cosmos DB desktop data migration tool](https://github.com/azurecosmosdb/data-migration-desktop-tool) is an open-source command-line application to import or export data from Azure Cosmos DB. The tool can migrate data to and from many sources and sinks including, but not limited to:

+- Azure Cosmos DB for NoSQL

+- Azure Cosmos DB for MongoDB

+- Azure Cosmos DB for Table

+- Azure Table storage

+- JSON

+- MongoDB

+- SQL Server

+> [!IMPORTANT]

+> For this guide, you will perform a data migration from JSON to Azure Cosmos DB for NoSQL.

+## Prerequisites

+- An existing Azure Cosmos DB for NoSQL account.

+ - If you have an Azure subscription, [create a new account](nosql/how-to-create-account.md?tabs=azure-portal).

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ - Alternatively, you can [try Azure Cosmos DB free](try-free.md) before you commit.

+- Latest version of [Azure CLI](/cli/azure/install-azure-cli).

+## Install the desktop data migration tool

+First, install the latest version of the desktop data migration tool from the GitHub repository.

+1. In your browser, navigate to the **Releases** section of the repository: [azurecosmosdb/data-migration-desktop-tool/releases](https://github.com/azurecosmosdb/data-migration-desktop-tool/releases).

+1. Download the latest compressed folder for your platform. There are compressed folders for the **win-x64**, **mac-x64**, and **linux-x64** platforms.

+1. Extract the files to an install location on your local machine.

+1. (Optional) Add the desktop data migration tool to the `PATH` environment variable of your local machine.

+## Prepare your migration target

+Next, create a target database and container on the Azure Cosmos DB for NoSQL account.

+### [Azure CLI](#tab/azure-cli)

+1. Open a new terminal. If you haven't already, [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli).

+1. Create new shell variables for the Azure Cosmos DB account's name and resource group.

+ ```azurecli-interactive

+ # Variable for Azure Cosmos DB account name

+ accountName="<name-of-existing-account>"

+

+ # Variable for resource group name

+ resourceGroupName="<name-of-existing-resource-group>"

+ ```

+1. Create a new database using [`az cosmosdb sql database create`](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create). Name the new database `cosmicworks` and configure the database with 400 RU/s of shared throughput.

+ ```azurecli-interactive

+ az cosmosdb sql database create \

+ --resource-group $resourceGroupName \

+ --account-name $accountName \

+ --name cosmicworks \

+ --throughput 400

+ ```

+1. Use [`az cosmosdb sql container create`](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) to create a new container named `products` within the `cosmicworks` database. Set the partition key path of the new container to `/category`.

+ ```azurecli-interactive

+ az cosmosdb sql container create \

+ --resource-group $resourceGroupName \

+ --account-name $accountName \

+ --database-name cosmicworks \

+ --name products \

+ --partition-key-path "/category"

+ ```

+1. Find the *primary connection string* from the list of keys for the account with [`az cosmosdb keys list`](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list).

+ ```azurecli-interactive

+ az cosmosdb keys list \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --type connection-strings

+ ```

+1. Record the *primary connection string* value. You use this credential later when migrating data with the tool.

+### [Azure PowerShell](#tab/azure-powershell)

+1. Open a new terminal. If you haven't already, [sign in to the Azure CLI](/cli/azure/authenticate-azure-cli).

+1. Create new variables for the Azure Cosmos DB account's name and resource group.

+ ```azurepowershell-interactive

+ # Variable for Azure Cosmos DB account name

+ $ACCOUNT_NAME = "<name-of-existing-account>"

+

+ # Variable for resource group name

+ $RESOURCE_GROUP_NAME = "<name-of-existing-resource-group>"

+ ```

+1. Create a new database using [`New-AzCosmosDBSqlDatabase`](/powershell/module/az.cosmosdb/new-azcosmosdbsqldatabase). Name the new database `cosmicworks` and configure the database with 400 RU/s of shared throughput.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ AccountName = $ACCOUNT_NAME

+ Name = "cosmicworks"

+ Throughput = 400

+ }

+ New-AzCosmosDBSqlDatabase @parameters

+ ```

+1. Use [`New-AzCosmosDBSqlContainer`](/powershell/module/az.cosmosdb/new-azcosmosdbsqlcontainer) to create a new container named `products` within the `cosmicworks` database. Set the partition key path of the new container to `/category`.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ AccountName = $ACCOUNT_NAME

+ DatabaseName = "cosmicworks"

+ Name = "products"

+ PartitionKeyPath = "/category"

+ PartitionKeyKind = "Hash"

+ }

+ New-AzCosmosDBSqlContainer @parameters

+ ```

+1. Find the *primary connection string* from the list of keys for the account with [`Get-AzCosmosDBAccountKey`](/powershell/module/az.cosmosdb/get-azcosmosdbaccountkey).

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Type = "ConnectionStrings"

+ }

+ Get-AzCosmosDBAccountKey @parameters

+ ```

+1. Record the *primary connection string* value. You use this credential later when migrating data with the tool.

+## Perform a migration operation

+Now, migrate data from a JSON array to the newly created Azure Cosmos DB for NoSQL container.

+1. Navigate to an empty directory on your local machine. Within that directory, create a new file named **migration-settings.json**.

+1. Within the JSON file, create a new empty JSON object:

+ ```json

+ {}

+ ```

+1. Create a new property named `Source` with the value `json`. Create another new property named `SourceSettings` with an empty object as the value.

+ ```json

+ {

+ "Source": "json",

+ "SourceSettings": {}

+ }

+ ```

+1. Within the `SourceSettings` object, create a new property named `FilePath` with the value set to this URI: [https://raw.githubusercontent.com/azure-samples/cosmos-db-migration-sample-data/main/nosql-data.json](https://github.com/azure-samples/cosmos-db-migration-sample-data/blob/main/nosql-data.json).

+ ```json

+ {

+ "Source": "json",

+ "SourceSettings": {

+ "FilePath": "https://raw.githubusercontent.com/azure-samples/cosmos-db-migration-sample-data/main/nosql-data.json"

+ }

+ }

+ ```

+1. Create another new property named `Sink` with the value `cosmos-nosql`. Also, create a property named `SinkSettings` with an empty object.

+ ```json

+ {

+ "Source": "json",

+ "SourceSettings": {

+ "FilePath": "https://raw.githubusercontent.com/azure-samples/cosmos-db-migration-sample-data/main/nosql-data.json"

+ },

+ "Sink": "cosmos-nosql",

+ "SinkSettings": {

+ }

+ }

+ ```

+1. Within `SinkSettings`, create a property named `ConnectionString` with the *primary connection string* you recorded earlier in this guide as its value.

+ ```json

+ {

+ "Source": "json",

+ "SourceSettings": {

+ "FilePath": "https://raw.githubusercontent.com/azure-samples/cosmos-db-migration-sample-data/main/nosql-data.json"

+ },

+ "Sink": "cosmos-nosql",

+ "SinkSettings": {

+ "ConnectionString": "<connection-string-for-existing-account>"

+ }

+ }

+ ```

+1. Add `Database`, `Container`, and `PartitionKeyPath` properties with `cosmicworks`, `products`, and `/category` as their values respectively.

+ ```json

+ {

+ "Source": "json",

+ "SourceSettings": {

+ "FilePath": "https://raw.githubusercontent.com/azure-samples/cosmos-db-migration-sample-data/main/nosql-data.json"

+ },

+ "Sink": "cosmos-nosql",

+ "SinkSettings": {

+ "ConnectionString": "<connection-string-for-existing-account>",

+ "Database": "cosmicworks",

+ "Container": "products",

+ "PartitionKeyPath": "/category"

+ }

+ }

+ ```

+1. **Save** the **migration-settings.json** file.

+1. Open a new terminal

+1. Run the desktop data migration tool using the `dmt` command.

+ ```terminal

+ dmt

+ ```

+ > [!NOTE]

+ > If you did not add the installation path to your `PATH` environment variable, you may need to specify the full path to the `dmt` executable.

+1. The tool asks for the path to the settings file. Enter the **migration-settings.json** filename here.

+ ```output

+ Path to settings file? (leave empty to skip):

+ ```

+1. The tool now outputs the sources and sinks used by the migration.

+ ```output

+ Using JSON Source

+ Using Cosmos-nosql Sink

+ ```

+## Next steps

+- Review [options for migrating data to Azure Cosmos DB](migration-choices.md).

+|Offline|[Azure Cosmos DB desktop data migration tool](how-to-migrate-desktop-tool.md)|&bull;Azure Cosmos DB for NoSQL<br/>&bull;Azure Cosmos DB for MongoDB<br/>&bull;Azure Cosmos DB for Table<br/>&bull;Azure Table storage<br/>&bull;JSON Files<br/>&bull;MongoDB<br/>&bull;SQL Server<br/>|&bull;Azure Cosmos DB for NoSQL<br/>&bull;Azure Cosmos DB for MongoDB<br/>&bull;Azure Cosmos DB for Table<br/>&bull;Azure Table storage<br/>&bull;JSON Files<br/>&bull;MongoDB<br/>&bull;SQL Server<br/>|&bull; Command-line tool<br/>&bull; Open-source|

+|Offline|[Azure Cosmos DB desktop data migration tool](how-to-migrate-desktop-tool.md)|&bull;Azure Cosmos DB for NoSQL<br/>&bull;Azure Cosmos DB for MongoDB<br/>&bull;Azure Cosmos DB for Table<br/>&bull;Azure Table storage<br/>&bull;JSON Files<br/>&bull;MongoDB<br/>&bull;SQL Server<br/>|&bull;Azure Cosmos DB for NoSQL<br/>&bull;Azure Cosmos DB for MongoDB<br/>&bull;Azure Cosmos DB for Table<br/>&bull;Azure Table storage<br/>&bull;JSON Files<br/>&bull;MongoDB<br/>&bull;SQL Server<br/>|&bull; Command-line tool<br/>&bull; Open-source|

+### API for Gremlin

+### API for Table

+* [Azure Cosmos DB desktop data migration tool](how-to-migrate-desktop-tool.md)

+- Protecting a public IP resource attached to a NAT Gateway isn't supported.

+**(Preview) Suspicious User Agent detected**<br/> (API_AccessFromSuspiciousUserAgent) | The user agent of a request accessing one of your API endpoints contained anomalous values indicative of an attempt at remote code execution. This does not mean that any of your API endpoints have been breached, but it does suggest that an attempted attack is underway. | Execution | Medium

+| [AntiMalware](https://www.microsoft.com/windows/comprehensive-security) | AntiMalware protection in Windows from Windows Defender, that scans source code and breaks the build if malware has been found | Not Open Source |

+| [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) |

+There are three elements involved when creating and managing custom recommendations:

+- **Recommendation** ΓÇô contains:

+|Required/preferred environmental requirements| This preview includes only AWS and GCP recommendations. <br> This feature will be part of the Defender CSPM plan in the future. |

+| Required roles & permissions | Subscription Owner / Contributor |

+1. In Microsoft Defender for Cloud, select **Environment Settings**.

+1. Select **Standards**.

+1. Select **Create** and then select **Recommendation**.

+1. Select Standards.

+ >The Record field contains the data structure as it is returned from the AWS / GCP API. Use this field to define conditions which will determine if the resource is healthy or unhealthy. <br> You can access internal properties of the Record field using a dot notation. <br>

+| [AntiMalware](https://www.microsoft.com/windows/comprehensive-security) | AntiMalware protection in Windows from Windows Defender, that scans source code and breaks the run if malware has been found | Not Open Source |

+- [Enable enhanced security features](enable-enhanced-security.md). You can enable these for free for 30 days.

+- You must be signed in with an account that has reader access to the policy compliance data. The **Reader** role for the subscription has access to the policy compliance data, but the **Security Reader** role doesn't. At a minimum, you'll need to have **Resource Policy Contributor** and **Security Admin** roles assigned.

+To access Endpoint protection navigate to **Environment settings** > **Defender plans** > **Settings and monitoring**. From here you can set Endpoint protection to **On**. You can also see all of the other components that are managed.

+3. Select **Azure Firewall Flow Trace Log** under **Categories** and any other logs you want to be supported in the firewall.

+> In addition, Azure NAT Gateway integration is not currently supported in secured virtual hub network (vWAN) architectures. You must deploy using a hub virtual network architecture. For detailed guidance on integrating NAT gateway with Azure Firewall in a hub and spoke network architecture refer to the [NAT gateway and Azure Firewall integration tutorial](../virtual-network/nat-gateway/tutorial-hub-spoke-nat-firewall.md). For more information about Azure Firewall architecture options, see [What are the Azure Firewall Manager architecture options?](../firewall-manager/vhubs-and-vnets.md).

+## No inbound connectivity to Standard external Load Balancers (ELB)

+### Cause: Standard load balancers and standard public IP addresses are closed to inbound connections unless opened by Network Security Groups. NSGs are used to explicitly permit allowed traffic. If you don't have an NSG on a subnet or NIC of your virtual machine resource, traffic isn't allowed to reach this resource.

+**Resolution**

+In order to allow the ingress traffic, add a Network Security Group to the Subnet or interface for your virtual resource.

+description: In this article, you learn how to add and remove and inbound NAT rule using the Azure portal, PowerShell and CLI.

+# Manage inbound NAT rules for Azure Load Balancer

+In this article, you learn how to add and remove an inbound NAT rule for both types. You learn how to change the frontend port allocation in a multiple instance inbound NAT rule. You can choose from the Azure portal, PowerShell, or CLI examples.

+- If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+Choose this option to configure a rule for a single VM. Select Azure portal, PowerShell, or CLI for instructions.

+In this example, you create an inbound NAT rule to forward port **500** to backend port **443**.

+In this example, you create an inbound NAT rule to forward port **500** to backend port **443**.

+ --frontend-port-range-end 1000 \

+ --frontend-port-range-start 500

+Choose this option to configure a rule with a range of ports to a backend pool of virtual machines. Select Azure portal, PowerShell, or CLI for instructions.

+In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter **Maximum number of machines in backend pool** with a value of **500**. This setting limits the backend pool to **500** virtual machines.

+In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter `-FrontendPortRangeEnd` with a value of **1000**. This setting limits the backend pool to **500** virtual machines.

+In this example, you create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter `--frontend-port-range-end` with a value of **1000**. This setting limits the backend pool to **500** virtual machines.

+To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you change the **Maximum number of machines in backend pool** from **500** to **1000**. This setting increases the maximum number of machines in the backend pool to **1000**.

+To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you change the parameter `-FrontendPortRangeEnd` to **1500**. This setting increases the maximum number of machines in the backend pool to **1000**.

+To accommodate more virtual machines in the backend pool, change the frontend port allocation in the inbound NAT rule. In this example, you change the parameter `--frontend-port-range-end` to **1500**. This setting increases the maximum number of machines in the backend pool to **1000**

+In this example, you remove an inbound NAT rule.

+In this example, you remove an inbound NAT rule.

+In this example, you remove an inbound NAT rule.

+In this article, you learned how to manage inbound NAT rules for an Azure Load Balancer using the Azure portal, PowerShell and CLI.

+ az group create --name CreateIntLBQS-rg --location eastus

+ az deployment group create --resource-group CreateIntLBQS-rg --template-file main.bicep --parameters adminUsername=AzureAdmin

+ New-AzResourceGroup -Name CreateIntLBQS-rg -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName CreateIntLBQS-rg -TemplateFile ./main.bicep -adminUsername "<admin-user>"

+az resource list --resource-group CreateIntLBQS-rg

+Get-AzResource -ResourceGroupName CreateIntLBQS-rg

+az group delete --name CreateIntLBQS-rg

+Remove-AzResourceGroup -Name CreateIntLBQS-rg

+Before you deploy VMs and test your load balancer, create the supporting virtual network and subnet. The virtual network and subnet contain the resources deployed later in this article.

+In this example, you create an Azure Bastion host. The Azure Bastion host is used later in this article to securely manage the virtual machines and test the load balancer deployment.

+ --backend-pool-name myBackEndPool \

+ --frontend-ip-name myFrontEnd

+description: This quickstart creates an internal Azure load balancer using an Azure Resource Manager template (ARM template).

+If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template opens in the Azure portal.

+1. Select **Save**.

+In this section, you create the two virtual machines for the backend pool of the load balancer.

+for ($i=1; $i -le 2; $i++){

+>[!NOTE]

+> If the Virtual Machine Scale Set behind the Load Balancer is a **Service Fabric Cluster**, migration with this script will take more time. In testing, a 5-node Bronze cluster was unavailable for about 30 minutes and a 5-node Silver cluster was unavailable for about 45 minutes. For Service Fabric clusters that require minimal / no connectivity downtime, adding a new nodetype with Standard Load Balancer and IP resources is a better solution.

+### Will this migration cause downtime to my application?

+Yes, because the Basic Load Balancer needs to be removed before the new Standard Load Balancer can be created, there will be downtime to your application. See [How long does the Upgrade take?](#how-long-does-the-upgrade-take)

+- Instance count of associated Virtual Machine Scale Sets

+- Service Fabric Cluster: Upgrades for Service Fabric Clusters take up to an hour in testing.

+### Image not found

+<!--issueDescription-->

+This issue can happen when the base image you specified can't be found.

+**Potential causes:**

+* You specified the image incorrectly

+* The image you specified doesn't exist in the registry you specified

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because it will implicitly build the environment in the first step.

+<!--/issueDescription-->

+**Troubleshooting steps**

+* Ensure that the base image is spelled and formatted correctly

+* Ensure that the base image you're using exists in the registry you specified

+**Resources**

+* [Azure Machine Learning base images](https://github.com/Azure/AzureML-Containers)

+The backup type and frequency is dependent on the backend storage for the servers.

+ ```powershell

+

+ ```bash

+ ```

+ ```bash

+ ```

+ ```config

+ ```config

+ ```bash

+ sudo ln -s /etc/udev/rules.d/75-persistent-net-generator.rules

+ sudo rm -f /etc/udev/rules.d/70-persistent-net.rules

+ ```bash

+ sudo rpm -e --nodeps NetworkManager

+ ```bash

+ sudo vgchange -an <vg-name>

+ sudo lockdev ΓÇôflushbufs <disk-device-name>

+ Title: Manage a NAT gateway

+description: Learn how to create and remove a NAT gateway resource from a virtual network subnet. Add and remove public IP addresses and prefixes used for outbound connectivity.

+# Manage NAT gateway

+Learn how to create and remove a NAT gateway resource from a virtual network subnet. A NAT gateway enables outbound connectivity for resources in an Azure Virtual Network. You can change the public IP addresses and public IP address prefixes associated with the NAT gateway changed after deployment.

+This article explains how to manage the following aspects of NAT gateway:

+- Create a NAT gateway and associate it with an existing subnet.

+- Remove a NAT gateway from an existing subnet and delete the NAT gateway.

+- Add or remove a public IP address or public IP prefix.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An existing Azure Virtual Network with a subnet. For more information, see [Quickstart: Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).

+ - The example virtual network that is used in this article is named *myVNet*.

+ - The example subnet is named *mySubnet*.

+ - The example NAT gateway is named *myNATgateway*.

+To use Azure PowerShell for this article, you need:

+- Azure PowerShell installed locally or Azure Cloud Shell.

+ If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps).

+ If you run PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+- Ensure that your `Az.Network` module is 4.3.0 or later. To verify the installed module, use the command `Get-InstalledModule -Name "Az.Network"`. If the module requires an update, use the command `Update-Module -Name Az.Network`.

+- Sign in to Azure PowerShell and select the subscription that you want to use. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+To use Azure CLI for this article, you need:

+- Azure CLI version 2.31.0 or later. Azure Cloud Shell uses the latest version.

+## Create a NAT gateway and associate it with an existing subnet

+You can create a NAT gateway resource and add it to an existing subnet by using the Azure portal, Azure PowerShell, or the Azure CLI.

+# [**Azure portal**](#tab/manage-nat-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the Azure portal, enter *NAT gateway*. Select **NAT gateways** in the search results.

+1. Select **Create**.

+1. Enter the following information in the **Basics** tab of **Create network address translation (NAT) gateway**.

+ - Select your **Subscription**.

+ - Select your resource group or select **Create new** to create a new resource group.

+ - **NAT gateway name**. Enter *myNATgateway*.

+ - Select your **Region**. This example uses **East US 2**.

+ - Select an **Availability zone**. This example uses **No Zone**. For more information about NAT gateway availability, see [NAT gateway and availability zones](nat-availability-zones.md). |

+ - Select a **TCP idle timeout (minutes)**. This example uses the default of **4**.

+1. Select the **Outbound IP** tab, or select **Next: Outbound IP**.

+1. You can select an existing public IP address or prefix or both to associate with the NAT gateway and enable outbound connectivity.

+ - To create a new public IP for the NAT gateway, select **Create a new public IP address**. Enter *myPublicIP-NAT* in **Name**. Select **OK**.

+ - To create a new public IP prefix for the NAT gateway, select **Create a new public IP prefix**. Enter *myPublicIPPrefix-NAT* in **Name**. Select a **Prefix size**. Select **OK**.

+1. Select the **Subnet** tab, or select **Next: Subnet**.

+1. Select your virtual network. In this example, select **myVNet** in the dropdown list.

+1. Select the checkbox next to **mySubnet**.

+1. Select **Review + create**.

+1. Select **Create**.

+# [**PowerShell**](#tab/manage-nat-powershell)

+### Public IP address

+To create a NAT gateway with a public IP address, run the following PowerShell commands.

+Use the [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress) cmdlet to create a public IP address for the NAT gateway.

+```azurepowershell

+## Create public IP address for NAT gateway ##

+$ip = @{

+ Name = 'myPublicIP-NAT'

+ ResourceGroupName = 'myResourceGroup'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ AllocationMethod = 'Static'

+}

+New-AzPublicIpAddress @ip

+```

+Use the [New-AzNatGateway](/powershell/module/az.network/new-aznatgateway) cmdlet to create a NAT gateway resource and associate the public IP address that you created. Use the [Set-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/set-azvirtualnetworksubnetconfig) cmdlet to configure the NAT gateway for your virtual network subnet.

+```azurepowershell

+## Place the virtual network into a variable. ##

+$net = @{

+ Name = 'myVNet'

+ ResourceGroupName = 'myResourceGroup'

+}

+$vnet = Get-AzVirtualNetwork @net

+## Place the public IP address you created previously into a variable. ##

+$pip = @{

+ Name = 'myPublicIP-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$publicIP = Get-AzPublicIPAddress @pip

+## Create NAT gateway resource ##

+$nat = @{

+ ResourceGroupName = 'myResourceGroupNAT'

+ Name = 'myNATgateway'

+ IdleTimeoutInMinutes = '10'

+ Sku = 'Standard'

+ Location = 'eastus2'

+ PublicIpAddress = $publicIP

+}

+$natGateway = New-AzNatGateway @nat

+## Create the subnet configuration. ##

+$sub = @{

+ Name = 'mySubnet'

+ VirtualNetwork = $vnet

+ NatGateway = $natGateway

+ AddressPrefix = '10.0.2.0/24'

+}

+Set-AzVirtualNetworkSubnetConfig @sub

+## Save the configuration to the virtual network. ##

+$vnet | Set-AzVirtualNetwork

+```

+### Public IP prefix

+To create a NAT gateway with a public IP prefix, use these commands.

+Use the [New-AzPublicIpPrefix](/powershell/module/az.network/new-azpublicipprefix) cmdlet to create a public IP prefix for the NAT gateway.

+```azurepowershell

+## Create public IP prefix for NAT gateway ##

+$ip = @{

+ Name = 'myPublicIPPrefix-NAT'

+ ResourceGroupName = 'myResourceGroup'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ PrefixLength ='29'

+}

+New-AzPublicIpPrefix @ip

+```

+Use the [New-AzNatGateway](/powershell/module/az.network/new-aznatgateway) cmdlet to create a NAT gateway resource and associate the public IP prefix you created. Use the [Set-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/set-azvirtualnetworksubnetconfig) cmdlet to configure the NAT gateway for your virtual network subnet.

+```azurepowershell

+## Place the virtual network into a variable. ##

+$net = @{

+ Name = 'myVNet'

+ ResourceGroupName = 'myResourceGroup'

+}

+$vnet = Get-AzVirtualNetwork @net

+## Place the public IP prefix you created previously into a variable. ##

+$pip = @{

+ Name = 'myPublicIPPrefix-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$publicIPprefix = Get-AzPublicIPPrefix @pip

+## Create NAT gateway resource ##

+$nat = @{

+ ResourceGroupName = 'myResourceGroupNAT'

+ Name = 'myNATgateway'

+ IdleTimeoutInMinutes = '10'

+ Sku = 'Standard'

+ Location = 'eastus2'

+ PublicIpPrefix = $publicIPprefix

+}

+$natGateway = New-AzNatGateway @nat

+## Create the subnet configuration. ##

+$sub = @{

+ Name = 'mySubnet'

+ VirtualNetwork = $vnet

+ NatGateway = $natGateway

+}

+Set-AzVirtualNetworkSubnetConfig @sub

+## Save the configuration to the virtual network. ##

+$vnet | Set-AzVirtualNetwork

+```

+# [**Azure CLI**](#tab/manage-nat-cli)

+### Public IP address

+To create a NAT gateway with a public IP address, use the following commands.

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a public IP address for the NAT gateway.

+```azurecli

+az network public-ip create \

+ --resource-group myResourceGroup \

+ --location eastus2 \

+ --name myPublicIP-NAT \

+ --sku standard

+```

+Use [az network nat gateway create](/cli/azure/network/nat/gateway#az-network-nat-gateway-create) to create a NAT gateway resource and associate the public IP address that you created.

+```azurecli

+az network nat gateway create \

+ --resource-group myResourceGroup \

+ --name myNATgateway \

+ --public-ip-addresses myPublicIP-NAT \

+ --idle-timeout 10

+```

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to associate the NAT gateway with your virtual network subnet.

+```azurecli

+az network vnet subnet update \

+ --resource-group myResourceGroup \

+ --vnet-name myVNet \

+ --name mySubnet \

+ --nat-gateway myNATgateway

+```

+### Public IP prefix

+To create a NAT gateway with a public IP prefix, use the following commands.

+Use [az network public-ip prefix create](/cli/azure/network/public-ip/prefix#az-network-public-ip-prefix-create) to create a public IP prefix for the NAT gateway.

+```azurecli

+az network public-ip prefix create \

+ --length 29 \

+ --resource-group myResourceGroup \

+ --location eastus2 \

+ --name myPublicIPprefix-NAT

+```

+Use [az network nat gateway create](/cli/azure/network/nat/gateway#az-network-nat-gateway-create) to create a NAT gateway resource and associate the public IP prefix that you created.

+```azurecli

+az network nat gateway create \

+ --resource-group myResourceGroup \

+ --name myNATgateway \

+ --public-ip-prefixes myPublicIPprefix-NAT \

+ --idle-timeout 10

+```

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to associate the NAT gateway with your virtual network subnet.

+```azurecli

+az network vnet subnet update \

+ --resource-group myResourceGroup \

+ --vnet-name myVNet \

+ --name mySubnet \

+ --nat-gateway myNATgateway

+```

+## Remove a NAT gateway from an existing subnet and delete the resource

+To remove a NAT gateway from an existing subnet, complete the following steps.

+# [**Azure portal**](#tab/manage-nat-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the Azure portal, enter *NAT gateway*. Select **NAT gateways** in the search results.

+1. Select **myNATgateway**.

+1. Under **Settings**, select **Subnets**.

+1. Select **Disassociate** to remove the NAT gateway from the configured subnet.

+You can now associate the NAT gateway with a different subnet or virtual network in your subscription. To delete the NAT gateway resource, complete the following steps.

+1. In the search box at the top of the Azure portal, enter *NAT gateway*. Select **NAT gateways** in the search results.

+1. Select **myNATgateway**.

+1. Select **Delete**.

+1. Select **Yes**.

+# [**PowerShell**](#tab/manage-nat-powershell)

+Removing the NAT gateway from a subnet by using Azure PowerShell isn't currently supported.

+# [**Azure CLI**](#tab/manage-nat-cli)

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to remove the NAT gateway from the subnet.

+```azurecli

+az network vnet subnet update \

+ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé--resource-group myResourceGroup \

+ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé--vnet-name myVNet \

+ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé--name mySubnet \

+ΓÇéΓÇéΓÇéΓÇéΓÇéΓÇé--remove natGateway

+```

+Use [az network nat gateway delete](/cli/azure/network/nat/gateway#az-network-nat-gateway-delete) to delete the NAT gateway resource.

+```azurecli

+az network nat gateway delete \

+ --name myNATgateway \

+ --resource-group myResourceGroup

+```

+> [!NOTE]

+> When you delete a NAT gateway, the public IP address or prefix associated with it isn't deleted.

+## Add or remove a public IP address

+Complete the following steps to add or remove a public IP address from a NAT gateway.

+# [**Azure portal**](#tab/manage-nat-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the Azure portal, enter *Public IP address*. Select **Public IP addresses** in the search results.

+1. Select **Create**.

+1. Enter the following information in **Create public IP address**.

+ | Setting | Value |

+ | - | -- |

+ | Subscription | Select your subscription. |

+ | Resource group | Select your resource group. The example uses **myResourceGroup**. |

+ | Region | Select a region. This example uses **East US 2**. |

+ | Name | Enter *myPublicIP-NAT2*. |

+ | IP version | Select **IPv4**. |

+ | SKU | Select **Standard**. |

+ | Availability zone | Select the default of **Zone-redundant**. |

+ | Tier | Select **Regional**. |

+1. Select **Review + create** and then select **Create**.

+1. In the search box at the top of the Azure portal, enter *NAT gateway*. Select **NAT gateways** in the search results.

+1. Select **myNATgateway**.

+1. Under **Settings**, select **Outbound IP**.

+1. The IP addresses and prefixes associated with the NAT gateway are displayed. Next to **Public IP addresses**, select **Change**.

+1. Next to **Public IP addresses**, select the dropdown for IP addresses. Select the IP address that you created to add to the NAT gateway. To remove an address, unselect it.

+1. Select **OK**.

+1. Select **Save**.

+# [**PowerShell**](#tab/manage-nat-powershell)

+### Add public IP address

+To add a public IP address to the NAT gateway, add it to an array object along with the current IP addresses. The PowerShell cmdlets replace all the addresses.

+In this example, the existing IP address associated with the NAT gateway is named *myPublicIP-NAT*. Replace this value with an array that contains both myPublicIP-NAT and a new IP address. If you have multiple IP addresses already configured, you must also add them to the array.

+Use [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress) to create a new IP address for the NAT gateway.

+```azurepowershell

+## Create public IP address for NAT gateway ##

+$ip = @{

+ Name = 'myPublicIP-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ AllocationMethod = 'Static'

+}

+New-AzPublicIpAddress @ip

+```

+Use [Set-AzNatGateway](/powershell/module/az.network/set-aznatgateway) to add the public IP address to the NAT gateway.

+```azurepowershell

+## Place NAT gateway into a variable. ##

+$ng = @{

+ Name = 'myNATgateway'

+ ResourceGroupName = 'myResourceGroup'

+}

+$nat = Get-AzNatGateway @ng

+## Place the existing public IP address associated with the NAT gateway into a variable. ##

+$ip = @{

+ Name = 'myPublicIP-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$publicIP1 = Get-AzPublicIPaddress @ip

+## Place the public IP address you created previously into a variable. ##

+$ip = @{

+ Name = 'myPublicIP-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+}

+$publicIP2 = Get-AzPublicIPaddress @ip

+## Place the public IP address variables into an array. ##

+$pipArray = $publicIP1,$publicIP2

+## Add the IP address to the NAT gateway. ##

+$nt = @{

+ NatGateway = $nat

+ PublicIpAddress = $pipArray

+}

+Set-AzNatGateway @nt

+```

+### Remove public IP address

+To remove a public IP from a NAT gateway, create an array object that *doesn't* contain the IP address you want to remove. For example, you have a NAT gateway configured with two public IP addresses. You want to remove one of the IP addresses. The IP addresses associated with the NAT gateway are named myPublicIP-NAT and myPublicIP-NAT2. To remove myPublicIP-NAT2, create an array object for the PowerShell command that contains *only* myPublicIP-NAT. When you apply the command, the array is reapplied to the NAT gateway, and myPublicIP-NAT is the only associated public IP address.

+Use [Set-AzNatGateway](/powershell/module/az.network/set-aznatgateway) to remove a public IP address from the NAT gateway.

+```azurepowershell

+## Place NAT gateway into a variable. ##

+$ng = @{

+ Name = 'myNATgateway'

+ ResourceGroupName = 'myResourceGroup'

+}

+$nat = Get-AzNatGateway @ng

+## Place the existing public IP prefix associated with the NAT gateway into a variable. ##

+$ip = @{

+ Name = 'myPublicIP-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$prefixIP1 = Get-AzPublicIPAddress @ip

+## Place the secondary public IP address into a variable. ##

+$ip = @{

+ Name = 'myPublicIP-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+}

+$publicIP2 = Get-AzPublicIPAddress @ip

+## Place ONLY the public IP you wish to keep in the array. ##

+$pipArray = $publicIP1

+## Add the IP address prefix to the NAT gateway. ##

+$nt = @{

+ NatGateway = $nat

+ PublicIpAddress = $pipArray

+}

+Set-AzNatGateway @nt

+```

+# [**Azure CLI**](#tab/manage-nat-cli)

+### Add public IP address

+In this example, the existing public IP address associated with the NAT gateway is named *myPublicIP-NAT*.

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a new IP address for the NAT gateway.

+```azurecli

+az network public-ip create \

+ --resource-group myResourceGroup \

+ --location eastus2 \

+ --name myPublicIP-NAT2 \

+ --sku standard

+```

+Use [az network nat gateway update](/cli/azure/network/nat/gateway#az-network-nat-gateway-update) to add the public IP address that you created to the NAT gateway. The Azure CLI command replaces the values. It doesn't add a new value. To add the new IP address to the NAT gateway, you must also include any other IP addresses associated to the NAT gateway.

+```azurecli

+az network nat gateway update \

+ --name myNATgateway \

+ --resource-group myResourceGroup \

+ --public-ip-addresses myPublicIP-NAT myPublicIP-NAT2

+```

+### Remove public IP address

+Use [az network nat gateway update](/cli/azure/network/nat/gateway#az-network-nat-gateway-update) to remove a public IP address from the NAT gateway. The Azure CLI command replaces the values. It doesn't remove a value. To remove a public IP address, include any IP address in the command that you want to keep. Omit the value that you want to remove. For example, you have a NAT gateway configured with two public IP addresses. You want to remove one of the IP addresses. The IP addresses associated with the NAT gateway are named myPublicIP-NAT and myPublicIP-NAT2. To remove myPublicIP-NAT2, omit the name of the IP address from the command. The command reapplies the IP addresses listed in the command to the NAT gateway. It removes any IP address not listed.

+```azurecli

+az network nat gateway update \

+ --name myNATgateway \

+ --resource-group myResourceGroup \

+ --public-ip-addresses myPublicIP-NAT

+```

+## Add or remove a public IP prefix

+Complete the following steps to add or remove a public IP prefix from a NAT gateway.

+# [**Azure portal**](#tab/manage-nat-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the Azure portal, enter *Public IP prefix*. Select **Public IP Prefixes** in the search results.

+1. Select **Create**.

+1. Enter the following information in the **Basics** tab of **Create a public IP prefix**.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select your resource group. This example uses **myResourceGroup**. |

+ | **Instance details** | |

+ | Name | Enter *myPublicIPPrefix-NAT*. |

+ | Region | Select your region. This example uses **East US 2**. |

+ | IP version | Select **IPv4**. |

+ | Prefix ownership | Select **Microsoft owned**. |

+ | Prefix size | Select a prefix size. This example uses **/28 (16 addresses)**. |

+1. Select **Review + create**, then select **Create**.

+1. In the search box at the top of the Azure portal, enter *NAT gateway*. Select **NAT gateways** in the search results.

+1. Select **myNATgateway**.

+1. Under **Settings**, select **Outbound IP**.

+1. The page displays the IP addresses and prefixes associated with the NAT gateway. Next to **Public IP prefixes**, select **Change**.

+1. Next to **Public IP Prefixes**, select the dropdown box. Select the IP address prefix that you created to add the prefix to the NAT gateway. To remove a prefix, unselect it.

+1. Select **OK**.

+1. Select **Save**.

+# [**PowerShell**](#tab/manage-nat-powershell)

+### Add public IP prefix

+To add a public IP prefix to the NAT gateway, add it to an array object along with the current IP prefixes. The PowerShell cmdlets replace all the IP prefixes.

+In this example, the existing public IP prefix associated with the NAT gateway is named *myPublicIPprefix-NAT*. Replace this value with an array that contains both myPublicIPprefix-NAT and a new IP address prefix. If you have multiple IP prefixes already configured, you must also add them to the array.

+Use [New-AzPublicIpPrefix](/powershell/module/az.network/new-azpublicipprefix) to create a new public IP prefix for the NAT gateway.

+```azurepowershell

+## Create public IP prefix for NAT gateway ##

+$ip = @{

+ Name = 'myPublicIPPrefix-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ PrefixLength = '29'

+}

+New-AzPublicIpPrefix @ip

+```

+Use [Set-AzNatGateway](/powershell/module/az.network/set-aznatgateway) to add the public IP prefix to the NAT gateway.

+```azurepowershell

+## Place NAT gateway into a variable. ##

+$ng = @{

+ Name = 'myNATgateway'

+ ResourceGroupName = 'myResourceGroup'

+}

+$nat = Get-AzNatGateway @ng

+## Place the existing public IP prefix associated with the NAT gateway into a variable. ##

+$ip = @{

+ Name = 'myPublicIPprefix-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$prefixIP1 = Get-AzPublicIPPrefix @ip

+## Place the public IP prefix you created previously into a variable. ##

+$ip = @{

+ Name = 'myPublicIPprefix-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+}

+$prefixIP2 = Get-AzPublicIPprefix @ip

+## Place the public IP address variables into an array. ##

+$preArray = $prefixIP1,$prefixIP2

+## Add the IP address prefix to the NAT gateway. ##

+$nt = @{

+ NatGateway = $nat

+ PublicIpPrefix = $preArray

+}

+Set-AzNatGateway @nt

+```

+### Remove public IP prefix

+To remove a public IP prefix from a NAT gateway, create an array object that *doesn't* contain the IP address prefix that you want to remove. For example, you have a NAT gateway configured with two public IP prefixes. You want to remove one of the IP prefixes. The IP prefixes associated with the NAT gateway are named myPublicIPprefix-NAT and myPublicIPprefix-NAT2. To remove myPublicIPprefix-NAT2, create an array object for the PowerShell command that contains *only* myPublicIPprefix-NAT. When you apply the command, the array is reapplied to the NAT gateway, and myPublicIPprefix-NAT is the only prefix associated.

+Use the [Set-AzNatGateway](/powershell/module/az.network/set-aznatgateway) cmdlet to remove a public IP prefix from the NAT gateway.

+```azurepowershell

+## Place NAT gateway into a variable. ##

+$ng = @{

+ Name = 'myNATgateway'

+ ResourceGroupName = 'myResourceGroup'

+}

+$nat = Get-AzNatGateway @ng

+## Place the existing public IP prefix associated with the NAT gateway into a variable. ##

+$ip = @{

+ Name = 'myPublicIPprefix-NAT'

+ ResourceGroupName = 'myResourceGroup'

+}

+$prefixIP1 = Get-AzPublicIPPrefix @ip

+## Place the secondary public IP prefix into a variable. ##

+$ip = @{

+ Name = 'myPublicIPprefix-NAT2'

+ ResourceGroupName = 'myResourceGroup'

+}

+$prefixIP2 = Get-AzPublicIPprefix @ip

+## Place ONLY the prefix you wish to keep in the array. DO NOT ADD THE SECONDARY VARIABLE ##

+$preArray = $prefixIP1

+## Add the IP address prefix to the NAT gateway. ##

+$nt = @{

+ NatGateway = $nat

+ PublicIpPrefix = $preArray

+}

+Set-AzNatGateway @nt

+```

+# [**Azure CLI**](#tab/manage-nat-cli)

+### Add public IP prefix

+In this example, the existing public IP prefix associated with the NAT gateway is named *myPublicIPprefix-NAT*.

+Use [az network public-ip prefix create](/cli/azure/network/public-ip/prefix#az-network-public-ip-prefix-create) to create a public IP prefix for the NAT gateway.

+```azurecli

+az network public-ip prefix create \

+ --length 29 \

+ --resource-group myResourceGroup \

+ --location eastus2 \

+ --name myPublicIPprefix-NAT2

+```

+Use [az network nat gateway update](/cli/azure/network/nat/gateway#az-network-nat-gateway-update) to add the public IP prefix that you created to the NAT gateway. The Azure CLI command replaces values. It doesn't add a value. To add the new IP address prefix to the NAT gateway, you must also include any other IP prefixes associated to the NAT gateway.

+```azurecli

+az network nat gateway update \

+ --name myNATgateway \

+ --resource-group myResourceGroup \

+ --public-ip-prefixes myPublicIPprefix-NAT myPublicIPprefix-NAT2

+```

+### Remove public IP prefix

+Use [az network nat gateway update](/cli/azure/network/nat/gateway#az-network-nat-gateway-update) to remove a public IP prefix from the NAT gateway. The Azure CLI command replaces the values. It doesn't remove a value. To remove a public IP prefix, include any prefix in the command that you wish to keep. Omit the one you want to remove. For example, you have a NAT gateway configured with two public IP prefixes. You want to remove one of the prefixes. The IP prefixes associated with the NAT gateway are named myPublicIPprefix-NAT and myPublicIPprefix-NAT2. To remove myPublicIPprefix-NAT2, omit the name of the IP prefix from the command. The command reapplies the IP prefixes listed in the command to the NAT gateway. It removes any IP address not listed.

+```azurecli

+az network nat gateway update \

+ --name myNATgateway \

+ --resource-group myResourceGroup \

+ --public-ip-prefixes myPublicIPprefix-NAT

+```

+## Next steps

+To learn more about Azure Virtual Network NAT and its capabilities, see the following articles:

+- [What is Azure NAT Gateway?](nat-overview.md)

+- [NAT gateway and availability zones](nat-availability-zones.md)

+- [Design virtual networks with NAT gateway](nat-gateway-resource.md)

+ Title: NAT gateway and availability zones

+description: Key concepts and design guidance on using NAT gateway with availability zones.

+# NAT gateway and availability zones

+NAT gateway is a zonal resource, which means it can be deployed and operate out of individual availability zones. With zone isolation scenarios, you can align your zonal NAT gateway resources with zonally designated IP based resources, such as virtual machines, to provide zone resiliency against outages. Review this document to understand key concepts and fundamental design guidance.

+*Figure 1: Zonal deployment of NAT gateway.*

+NAT gateway can either be designated to a specific zone within a region or to ΓÇÿno zoneΓÇÖ. Which zone property you select for your NAT gateway resource will inform the zone property of the public IP address that can be used for outbound connectivity as well.

+## NAT gateway has built in resiliency

+Virtual networks and their subnets are regional. Subnets aren't restricted to a zone. While NAT gateway is a zonal resource, it's a highly resilient and reliable method by which to connect outbound to the internet from virtual network subnets. NAT gateway uses [software defined networking](/azure-stack/hci/concepts/software-defined-networking) to operate as a fully managed and distributed service. NAT gateway infrastructure has built in redundancy. It can survive multiple infrastructure component failures. Availability zones build on this resiliency with zone isolation scenarios for NAT gateway.

+## Zonal

+You can place your NAT gateway resource in a specific zone for a region. When NAT gateway is deployed to a specific zone, it will provide outbound connectivity to the internet explicitly from that zone. The public IP address or prefix configured to NAT gateway must match the same zone. NAT gateway resources with public IP addresses from a different zone, zone-redundancy or with no zone aren't allowed.

+NAT gateway can provide outbound connectivity for virtual machines from other availability zones different from itself. The virtual machineΓÇÖs subnet needs to be configured to the NAT gateway resource to provide outbound connectivity. Additionally, multiple subnets can be configured to the same NAT gateway resource.

+While virtual machines in subnets from different availability zones can all be configured to a single zonal NAT gateway resource, this configuration doesn't provide the most effective method for ensuring zone-resiliency against zonal outages. For more information on how to safeguard against zonal outages, see [Design considerations](#design-considerations) later in this article.

+## Non-zonal

+If no zone is selected at the time that the NAT gateway resource is deployed, then it's placed in ΓÇÿno zoneΓÇÖ by default. When NAT gateway is placed in **no zone**, Azure places the resource in a zone for you. You won't have visibility into which zone Azure chooses for your NAT gateway. After NAT gateway is deployed, zonal configurations can't be changed. **No zone** NAT gateway resources, while still zonal resources can be associated to public IP addresses from a zone, no zone, or that are zone-redundant.

+## Design considerations

+Now that you understand the zone-related properties for NAT gateway, see the following design considerations to help you design for highly resilient outbound connectivity from Azure virtual networks.

+### Single zonal NAT gateway resource for zone-spanning resources

+A single zonal NAT gateway resource can be configured to either a subnet that contains virtual machines that span across multiple availability zones or to multiple subnets with different zonal virtual machines. When this type of deployment is configured, NAT gateway will provide outbound connectivity to the internet for all subnet resources from the specific zone it's located. If the zone that NAT gateway is deployed in goes down, then outbound connectivity across all virtual machine instances associated with the NAT gateway will also go down. This set up doesn't provide the best method of zone-resiliency.

+*Figure 2: Single zonal NAT gateway resource for multi-zone spanning resources doesn't provide an effective method of zone-resiliency against outages.*

+### Zonal NAT gateway resource for each zone in a region to create zone-resiliency

+A zonal promise for zone isolation scenarios exists when a virtual machine instance using a NAT gateway resource is in the same zone as the NAT gateway resource and its public IP addresses. The pattern you want to use for zone isolation is creating a "zonal stack" per availability zone. This "zonal stack" consists of virtual machine instances, a NAT gateway resource with public IP addresses or prefix on a subnet all in the same zone.

+*Figure 3: Zonal isolation by creating zonal stacks with the same zone NAT gateway, public IPs, and virtual machines provides the best method of ensuring zone resiliency against outages.*

+Failure of outbound connectivity due to a zone outage is isolated to the specific zone affected. The outage won't affect the other zonal stacks where other NAT gateways are deployed with their own subnets and zonal public IPs.

+Creating zonal stacks for each availability zone within a region is the most effective method for building zone-resiliency against outages for NAT gateway.

+### Integration of inbound with a standard load balancer

+If your scenario requires inbound endpoints, you have two options:

+| Option | Pattern | Example | Pro | Con |

+||||||

+| (1) | **Align** the inbound endpoints with the respective **zonal stacks** you're creating for outbound. | Create a standard load balancer with a zonal frontend. | Same failure model for inbound and outbound. Simpler to operate. | Individual IP addresses per zone may need to be masked by a common DNS name. |

+| (2) | **Overlay** the zonal stacks with a cross-zone inbound endpoint. | Create a standard load balancer with a zone-redundant front-end. | Single IP address for inbound endpoint. | Varying models for inbound and outbound. More complex to operate. |

+> [!NOTE]

+> Note that zonal configuration for a load balancer works differently from NAT gateway. The load balancer's availability zone selection is synonymous with its frontend IP configuration's zone selection. For public load balancers, if the public IP in the Load balancer's frontend is zone redundant then the load balancer is also zone-redundant. If the public IP in the load balancer's frontend is zonal, then the load balancer will also be designated to the same zone.

+## Limitations

+* Zones can't be changed, updated, or created for NAT gateway after deployment.

+## Next steps

+* Learn more about [Azure regions and availability zones](../availability-zones/az-overview.md)

+* Learn more about [Azure NAT Gateway](./nat-overview.md)

+* Learn more about [Azure Load balancer](../load-balancer/load-balancer-overview.md)

+ Title: Design virtual networks with NAT gateway

+description: Learn how to design virtual networks that use Network Address Translation (NAT) gateway resources.

+# Design virtual networks with NAT gateway

+NAT gateway provides outbound internet connectivity for one or more subnets of a virtual network. Once NAT gateway is associated to a subnet, NAT gateway provides source network address translation (SNAT) for that subnet. NAT gateway specifies which static IP addresses virtual machines use when creating outbound flows. Static IP addresses come from public IP addresses, public IP prefixes, or both. If a public IP prefix is used, all IP addresses of the entire public IP prefix are consumed by a NAT gateway. A NAT gateway can use up to 16 static IP addresses from either.

+*Figure: NAT gateway for outbound to internet*

+## How to deploy NAT

+Deployments are intentionally made simple:

+NAT gateway:

+- Create a non-zonal or zonal NAT gateway.

+- Assign a public IP address or public IP prefix.

+- If necessary, modify TCP idle timeout (optional). Review [timers](#timers) before you change the default.

+Virtual network:

+- Configure virtual network subnet to use a NAT gateway.

+User-defined routes aren't necessary.

+## Design guidance

+Review this section to familiarize yourself with considerations for designing virtual networks with NAT gateway.

+### Connect to Azure services with Private Link

+Connecting from your Azure virtual network to Azure PaaS services can be done directly over the Azure backbone and bypass the internet. When you bypass the internet to connect to other Azure PaaS services, you free up SNAT ports and reduce the risk of SNAT port exhaustion. [Private Link](../private-link/private-link-overview.md) should be used when possible to connect to Azure PaaS services in order to free up SNAT port inventory.

+Private Link uses the private IP addresses of your virtual machines or other compute resources from your Azure network to directly connect privately and securely to Azure PaaS services over the Azure backbone. See a list of [available Azure services](../private-link/availability.md) that are supported by Private Link.

+### Connect to the internet with NAT gateway

+NAT gateway is recommended for all production workloads where you need to connect to a public endpoint over the internet. Outbound connectivity takes place right away upon deployment of a NAT gateway with a subnet and at least one public IP address. No additional routing configurations are required to start connecting outbound with NAT gateway. NAT gateway becomes the default route to the internet after association to a subnet.

+In the presence of other outbound configurations within a virtual network, such as Load balancer or instance-level public IPs (IL PIPs), NAT gateway takes precedence for outbound connectivity. All new outbound initiated and return traffic starts using NAT gateway. There's no down time on outbound connectivity after adding NAT gateway to a subnet with existing outbound configurations.

+### Coexistence of outbound and inbound connectivity

+NAT gateway, load balancer and instance-level public IPs are flow direction aware. NAT gateway can coexist in the same virtual network as a load balancer and instance-level public IPs to provide outbound and inbound connectivity seamlessly. Inbound traffic through a load balancer or instance-level public IPs is translated separately from outbound traffic through NAT gateway.

+The following examples demonstrate co-existence of a load balancer or instance-level public IPs with a NAT gateway. Inbound traffic traverses the load balancer or public IP. Outbound traffic traverses the NAT gateway.

+#### NAT and VM with an instance-level public IP

+*Figure: NAT gateway and VM with an instance level public IP*

+| Direction | Resource |

+|::|::|

+| Inbound | VM with instance-level public IP |

+| Outbound | NAT gateway |

+VM will use NAT gateway for outbound. Inbound originated isn't affected.

+#### NAT and VM with a standard public load balancer

+*Figure: NAT gateway and VM with a standard public load balancer*

+| Direction | Resource |

+|::|::|

+| Inbound | Standard public load balancer |

+| Outbound | NAT gateway |

+Any outbound configuration from a load-balancing rule or outbound rules is superseded by NAT gateway. Inbound originated isn't affected.

+#### NAT and VM with an instance-level public IP and a standard public load balancer

+*Figure: Virtual Network NAT and VM with an instance-level public IP and a standard public load balancer*

+| Direction | Resource |

+|::|::|

+| Inbound | VM with instance-level public IP and a standard public load balancer |

+| Outbound | NAT gateway |

+Any outbound configuration from a load-balancing rule or outbound rules is superseded by NAT gateway. The VM will also use NAT gateway for outbound. Inbound originated isn't affected.

+### Monitor outbound network traffic with NSG flow logs

+A network security group allows you to filter inbound and outbound traffic to and from a virtual machine. To monitor outbound traffic flowing from the virtual machine behind your NAT gateway, enable NSG flow logs.

+To learn more about NSG flow logs, see [NSG Flow Log Overview](../network-watcher/network-watcher-nsg-flow-logging-overview.md).

+For guides on how to enable NSG flow logs, see [Enabling NSG Flow Logs](../network-watcher/network-watcher-nsg-flow-logging-overview.md#enabling-nsg-flow-logs).

+## Performance

+Each NAT gateway can provide up to 50 Gbps of throughput. This data throughput includes data processed both outbound and inbound through a NAT gateway resource. You can split your deployments into multiple subnets and assign each subnet or group of subnets a NAT gateway to scale out.

+NAT gateway can support up to 50,000 concurrent connections per public IP address **to the same destination endpoint** over the internet for TCP and UDP. The total number of connections that NAT gateway can support at any given time is up to 2 million. NAT gateway can process 1M packets per second and scale up to 5M packets per second.

+Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.

+## Scalability

+Scaling NAT gateway is primarily a function of managing the shared, available SNAT port inventory. NAT gateway needs sufficient SNAT port inventory for expected peak outbound flows for all subnets that are attached to a NAT gateway. You can use public IP addresses, public IP prefixes, or both to create SNAT port inventory.

+A single NAT gateway can scale up to 16 IP addresses. Each NAT gateway public IP address provides 64,512 SNAT ports to make outbound connections. NAT gateway can scale up to over 1 million SNAT ports. TCP and UDP are separate SNAT port inventories and are unrelated to NAT gateway.

+> [!NOTE]

+> If you assign a public IP prefix, the entire public IP prefix is used. You can't assign a public IP prefix and then break out individual IP addresses to assign to other resources. If you want to assign individual IP addresses from a public IP prefix to multiple resources, you need to create individual public IP addresses and assign them as needed instead of using the public IP prefix itself.

+When you scale your workload, assume that each flow requires a new SNAT port, and then scale the total number of available IP addresses for outbound traffic. Carefully consider the scale you're designing for, and then allocate IP addresses quantities accordingly.

+SNAT maps private addresses in your subnet to one or more public IP addresses attached to NAT gateway, rewriting the source address and source port in the process. SNAT ports sent to different destinations will most likely be reused when possible. As SNAT port exhaustion approaches, flows may not succeed.

+For a SNAT example, see [SNAT fundamentals](#source-network-address-translation).

+## Protocols

+NAT gateway interacts with IP and IP transport headers of UDP and TCP flows. NAT gateway is agnostic to application layer payloads. Other IP protocols aren't supported.

+## Source Network Address Translation

+### Fundamentals

+Source Network Address Translation (SNAT) rewrites the source of a flow to originate from a different IP address and/or port. Typically, SNAT is used when a private network needs to connect to a public host over the internet. SNAT allows multiple VM instances within the private VNet to use the same single Public IP address or set of IP addresses (prefix) to connect to the internet.

+NAT gateway uses SNAT to translate the private IP address and port of a virtual machine to a static public IP address and port. Traffic is translated before leaving the virtual network for the Internet. Each new connection to the same destination endpoint uses a different SNAT port so that connections can be distinguished from one another. SNAT port exhaustion occurs when a source endpoint has run out of available SNAT ports to differentiate between new connections.

+### Example SNAT flows for NAT gateway

+NAT gateway provides a many to one configuration in which multiple virtual machine instances within a NAT gatway configured subnet can use the same public IP address to connect outbound.

+In the following table, two different virtual machines (10.0.0.1 and 10.2.0.1) makes connections to https://microsoft.com destination IP 23.53.254.142. When NAT gateway is configured with public IP address 65.52.1.1, each virtual machine's source IPs are translated into NAT gateway's public IP address and a SNAT port:

+| Flow | Source tuple | Source tuple after SNAT | Destination tuple |

+|::|::|::|::|

+| 1 | 10.0.0.1: 4283 | **65.52.1.1: 1234** | 23.53.254.142: 80 |

+| 2 | 10.0.0.1: 4284 | **65.52.1.1: 1235** | 23.53.254.142: 80 |

+| 3 | 10.2.0.1: 5768 | **65.52.1.1: 1236** | 23.53.254.142: 80 |

+"IP masquerading" or "port masquerading" is the act of replacing the private IP and port with the public IP and port before connecting to the internet. Multiple private resources can be masqueraded behind the same public IP of NAT gateway.

+### NAT gateway dynamically allocates SNAT ports

+NAT gateway dynamically allocates SNAT ports across a subnet's private resources such as virtual machines. SNAT port inventory is made available by attaching public IP addresses to NAT gateway. All available SNAT ports can be used on-demand by any virtual machine in subnets configured with NAT gateway:

+*Figure: NAT gateway on-demand outbound SNAT*

+Pre-allocation of SNAT ports to each virtual machine is required for other SNAT methods. This pre-allocation of SNAT ports can cause SNAT port exhaustion on some virtual machines while others still have available SNAT ports for connecting outbound. With NAT gateway, pre-allocation of SNAT ports isn't required, which means SNAT ports aren't left unused by VMs not actively needing them.

+*Figure: Differences in exhaustion scenarios*

+After a SNAT port is released, it's available for use by any VM on subnets configured with NAT. On-demand allocation allows dynamic and divergent workloads on subnets to use SNAT ports as needed. As long as SNAT ports are available, SNAT flows will succeed.

+### Source (SNAT) port reuse

+NAT gateway selects a port at random out of the available inventory of ports to make new outbound connections. If NAT gateway doesn't find any available SNAT ports, then it will reuse a SNAT port. A SNAT port can be reused when connecting to a different destination IP and port as shown in the following table with this extra flow.

+| Flow | Source tuple | Source tuple after SNAT | Destination tuple |

+|::|::|::|::|

+| 4 | 10.0.0.1: 4285 | 65.52.1.1: **1234** | 23.53.254.143: 80 |

+A NAT gateway will translate flow 4 to a SNAT port that may already be in use for other destinations as well (see flow 1 from previous table). See [Scale NAT gateway](#scalability) for more discussion on correctly sizing your IP address provisioning.

+Don't take a dependency on the specific way source ports are assigned in the above example. The preceding is an illustration of the fundamental concept only.

+## Timers

+### Port Reuse Timers

+Port reuse timers determine the amount of time after a connection closes that a source port is in hold down before it can be reused to go to the same destination endpoint by NAT gateway.

+The following table provides information about when a TCP port becomes available for reuse to the same destination endpoint by NAT gateway.

+| Timer | Description | Value |

+||||

+| TCP FIN | After a connection is closed by a TCP FIN packet, a 65-second timer is activated that holds down the SNAT port. The SNAT port will be available for reuse after the timer ends. | 65 seconds |

+| TCP RST | After a connection is closed by a TCP RST packet (reset), a 16-second timer is activated that holds down the SNAT port. When the timer ends, the port is available for reuse. | 16 seconds |

+| TCP half open | During connection establishment where one connection endpoint is waiting for acknowledgment from the other endpoint, a 30-second timer is activated. If no traffic is detected, the connection will close. Once the connection has closed, the source port is available for reuse to the same destination endpoint. | 30 seconds |

+For UDP traffic, after a connection has closed, the port will be in hold down for 65 seconds before it's available for reuse.

+### Idle Timeout Timers

+| Timer | Description | Value |

+||||

+| TCP idle timeout | TCP connections can go idle when no data is transmitted between either endpoint for a prolonged period of time. A timer can be configured from 4 minutes (default) to 120 minutes (2 hours) to time out a connection that has gone idle. Traffic on the flow will reset the idle timeout timer. | Configurable; 4 minutes (default) - 120 minutes |

+| UDP idle timeout | UDP connections can go idle when no data is transmitted between either endpoint for a prolonged period of time. UDP idle timeout timers are 4 minutes and are **not configurable**. Traffic on the flow will reset the idle timeout timer. | **Not configurable**; 4 minutes |

+> [!NOTE]

+> These timer settings are subject to change. The values are provided to help with troubleshooting and you should not take a dependency on specific timers at this time.

+### Timer considerations

+Design recommendations for configuring timers:

+- In an idle connection scenario, NAT gateway holds onto SNAT ports until the connection idle times out. Because long idle timeout timers can unnecessarily increase the likelihood of SNAT port exhaustion, it isn't recommended to increase the TCP idle timeout duration to longer than the default time of 4 minutes. If a flow never goes idle, then it will not be impacted by the idle timer.

+- TCP keepalives can be used to provide a pattern of refreshing long idle connections and endpoint liveness detection. TCP keepalives appear as duplicate ACKs to the endpoints, are low overhead, and invisible to the application layer.

+- UDP idle timeout timers aren't configurable, UDP keepalives should be used to ensure that the idle timeout value isn't reached, and that the connection is maintained. Unlike TCP connections, a UDP keepalive enabled on one side of the connection only applies to traffic flow in one direction. UDP keepalives must be enabled on both sides of the traffic flow in order to keep the traffic flow alive.

+## Limitations

+- Basic load balancers and basic public IP addresses aren't compatible with NAT. Use standard SKU load balancers and public IPs instead.

+

+ - To upgrade a load balancer from basic to standard, see [Upgrade Azure Public Load Balancer](../load-balancer/upgrade-basic-standard.md)

+

+ - To upgrade a public IP address from basic to standard, see [Upgrade a public IP address](../virtual-network/ip-services/public-ip-upgrade-portal.md)

+- NAT gateway doesn't support ICMP

+- IP fragmentation isn't available for NAT gateway.

+## Next steps

+- Review [Azure NAT Gateway](nat-overview.md).

+- Learn about [metrics and alerts for NAT gateway](nat-metrics.md).

+- Learn how to [troubleshoot NAT gateway](troubleshoot-nat.md).

+ Title: Metrics and alerts for Azure NAT Gateway

+description: Understand Azure Monitor metrics and alerts available for NAT gateway.

+# Customer intent: As an IT administrator, I want to understand available Azure Monitor metrics and alerts for Virtual Network NAT.

+# Azure NAT Gateway metrics and alerts

+This article provides an overview of all NAT gateway metrics and diagnostic capabilities. This article provides general guidance on how to use metrics and alerts to monitor, manage, and [troubleshoot](troubleshoot-nat.md) your NAT gateway resource.

+Azure NAT Gateway provides the following diagnostic capabilities:

+- Multi-dimensional metrics and alerts through Azure Monitor. You can use these metrics to monitor and manage your NAT gateway and to assist you in troubleshooting issues.

+- Network Insights: Azure Monitor Insights provides you with visual tools to view, monitor, and assist you in diagnosing issues with your NAT gateway resource. Insights provide you with a topological map of your Azure setup and metrics dashboards.

+*Figure: Azure NAT Gateway for outbound to Internet*

+## Metrics overview

+NAT gateway resources provide the following multi-dimensional metrics in Azure Monitor:

+| Metric | Description | Recommended aggregation | Dimensions |

+|||||

+| Bytes | Bytes processed inbound and outbound | Sum | Direction (In; Out), Protocol (6 TCP; 17 UDP) |

+| Packets | Packets processed inbound and outbound | Sum | Direction (In; Out), Protocol (6 TCP; 17 UDP) |

+| Dropped packets | Packets dropped by the NAT gateway | Sum | / |

+| SNAT Connection Count | Number of new SNAT connections over a given interval of time | Sum | Connection State (Attempted, Established, Failed, Closed, Timed Out), Protocol (6 TCP; 17 UDP) |

+| Total SNAT connection count | Total number of active SNAT connections | Sum | Protocol (6 TCP; 17 UDP) |

+| Data path availability (Preview) | Availability of the data path of the NAT gateway. Used to determine whether the NAT gateway endpoints are available for outbound traffic flow. | Avg | Availability (0, 100) |

+## Where to find my NAT gateway metrics

+NAT gateway metrics can be found in the following locations in the Azure portal.

+- **Metrics** page under **Monitoring** from a NAT gateway's resource page.

+- **Insights** page under **Monitoring** from a NAT gateway's resource page.

+ :::image type="content" source="./media/nat-metrics/nat-insights-metrics.png" alt-text="Screenshot of the insights and metrics options in NAT gateway overview.":::

+- Azure Monitor page under **Metrics**.

+ :::image type="content" source="./media/nat-metrics/azure-monitor.png" alt-text="Screenshot of the metrics section of Azure Monitor.":::

+To view any one of your metrics for a given NAT gateway resource:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select one of the provided metrics.

+3. In the **Aggregation** drop-down menu, select the recommended aggregation listed in the [metrics overview](#metrics-overview) table.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-1.png" alt-text="Screenshot of the metrics setup configuration in NAT gateway resource.":::

+4. To adjust the time frame over which the chosen metric is presented on the metrics graph or to adjust how frequently the chosen metric is measured, select the **Time** window in the top right corner of the metrics page and make your adjustments.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-2.png" alt-text="Screenshot of the metrics time setup configuration in NAT gateway resource.":::

+## How to use NAT gateway metrics

+### Bytes

+The **Bytes** metric shows you the amount of data going outbound through NAT gateway and returning inbound in response to an outbound connection.

+Use this metric for the following measurements:

+- Assess the amount of data being processed through NAT gateway to connect outbound or return inbound.

+To view the amount of data sent in one or both directions when connecting outbound through NAT gateway:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select the **Bytes** metric.

+3. In the **Aggregation** drop-down menu, select **Sum**.

+4. Select to **Add filter**.

+5. In the **Property** drop-down menu, select **Direction (Out | In)**.

+6. In the **Values** drop-down menu, select **Out**, **In**, or both.

+7. To see data processed inbound or outbound as their own individual lines in the metric graph, select **Apply splitting**.

+8. In the **Values** drop-down menu, select **Direction (Out | In)**.

+### Packets

+The packets metric shows you the number of data packets transmitted through the NAT gateway.

+Use this metric to:

+

+- To confirm that traffic is being sent through your NAT gateway to go outbound to the internet or return inbound.

+- To assess the amount of traffic being directed through your NAT gateway resource outbound or inbound (when in response to an outbound directed flow).

+To view the number of packets sent in one or both directions when connecting outbound through NAT gateway, follow the same steps in the [Bytes](#bytes) section.

+### Dropped packets

+The dropped packets metric shows you the number of data packets dropped by NAT gateway when directing traffic outbound or inbound in response to an outbound connection.

+Use this metric to:

+- Assess whether or not you're nearing or possibly experiencing SNAT exhaustion with a given NAT gateway resource. Check to see if periods of dropped packets coincide with periods of failed SNAT connections with the [SNAT Connection Count](#snat-connection-count) metric.

+- Help assess if you're experiencing a pattern of failed outbound connections.

+Reasons for why you may see dropped packets:

+- If you're seeing a high rate of dropped packets, it may be due to outbound connectivity failure. Connectivity failure may happen for various reasons. See the NAT gateway [troubleshooting guide](./troubleshoot-nat.md) to help you further diagnose.

+### SNAT connection count

+The SNAT connection count metric shows you the number of new SNAT connections within a specified time frame. This metric can be broken out to view different connection states including: attempted, established, failed, closed, and timed out connections. A failed connection volume greater than zero may indicate SNAT port exhaustion.

+Use this metric to:

+- Evaluate the health of your outbound connections.

+- Assess whether or not you're nearing or possibly experiencing SNAT port exhaustion.

+- Evaluate whether your NAT gateway resource should be scaled out further by adding more public IPs.

+- Assess if you're experiencing a pattern of failed outbound connections.

+To view the connection state of your connections:

+1. Select the NAT gateway resource you would like to monitor.

+2. In the **Metric** drop-down menu, select the **SNAT Connection Count** metric.

+3. In the **Aggregation** drop-down menu, select **Sum**.

+4. Select to **Add filter**.

+5. In the **Property** drop-down menu, select **Connection State**.

+6. In the **Values** drop-down menu, select **Attempted**, **Failed**, or both.

+7. To see attempted and failed connections as their own individual lines in the metric graph, select **Apply splitting**.

+8. In the **Values** drop-down menu, select **Connection State**.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-3.png" alt-text="Screenshot of the metrics configuration.":::

+### Total SNAT connection count

+The **Total SNAT connection count** metric shows you the total number of active SNAT connections over a period of time.

+You can use this metric to:

+- Assess if you're nearing the connection limit of your NAT gateway resource.

+- Help assess if you're experiencing a pattern of failed outbound connections.

+Reasons for why you may see failed connections:

+- If you're seeing a pattern of failed connections for your NAT gateway resource, there could be multiple possible reasons. See the NAT gateway [troubleshooting guide](./troubleshoot-nat.md) to help you further diagnose.

+### Data path availability

+The data path availability metric measures the status of the NAT gateway resource over time. This metric informs on whether or not NAT gateway is available for directing outbound traffic to the internet. This metric is a reflection of the health of the Azure infrastructure.

+You can use this metric to:

+- Monitor the availability of your NAT gateway resource.

+- Investigate the platform where your NAT gateway is deployed and determine if itΓÇÖs healthy.

+- Isolate whether an event is related to your NAT gateway or to the underlying data plane.

+Reasons for why you may see a drop in data path availability include:

+- An infrastructure outage has occurred.

+- There aren't healthy VMs available in your NAT gateway configured subnet. For more information, see the NAT gateway [troubleshooting guide](./troubleshoot-nat.md).

+## Alerts

+Alerts can be configured in Azure Monitor for each of the preceding metrics. These alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address potential issues with your NAT gateway resource.

+For more information about how metric alerts work, see [Azure Monitor Metric Alerts](../azure-monitor/alerts/alerts-metric-overview.md). See guidance below on how to configure some common and recommended types of alerts for your NAT gateway.

+### Alerts for data path availability droppage

+If the datapath of your NAT gateway resource begins to experience drops in availability, you can set up an alert to be fired when it hits a specific threshold in availability.

+The recommended guidance is to alert on NAT gatewayΓÇÖs datapath availability when it drops below 90% over a 15 minute period. This configuration will be indicative of a NAT gateway resource going into a degraded state.

+To set up a datapath availability alert, follow these steps:

+1. From the NAT gateway resource page, select **Alerts**.

+2. Select **Create alert rule**.

+3. From the signal list, select **Datapath Availability**.

+4. From the **Operator** drop-down menu, select **Less than**.

+5. From the **Aggregation type** drop-down menu, select **Average**.

+6. In the **Threshold value** box, enter **90%** as the value that the datapath availability must drop below before an alert is fired.

+7. From the **Unit** drop-down menu, select **Count**.

+8. From the **Aggregation granularity (Period)** drop-down menu, select **15 minutes**.

+9. Create an **Action** for your alert by providing a name, notification type, and type of action that is performed when the alert is triggered.

+10. Before deploying your action, **test the action group**.

+11. Select **Create** to create the alert rule.

+>[!NOTE]

+>Aggregation granularity is the period of time over which the datapath availability is measured to determine if it has dropped below the threshold value.

+Setting the aggregation granularity to less than 5 minutes may trigger false positive alerts that detect noise in the datapath.

+### Alerts for SNAT port exhaustion

+Use the **SNAT connection count** metric and alerts to help determine if you're experiencing SNAT port exhaustion. A failed connection volume greater than zero may indicate SNAT port exhaustion. You may need to investigate further to determine the root cause of these failures.

+To create the alert, use the following steps:

+1. From the NAT gateway resource page, select **Alerts**.

+2. Select **Create alert rule**.

+3. From the signal list, select **SNAT Connection Count**.

+4. From the **Aggregation type** drop-down menu, select **Total**.

+5. From the **Operator** drop-down menu, select **Greater than**.

+6. From the **Unit** drop-down menu, select **Count**.

+7. In the **Threshold value** box, enter 0.

+8. In the Split by dimensions section, select **Connection State** under Dimension name.

+9. Under Dimension values, select **Failed** connections.

+8. From the When to evaluate section, select **1 minute** under the **Check every** drop-down menu.

+9. For the lookback period, select **5 minutes** from the drop-down menu options.

+9. Create an **Action** for your alert by providing a name, notification type, and type of action that is performed when the alert is triggered.

+10. Before deploying your action, **test the action group**.

+11. Select **Create** to create the alert rule.

+>[!NOTE]

+>SNAT port exhaustion on your NAT gateway resource is uncommon. If you see SNAT port exhaustion, your NAT gateway's idle timeout timer may be holding on to SNAT ports too long or your may need to scale with additional public IPs. To troubleshoot these kinds of issues, refer to the [NAT gateway connectivity troubleshooting guide](./troubleshoot-nat-connectivity.md#snat-exhaustion-due-to-nat-gateway-configuration).

+## Network Insights

+[Azure Monitor Network Insights](../network-watcher/network-insights-overview.md) allows you to visualize your Azure infrastructure setup and to review all metrics for your NAT gateway resource from a pre-configured metrics dashboard. These visual tools help you diagnose and troubleshoot any issues with your NAT gateway resource.

+### View the topology of your Azure architectural setup

+To view a topological map of your setup in Azure:

+1. From your NAT gatewayΓÇÖs resource page, select **Insights** from the **Monitoring** section.

+2. On the landing page for **Insights**, you'll see a topology map of your NAT gateway setup. This map will show you the relationship between the different components of your network (subnets, virtual machines, public IP addresses).

+3. Hover over any component in the topology map to view configuration information.

+ :::image type="content" source="./media/nat-metrics/nat-insights.png" alt-text="Screenshot of the Insights section of NAT gateway.":::

+### View all NAT gateway metrics in a dashboard

+The metrics dashboard can be used to better understand the performance and health of your NAT gateway resource. The metrics dashboard shows a view of all metrics for NAT gateway on a single page.

+- All NAT gateway metrics can be viewed in a dashboard when selecting **Show Metrics Pane**.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-pane.png" alt-text="Screenshot of the show metrics pane.":::

+- A full page view of all NAT gateway metrics can be viewed when selecting **View Detailed Metrics**.

+ :::image type="content" source="./media/nat-metrics/detailed-metrics.png" alt-text="Screenshot of the view detailed metrics.":::

+For more information on what each metric is showing you and how to analyze these metrics, see [How to use NAT gateway metrics](#how-to-use-nat-gateway-metrics).

+## Next steps

+* Learn about [Azure NAT Gateway](nat-overview.md)

+* Learn about [NAT gateway resource](nat-gateway-resource.md)

+* Learn about [Azure Monitor](../azure-monitor/overview.md)

+* Learn about [troubleshooting NAT gateway resources](troubleshoot-nat.md).

+ Title: What is Azure NAT Gateway?

+description: Overview of Azure NAT Gateway features, resources, architecture, and implementation. Learn how Azure NAT Gateway works and how to use NAT gateway resources in Azure.

+# What is Azure NAT Gateway?

+Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. Azure NAT Gateway simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the NAT gateway's static public IP addresses.

+*Figure: Azure NAT Gateway*

+## Azure NAT Gateway benefits

+### Security

+With a NAT gateway, individual VMs or other compute resources, don't need public IP addresses and can remain private. Resources without a public IP address can still reach external sources outside the virtual network with NAT gateway's static public IP addresses or prefixes. You can associate a public IP prefix to ensure that a contiguous set of IPs will be used for outbound. Destination firewall rules can be configured based on this predictable IP list.

+### Resiliency

+Azure NAT Gateway is a fully managed and distributed service. It doesn't depend on individual compute instances such as VMs or a single physical gateway device. A NAT gateway always has multiple fault domains and can sustain multiple failures without service outage. Software defined networking makes a NAT gateway highly resilient.

+### Scalability

+NAT gateway is scaled out from creation. There isn't a ramp up or scale-out operation required. Azure manages the operation of NAT gateway for you.

+A NAT gateway resource can be associated to a subnet and can be used by all compute resources in that subnet. All subnets in a virtual network can use the same NAT gateway resource. Outbound connectivity can be scaled out by assigning up to 16 IP addresses to NAT gateway. When a NAT gateway is associated to a public IP prefix, it automatically scales to the number of IP addresses needed for outbound.

+### Performance

+Azure NAT Gateway is a software defined networking service. A NAT gateway won't affect the network bandwidth of your compute resources. Learn more about [NAT gateway's performance](nat-gateway-resource.md#performance).

+## Azure NAT Gateway basics

+### Outbound connectivity

+* NAT gateway is the recommended method for outbound connectivity. NAT gateway doesn't have the same limitations of SNAT port exhaustion as does [default outbound access](../virtual-network/ip-services/default-outbound-access.md) and [outbound rules of a load balancer](../load-balancer/outbound-rules.md).

+* NAT gateway allows flows to be created from the virtual network to the services outside your virtual network. Return traffic from the internet is only allowed in response to an active flow. Services outside your virtual network canΓÇÖt initiate an inbound connection through NAT gateway.

+ * To migrate outbound access to a NAT gateway from default outbound access or load balancer outbound rules, see [Migrate outbound access to Azure NAT Gateway](./tutorial-migrate-outbound-nat.md).

+* NAT gateway takes precedence over other outbound scenarios (including Load balancer and instance-level public IP addresses) and replaces the default Internet destination of a subnet.

+* When NAT gateway is configured to a virtual network where standard Load balancer with outbound rules already exists, NAT gateway will take over all outbound traffic moving forward. There will be no drops in traffic flow for existing connections on Load balancer. All new connections will use NAT gateway.

+* Presence of custom UDRs for virtual appliances and ExpressRoute override NAT gateway for directing internet bound traffic (route to the 0.0.0.0/0 address prefix).

+* The order of operations for outbound connectivity follows this order of precedence:

+Virtual appliance UDR / ExpressRoute >> NAT gateway >> Instance-level public IP addresses on virtual machines >> Load balancer outbound rules >> default system

+* NAT gateway supports TCP and UDP protocols only. ICMP isn't supported.

+* NAT gateway will send a TCP Rest (RST) packet to the connection endpoint that attempts to communicate on a connection flow that does not exist. This connection flow may no longer exist if the NAT gateway idle timeout was reached or the connection was closed earlier. When the NAT gateway TCP RST packet is received by the connection endpoint, this signifies that the connection is no longer usable.

+### NAT gateway configurations

+* Outbound connectivity can be defined for each subnet with a NAT gateway. All outbound traffic for the subnet is processed by the NAT gateway without any customer configuration.

+* A NAT gateway canΓÇÖt span multiple virtual networks.

+* Multiple subnets within the same virtual network can either use different NAT gateways or the same NAT gateway.

+* Multiple NAT gateways canΓÇÖt be attached to a single subnet.

+* A NAT gateway canΓÇÖt be deployed in a [gateway subnet](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub).

+* A NAT gateway resource can use up to 16 IP addresses in any combination of:

+ * Public IP addresses

+ * Public IP prefixes

+ * Public IP addresses and prefixes derived from custom IP prefixes (BYOIP), to learn more, see [Custom IP address prefix (BYOIP)](../virtual-network/ip-services/custom-ip-address-prefix.md).

+* NAT gateway canΓÇÖt be associated to an IPv6 public IP address or IPv6 public IP prefix. It can be associated to a dual stack subnet, but will only be able to direct outbound traffic with an IPv4 address. To set up a dual stack outbound configuration, see [dual stack outbound connectivity with NAT gateway and Load balancer](/azure/virtual-network/nat-gateway/tutorial-dual-stack-outbound-nat-load-balancer?tabs=dual-stack-outbound-portal).

+* NAT gateway can be associated to an Azure Firewall subnet in a hub virtual network and provide outbound connectivity from spoke virtual networks peered to the hub. To learn more, see [Azure Firewall integration with NAT gateway](../firewall/integrate-with-nat-gateway.md).

+### Availability zones

+* A NAT gateway can be created in a specific availability zone or placed in 'no zone'.

+* NAT gateway can be isolated in a specific zone when you create [zone isolation scenarios](./nat-availability-zones.md). This deployment is called a zonal deployment. After NAT gateway is deployed, the zone selection can't be changed.

+* NAT gateway is placed in 'no zone' by default. A [non-zonal NAT gateway](./nat-availability-zones.md#non-zonal) is placed in a zone for you by Azure.

+### NAT gateway and basic SKU resources

+* NAT gateway is compatible with standard SKU public IP addresses or public IP prefix resources or a combination of both. You can use a public IP prefix directly or distribute the public IP addresses of the prefix across multiple NAT gateway resources. The NAT gateway will groom all traffic to the range of IP addresses of the prefix.

+* Basic resources, such as basic load balancer or basic public IPs aren't compatible with NAT gateway. Basic resources must be placed on a subnet not associated to a NAT gateway. Basic load balancer and basic public IP can be upgraded to standard to work with a NAT gateway

+

+ * Upgrade a load balancer from basic to standard, see [Upgrade a public basic Azure Load Balancer](../load-balancer/upgrade-basic-standard.md).

+ * Upgrade a public IP from basic to standard, see [Upgrade a public IP address](../virtual-network/ip-services/public-ip-upgrade-portal.md).

+### NAT gateway timers

+* NAT gateway holds on to SNAT ports after a connection closes before it's available to reuse to connect to the same destination endpoint over the internet. SNAT port reuse timer durations for TCP traffic vary depending on how the connection closes. To learn more, see [Port Reuse Timers](./nat-gateway-resource.md#port-reuse-timers).

+* A default TCP idle timeout of 4 minutes is used and can be increased to up to 120 minutes. Any activity on a flow can also reset the idle timer, including TCP keepalives. To learn more, see [Idle Timeout Timers](./nat-gateway-resource.md#idle-timeout-timers).

+* UDP traffic has an idle timeout timer of 4 minutes that can't be changed.

+

+* UDP traffic has a port reset timer of 65 seconds for which a port is in hold down before it's available for reuse to the same destination endpoint.

+## Pricing and SLA

+For Azure NAT Gateway pricing, see [NAT gateway pricing](https://azure.microsoft.com/pricing/details/virtual-network/#pricing).

+For information on the SLA, see [SLA for Azure NAT Gateway](https://azure.microsoft.com/support/legal/sla/virtual-network-nat/v1_0/).

+## Next steps

+* To create and validate a NAT gateway, see [Quickstart: Create a NAT gateway using the Azure portal](quickstart-create-nat-gateway-portal.md).

+* To view a video on more information about Azure NAT Gateway, see [How to get better outbound connectivity using an Azure NAT gateway](https://www.youtube.com/watch?v=2Ng_uM0ZaB4).

+* Learn about the [NAT gateway resource](./nat-gateway-resource.md).

+* [Learn module: Introduction to Azure NAT Gateway](/training/modules/intro-to-azure-virtual-network-nat).

+* To learn more about architecture options for Azure NAT Gateway, see [Azure Well-Architected Framework review of an Azure NAT gateway](/azure/architecture/networking/guide/well-architected-network-address-translation-gateway).

+ Title: 'Create a NAT gateway - Bicep'

+description: This quickstart shows how to create a NAT gateway using Bicep.

+# Customer intent: I want to create a NAT gateway using Bicep so that I can provide outbound connectivity for my virtual machines.

+# Quickstart: Create a NAT gateway - Bicep

+Get started with Azure NAT Gateway using Bicep. This Bicep file deploys a virtual network, a NAT gateway resource, and Ubuntu virtual machine. The Ubuntu virtual machine is deployed to a subnet that is associated with the NAT gateway resource.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/nat-gateway-1-vm/).

+This Bicep file is configured to create a:

+* Virtual network

+* NAT gateway resource

+* Ubuntu virtual machine

+The Ubuntu VM is deployed to a subnet that's associated with the NAT gateway resource.

+Nine Azure resources are defined in the Bicep file:

+* **[Microsoft.Network/networkSecurityGroups](/azure/templates/microsoft.network/networksecuritygroups)**: Creates a network security group.

+* **[Microsoft.Network/networkSecurityGroups/securityRules](/azure/templates/microsoft.network/networksecuritygroups/securityrules)**: Creates a security rule.

+* **[Microsoft.Network/publicIPAddresses](/azure/templates/microsoft.network/publicipaddresses)**: Creates a public IP address.

+* **[Microsoft.Network/publicIPPrefixes](/azure/templates/microsoft.network/publicipprefixes)**: Creates a public IP prefix.

+* **[Microsoft.Compute/virtualMachines](/azure/templates/Microsoft.Compute/virtualMachines)**: Creates a virtual machine.

+* **[Microsoft.Network/virtualNetworks](/azure/templates/microsoft.network/virtualnetworks)**: Creates a virtual network.

+* **[Microsoft.Network/natGateways](/azure/templates/microsoft.network/natgateways)**: Creates a NAT gateway resource.

+* **[Microsoft.Network/virtualNetworks/subnets](/azure/templates/microsoft.network/virtualnetworks/subnets)**: Creates a virtual network subnet.

+* **[Microsoft.Network/networkinterfaces](/azure/templates/microsoft.network/networkinterfaces)**: Creates a network interface.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminusername=<admin-name>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminusername "<admin-name>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-name\>** with the administrator username for the virtual machine. You'll also be prompted to enter **adminpassword**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+In this quickstart, you created a:

+* NAT gateway resource

+* Virtual network

+* Ubuntu virtual machine

+The virtual machine is deployed to a virtual network subnet associated with the NAT gateway.

+To learn more about Azure NAT Gateway and Bicep, continue to the following articles.

+* Read an [Overview of Azure NAT Gateway](nat-overview.md)

+* Read about the [NAT Gateway resource](nat-gateway-resource.md)

+* Learn more about [Bicep](../azure-resource-manager/bicep/overview.md)

+ Title: 'Quickstart: Create a NAT gateway - Azure CLI'

+description: Get started creating a NAT gateway using the Azure CLI.

+# Quickstart: Create a NAT gateway using the Azure CLI

+This quickstart shows you how to use the Azure NAT Gateway service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+## Set parameter values to create resources

+Set the parameter values for use in creating the required resources. The $RANDOM function is used to create unique object names.

+## Create a resource group

+Create a resource group with [az group create](/cli/azure/group#az-group-create). An Azure resource group is a logical container into which Azure resources are deployed and managed.

+## Create the NAT gateway

+In this section we create the NAT gateway and supporting resources.

+### Create public IP address

+To access the Internet, you need one or more public IP addresses for the NAT gateway. Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a public IP address resource.

+### Create NAT gateway resource

+Create a global Azure NAT gateway with [az network nat gateway create](/cli/azure/network/nat#az-network-nat-gateway-create). The result of this command will create a gateway resource that uses the public IP address defined in the previous step. The idle timeout is set to 10 minutes.

+### Create virtual network

+Create a virtual network with a subnet with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). The IP address space for the virtual network is **10.1.0.0/16**. The subnet within the virtual network is **10.1.0.0/24**.

+### Create bastion host subnet

+Create an Azure Bastion host to access the virtual machine.

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create an Azure Bastion subnet.

+### Create public IP address for the bastion host

+Create a public IP address for the bastion host with [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create).

+### Create the bastion host

+Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create the bastion host.

+### Configure NAT service for source subnet

+Configure the source subnet in virtual network to use a specific NAT gateway resource with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update). This command will activate the NAT service on the specified subnet.

+All outbound traffic to Internet destinations is now using the NAT gateway. It's not necessary to configure a UDR.

+## Create virtual machine

+Create a virtual machine to test the NAT gateway to verify the public IP address of the outbound connection.

+Create the virtual machine with [az vm create](/cli/azure/vm#az-vm-create).

+Wait for the virtual machine creation to complete before moving on to the next section.

+## Test NAT gateway

+In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Find the public IP address for the NAT gateway on the **Overview** screen. Select **All services** in the left-hand menu, select **All resources**, and then select **myPublicIP**.

+1. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+1. Select **All services** in the left-hand menu, select **All resources**, and then from the resources list, select **myVM** that is located in the **myResourceGroupNAT** resource group.

+1. On the **Overview** page, select **Connect**, then **Bastion**.

+1. Select the blue **Use Bastion** button.

+1. Enter the username and password entered during VM creation.

+1. Open **Internet Explorer** on **myTestVM**.

+1. Enter **https://whatsmyip.com** in the address bar.

+1. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following CLI command:

+```azurecli-interactive

+ az group delete \

+ --name $resourceGroup

+```

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Virtual Network NAT overview](nat-overview.md)

+ Title: 'Quickstart: Create a NAT gateway - Azure portal'

+description: This quickstart shows how to create a NAT gateway by using the Azure portal.

+# Quickstart: Create a NAT gateway using the Azure portal

+This quickstart shows you how to use the Azure NAT Gateway service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create a NAT gateway

+Before you deploy the NAT gateway resource and the other resources, a resource group is required to contain the resources deployed. In the following steps, you'll create a resource group, NAT gateway resource, and a public IP address. You can use one or more public IP address resources, public IP prefixes, or both.

+For information about public IP prefixes and a NAT gateway, see [Manage NAT gateway](./manage-nat-gateway.md?tabs=manage-nat-portal#add-or-remove-a-public-ip-prefix).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+1. Select **+ Create**.

+1. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **Create new**. </br> Enter **myResourceGroupNAT**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway** |

+ | Region | Select **West Europe** |

+ | Availability Zone | Select **No Zone**. |

+ | TCP idle timeout (minutes) | Enter **10**. |

+ For information about availability zones and NAT gateway, see [NAT gateway and availability zones](./nat-availability-zones.md).

+1. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+1. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myPublicIP**. </br> Select **OK**. |

+1. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+1. Select **Create**.

+## Virtual network

+Before you deploy a virtual machine and can use your NAT gateway, you need to create the virtual network. This virtual network will contain the virtual machine created in later steps.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+1. Select **+ Create**.

+1. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **(Europe) West Europe** |

+1. Select the **Security** tab or select the **Next: Security** button at the bottom of the page.

+1. Under **Azure Bastion**, select **Enable Azure Bastion**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Azure Bastion name | Enter **myBastionHost** |

+ | Azure Bastion public IP address | Select **New(myVNet-publicipAddress1)** |

+1. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+1. Accept the default IPv4 address space of **10.0.0.0/16**.

+1. In the subnet section in **Subnet name**, select the **default** subnet, then select **Save**.

+1. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Name| Enter **mySubnet** |

+ | Starting address | Enter **10.0.0.0** |

+ | Subnet size | Select **/24** |

+ | **Security** |

+ | NAT gateway | Select **myNATgateway**. |

+1. Select **Add a subnet** and enter the following information, then select **Add**.

+ | Setting | Value |

+ |--|-|

+ | Subnet template | Select **Azure Bastion** |

+ | Starting address | Enter **10.0.1.0** |

+ | Subnet size | Select **/26** |

+1. Select the **Review + create** tab or select the **Review + create** button.

+1. Select **Create**.

+It can take a few minutes for the deployment of the virtual network to complete. Proceed to the next steps when the deployment completes.

+

+## Virtual machine

+In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **+ Create** > **Azure virtual machine**.

+1. In the **Create a virtual machine** page in the **Basics** tab, enter, or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM**. |

+ | Region | Select **(Europe) West Europe**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Username | Enter a username for the virtual machine. |

+ | Password | Enter a password. |

+ | Confirm password | Confirm password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+1. Select the **Disks** tab, or select the **Next: Disks** button at the bottom of the page.

+1. Leave the default in the **Disks** tab.

+1. Select the **Networking** tab, or select the **Next: Networking** button at the bottom of the page.

+1. In the **Networking** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **mySubnet (10.1.0.0/24)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **None**. |

+1. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+1. Select **Create**.

+## Test NAT gateway

+In this section, you'll test the NAT gateway. You'll first discover the public IP of the NAT gateway. You'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+1. Select **myPublicIP**.

+1. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **myVM**.

+1. On the **Overview** page, select **Connect**, then **Bastion**.

+1. Enter the username and password entered during VM creation. Select **Connect**.

+1. Open **Microsoft Edge** on **myTestVM**.

+1. Enter **https://whatsmyip.com** in the address bar.

+1. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+1. Select the **myResourceGroupNAT** resource group.

+1. Select **Delete resource group**.

+1. Enter **myResourceGroupNAT** and select **Delete**.

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Azure NAT Gateway overview](nat-overview.md)

+ Title: 'Quickstart: Create a NAT gateway - PowerShell'

+description: Get started creating a NAT gateway using Azure PowerShell.

+# Quickstart: Create a NAT gateway using Azure PowerShell

+This quickstart shows you how to use the Azure NAT Gateway service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure PowerShell installed locally or Azure Cloud Shell

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+## Create a resource group

+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). An Azure resource group is a logical container into which Azure resources are deployed and managed.

+The following example creates a resource group named **myResourceGroupNAT** in the **eastus2** location:

+```azurepowershell-interactive

+$rsg = @{

+ Name = 'myResourceGroupNAT'

+ Location = 'eastus2'

+}

+New-AzResourceGroup @rsg

+```

+## Create the NAT gateway

+In this section we create the NAT gateway and supporting resources.

+* To access the Internet, you need one or more public IP addresses for the NAT gateway. Use [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress) to create a public IP address resource named **myPublicIP** in **myResourceGroupNAT**.

+* Create a global Azure NAT gateway with [New-AzNatGateway](/powershell/module/az.network/new-aznatgateway). The result of this command will create a gateway resource named **myNATgateway** that uses the public IP address **myPublicIP**. The idle timeout is set to 10 minutes.

+* Create a virtual network named **myVnet** with a subnet named **mySubnet** using [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) in the **myResourceGroup** using [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). The IP address space for the virtual network is **10.1.0.0/16**. The subnet within the virtual network is **10.1.0.0/24**.

+* Create an Azure Bastion host named **myBastionHost** to access the virtual machine. Use [New-AzBastion](/powershell/module/az.network/new-azbastion) to create the bastion host. Create a public IP address for the bastion host with [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress).

+```azurepowershell-interactive

+## Create public IP address for NAT gateway ##

+$ip = @{

+ Name = 'myPublicIP'

+ ResourceGroupName = 'myResourceGroupNAT'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ AllocationMethod = 'Static'

+}

+$publicIP = New-AzPublicIpAddress @ip

+## Create NAT gateway resource ##

+$nat = @{

+ ResourceGroupName = 'myResourceGroupNAT'

+ Name = 'myNATgateway'

+ IdleTimeoutInMinutes = '10'

+ Sku = 'Standard'

+ Location = 'eastus2'

+ PublicIpAddress = $publicIP

+}

+$natGateway = New-AzNatGateway @nat

+## Create subnet config and associate NAT gateway to subnet##

+$subnet = @{

+ Name = 'mySubnet'

+ AddressPrefix = '10.1.0.0/24'

+ NatGateway = $natGateway

+}

+$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet

+## Create Azure Bastion subnet. ##

+$bastsubnet = @{

+ Name = 'AzureBastionSubnet'

+ AddressPrefix = '10.1.1.0/24'

+}

+$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig @bastsubnet

+## Create the virtual network ##

+$net = @{

+ Name = 'myVNet'

+ ResourceGroupName = 'myResourceGroupNAT'

+ Location = 'eastus2'

+ AddressPrefix = '10.1.0.0/16'

+ Subnet = $subnetConfig,$bastsubnetConfig

+}

+$vnet = New-AzVirtualNetwork @net

+## Create public IP address for bastion host. ##

+$ip = @{

+ Name = 'myBastionIP'

+ ResourceGroupName = 'myResourceGroupNAT'

+ Location = 'eastus2'

+ Sku = 'Standard'

+ AllocationMethod = 'Static'

+}

+$publicip = New-AzPublicIpAddress @ip

+## Create bastion host ##

+$bastion = @{

+ ResourceGroupName = 'myResourceGroupNAT'

+ Name = 'myBastion'

+ PublicIpAddress = $publicip

+ VirtualNetwork = $vnet

+}

+New-AzBastion @bastion -AsJob

+```

+## Virtual machine

+In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

+* Create a network interface with [New-AzNetworkInterface](/powershell/module/az.network/new-aznetworkinterface).

+* Set an administrator username and password for the VM with [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential).

+* Create the virtual machine with:

+ * [New-AzVM](/powershell/module/az.compute/new-azvm)

+ * [New-AzVMConfig](/powershell/module/az.compute/new-azvmconfig)

+ * [Set-AzVMOperatingSystem](/powershell/module/az.compute/set-azvmoperatingsystem)

+ * [Set-AzVMSourceImage](/powershell/module/az.compute/set-azvmsourceimage)

+ * [Add-AzVMNetworkInterface](/powershell/module/az.compute/add-azvmnetworkinterface)

+

+```azurepowershell-interactive

+# Set the administrator and password for the VMs. ##

+$cred = Get-Credential

+## Place the virtual network into a variable. ##

+$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroupNAT'

+## Create network interface for virtual machine. ##

+$nic = @{

+ Name = "myNicVM"

+ ResourceGroupName = 'myResourceGroupNAT'

+ Location = 'eastus2'

+ Subnet = $vnet.Subnets[0]

+}

+$nicVM = New-AzNetworkInterface @nic

+## Create a virtual machine configuration for VMs ##

+$vmsz = @{

+ VMName = "myVM"

+ VMSize = 'Standard_DS1_v2'

+}

+$vmos = @{

+ ComputerName = "myVM"

+ Credential = $cred

+}

+$vmimage = @{

+ PublisherName = 'MicrosoftWindowsServer'

+ Offer = 'WindowsServer'

+ Skus = '2019-Datacenter'

+ Version = 'latest'

+}

+$vmConfig = New-AzVMConfig @vmsz `

+ | Set-AzVMOperatingSystem @vmos -Windows `

+ | Set-AzVMSourceImage @vmimage `

+ | Add-AzVMNetworkInterface -Id $nicVM.Id

+## Create the virtual machine for VMs ##

+$vm = @{

+ ResourceGroupName = 'myResourceGroupNAT'

+ Location = 'eastus2'

+ VM = $vmConfig

+}

+New-AzVM @vm

+```

+Wait for the virtual machine creation to complete before moving on to the next section.

+## Test NAT gateway

+In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Find the public IP address for the NAT gateway on the **Overview** screen. Select **All services** in the left-hand menu, select **All resources**, and then select **myPublicIP**.

+2. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Discover public IP address of NAT gateway" border="true":::

+3. Select **All services** in the left-hand menu, select **All resources**, and then from the resources list, select **myVM** that is located in the **myResourceGroupNAT** resource group.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+5. Select the blue **Use Bastion** button.

+6. Enter the username and password entered during VM creation.

+7. Open **Internet Explorer** on **myTestVM**.

+8. Enter **https://whatsmyip.com** in the address bar.

+9. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Internet Explorer showing external outbound IP" border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name 'myResourceGroupNAT' -Force

+```

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Azure NAT Gateway overview](nat-overview.md)

+ Title: 'Create a NAT gateway - Resource Manager Template'

+description: This quickstart shows how to create a NAT gateway by using the Azure Resource Manager template (ARM template).

+# Customer intent: I want to create a NAT gateway by using an Azure Resource Manager template so that I can provide outbound connectivity for my virtual machines.

+# Quickstart: Create a NAT gateway - ARM template

+Get started with Azure NAT Gateway by using an Azure Resource Manager template (ARM template). This template deploys a virtual network, a NAT gateway resource, and Ubuntu virtual machine. The Ubuntu virtual machine is deployed to a subnet that is associated with the NAT gateway resource.

+If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template opens in the Azure portal.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.network%2Fnat-gateway-1-vm%2Fazuredeploy.json)

+## Prerequisites

+# [**Portal**](#tab/create-nat-portal)

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+# [**PowerShell**](#tab/create-nat-powershell)

+- If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Azure PowerShell installed locally or Azure Cloud Shell.

+- Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+- Ensure your `Az.Network` module is 4.3.0 or later. To verify the installed module, use the command `Get-InstalledModule -Name "Az.Network"`. If the module requires an update, use the command `Update-Module -Name Az.Network` if necessary.

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+# [**Azure CLI**](#tab/create-nat-cli)

+ - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- This how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+## Review the template

+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/nat-gateway-1-vm).

+This template is configured to create a:

+* Virtual network

+* NAT gateway resource

+* Ubuntu virtual machine

+The Ubuntu VM is deployed to a subnet that's associated with the NAT gateway resource.

+Nine Azure resources are defined in the template:

+* **[Microsoft.Network/networkSecurityGroups](/azure/templates/microsoft.network/networksecuritygroups)**: Creates a network security group.

+* **[Microsoft.Network/networkSecurityGroups/securityRules](/azure/templates/microsoft.network/networksecuritygroups/securityrules)**: Creates a security rule.

+* **[Microsoft.Network/publicIPAddresses](/azure/templates/microsoft.network/publicipaddresses)**: Creates a public IP address.

+* **[Microsoft.Network/publicIPPrefixes](/azure/templates/microsoft.network/publicipprefixes)**: Creates a public IP prefix.

+* **[Microsoft.Compute/virtualMachines](/azure/templates/Microsoft.Compute/virtualMachines)**: Creates a virtual machine.

+* **[Microsoft.Network/virtualNetworks](/azure/templates/microsoft.network/virtualnetworks)**: Creates a virtual network.

+* **[Microsoft.Network/natGateways](/azure/templates/microsoft.network/natgateways)**: Creates a NAT gateway resource.

+* **[Microsoft.Network/virtualNetworks/subnets](/azure/templates/microsoft.network/virtualnetworks/subnets)**: Creates a virtual network subnet.

+* **[Microsoft.Network/networkinterfaces](/azure/templates/microsoft.network/networkinterfaces)**: Creates a network interface.

+## Deploy the template

+# [**Portal**](#tab/create-nat-portal)

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.network%2Fnat-gateway-1-vm%2Fazuredeploy.json)

+## Review deployed resources

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Resource groups** from the left pane.

+1. Select the resource group that you created in the previous section. The default resource group name is **myResourceGroupNAT**

+1. Verify the following resources were created in the resource group:

+ 

+# [**PowerShell**](#tab/create-nat-powershell)

+```azurepowershell-interactive

+$location = Read-Host -Prompt "Enter the location (i.e. westcentralus)"

+$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/nat-gateway-1-vm/azuredeploy.json"

+$resourceGroupName = "myResourceGroupNAT"

+New-AzResourceGroup -Name $resourceGroupName -Location $location

+New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri

+```

+# [**Azure CLI**](#tab/create-nat-cli)

+```azurecli-interactive

+read -p "Enter the location (i.e. westcentralus): " location

+resourceGroupName="myResourceGroupNAT"

+templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/nat-gateway-1-vm/azuredeploy.json"

+az group create \

+--name $resourceGroupName \

+--location $location

+az deployment group create \

+--resource-group $resourceGroupName \

+--template-uri $templateUri

+```

+## Clean up resources

+# [**Portal**](#tab/create-nat-portal)

+When no longer needed, delete the resource group, NAT gateway, and all related resources. Select the resource group **myResourceGroupNAT** that contains the NAT gateway, and then select **Delete**.

+# [**PowerShell**](#tab/create-nat-powershell)

+When no longer needed, you can use the [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) command to remove the resource group and all resources contained within.

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name myResourceGroupNAT

+```

+# [**Azure CLI**](#tab/create-nat-cli)

+When no longer needed, you can use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group and all resources contained within.

+```azurecli-interactive

+ az group delete \

+ --name myResourceGroupNAT

+```

+## Next steps

+In this quickstart, you created a:

+* NAT gateway resource

+* Virtual network

+* Ubuntu virtual machine

+The virtual machine is deployed to a virtual network subnet associated with the NAT gateway.

+To learn more about Azure NAT Gateway and Azure Resource Manager, continue to the following articles.

+* Read an [Overview of Azure NAT Gateway](nat-overview.md)

+* Read about the [NAT Gateway resource](nat-gateway-resource.md)

+* Learn more about [Azure Resource Manager](../azure-resource-manager/management/overview.md)

+ Title: Create and configure NAT gateway after moving resources to another region

+description: Learn how to configure a new NAT gateway for resources moved to another region.

+# Create and configure NAT gateway after moving resources to another region

+In this article, learn how to configure a NAT gateway after moving resources to a different region. You might want to move resources to take advantage of a new Azure region that is better suited to your customers' geographical presence, other needs, or to meet internal policy and governance requirements, or to take advantage of your organizationΓÇÖs infrastructure.

+> [!NOTE]

+> NAT gateway instances can't directly be moved from one region to another. A workaround is to use Azure Resource Mover to move all the resources associated with the existing NAT gateway to the new region. You then create a new instance of NAT gateway in the new region and then associate the moved resources with the new instance. After the new NAT gateway is functional in the new region, you delete the old instance in the previous region.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- **Owner** access in the subscription in which resources you want to move are located.

+- Resources from previous region moved to new region. For more information on moving resources to another region, see [Move resources to another region with Azure Resource Mover](../resource-mover/move-region-within-resource-group.md). Follow the steps in that article to move the resources in your previous region that are associated with the NAT gateway. After successful move of the resources, continue with the steps in this article.

+## Create a new NAT gateway

+After you have moved all the resources associated with the original instance of NAT gateway to the new region and verified them, the following steps will enable you to create a new instance of NAT gateway. This new NAT gateway can then be associated with the moved resources.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+2. Select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup** in **Name**. </br> Select **OK**. </br> Instead, you can select the existing resource group associated with the moved resources in the subscription. |

+ | **Instance details** | |

+ | Name | Enter **myNATgateway**. |

+ | Region | Select the name of the new region. |

+ | Availability Zone | Select **None**. Instead, you can select the zone of the moved resources if applicable. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+5. In the **Outbound IP** tab, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | Public IP addresses | Select **Create a new public IP address**. </br> Enter **myNATPublicIP** in **Name**. </br> Select **OK**. </br> Instead, you can select an existing public IP in your subscription if applicable. |

+6. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+7. Select the pull-down box under **Virtual network** in the **Subnet** tab. Select the **Virtual Network** that you **moved** using Azure Resource Mover.

+8. In **Subnet name**, select the **subnet** that you **moved** using Azure Resource Mover.

+9. Select the **Review + create** tab, or select the **Review + create** button at the bottom of the page.

+10. Select **Create**.

+## Test NAT gateway in new region

+For steps on how to test the NAT gateway, see [Quickstart: Create a NAT gateway - Azure portal](quickstart-create-nat-gateway-portal.md#test-nat-gateway).

+## Delete old instance of NAT gateway

+After you have created new NAT gateway and have tested it, you can delete the source resources from the old region. This step will automatically delete the original NAT gateway.

+## Next steps

+For more information on moving resources in Azure, see:

+- [Move NSGs to another region](../virtual-network/move-across-regions-nsg-portal.md).

+- [Move public IP addresses to another region](../virtual-network/move-across-regions-publicip-portal.md).

+- [Move a storage account to another region](../storage/common/storage-account-move.md?tabs=azure-portal)

+ Title: Azure NAT Gateway Resource Health

+description: Understand how to use resource health for NAT gateway.

+# Customer intent: As an IT administrator, I want to understand how to use resource health to monitor NAT gateway.

+# Azure NAT Gateway Resource Health

+This article provides guidance on how to use Azure Resource Health to monitor and troubleshoot connectivity issues with your NAT gateway resource. Resource health provides an automatic check to keep you informed on the current availability of your NAT gateway.

+## Resource health status

+[Azure Resource Health](../service-health/overview.md) provides information about the health of your NAT gateway resource. You can use resource health and Azure monitor notifications to keep you informed on the availability and health status of your NAT gateway resource. Resource health can help you quickly assess whether an issue is due to a problem in your Azure infrastructure or because of an Azure platform event. The resource health of your NAT gateway is evaluated by measuring the data-path availability of your NAT gateway endpoint.

+You can view the status of your NAT gatewayΓÇÖs health status on the **Resource Health** page, found under **Support + troubleshooting** for your NAT gateway resource.

+The health of your NAT gateway resource is displayed as one of the following statuses:

+| Resource health status | Description |

+|||

+| Available | Your NAT gateway resource is healthy and available. |

+| Degraded | Your NAT gateway resource has platform or user initiated events impacting the health of your NAT gateway. The metric for the data-path availability has reported less than 80% but greater than 25% health for the last fifteen minutes. |

+| Unavailable | Your NAT gateway resource is not healthy. The metric for the data-path availability has reported less than 25% for the past 15 minutes. You may experience unavailability of your NAT gateway resource for outbound connectivity. |

+| Unknown | Health status for your NAT gateway resource hasnΓÇÖt been updated or hasnΓÇÖt received information for data-path availability for more than 5 minutes. This state should be transient and will reflect the correct status as soon as data is received. |

+For more information about Azure Resource Health, see [Resource Health overview](../service-health/resource-health-overview.md).

+To view the health of your NAT gateway resource:

+1. From the NAT gateway resource page, under **Support + troubleshooting**, select **Resource health**.

+2. In the health history section, select the drop-down arrows next to dates to get more information on health history events of your NAT gateway resource. You can view up to 30 days of history in the health history section.

+3. Select the **+ Add resource health alert** at the top of the page to set up an alert for a specific health status of your NAT gateway resource.

+## Next steps

+- Learn about [Azure NAT Gateway](./nat-overview.md)

+- Learn about [metrics and alerts for NAT gateway](./nat-metrics.md)

+- Learn about [troubleshooting NAT gateway resources](./troubleshoot-nat.md)

+- Learn about [Azure resource health](../service-health/resource-health-overview.md)

+ Title: Troubleshoot outbound connectivity with Azure services

+description: Troubleshoot issues with NAT gateway and Azure services.

+# Troubleshoot outbound connectivity with NAT gateway and Azure services

+This article provides guidance on how to troubleshoot connectivity issues when using NAT gateway with other Azure services, including:

+* [Azure App Services](#azure-app-services)

+* [Azure Kubernetes Service](#azure-kubernetes-service)

+* [Azure Firewall](#azure-firewall)

+* [Azure Databricks](#azure-databricks)

+## Azure App Services

+### Azure App Services regional Virtual network integration turned off

+NAT gateway can be used with Azure app services to allow applications to make outbound calls from a virtual network. To use this integration between Azure app services and NAT gateway, regional virtual network integration must be enabled. See [how regional virtual network integration works](../app-service/overview-vnet-integration.md#how-regional-virtual-network-integration-works) to learn more.

+To use NAT gateway with Azure App services, follow these steps:

+1. Ensure that your application(s) have virtual network integration configured, see [Enable virtual network integration](../app-service/configure-vnet-integration-enable.md).

+2. Ensure that **Route All** is enabled for your virtual network integration, see [Configure virtual network integration routing](../app-service/configure-vnet-integration-routing.md).

+3. Create a NAT gateway resource.

+4. Create a new public IP address or attach an existing public IP address in your network to NAT gateway.

+5. Assign NAT gateway to the same subnet being used for Virtual network integration with your application(s).

+To see step-by-step instructions on how to configure NAT gateway with virtual network integration, see [Configuring NAT gateway integration](../app-service/networking/nat-gateway-integration.md#configuring-nat-gateway-integration)

+Important notes about the NAT gateway and Azure App Services integration:

+* Virtual network integration doesn't provide inbound private access to your app from the virtual network.

+* Because of the nature of how virtual network integration operates, the traffic from virtual network integration doesn't show up in Azure Network Watcher or NSG flow logs.

+### App services isn't using the NAT gateway public IP address to connect outbound

+App services can still connect outbound to the internet even if VNet integration isn't enabled. By default, apps that are hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. To learn more, see App Services Networking Features.

+If you notice that the IP address used to connect outbound isn't your NAT gateway public IP address or addresses, check that virtual network integration has been enabled. Ensure the NAT gateway is configured to the subnet used for integration with your application(s).

+To validate that web applications are using the NAT gateway public IP, ping a virtual machine on your Web Apps and check the traffic via a network capture.

+## Azure Kubernetes Service

+### How to deploy NAT gateway with AKS clusters

+NAT gateway can be deployed with AKS clusters in order to allow for explicit outbound connectivity. There are two different ways to deploy NAT gateway with AKS clusters:

+1. **Managed NAT gateway**: NAT gateway is provisioned by Azure at the time of the AKS cluster creation and managed by AKS.

+2. **User-Assigned NAT gateway**: NAT gateway is provisioned by you to an existing virtual network for the AKS cluster.

+Learn more at [Managed NAT Gateway](../aks/nat-gateway.md).

+### Can't update my NAT gateway IPs or idle timeout timer for an AKS cluster

+Public IP addresses and the idle timeout timer for NAT gateway can be updated with the az aks update command for a Managed NAT gateway ONLY.

+If you've provisioned a User-Assigned NAT gateway to your AKS subnets, then you can't use the az aks update command to update public IP addresses or the idle timeout timer. A User-Assigned NAT gateway is managed by the user rather than by AKS. You'll need to update these configurations manually on your NAT gateway resource.

+Update your public IP addresses on your User-Assigned NAT gateway with the following steps:

+1. In your resource group, select on your NAT gateway resource in the portal

+2. Under Settings on the left-hand navigation bar, select Outbound IP

+3. To manage your Public IP addresses, select the blue Change

+4. From the Manage public IP addresses and prefixes configuration that slides in from the right, update your assigned public IPs from the drop-down menu or select **Create a new public IP address**.

+5. Once you're done updating your IP configurations, select the OK button at the bottom of the screen.

+6. After the configuration page disappears, select the Save button to save your changes

+7. Use steps 3 - 6 to do the same for public IP prefixes.

+Update your idle timeout timer configuration on your User-Assigned NAT gateway with the following steps:

+1. In your resource group, select on your NAT gateway resource in the portal

+2. Under Settings on the left-hand navigation bar, select Configuration

+3. In the TCP idle timeout (minutes) text bar, adjust the idle timeout timer (the timer can be configured 4 ΓÇô 120 minutes).

+4. Select the Save button when youΓÇÖre done.

+>[!Note]

+>Increasing the TCP idle timeout timer to longer than 4 minutes can increase the risk of SNAT port exhaustion. For more information, see timer considerations.

+## Azure Firewall

+### SNAT exhaustion when connecting outbound with Azure Firewall

+Azure Firewall can provide outbound connectivity to the internet from virtual networks. Azure Firewall provides only 2,496 SNAT ports per public IP address. While Azure Firewall can be associated with up to 250 public IP addresses to handle egress traffic, users may require much fewer public IP addresses for connecting outbound. The requirement for egressing with fewer public IP addresses may be due to various architectural requirements and allowlist limitations by destination endpoints.

+One method by which to provide greater scalability for outbound traffic and also reduce the risk of SNAT port exhaustion is to use NAT gateway in the same subnet with Azure Firewall. To set up NAT gateway in an Azure Firewall subnet, see [integrate NAT gateway with Azure Firewall](/azure/virtual-network/nat-gateway/tutorial-hub-spoke-nat-firewall). See [Scale SNAT ports with Azure NAT Gateway](../firewall/integrate-with-nat-gateway.md) to learn more about how NAT gateway works with Firewall.

+> [!NOTE]

+> NAT gateway is not supported in a vWAN architecture. NAT gateway cannot be configured to an Azure Firewall subnet in a vWAN hub.

+## Azure Databricks

+### How to use NAT gateway to connect outbound from a databricks cluster

+NAT gateway can be used to connect outbound from your databricks cluster when you create your Databricks workspace. NAT gateway can be deployed to your databricks cluster in one of two ways:

+1. By enabling [Secure Cluster Connectivity (No Public IP)](/azure/databricks/security/secure-cluster-connectivity#use-secure-cluster-connectivity) on the default virtual network that Azure Databricks creates, NAT gateway will automatically be deployed for connecting outbound from your workspaceΓÇÖs subnets to the internet. This NAT gateway resource is created within the managed resource group managed by Azure Databricks. You can't modify this resource group or any other resources provisioned in it.

+2. After deploying Azure Databricks workspace in your own VNet (via [VNet injection](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject)), you can deploy and configure NAT gateway to both of your workspaceΓÇÖs subnets to ensure outbound connectivity through the NAT gateway. You can implement this solution using an [Azure template](/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject#advanced-configuration-using-azure-resource-manager-templates) or in the portal.

+## Next steps

+We're always looking to improve the experience of our customers. If you're experiencing issues with NAT gateway that aren't listed or resolved by this article, submit feedback through GitHub via the bottom of this page. We'll address your feedback as soon as possible.

+To learn more about NAT gateway, see:

+* [Azure NAT Gateway](./nat-overview.md)

+* [NAT gateway resource](./nat-gateway-resource.md)

+* [Metrics and alerts for NAT gateway resources](./nat-metrics.md)

+ Title: Troubleshoot Azure NAT Gateway connectivity

+description: Troubleshoot connectivity issues with a NAT gateway.

+# Troubleshoot Azure NAT Gateway connectivity

+This article provides guidance on how to troubleshoot and resolve common outbound connectivity issues with your NAT gateway resource. This article also provides best practices on how to design applications to use outbound connections efficiently.

+## SNAT exhaustion due to NAT gateway configuration

+SNAT exhaustion issues with NAT gateway typically have to do with the configurations on the NAT gateway, such as:

+* NAT gateway not scaled out with enough public IP addresses.

+* NAT gateway's configurable TCP idle timeout timer is set higher than the default value of 4 minutes.

+### NAT gateway not scaled out enough

+Each public IP address provides 64,512 SNAT ports for connecting outbound with NAT gateway. From those available SNAT ports, NAT gateway can support up to 50,000 concurrent connections to the same destination endpoint. If outbound connections are dropping because SNAT ports are being exhausted, then NAT gateway may not be scaled out enough to handle the workload. More public IP addresses on NAT gateway may be required in order to provide more SNAT ports for outbound connectivity.

+The following table describes two common outbound connectivity failure scenarios due to scalability issues and how to validate and mitigate these issues:

+| Scenario | Evidence |Mitigation |

+||||

+| You're experiencing contention for SNAT ports and SNAT port exhaustion during periods of high usage. | You run the following [metrics](nat-metrics.md) in Azure Monitor: **Total SNAT Connection Count**: "Sum" aggregation shows high connection volume. For **SNAT Connection Count**, "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume and connection failures. | Add more public IP addresses or public IP prefixes as need (assign up to 16 IP addresses in total to your NAT gateway). This addition provides more SNAT port inventory and allow you to scale your scenario further. |

+| You have already assigned 16 IP addresses to your NAT gateway and still are experiencing SNAT port exhaustion. | Attempt to add more IP addresses fails. Total number of IP addresses from public IP address or public IP prefix resources exceeds a total of 16. | Distribute your application environment across multiple subnets and provide a NAT gateway resource for each subnet. |

+>[!NOTE]

+>It is important to understand why SNAT exhaustion occurs. Make sure you are using the right patterns for scalable and reliable scenarios. Adding more SNAT ports to a scenario without understanding the cause of the demand should be a last resort. If you do not understand why your scenario is applying pressure on SNAT port inventory, adding more SNAT ports by adding more IP addresses will only delay the same exhaustion failure as your application scales. You may be masking other inefficiencies and anti-patterns. For more information, see [best practices for efficient use of outbound connections](#outbound-connectivity-best-practices).

+### TCP idle timeout timers set higher than the default value

+The NAT gateway TCP idle timeout timer is set to 4 minutes by default but is configurable up to 120 minutes. If the timer is set to a higher value than the default, NAT gateway holds on to flows longer, and can create [extra pressure on SNAT port inventory](./nat-gateway-resource.md#timers).

+The following table describes a scenario where a long TCP idle timeout timer is causing SNAT exhaustion and provides mitigation steps to take:

+| Scenario | Evidence | Mitigation |

+||||

+| You want to ensure that TCP connections stay active for long periods of time without idling and timing out. You increase the TCP idle timeout timer setting. After a period of time, you start to notice that connection failures occur more often. You suspect that you may be exhausting your inventory of SNAT ports since connections are holding on to them longer. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor to determine if SNAT port exhaustion is happening: **Total SNAT Connection Count**: "Sum" aggregation shows high connection volume. For **SNAT Connection Count**, "Failed" connection state shows transient or persistent failures over time. **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume and connection failures. | Some possible steps you can take to resolve SNAT port exhaustion include: </br></br> **Reduce the TCP idle timeout** to a lower value to free up SNAT port inventory earlier. The TCP idle timeout timer can't be set lower than 4 minutes. </br></br> Consider **[asynchronous polling patterns](/azure/architecture/patterns/async-request-reply)** to free up connection resources for other operations. </br></br> **Use TCP keepalives or application layer keepalives** to avoid intermediate systems timing out. For examples, see [.NET examples](/dotnet/api/system.net.servicepoint.settcpkeepalive). </br></br> Make connections to Azure PaaS services over the Azure backbone using **[Private Link](../private-link/private-link-overview.md)**. The use of private link frees up SNAT ports for outbound connections to the internet. |

+## Connection failures due to idle timeouts

+### TCP idle timeout

+As described in the [TCP timers](#tcp-idle-timeout-timers-set-higher-than-the-default-value) in the previous section, TCP keepalives should be used to refresh idle flows and reset the idle timeout. TCP keepalives only need to be enabled from one side of a connection in order to keep a connection alive from both sides. When a TCP keepalive is sent from one side of a connection, the other side automatically sends an ACK packet. The idle timeout timer is then reset on both sides of the connection. To learn more, see [Timer considerations](./nat-gateway-resource.md#timer-considerations).

+>[!Note]

+>Increasing the TCP idle timeout is a last resort and may not resolve the root cause. A long timeout can cause low-rate failures when timeout expires and introduce delay and unnecessary failures.

+### UDP idle timeout

+UDP idle timeout timers are set to 4 minutes. Unlike TCP idle timeout timers for NAT gateway, UDP idle timeout timers aren't configurable.

+The following table describes a common scenario encountered with connections dropping due to UDP traffic idle timing out and steps to take to mitigate the issue.

+| Scenario | Evidence | Mitigation |

+||||

+| You notice that UDP traffic is dropping connections that need to be maintained for long periods of time. | You check the following [NAT gateway metrics](nat-metrics.md) in Azure Monitor, **Dropped Packets**: "Sum" aggregation shows packets dropping consistent with high connection volume and connection failures. | A few possible mitigation steps that can be taken: - **Enable UDP keepalives**. Keep in mind that when a UDP keepalive is enabled, it's only active for one direction in a connection. The connection can still go idle and time out on the other side of a connection. To prevent a UDP connection from idle time-out, UDP keepalives should be enabled for both directions in a connection flow. - **Application layer keepalives** can also be used to refresh idle flows and reset the idle timeout. Check the server side for what options exist for application specific keepalives. |

+## NAT gateway public IP not being used for outbound traffic

+### VMs hold on to prior SNAT IP with active connection after NAT gateway added to a virtual network

+[NAT gateway](nat-overview.md) becomes the default route to the internet when configured to a subnet. Migration from default outbound access or load balancer to NAT gateway results in new connections immediately using the IP address(es) associated with the NAT gateway resource. If a virtual machine has an established connection during the migration, the connection continues to use the old SNAT IP address that was assigned when the connection was established.

+Test and resolve issues with VMs holding on to old SNAT IP addresses by:

+- Ensure you've established a new connection and that existing connections aren't being reused in the OS or that the browser is caching the connections. For example, when using curl in PowerShell, make sure to specify the -DisableKeepalive parameter to force a new connection. If you're using a browser, connections may also be pooled.

+- It isn't necessary to reboot a virtual machine in a subnet configured to NAT gateway. However, if a virtual machine is rebooted, the connection state is flushed. When the connection state has been flushed, all connections begin using the NAT gateway resource's IP address(es). This behavior is a side effect of the virtual machine reboot and not an indicator that a reboot is required.

+If you're still having trouble, open a support case for further troubleshooting.

+### Virtual appliance UDRs and ExpressRoute override NAT gateway for routing outbound traffic

+When forced tunneling with a custom UDR is enabled to direct traffic to a virtual appliance or VPN through ExpressRoute, the UDR or ExpressRoute takes precedence over NAT gateway for directing internet bound traffic. To learn more, see [custom UDRs](../virtual-network/virtual-networks-udr-overview.md#custom-routes).

+The order of precedence for internet routing configurations is as follows:

+Virtual appliance UDR / ExpressRoute >> NAT gateway >> instance level public IP addresses >> outbound rules on Load balancer >> default outbound access

+Test and resolve issues with a virtual appliance UDR or VPN ExpressRoute overriding your NAT gateway by:

+1. [Testing that the NAT gateway public IP](./quickstart-create-nat-gateway-portal.md#test-nat-gateway) is used for outbound traffic. If a different IP is being used, it could be because of a custom UDR, follow the remaining steps on how to check for and remove custom UDRs.

+2. Check for UDRs in the virtual networkΓÇÖs route table, refer to [view route tables](../virtual-network/manage-route-table.md#view-route-tables).

+3. Remove the UDR from the route table by following [create, change, or delete an Azure route table](../virtual-network/manage-route-table.md#change-a-route-table).

+Once the custom UDR is removed from the routing table, the NAT gateway public IP should now take precedence in routing outbound traffic to the internet.

+### Private IPs are used to connect to Azure services by Private Link

+[Private Link](../private-link/private-link-overview.md) connects your Azure virtual networks privately to Azure PaaS services such as Azure Storage, Azure SQL, or Azure Cosmos DB over the Azure backbone network instead of over the internet. Private Link uses the private IP addresses of virtual machine instances in your virtual network to connect to these Azure platform services instead of the public IP of NAT gateway. As a result, when looking at the source IP address used to connect to these Azure services, you notice that the private IPs of your instances are used. See [Azure services listed here](../private-link/availability.md) for all services supported by Private Link.

+To check which Private Endpoints you have set up with Private Link:

+1. From the Azure portal, search for Private Link in the search box.

+2. In the Private Link center, select Private Endpoints or Private Link services to see what configurations have been set up. For more information, see [Manage private endpoint connections](../private-link/manage-private-endpoint.md#manage-private-endpoint-connections-on-azure-paas-resources).

+Service endpoints can also be used to connect your virtual network to Azure PaaS services. To check if you have service endpoints configured for your virtual network:

+1. From the Azure portal, navigate to your virtual network and select "Service endpoints" from Settings.

+2. All Service endpoints created are listed along with which subnets they're configured. For more information, see [logging and troubleshooting Service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md#logging-and-troubleshooting).

+>[!NOTE]

+>Private Link is the recommended option over Service endpoints for private access to Azure hosted services.

+## Connection failures at the public internet destination

+Connection failures at the internet destination endpoint could be due to multiple possible factors. Factors that can affect connectivity success are:

+* Firewall or other traffic management components at the destination.

+* API rate limiting imposed by the destination side.

+* Volumetric DDoS mitigations or transport layer traffic shaping.

+Use NAT gateway [metrics](nat-metrics.md) in Azure monitor to diagnose connection issues:

+* Look at packet count at the source and the destination (if available) to determine how many connection attempts were made.

+* Look at dropped packets to see how many packets dropped by NAT gateway.

+What else to check for:

+* Check for [SNAT exhaustion](#snat-exhaustion-due-to-nat-gateway-configuration).

+* Validate connectivity to an endpoint in the same region or elsewhere for comparison.

+* If you're creating high volume or transaction rate testing, explore if reducing the rate reduces the occurrence of failures.

+* If changing rate impacts the rate of failures, check if API rate limits, or other constraints on the destination side might have been reached.

+### Other transient outbound connectivity issues

+Outbound Passive FTP may not work for NAT gateway with multiple public IP addresses, depending on your FTP server configuration.

+Passive FTP establishes different connections for control and data channels. When a NAT gateway with multiple public IP addresses sends traffic outbound, it randomly selects one of its public IP addresses for the source IP address. FTP may fail when data and control channels use different source IP addresses, depending on your FTP server configuration.

+To prevent possible passive FTP connection failures, do the following steps:

+1. Check that your NAT gateway is attached to a single public IP address rather than multiple IP addresses or a prefix.

+2. Make sure that the passive port range from your NAT gateway is allowed to pass any firewalls that may be at the destination endpoint.

+### Extra network captures

+If your investigation is inconclusive, open a support case for further troubleshooting and collect the following information for a quicker resolution. Choose a single virtual machine in your NAT gateway configured subnet to perform the following tests:

+* Use **`ps ping`** from one of the backend VMs within the virtual network to test the probe port response (example: **`ps ping 10.0.0.4:3389`**) and record results.

+* If no response is received in these ping tests, run a simultaneous Netsh trace on the backend VM, and the virtual network test VM while you run PsPing then stop the Netsh trace.

+## Outbound connectivity best practices

+Azure monitors and operates its infrastructure with great care. However, transient failures can still occur from deployed applications, there's no guarantee that transmissions are lossless. NAT gateway is the preferred option to connect outbound from Azure deployments in order to ensure highly reliable and resilient outbound connectivity. In addition to using NAT gateway to connect outbound, use the guidance later in the article for how to ensure that applications are using connections efficiently.

+### Modify the application to use connection pooling

+When you pool your connections, you avoid opening new network connections for calls to the same address and port. You can implement a connection pooling scheme in your application where requests are internally distributed across a fixed set of connections and reused when possible. This setup constrains the number of SNAT ports in use and creates a predictable environment. Connection pooling helps reduce latency and resource utilization and ultimately improve the performance of your applications.

+To learn more on pooling HTTP connections, see [Pool HTTP connections](/aspnet/core/performance/performance-best-practices#pool-http-connections-with-httpclientfactory) with HttpClientFactory.

+### Modify the application to reuse connections

+Rather than generating individual, atomic TCP connections for each request, configure your application to reuse connections. Connection reuse results in more performant TCP transactions and is especially relevant for protocols like HTTP/1.1, where connection reuse is the default. This reuse applies to other protocols that use HTTP as their transport such as REST.

+### Modify the application to use less aggressive retry logic

+When SNAT ports are exhausted or application failures occur, aggressive or brute force retries without delay and back-off logic cause exhaustion to occur or persist. You can reduce demand for SNAT ports by using a less aggressive retry logic.

+Depending on the configured idle timeout, if retries are too aggressive, connections may not have enough time to close and release SNAT ports for reuse.

+For extra guidance and examples, see [Retry pattern](../app-service/troubleshoot-intermittent-outbound-connection-errors.md).

+### Use keepalives to reset the outbound idle timeout

+For more information about keepalives, see [TCP idle timeout timers set higher than the default value](#tcp-idle-timeout-timers-set-higher-than-the-default-value).

+### Use Private link to reduce SNAT port usage for connecting to other Azure services

+When possible, Private Link should be used to connect directly from your virtual networks to Azure platform services in order to [reduce the demand](./troubleshoot-nat.md) on SNAT ports. Reducing the demand on SNAT ports can help reduce the risk of SNAT port exhaustion.

+To create a Private Link, see the following Quickstart guides to get started:

+* [Create a Private Endpoint](../private-link/create-private-endpoint-portal.md?tabs=dynamic-ip)

+* [Create a Private Link](../private-link/create-private-link-service-portal.md)

+## Next steps

+We always strive to enhance our customers' experience. If you encounter NAT gateway issues that not addressed or resolved by this article, provide feedback through GitHub at the bottom of this page.

+To learn more about NAT gateway, see:

+* [Azure NAT Gateway](./nat-overview.md)

+* [NAT gateway resource](./nat-gateway-resource.md)

+* [Metrics and alerts for NAT gateway resources](./nat-metrics.md)

+ Title: Troubleshoot Azure NAT Gateway

+description: Troubleshoot issues with NAT Gateway.

+# Troubleshoot Azure NAT Gateway

+This article provides guidance on how to correctly configure your NAT gateway and troubleshoot common configuration and deployment related issues.

+* [NAT gateway configuration basics](#nat-gateway-configuration-basics)

+* [NAT gateway in a failed state](#nat-gateway-in-a-failed-state)

+* [Add or remove NAT gateway](#add-or-remove-nat-gateway)

+* [Add or remove subnet](#add-or-remove-subnet)

+* [Add or remove public IPs](#add-or-remove-public-ip-addresses)

+## NAT gateway configuration basics

+Check the following configurations to ensure that NAT gateway can be used to direct traffic outbound:

+1. At least one public IP address or one public IP prefix is attached to NAT gateway. At least one public IP address must be associated with the NAT gateway for it to provide outbound connectivity.

+2. At least one subnet is attached to a NAT gateway. You can attach multiple subnets to a NAT gateway for going outbound, but those subnets must exist within the same virtual network. NAT gateway can't span beyond a single virtual network.

+3. No [NSG rules](../virtual-network/network-security-groups-overview.md#outbound) or [UDRs](./troubleshoot-nat-connectivity.md#virtual-appliance-udrs-and-expressroute-override-nat-gateway-for-routing-outbound-traffic) are blocking NAT gateway from directing traffic outbound to the internet.

+### How to validate connectivity

+[NAT gateway](./nat-overview.md#azure-nat-gateway-basics) supports IPv4 UDP and TCP protocols. ICMP isn't supported and is expected to fail.

+To validate end-to-end connectivity of NAT gateway, follow these steps:

+1. Validate that your [NAT gateway public IP address is being used](./quickstart-create-nat-gateway-portal.md#test-nat-gateway).

+2. Conduct TCP connection tests and UDP-specific application layer tests.

+3. Look at NSG flow logs to analyze outbound traffic flows from NAT gateway.

+Refer to the table below for which tools to use to validate NAT gateway connectivity.

+| Operating system | Generic TCP connection test | TCP application layer test | UDP |

+|||||

+| Linux | nc (generic connection test) | curl (TCP application layer test) | application specific |

+| Windows | [PsPing](/sysinternals/downloads/psping) | PowerShell [Invoke-WebRequest](/powershell/module/microsoft.powershell.utility/invoke-webrequest) | application specific |

+### How to analyze outbound connectivity

+To analyze outbound traffic from NAT gateway, use NSG flow logs. NSG flow logs provide connection information for your virtual machines. The connection information contains the source IP and port and the destination IP and port and the state of the connection. The traffic flow direction and the size of the traffic in number of packets and bytes sent is also logged. The source IP and port specified in the NSG flow log will be that of the virtual machine and not of the NAT gateway.

+* To learn more about NSG flow logs, see [NSG flow log overview](../network-watcher/network-watcher-nsg-flow-logging-overview.md).

+* For guides on how to enable NSG flow logs, see [Enabling NSG flow logs](../network-watcher/network-watcher-nsg-flow-logging-overview.md#enabling-nsg-flow-logs).

+* For guides on how to read NSG flow logs, see [Working with NSG flow logs](../network-watcher/network-watcher-nsg-flow-logging-overview.md#working-with-flow-logs).

+## NAT gateway in a failed state

+You may experience outbound connectivity failure if your NAT gateway resource is in a failed state. To get your NAT gateway out of a failed state, follow these instructions:

+1. Once you identify the resource that is in a failed state, go to [Azure Resource Explorer](https://resources.azure.com/) and identify the resource in this state.

+2. Update the toggle on the right-hand top corner to Read/Write.

+3. Select on Edit for the resource in failed state.

+4. Select on PUT followed by GET to ensure the provisioning state was updated to Succeeded.

+5. You can then proceed with other actions as the resource is out of failed state.

+## Add or remove NAT gateway

+### Can't delete NAT gateway

+NAT gateway must be detached from all subnets within a virtual network before the resource can be removed or deleted. See [Remove NAT gateway from an existing subnet and delete the resource](./manage-nat-gateway.md?tabs=manage-nat-portal#remove-a-nat-gateway-from-an-existing-subnet-and-delete-the-resource) for step by step guidance.

+## Add or remove subnet

+### NAT gateway can't be attached to subnet already attached to another NAT gateway

+A subnet within a virtual network can't have more than one NAT gateway attached to it for connecting outbound to the internet. An individual NAT gateway resource can be associated to multiple subnets within the same virtual network. NAT gateway can't span beyond a single virtual network.

+### Basic SKU resources can't exist in the same subnet as NAT gateway

+NAT gateway isn't compatible with basic resources, such as Basic Load Balancer or Basic Public IP. Basic resources must be placed on a subnet not associated with a NAT Gateway. Basic Load Balancer and Basic Public IP can be upgraded to standard to work with NAT gateway.

+* To upgrade a basic load balancer to standard, see [upgrade from basic public to standard public load balancer](../load-balancer/upgrade-basic-standard.md).

+* To upgrade a basic public IP to standard, see [upgrade from basic public to standard public IP](../virtual-network/ip-services/public-ip-upgrade-portal.md).

+### NAT gateway can't be attached to a gateway subnet

+NAT gateway can't be deployed in a gateway subnet. A gateway subnet is used by a VPN gateway for sending encrypted traffic between an Azure virtual network and on-premises location. See [VPN gateway overview](../vpn-gateway/vpn-gateway-about-vpngateways.md) to learn more about how gateway subnets are used by VPN gateway.

+### Can't attach NAT gateway to a subnet that contains a virtual machine NIC in a failed state

+When associating a NAT gateway to a subnet that contains a virtual machine network interface (NIC) in a failed state, you'll receive an error message indicating that this action can't be performed. You must first resolve the VM NIC failed state before you can attach a NAT gateway to the subnet.

+To get your virtual machine NIC out of a failed state, you can use one of the two following methods.

+#### Use PowerShell to get your virtual machine NIC out of a failed state

+1. Determine the provisioning state of your NICs using the [Get-AzNetworkInterface PowerShell command](/powershell/module/az.network/get-aznetworkinterface#example-2-get-all-network-interfaces-with-a-specific-provisioning-state) and setting the value of the "provisioningState" to "Succeeded".

+2. Perform [GET/SET PowerShell commands](/powershell/module/az.network/set-aznetworkinterface#example-1-configure-a-network-interface) on the network interface to update the provisioning state.

+3. Check the results of this operation by checking the provisioning state of your NICs again (follow commands from step 1).

+#### Use Azure Resource Explorer to get your virtual machine NIC out of a failed state

+1. Go to [Azure Resource Explorer](https://resources.azure.com/) (recommended to use Microsoft Edge browser)

+2. Expand Subscriptions (takes a few seconds for it to appear on the left)

+3. Expand your subscription that contains the VM NIC in the failed state

+4. Expand resourceGroups

+5. Expand the correct resource group that contains the VM NIC in the failed state

+6. Expand providers

+7. Expand Microsoft.Network

+8. Expand networkInterfaces

+9. Select on the NIC that is in the failed provisioning state

+10. Select the Read/Write button at the top

+11. Select the green GET button

+12. Select the blue EDIT button

+13. Select the green PUT button

+14. Select Read Only button at the top

+15. The VM NIC should now be in a succeeded provisioning state, you can close your browser

+## Add or remove public IP addresses

+### Can't exceed 16 public IP addresses on NAT gateway

+NAT gateway can't be associated with more than 16 public IP addresses. You can use any combination of public IP addresses and prefixes with NAT gateway up to a total of 16 IP addresses. To add or remove a public IP, see [add or remove a public IP address](/azure/virtual-network/nat-gateway/manage-nat-gateway?tabs=manage-nat-portal#add-or-remove-a-public-ip-address).

+The following IP prefix sizes can be used with NAT gateway:

+* /28 (sixteen addresses)

+* /29 (eight addresses)

+* /30 (four addresses)

+* /31 (two addresses)

+### IPv6 coexistence

+[NAT gateway](nat-overview.md) supports IPv4 UDP and TCP protocols. NAT gateway can't be associated to an IPv6 Public IP address or IPv6 Public IP Prefix. NAT gateway can be deployed on a dual stack subnet, but will still only use IPv4 Public IP addresses for directing outbound traffic. Deploy NAT gateway on a dual stack subnet when you need IPv6 resources to exist in the same subnet as IPv4 resources. See [Configure dual stack outbound connectivity with NAT gateway and public Load balancer](/azure/virtual-network/nat-gateway/tutorial-dual-stack-outbound-nat-load-balancer?tabs=dual-stack-outbound-portal) to learn how to provide IPv4 and IPv6 outbound connectivity from your dual stack subnet.

+### Can't use basic SKU public IPs with NAT gateway

+NAT gateway is a standard SKU resource and can't be used with basic SKU resources, including basic public IP addresses. You can upgrade your basic SKU public IP address in order to use with your NAT gateway using the following guidance: [Upgrade a public IP address](../virtual-network/ip-services/public-ip-upgrade-portal.md)

+### Can't mismatch zones of public IP addresses and NAT gateway

+NAT gateway is a [zonal resource](./nat-availability-zones.md) and can either be designated to a specific zone or to ΓÇÿno zoneΓÇÖ. When NAT gateway is placed in ΓÇÿno zoneΓÇÖ, Azure places the NAT gateway into a zone for you, but you don't have visibility into which zone the NAT gateway is located.

+NAT gateway can be used with public IP addresses designated to a specific zone, no zone, all zones (zone-redundant) depending on its own availability zone configuration. Follow guidance below:

+| NAT gateway availability zone designation | Public IP address / prefix designation that can be used |

+|||

+| No zone | Zone-redundant, No zone, or Zonal (the public IP zone designation can be any zone within a region in order to work with a no zone NAT gateway) |

+| Designated to a specific zone | The public IP address zone must match the zone of the NAT gateway |

+>[!NOTE]

+>If you need to know the zone that your NAT gateway resides in, make sure to designate it to a specific availability zone.

+## Next steps

+We're always looking to improve the experience of our customers. If you're experiencing issues with NAT gateway that aren't listed or resolved by this article, submit feedback through GitHub via the bottom of this page. We'll address your feedback as soon as possible.

+To learn more about NAT gateway, see:

+* [Azure NAT Gateway](nat-overview.md)

+* [NAT gateway resource](nat-gateway-resource.md)

+* [Manage NAT gateway](./manage-nat-gateway.md)

+* [Metrics and alerts for NAT gateway resources](nat-metrics.md).

+ Title: 'Tutorial: Configure dual-stack outbound connectivity with a NAT gateway and a public load balancer'

+description: Learn how to configure outbound connectivity for a dual stack network with a NAT gateway and a public load balancer.

+# Tutorial: Configure dual stack outbound connectivity with a NAT gateway and a public load balancer

+In this tutorial, learn how to configure NAT gateway and a public load balancer to a dual stack subnet in order to allow for outbound connectivity for v4 workloads using NAT gateway and v6 workloads using Public Load balancer.

+NAT gateway supports the use of IPv4 public IP addresses for outbound connectivity whereas load balancer supports both IPv4 and IPv6 public IP addresses. When NAT gateway with an IPv4 public IP is present with a load balancer using an IPv4 public IP address, NAT gateway takes precedence over load balancer for providing outbound connectivity. When a NAT gateway is deployed in a dual-stack network with a IPv6 load balancer, IPv4 outbound traffic is handled by the NAT gateway, and IPv6 outbound traffic is handled by the load balancer.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a virtual network

+> * Create a NAT gateway with an IPv4 public address

+> * Add IPv6 to the virtual network

+> * Create a public load balancer with an IPv6 public address

+> * Create a dual-stack virtual machine

+> * Validate outbound connectivity from your dual stack virtual machine

+## Prerequisites

+# [**Portal**](#tab/dual-stack-outbound-portal)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+# [**CLI**](#tab/dual-stack-outbound--cli)

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+## Create virtual network

+In this section, create a virtual network for the virtual machine and load balancer.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. Sign-in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+1. Select **+ Create**.

+1. In the **Basics** tab of **Create virtual network**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **TutorialIPv6NATLB-rg**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet**. |

+ | Region | Select **West US 2**. |

+1. Select the **IP Addresses** tab, or **Next: IP Addresses**.

+1. Leave the default IPv4 address space of **10.1.0.0/16**. If the default is absent or different, enter an IPv4 address space of **10.1.0.0/16**.

+1. Select **default** under **Subnet name**. If default is missing, select **+ Add subnet**.

+1. In **Subnet name**, enter **myBackendSubnet**.

+1. Leave the default IPv4 subnet of **10.1.0.0/24**.

+1. Select **Save**. If creating a subnet, select **Add**.

+1. Select the **Security** tab or select **Next: Security**.

+1. In **BastionHost**, select **Enable**.

+1. Enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Bastion name | **myBastion** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26**. |

+ | Public IP address | Select **Create new**. </br> Enter **myPublicIP-Bastion** in **Name**. </br> Select **OK**. |

+1. Select the **Review + create**.

+1. Select **Create**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+### Create a resource group

+An Azure resource group is a logical container where Azure resources are deployed and managed.

+Create a resource group with [az group create](/cli/azure/group#az-group-create).

+```azurecli-interactive

+az group create \

+ --name TutorialIPv6NATLB-rg \

+ --location westus2

+```

+### Create network and subnets

+Use [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) to create the virtual network.

+```azurecli-interactive

+az network vnet create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --location westus2 \

+ --name myVNet \

+ --address-prefixes '10.1.0.0/16'

+```

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_create) to create the IPv4 subnet for the virtual network and the Azure Bastion subnet.

+```azurecli-interactive

+az network vnet subnet create \

+ --name myBackendSubnet \

+ --resource-group TutorialIPv6NATLB-rg \

+ --vnet-name myVNet \

+ --address-prefixes '10.1.0.0/24'

+```

+```azurecli-interactive

+az network vnet subnet create \

+ --name AzureBastionSubnet \

+ --resource-group TutorialIPv6NATLB-rg \

+ --vnet-name myVNet \

+ --address-prefixes '10.1.1.0/26'

+```

+### Create bastion host

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public IP address for the bastion host.

+```azurecli-interactive

+az network public-ip create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-Bastion \

+ --sku standard \

+ --zone 1 2 3

+```

+Use [az network bastion create](/cli/azure/network/bastion#az_network_bastion_create) to create the bastion host.

+```azurecli-interactive

+az network bastion create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myBastion \

+ --public-ip-address myPublicIP-Bastion \

+ --vnet-name myVNet \

+ --location westus2

+```

+It takes a few minutes for the bastion host to deploy. You can proceed to the next steps when the virtual network is deployed.

+## Create NAT gateway

+The NAT gateway provides the outbound connectivity for the IPv4 portion of the virtual network. Use the following example to create a NAT gateway.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+1. Select **+ Create**.

+1. In the **Basics** tab of **Create network address translation (NAT) gateway**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialIPv6NATLB-rg**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select **West US 2**. |

+ | Availability zone | Select a zone or **No Zone**. |

+ | TCP idle timeout (minutes) | Leave the default of **4**. |

+1. Select **Next: Outbound IP**.

+1. In **Public IP addresses**, select **Create a new public IP address**.

+1. Enter **myPublicIP-NAT** in **Name**. Select **OK**.

+1. Select **Next: Subnet**.

+1. In **Virtual network**, select **myVNet**.

+1. In the list of subnets, select the box for **myBackendSubnet**.

+1. Select **Review + create**.

+1. Select **Create**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public IPv4 address for the NAT gateway.

+```azurecli-interactive

+az network public-ip create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-NAT \

+ --sku standard \

+ --zone 1 2 3

+```

+Use [az network nat gateway create](/cli/azure/network/nat/gateway#az-network-nat-gateway-create) to create the NAT gateway.

+```azurecli-interactive

+az network nat gateway create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myNATgateway \

+ --public-ip-addresses myPublicIP-NAT \

+ --idle-timeout 4

+```

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update) to associate the NAT gateway with **myBackendSubnet**.

+```azurecli-interactive

+az network vnet subnet update \

+ --resource-group TutorialIPv6NATLB-rg \

+ --vnet-name myVNet \

+ --name myBackendSubnet \

+ --nat-gateway myNATgateway

+```

+## Add IPv6 to virtual network

+The addition of IPv6 to the virtual network must be done after the NAT gateway is associated with **myBackendSubnet**. Use the following example to add and IPv6 address space and subnet to the virtual network you created in the previous steps.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+1. Select **myVNet**.

+1. In **Settings**, select **Address space**.

+1. In the box that displays **Add additional address range**, enter **2404:f800:8000:122::/63**.

+1. Select **Save**.

+1. Select **Subnets** in **Settings**.

+1. Select **myBackendSubnet** in the list of subnets.

+1. Select the box next to **Add IPv6 address space**.

+1. Enter **2404:f800:8000:122::/64** in **IPv6 address space**.

+1. Select **Save**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+Use [az network vnet update](/cli/azure/network/vnet#az-network-vnet-update) to add the IPv6 address space to the virtual network.

+```azurecli-interactive

+az network vnet update \

+ --address-prefixes 10.1.0.0/16 2404:f800:8000:122::/63 \

+ --name myVNet \

+ --resource-group TutorialIPv6NATLB-rg

+```

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update) to add the IPv6 subnet to the virtual network.

+```azurecli-interactive

+az network vnet subnet update \

+ --address-prefixes 10.1.0.0/24 2404:f800:8000:122::/64 \

+ --name myBackendSubnet \

+ --vnet-name myVNet \

+ --resource-group TutorialIPv6NATLB-rg

+```

+## Create dual-stack virtual machine

+The network configuration of the virtual machine has IPv4 and IPv6 configurations. Create the virtual machine with an internal IPv4 address. Then add the IPv6 configuration to the network interface of the virtual machine.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **+ Create** then **Azure virtual machine**.

+1. In the **Basics** tab of **Create a virtual machine**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialIPv6NATLB-rg**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM**. |

+ | Region | Select **(US) West US 2**. |

+ | Availability options | Leave the default of **No infrastructure redundancy required**. |

+ | Security type | Leave the default of **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Confirm password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+1. Select the **Networking** tab, or **Next: Disks** then **Next: Networking**.

+1. In the **Networking tab**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **myBackendSubnet (10.1.0.0/24,2404:f800:8000:122::/64)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **None**. |

+1. Select **Review + create**.

+1. Select **Create**.

+Wait for the virtual machine to finish deploying before continuing on to the next steps.

+### Add IPv6 to virtual machine

+The support IPv6, the virtual machine must have a IPv6 network configuration added to the network interface. Use the following example to add a IPv6 network configuration to the virtual machine.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **myVM**.

+1. In **Settings** select **Networking**.

+1. Select the name of the network interface in the **Network Interface:** field. The name of the network interface is the virtual machine name plus a random number. In this example, it's **myVM202**.

+1. In the network interface properties, select **IP configurations** in **Settings**.

+1. Select **+ Add**.

+1. Enter or select the following information in **Add IP configuration**:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **ipv6config**. |

+ | IP version | Select **IPv6**. |

+1. Leave the rest of the settings at the defaults and select **OK**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+### Create NSG

+Use [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create) to create a network security group for the virtual machine.

+```azurecli-interactive

+az network nsg create \

+ --name myNSG \

+ --resource-group TutorialIPv6NATLB-rg

+```

+Use [az network nsg rule create](/cli/azure/network/nsg/rule#az-network-nsg-rule-create) to create a rule for RDP connectivity to the virtual machine.

+```azurecli-interactive

+az network nsg rule create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --nsg-name myNSG \

+ --name myNSGRuleRDP \

+ --protocol '*' \

+ --direction inbound \

+ --source-address-prefix '*' \

+ --source-port-range '*' \

+ --destination-address-prefix '*' \

+ --destination-port-range 3389 \

+ --access allow \

+ --priority 200

+```

+### Create network interface

+Use [az network nic create](/cli/azure/network/nic#az-network-nic-create) to create the network interface for the virtual machine.

+```azurecli-interactive

+az network nic create \

+ --name myNIC \

+ --resource-group TutorialIPv6NATLB-rg \

+ --vnet-name myVNet \

+ --subnet myBackendSubnet \

+ --private-ip-address-version IPv4

+```

+### Add IPv6 to network interface

+The support IPv6, the virtual machine must have a IPv6 network configuration added to the network interface. IPv6 can't be the primary IP configuration for a virtual machine network interface. For more information, see [Overview of IPv6](../virtual-network/ip-services/ipv6-overview.md).

+Use [az network nic ip-config create](/cli/azure/network/nic/ip-config#az_network_nic_ip_config_create) to add the IPv6 configuration to the network interface.

+```azurecli-interactive

+az network nic ip-config create \

+ --name ipconfig-IPv6 \

+ --nic-name myNIC \

+ --resource-group TutorialIPv6NATLB-rg \

+ --vnet-name myVNet \

+ --subnet myBackendSubnet \

+ --private-ip-address-version IPv6

+```

+### Create the virtual machine

+Use [az vm create](/cli/azure/vm#az-vm-create) to create the virtual machine.

+```azurecli-interactive

+az vm create \

+ --name myVM \

+ --resource-group TutorialIPv6NATLB-rg \

+ --admin-username azureuser \

+ --image Win2022Datacenter \

+ --nics myNIC

+ ```

+## Create public load balancer

+The public load balancer has a front-end IPv6 address and outbound rule for the backend pool of the load balancer. The outbound rule controls the behavior of the external IPv6 connections for virtual machines in the backend pool. Use the following example to create an IPv6 public load balancer.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+1. Select **+ Create**.

+1. In the **Basics** tab of **Create load balancer**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialIPv6NATLB-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myLoadBalancer**. |

+ | Region | Select **West US 2**. |

+ | SKU | Leave the default of **Standard**. |

+ | Type | Select **Public**. |

+1. Select **Next: Frontend IP configuration**.

+1. Select **+ Add a frontend IP configuration**.

+1. Enter or select the following information in **Add frontend IP configuration**:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myFrontend-IPv6**. |

+ | IP version | Select **IPv6**. |

+ | IP type | Select **IP address**. |

+ | Public IP address | Select **Create new**. </br> In **Name** enter **myPublicIP-IPv6**. </br> Select **OK**. |

+1. Select **Add**.

+1. Select **Next: Backend pools**.

+1. Select **+ Add a backend pool**.

+1. Enter or select the following information in **Add backend pool**:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myBackendPool**. |

+ | Virtual network | Select **myVNet (TutorialIPv6NATLB-rg)**. |

+ | Backend Pool Configuration | Leave the default of **NIC**. |

+1. Select **Save**.

+1. Select **Next: Inbound rules** then **Next: Outbound rules**.

+1. Select **Add an outbound rule**.

+1. Enter or select the following information in **Add outbound rule**:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myOutboundRule**. |

+ | IP Version | Select **IPv6**. |

+ | Frontend IP address | Select **myFrontend-IPv6**. |

+ | Protocol | Leave the default of **All**. |

+ | Idle timeout (minutes) | Leave the default of **4**. |

+ | TCP Reset | Leave the default of **Enabled**. |

+ | Backend pool | Select **myBackendPool**. |

+ | **Port allocation** | |

+ | Port allocation | Select **Manually choose number of outbound ports**. |

+ | **Outbound ports** | |

+ | Choose by | Select **Ports per instance**. |

+ | Ports per instance | Enter **20000**. |

+1. Select **Add**.

+1. Select **Review + create**.

+1. Select **Create**.

+Wait for the load balancer to finish deploying before proceeding to the next steps.

+### Add virtual machine to load balancer

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+1. Select **myLoadBalancer**.

+1. In **Settings** select **Backend pools**.

+1. Select **myBackendPool**.

+1. In **Virtual network** select **myVNet (TutorialIPv6NATLB-rg)**.

+1. In **IP configurations** select **+ Add**.

+1. Select the checkbox for **myVM** that corresponds with the **IP configuration** of **ipv6config**. Don't select **ipconfig1**.

+1. Select **Add**.

+1. Select **Save**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public IPv6 address for the frontend IP address of the load balancer.

+```azurecli-interactive

+az network public-ip create \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-IPv6 \

+ --sku standard \

+ --version IPv6 \

+ --zone 1 2 3

+```

+Use [az network lb create](/cli/azure/network/lb#az-network-lb-create) to create the load balancer.

+```azurecli-interactive

+az network lb create \

+ --name myLoadBalancer \

+ --resource-group TutorialIPv6NATLB-rg \

+ --backend-pool-name myBackendPool \

+ --frontend-ip-name myFrontend-IPv6 \

+ --location westus2 \

+ --public-ip-address myPublicIP-IPv6 \

+ --sku Standard

+```

+Use [az network lb outbound-rule create](/cli/azure/network/lb/outbound-rule#az-network-lb-outbound-rule-create) to create the outbound rule for the backend pool of the load balancer. The outbound rule enables outbound connectivity for virtual machines in the backend pool of the load balancer.

+```azurecli-interactive

+az network lb outbound-rule create \

+ --address-pool myBackendPool \

+ --frontend-ip-configs myFrontend-IPv6 \

+ --lb-name myLoadBalancer \

+ --name myOutBoundRule \

+ --protocol All \

+ --resource-group TutorialIPv6NATLB-rg \

+ --outbound-ports 20000 \

+ --enable-tcp-reset true

+```

+### Add virtual machine to load balancer

+Use [az network nic ip-config address-pool add](/cli/azure/network/nic/ip-config/address-pool#az-network-nic-ip-config-address-pool-add) to add the network interface of the virtual machine to the backend pool of the load balancer.

+```azurecli-interactive

+az network nic ip-config address-pool add \

+ --address-pool myBackendPool \

+ --ip-config-name ipconfig-IPv6 \

+ --nic-name myNIC \

+ --resource-group TutorialIPv6NATLB-rg \

+ --lb-name myLoadBalancer

+```

+## Validate outbound connectivity

+Connect to the virtual machine with Azure Bastion to verify the IPv4 and IPv6 outbound traffic.

+### Obtain IPv4 and IPv6 public IP addresses

+Before you can validate outbound connectivity, make not of the IPv4, and IPv6 public IP addresses you created previously. Use the following example to obtain the public IP addresses.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **Public IP address**. Select **Public IP addresses** in the search results.

+1. Select **myPublicIP-NAT**.

+1. Make note of the address in **IP address**. In this example, it's **20.230.191.5**.

+1. Return to **Public IP addresses**.

+1. Select **myPublicIP-IPv6**.

+1. Make note of the address in **IP address**. In this example, it's **2603:1030:c02:8::14**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+Use [az network public-ip show](/cli/azure/network/public-ip#az-network-public-ip-show) to obtain the IPv4 and IPv6 public IP addresses.

+### IPv4

+```azurecli-interactive

+az network public-ip show \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-NAT \

+ --query ipAddress \

+ --output tsv

+```

+```output

+azureuser@Azure:~$ az network public-ip show \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-NAT \

+ --query ipAddress \

+ --output tsv

+40.90.217.214

+```

+### IPv6

+```azurecli-interactive

+az network public-ip show \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-IPv6 \

+ --query ipAddress \

+ --output tsv

+```

+```output

+azureuser@Azure:~$ az network public-ip show \

+ --resource-group TutorialIPv6NATLB-rg \

+ --name myPublicIP-IPv6 \

+ --query ipAddress \

+ --output tsv

+2603:1030:c04:3::4d

+```

+Make note of both IP addresses. Use the IPs to verify the outbound connectivity for each stack.

+### Test connectivity

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. Sign-in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **myVM**.

+1. In the **Overview** of **myVM**, select **Connect** then **Bastion**.

+1. Enter the username and password you created when you created the virtual machine.

+1. Select **Connect**.

+1. On the desktop of **myVM**, open **Microsoft Edge**.

+1. To confirm the IPv4 address, enter `http://v4.testmyipv6.com` in the address bar.

+1. You should see the IPv4 address displayed. In this example, the IP of **20.230.191.5** is displayed.

+ :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/portal-verify-ipv4.png" alt-text="Screenshot of outbound IPv4 public IP address from portal steps.":::

+1. In the address bar, enter `http://v6.testmyipv6.com`

+1. You should see the IPv6 address displayed. In this example, the IP of **2603:1030:c02:8::14** is displayed.

+ :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/portal-verify-ipv6.png" alt-text="Screenshot of outbound IPv6 public IP address from portal steps.":::

+1. Close the bastion connection to **myVM**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+1. Sign-in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+1. Select **myVM**.

+1. In the **Overview** of **myVM**, select **Connect** then **Bastion**.

+1. Enter the username and password you created when you created the virtual machine.

+1. Select **Connect**.

+1. On the desktop of **myVM**, open **Microsoft Edge**.

+1. To confirm the IPv4 address, enter `http://v4.testmyipv6.com` in the address bar.

+1. You should see the IPv4 address displayed. In this example, the IP of **40.90.217.214** displayed.

+ :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/cli-verify-ipv4.png" alt-text="Screenshot of outbound IPv4 public IP address from CLI steps.":::

+1. In the address bar, enter `http://v6.testmyipv6.com`

+1. You should see the IPv6 address displayed. In this example, the IP of **2603:1030:c04:3::4d** is displayed.

+ :::image type="content" source="./media/tutorial-dual-stack-outbound-nat-load-balancer/cli-verify-ipv6.png" alt-text="Screenshot of outbound IPv6 public IP address from CLI steps.":::

+1. Close the bastion connection to **myVM**.

+## Clean up resources

+When your finished with the resources created in this article, delete the resource group and all of the resources it contains.

+# [**Portal**](#tab/dual-stack-outbound-portal)

+1. In the search box at the top of the portal, enter **TutorialIPv6NATLB-rg**. Select **TutorialIPv6NATLB-rg** in the search results in **Resource groups**.

+1. Select **Delete resource group**.

+1. Enter **TutorialIPv6NATLB-rg** for **TYPE THE RESOURCE GROUP NAME** and select **Delete**.

+# [**CLI**](#tab/dual-stack-outbound--cli)

+Use [az group delete](/cli/azure/group#az-group-delete) to delete the resource group and the resources it contains.

+```azurecli-interactive

+az group delete \

+ --name TutorialIPv6NATLB-rg

+```

+## Next steps

+Advance to the next article to learn how to:

+> [!div class="nextstepaction"]

+> [Integrate NAT gateway in a hub and spoke network](tutorial-hub-spoke-route-nat.md)

+ Title: 'Tutorial: Integrate NAT gateway with Azure Firewall in a hub and spoke network'

+description: Learn how to integrate a NAT gateway and Azure Firewall in a hub and spoke network.

+# Tutorial: Integrate NAT gateway with Azure Firewall in a hub and spoke network for outbound connectivity

+In this tutorial, youΓÇÖll learn how to integrate a NAT gateway with an Azure Firewall in a hub and spoke network

+Azure Firewall provides [2,496 SNAT ports per public IP address](../firewall/integrate-with-nat-gateway.md) configured per backend Virtual Machine Scale Set instance (minimum of two instances). You can associate up to 250 public IP addresses to Azure Firewall. Depending on your architecture requirements and traffic patterns, you may require more SNAT ports than what Azure Firewall can provide. You may also require the use of fewer public IPs while also requiring more SNAT ports. A better method for outbound connectivity is to use NAT gateway. NAT gateway provides 64,512 SNAT ports per public IP address and can be used with up to 16 public IP addresses.

+NAT gateway can be integrated with Azure Firewall by configuring NAT gateway directly to the Azure Firewall subnet in order to provide a more scalable method of outbound connectivity. For production deployments, a hub and spoke network is recommended, where the firewall is in its own virtual network. The workload servers are peered virtual networks in the same region as the hub virtual network where the firewall resides. In this architectural setup, NAT gateway can provide outbound connectivity from the hub virtual network for all spoke virtual networks peered.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a hub virtual network and deploy an Azure Firewall and Azure Bastion during deployment

+> * Create a NAT gateway and associate it with the firewall subnet in the hub virtual network

+> * Create a spoke virtual network

+> * Create a virtual network peering

+> * Create a route table for the spoke virtual network

+> * Create a firewall policy for the hub virtual network

+> * Create a virtual machine to test the outbound connectivity through the NAT gateway

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create the hub virtual network

+The hub virtual network contains the firewall subnet that is associated with the Azure Firewall and NAT gateway. Use the following example to create the hub virtual network.

+1. Sign in to the [Azure portal](https://portal.azure.com)

+2. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+3. Select **+ Create**.

+4. In the **Basics** tab of **Create virtual network**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **TutorialNATHubSpokeFW-rg**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet-Hub**. |

+ | Region | Select **South Central US**. |

+5. Select **Next: IP Addresses**.

+6. In the **IP Addresses** tab in **IPv4 address space**, select the trash can to delete the address space that is auto populated.

+7. In **IPv4 address space** enter **10.1.0.0/16**.

+8. Select **+ Add subnet**.

+9. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-private**. |

+ | Subnet address range | Enter **10.1.0.0/24**. |

+10. Select **Add**.

+11. Select **Next: Security**.

+12. In the **Security** tab in **BastionHost**, select **Enable**.

+13. Enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Bastion name | Enter **myBastion**. |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26**. |

+ | Public IP address | Select **Create new**. </br> In **Name** enter **myPublicIP-Bastion**. </br> Select **OK**. |

+14. In **Firewall** select **Enable**.

+15. Enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Firewall name | Enter **myFirewall**. |

+ | Firewall subnet address space | Enter **10.1.2.0/26**. |

+ | Public IP address | Select **Create new**. </br> In **Name** enter **myPublicIP-Firewall**. </br> Select **OK**. |

+16. Select **Review + create**.

+17. Select **Create**.

+It will take a few minutes for the bastion host and firewall to deploy. When the virtual network is created as part of the deployment, you can proceed to the next steps.

+## Create the NAT gateway

+All outbound internet traffic will traverse the NAT gateway to the internet. Use the following example to create a NAT gateway for the hub and spoke network and associate it with the **AzureFirewallSubnet**.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+2. Select **+ Create**.

+3. In the **Basics** tab of **Create network address translation (NAT) gateway** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpokeFW-rg**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select **South Central US**. |

+ | Availability zone | Select a **Zone** or **No zone**. |

+ | TCP idle timeout (minutes) | Leave the default of **4**. |

+

+ For more information about availability zones, see [NAT gateway and availability zones](nat-availability-zones.md).

+5. Select **Next: Outbound IP**.

+6. In **Outbound IP** in **Public IP addresses**, select **Create a new public IP address**.

+7. Enter **myPublicIP-NAT** in **Name**.

+8. Select **OK**.

+9. Select **Next: Subnet**.

+10. In **Virtual Network** select **myVNet-Hub**.

+11. Select **AzureFirewallSubnet** in **Subnet name**.

+12. Select **Review + create**.

+13. Select **Create**.

+## Create spoke virtual network

+The spoke virtual network contains the test virtual machine used to test the routing of the internet traffic to the NAT gateway. Use the following example to create the spoke network.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **+ Create**.

+3. In the **Basics** tab of **Create virtual network**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpokeFW-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet-Spoke**. |

+ | Region | Select **South Central US**. |

+4. Select **Next: IP Addresses**.

+5. In the **IP Addresses** tab in **IPv4 address space**, select the trash can to delete the address space that is auto populated.

+6. In **IPv4 address space** enter **10.2.0.0/16**.

+7. Select **+ Add subnet**.

+8. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-private**. |

+ | Subnet address range | Enter **10.2.0.0/24**. |

+9. Select **Add**.

+10. Select **Review + create**.

+12. Select **Create**.

+## Create peering between the hub and spoke

+A virtual network peering is used to connect the hub to the spoke and the spoke to the hub. Use the following example to create a two-way network peering between the hub and spoke.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **myVNet-Hub**.

+3. Select **Peerings** in **Settings**.

+4. Select **+ Add**.

+5. Enter or select the following information in **Add peering**:

+ | Setting | Value |

+ | - | -- |

+ | **This virtual network** | |

+ | Peering link name | Enter **myVNet-Hub-To-myVNet-Spoke**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+ | **Remote virtual network** | |

+ | Peering link name | Enter **myVNet-Spoke-To-myVNet-Hub**. |

+ | Virtual network deployment model | Leave the default of **Resource manager**. |

+ | Subscription | Select your subscription. |

+ | Virtual network | Select **myVNet-Spoke**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+6. Select **Add**.

+7. Select **Refresh** and verify **Peering status** is **Connected**.

+## Create spoke network route table

+A route table will force all traffic leaving the spoke virtual network to the hub virtual network. The route table is configured with the private IP address of the Azure Firewall as the virtual appliance.

+### Obtain private IP address of firewall

+The private IP address of the firewall is needed for the route table created later in this article. Use the following example to obtain the firewall private IP address.

+1. In the search box at the top of the portal, enter **Firewall**. Select **Firewall** in the search results.

+2. Select **myFirewall**.

+3. In the **Overview** of **myFirewall**, note the IP address in the field **Firewall private IP**. The IP address should be **10.1.2.4**.

+### Create route table

+Create a route table to force all inter-spoke and internet egress traffic through the firewall in the hub virtual network.

+1. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+2. Select **+ Create**.

+3. In **Create Route table** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpokeFW-rg**. |

+ | **Instance details** | |

+ | Region | Select **South Central US**. |

+ | Name | Enter **myRouteTable-Spoke**. |

+ | Propagate gateway routes | Select **No**. |

+4. Select **Review + create**.

+5. Select **Create**.

+6. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+7. Select **myRouteTable-Spoke**.

+8. In **Settings** select **Routes**.

+9. Select **+ Add** in **Routes**.

+10. Enter or select the following information in **Add route**:

+ | Setting | Value |

+ | - | -- |

+ | Route name | Enter **Route-To-Hub**. |

+ | Address prefix destination | Select **IP Addresses**. |

+ | Destination IP addresses/CIDR ranges | Enter **0.0.0.0/0**. |

+ | Next hop type | Select **Virtual appliance**. |

+ | Next hop address | Enter **10.1.2.4**. |

+11. Select **Add**.

+12. Select **Subnets** in **Settings**.

+13. Select **+ Associate**.

+14. Enter or select the following information in **Associate subnet**:

+ | Setting | Value |

+ | - | -- |

+ | Virtual network | Select **myVNet-Spoke (TutorialNATHubSpokeFW-rg)**. |

+ | Subnet | Select **subnet-private**. |

+15. Select **OK**.

+## Configure firewall

+Traffic from the spoke through the hub must be allowed through and firewall policy and a network rule. Use the following example to create the firewall policy and network rule.

+### Create firewall policy

+1. In the search box at the top of the portal, enter **Firewall**. Select **Firewalls** in the search results.

+2. Select **myFirewall**.

+3. In the **Overview** select **Migrate to firewall policy**.

+4. In **Migrate to firewall policy** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpokeFW-rg**. |

+ | **Policy details** | |

+ | Name | Enter **myFirewallPolicy**. |

+ | Region | Select **South Central US**. |

+5. Select **Review + create**.

+6. Select **Create**.

+### Configure network rule

+1. In the search box at the top of the portal, enter **Firewall**. Select **Firewall Policies** in the search results.

+2. Select **myFirewallPolicy**.

+3. In **Settings** select **Network rules**.

+4. Select **+ Add a rule collection**.

+5. In **Add a rule collection** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **SpokeToInternet**. |

+ | Rule collection type | Select **Network**. |

+ | Priority | Enter **100**. |

+ | Rule collection action | Select **Allow**. |

+ | Rule collection group | Select **DefaultNetworkRuleCollectionGroup**. |

+ | Rules | |

+ | Name | Enter **AllowWeb**. |

+ | Source type | **IP Address**. |

+ | Source | Enter **10.2.0.0/24**. |

+ | Protocol | Select **TCP**. |

+ | Destination Ports | Enter **80**,**443**. |

+ | Destination Type | Select **IP Address**. |

+ | Destination | Enter * |

+6. Select **Add**.

+## Create test virtual machine

+A Windows Server 2022 virtual machine is used to test the outbound internet traffic through the NAT gateway. Use the following example to create a Windows Server 2022 virtual machine.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** then **Azure virtual machine**.

+3. In **Create a virtual machine** enter or select the following information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpokeFW-rg**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM-Spoke**. |

+ | Region | Select **South Central US**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

+ | VM architecture | Leave the default of **x64**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Authentication type | Select **Password**. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select **Next: Disks** then **Next: Networking**.

+5. In the Networking tab, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet-Spoke**. |

+ | Subnet | Select **subnet-private (10.2.0.0/24)**. |

+ | Public IP | Select **None**. |

+6. Leave the rest of the options at the defaults and select **Review + create**.

+7. Select **Create**.

+## Test NAT gateway

+You'll connect to the Windows Server 2022 virtual machines you created in the previous steps to verify that the outbound internet traffic is leaving the NAT gateway.

+### Obtain NAT gateway public IP address

+Obtain the NAT gateway public IP address for verification of the steps later in the article.

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. Select **myPublic-NAT**.

+3. Make note of value in **IP address**. The example used in this article is **20.225.88.213**.

+### Test NAT gateway from spoke

+Use Microsoft Edge on the Windows Server 2022 virtual machine to connect to https://whatsmyip.com to verify the functionality of the NAT gateway.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM-Spoke**.

+3. Select **Connect** then **Bastion**.

+4. Enter the username and password you entered when the virtual machine was created.

+5. Select **Connect**.

+6. Open **Microsoft Edge** when the desktop finishes loading.

+7. In the address bar, enter **https://whatsmyip.com**.

+8. Verify the outbound IP address displayed is the same as the IP of the NAT gateway you obtained previously.

+ :::image type="content" source="./media/tutorial-hub-spoke-nat-firewall/outbound-ip-address.png" alt-text="Screenshot of outbound IP address.":::

+## Clean up resources

+If you're not going to continue to use this application, delete the created resources with the following steps:

+1. In the search box at the top of the portal, enter **Resource group**. Select **Resource groups** in the search results.

+2. Select **TutorialNATHubSpokeFW-rg**.

+3. In the **Overview** of **TutorialNATHubSpokeFW-rg**, select **Delete resource group**.

+4. In **TYPE THE RESOURCE GROUP NAME:**, enter **TutorialNATHubSpokeFW-rg**.

+5. Select **Delete**.

+## Next steps

+Advance to the next article to learn how to integrate a NAT gateway with an Azure Load Balancer:

+> [!div class="nextstepaction"]

+> [Integrate NAT gateway with an internal load balancer](tutorial-nat-gateway-load-balancer-internal-portal.md)

+ Title: 'Tutorial: Use a NAT gateway with a hub and spoke network'

+description: Learn how to integrate a NAT gateway into a hub and spoke network with a network virtual appliance.

+# Tutorial: Use a NAT gateway with a hub and spoke network

+A hub and spoke network is one of the building blocks of a highly available multiple location network infrastructure. The most common deployment of a hub and spoke network is done with the intention of routing all inter-spoke and outbound internet traffic through the central hub. The purpose is to inspect all of the traffic traversing the network with a Network Virtual Appliance (NVA) for security scanning and packet inspection.

+For outbound traffic to the internet, the network virtual appliance would typically have one network interface with an assigned public IP address. The NVA after inspecting the outbound traffic forwards the traffic out the public interface and to the internet. Azure NAT Gateway eliminates the need for the public IP address assigned to the NVA. Associating a NAT gateway with the public subnet of the NVA changes the routing for the public interface to route all outbound internet traffic through the NAT gateway. The elimination of the public IP address increases security and allows for the scaling of outbound source network address translation (SNAT) with multiple public IP addresses and or public IP prefixes.

+> [!IMPORTANT]

+> The NVA used in this article is for demonstration purposes only and is simulated with an Ubuntu virtual machine. The solution doesn't include a load balancer for high availability of the NVA deployment. Replace the Ubuntu virtual machine in this article with an NVA of your choice. Consult the vendor of the chosen NVA for routing and configuration instructions. A load balancer and availability zones is recommended for a highly available NVA infrastructure.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a NAT gateway.

+> * Create a hub and spoke virtual network.

+> * Create a simulated Network Virtual Appliance (NVA).

+> * Force all traffic from the spokes through the hub.

+> * Force all internet traffic in the hub and the spokes out the NAT gateway.

+> * Test the NAT gateway and inter-spoke routing.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create a NAT gateway

+All outbound internet traffic will traverse the NAT gateway to the internet. Use the following example to create a NAT gateway for the hub and spoke network.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+3. Select **+ Create**.

+4. In the **Basics** tab of **Create network address translation (NAT) gateway** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **TutorialNATHubSpoke-rg** in **Name**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select **South Central US**. |

+ | Availability zone | Select a **Zone** or **No zone**. |

+ | TCP idle timeout (minutes) | Leave the default of **4**. |

+5. Select **Next: Outbound IP**.

+6. In **Outbound IP** in **Public IP addresses**, select **Create a new public IP address**.

+7. Enter **myPublicIP-NAT** in **Name**.

+8. Select **OK**.

+9. Select **Review + create**.

+10. Select **Create**.

+## Create hub virtual network

+The hub virtual network is the central network of the solution. The hub network contains the NVA appliance and a public and private subnet. The NAT gateway is assigned to the public subnet during the creation of the virtual network. An Azure Bastion host is configured as part of the following example. The bastion host is used to securely connect to the NVA virtual machine and the test virtual machines deployed in the spokes later in the article.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **+ Create**.

+3. In the **Basics** tab of **Create virtual network**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet-Hub**. |

+ | Region | Select **South Central US**. |

+4. Select **Next: IP Addresses**.

+5. In the **IP Addresses** tab in **IPv4 address space**, select the trash can to delete the address space that is auto populated.

+6. In **IPv4 address space** enter **10.1.0.0/16**.

+7. Select **+ Add subnet**.

+8. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-private**. |

+ | Subnet address range | Enter **10.1.0.0/24**. |

+9. Select **Add**.

+10. Select **+ Add subnet**.

+11. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-public**. |

+ | Subnet address range | Enter **10.1.253.0/28**. |

+ | **NAT GATEWAY** | |

+ | NAT gateway | Select **myNATgateway**. |

+12. Select **Add**.

+13. Select **Next: Security**.

+14. In the **Security** tab in **BastionHost**, select **Enable**.

+15. Enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Bastion name | Enter **myBastion**. |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26**. |

+ | Public IP address | Select **Create new**. </br> In **Name** enter **myPublicIP-Bastion**. </br> Select **OK**. |

+16. Select **Review + create**.

+17. Select **Create**.

+It will take a few minutes for the bastion host to deploy. When the virtual network is created as part of the deployment, you can proceed to the next steps.

+## Create simulated NVA virtual machine

+The simulated NVA will act as a virtual appliance to route all traffic between the spokes and hub and traffic outbound to the internet. An Ubuntu virtual machine is used for the simulated NVA. Use the following example to create the simulated NVA and configure the network interfaces.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** then **Azure virtual machine**.

+3. In **Create a virtual machine** enter or select the following information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM-NVA**. |

+ | Region | Select **(US) South Central US**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Ubuntu Server 20.04 LTS - x64 Gen2**. |

+ | VM architecture | Leave the default of **x64**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Authentication type | Select **Password**. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select **Next: Disks** then **Next: Networking**.

+5. In the Networking tab, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet-Hub**. |

+ | Subnet | Select **subnet-public**. |

+ | Public IP | Select **None**. |

+6. Leave the rest of the options at the defaults and select **Review + create**.

+7. Select **Create**.

+### Configure virtual machine network interfaces

+The IP configuration of the primary network interface of the virtual machine is set to dynamic by default. Use the following example to change the primary network interface IP configuration to static and add a secondary network interface for the private interface of the NVA.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM-NVA**.

+3. In the **Overview** select **Stop** if the virtual machine is running.

+4. Select **Networking** in **Settings**.

+5. In **Networking** select the network interface name next to **Network Interface:**. The interface name is the virtual machine name and random numbers and letters. In this example, the interface name is **myvm-nva271**.

+6. In the network interface properties, select **IP configurations** in **Settings**.

+7. In **IP forwarding** select **Enabled**.

+8. Select **Save**.

+9. When the save action completes, select **ipconfig1**.

+10. In **Assignment** in **ipconfig1** select **Static**.

+11. In **IP address** enter **10.1.253.10**.

+12. Select **Save**.

+13. When the save action completes, return to the networking configuration for **myVM-NVA**.

+14. In **Networking** of **myVM-NVA** select **Attach network interface**.

+15. Select **Create and attach network interface**.

+16. In **Create network interface** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Network interface** | |

+ | Name | Enter **myVM-NVA-private-nic**. |

+ | Subnet | Select **subnet-private (10.1.0.0/24)**. |

+ | NIC network security group | Select **Advanced**. |

+ | Configure network security group | Select **myVM-VNA-nsg**. |

+ | Private IP address assignment | Select **Static**. |

+ | Private IP address | Enter **10.1.0.10**. |

+17. Select **Create**.

+### Configure virtual machine software

+The routing for the simulated NVA uses IP tables and internal NAT in the Ubuntu virtual machine. Connect to the NVA virtual machine with Azure Bastion to configure IP tables and the routing configuration.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM-NVA**.

+3. Start **myVM-NVA**.

+4. When the virtual machine is completed booting, continue with the next steps.

+5. Select **Connect** then **Bastion**.

+6. Enter the username and password you entered when the virtual machine was created.

+7. Select **Connect**.

+8. Enter the following information at the prompt of the virtual machine to enable IP forwarding:

+ ```bash

+ sudo vim /etc/sysctl.conf

+ ```

+9. In the Vim editor, remove the **`#`** from the line **`net.ipv4.ip_forward=1`**:

+ Press the **Insert** key.

+ ```bash

+ # Uncomment the next line to enable packet forwarding for IPv4

+ net.ipv4.ip_forward=1

+ ```

+ Press the **Esc** key.

+ Enter **`:wq`** and press **Enter**.

+10. Enter the following information to enable internal NAT in the virtual machine:

+ ```bash

+ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

+ sudo apt-get update

+ sudo apt install iptables-persistent

+ ```

+ Select **Yes** twice.

+ ```bash

+ sudo su

+ iptables-save > /etc/iptables/rules.v4

+ exit

+ ```

+11. Use Vim to edit the configuration with the following information:

+ ```bash

+ sudo vim /etc/rc.local

+ ```

+ Press the **Insert** key.

+ Add the following line to the configuration file:

+

+ ```bash

+ /sbin/iptables-restore < /etc/iptables/rules.v4

+ ```

+ Press the **Esc** key.

+ Enter **`:wq`** and press **Enter**.

+12. Reboot the virtual machine:

+ ```bash

+ sudo reboot

+ ```

+## Create hub network route table

+Route tables are used to overwrite Azure's default routing. Create a route table to force all traffic within the hub private subnet through the simulated NVA.

+1. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+2. Select **+ Create**.

+3. In **Create Route table** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Region | Select **South Central US**. |

+ | Name | Enter **myRouteTable-NAT-Hub**. |

+ | Propagate gateway routes | Leave the default of **Yes**. |

+4. Select **Review + create**.

+5. Select **Create**.

+6. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+7. Select **myRouteTable-NAT-Hub**.

+8. In **Settings** select **Routes**.

+9. Select **+ Add** in **Routes**.

+10. Enter or select the following information in **Add route**:

+ | Setting | Value |

+ | - | -- |

+ | Route name | Enter **default-via-NAT-Hub**. |

+ | Address prefix destination | Select **IP Addresses**. |

+ | Destination IP addresses/CIDR ranges | Enter **0.0.0.0/0**. |

+ | Next hop type | Select **Virtual appliance**. |

+ | Next hop address | Enter **10.1.0.10**. </br> **_This is the IP address you added to the private interface of the NVA in the previous steps._**. |

+11. Select **Add**.

+12. Select **Subnets** in **Settings**.

+13. Select **+ Associate**.

+14. Enter or select the following information in **Associate subnet**:

+ | Setting | Value |

+ | - | -- |

+ | Virtual network | Select **myVNet-Hub (TutorialNATHubSpoke-rg)**. |

+ | Subnet | Select **subnet-private**. |

+15. Select **OK**.

+## Create spoke one virtual network

+Create another virtual network in a different region for the first spoke of the hub and spoke network.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **+ Create**.

+3. In the **Basics** tab of **Create virtual network**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet-Spoke-1**. |

+ | Region | Select **East US 2**. |

+4. Select **Next: IP Addresses**.

+5. In the **IP Addresses** tab in **IPv4 address space**, select the trash can to delete the address space that is auto populated.

+6. In **IPv4 address space** enter **10.2.0.0/16**.

+7. Select **+ Add subnet**.

+8. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-private**. |

+ | Subnet address range | Enter **10.2.0.0/24**. |

+9. Select **Add**.

+10. Select **Review + create**.

+11. Select **Create**.

+## Create peering between hub and spoke one

+A virtual network peering is used to connect the hub to spoke one and spoke one to the hub. Use the following example to create a two-way network peering between the hub and spoke one.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **myVNet-Hub**.

+3. Select **Peerings** in **Settings**.

+4. Select **+ Add**.

+5. Enter or select the following information in **Add peering**:

+ | Setting | Value |

+ | - | -- |

+ | **This virtual network** | |

+ | Peering link name | Enter **myVNet-Hub-To-myVNet-Spoke-1**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+ | **Remote virtual network** | |

+ | Peering link name | Enter **myVNet-Spoke-1-To-myVNet-Hub**. |

+ | Virtual network deployment model | Leave the default of **Resource manager**. |

+ | Subscription | Select your subscription. |

+ | Virtual network | Select **myVNet-Spoke-1**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+6. Select **Add**.

+7. Select **Refresh** and verify **Peering status** is **Connected**.

+## Create spoke one network route table

+Create a route table to force all inter-interspoke and internet egress traffic through the simulated NVA in the hub virtual network.

+1. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+2. Select **+ Create**.

+3. In **Create Route table** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Region | Select **East US 2**. |

+ | Name | Enter **myRouteTable-NAT-Spoke-1**. |

+ | Propagate gateway routes | Leave the default of **Yes**. |

+4. Select **Review + create**.

+5. Select **Create**.

+6. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+7. Select **myRouteTable-NAT-Spoke-1**.

+8. In **Settings** select **Routes**.

+9. Select **+ Add** in **Routes**.

+10. Enter or select the following information in **Add route**:

+ | Setting | Value |

+ | - | -- |

+ | Route name | Enter **default-via-NAT-Spoke-1**. |

+ | Address prefix destination | Select **IP Addresses**. |

+ | Destination IP addresses/CIDR ranges | Enter **0.0.0.0/0**. |

+ | Next hop type | Select **Virtual appliance**. |

+ | Next hop address | Enter **10.1.0.10**. </br> **_This is the IP address you added to the private interface of the NVA in the previous steps._**. |

+11. Select **Add**.

+12. Select **Subnets** in **Settings**.

+13. Select **+ Associate**.

+14. Enter or select the following information in **Associate subnet**:

+ | Setting | Value |

+ | - | -- |

+ | Virtual network | Select **myVNet-Spoke-1 (TutorialNATHubSpoke-rg)**. |

+ | Subnet | Select **subnet-private**. |

+15. Select **OK**.

+## Create spoke one test virtual machine

+A Windows Server 2022 virtual machine is used to test the outbound internet traffic through the NAT gateway and inter-spoke traffic in the hub and spoke network. Use the following example to create a Windows Server 2022 virtual machine.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** then **Azure virtual machine**.

+3. In **Create a virtual machine** enter or select the following information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM-Spoke-1**. |

+ | Region | Select **(US) East US 2**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

+ | VM architecture | Leave the default of **x64**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Authentication type | Select **Password**. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select **Next: Disks** then **Next: Networking**.

+5. In the Networking tab, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet-Spoke-1**. |

+ | Subnet | Select **subnet-private (10.2.0.0/24)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **Allow selected ports**. |

+ | Select inbound ports | Select **HTTP (80)**. </br> Select **RDP (3389)**. |

+6. Leave the rest of the options at the defaults and select **Review + create**.

+7. Select **Create**.

+## Create the second spoke virtual network

+Create the second virtual network for the second spoke of the hub and spoke network.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **+ Create**.

+3. In the **Basics** tab of **Create virtual network**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet-Spoke-2**. |

+ | Region | Select **West US 2**. |

+4. Select **Next: IP Addresses**.

+5. In the **IP Addresses** tab in **IPv4 address space**, select the trash can to delete the address space that is auto populated.

+6. In **IPv4 address space** enter **10.3.0.0/16**.

+7. Select **+ Add subnet**.

+8. In **Add subnet** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Subnet name | Enter **subnet-private**. |

+ | Subnet address range | Enter **10.3.0.0/24**. |

+9. Select **Add**.

+10. Select **Review + create**.

+11. Select **Create**.

+## Create peering between hub and spoke two

+Create a two-way virtual network peer between the hub and spoke two.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **myVNet-Hub**.

+3. Select **Peerings** in **Settings**.

+4. Select **+ Add**.

+5. Enter or select the following information in **Add peering**:

+ | Setting | Value |

+ | - | -- |

+ | **This virtual network** | |

+ | Peering link name | Enter **myVNet-Hub-To-myVNet-Spoke-2**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+ | **Remote virtual network** | |

+ | Peering link name | Enter **myVNet-Spoke-2-To-myVNet-Hub**. |

+ | Virtual network deployment model | Leave the default of **Resource manager**. |

+ | Subscription | Select your subscription. |

+ | Virtual network | Select **myVNet-Spoke-2**. |

+ | Traffic to remote virtual network | Leave the default of **Allow (default)**. |

+ | Traffic forwarded from remote virtual network | Leave the default of **Allow (default)**. |

+ | Virtual network gateway or Route Server | Leave the default of **None**. |

+6. Select **Add**.

+7. Select **Refresh** and verify **Peering status** is **Connected**.

+## Create spoke two network route table

+Create a route table to force all outbound internet and inter-spoke traffic through the simulated NVA in the hub virtual network.

+1. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+2. Select **+ Create**.

+3. In **Create Route table** enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Region | Select **West US 2**. |

+ | Name | Enter **myRouteTable-NAT-Spoke-2**. |

+ | Propagate gateway routes | Leave the default of **Yes**. |

+4. Select **Review + create**.

+5. Select **Create**.

+6. In the search box at the top of the portal, enter **Route table**. Select **Route tables** in the search results.

+7. Select **myRouteTable-NAT-Spoke-2**.

+8. In **Settings** select **Routes**.

+9. Select **+ Add** in **Routes**.

+10. Enter or select the following information in **Add route**:

+ | Setting | Value |

+ | - | -- |

+ | Route name | Enter **default-via-NAT-Spoke-2**. |

+ | Address prefix destination | Select **IP Addresses**. |

+ | Destination IP addresses/CIDR ranges | Enter **0.0.0.0/0**. |

+ | Next hop type | Select **Virtual appliance**. |

+ | Next hop address | Enter **10.1.0.10**. </br> **_This is the IP address you added to the private interface of the NVA in the previous steps._**. |

+11. Select **Add**.

+12. Select **Subnets** in **Settings**.

+13. Select **+ Associate**.

+14. Enter or select the following information in **Associate subnet**:

+ | Setting | Value |

+ | - | -- |

+ | Virtual network | Select **myVNet-Spoke-2 (TutorialNATHubSpoke-rg)**. |

+ | Subnet | Select **subnet-private**. |

+15. Select **OK**.

+## Create spoke two test virtual machine

+Create a Windows Server 2022 virtual machine for the test virtual machine in spoke two.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** then **Azure virtual machine**.

+3. In **Create a virtual machine** enter or select the following information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorialNATHubSpoke-rg**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM-Spoke-2**. |

+ | Region | Select **(US) West US 2**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter - x64 Gen2**. |

+ | VM architecture | Leave the default of **x64**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Authentication type | Select **Password**. |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select **Next: Disks** then **Next: Networking**.

+5. In the Networking tab, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet-Spoke-2**. |

+ | Subnet | Select **subnet-private (10.3.0.0/24)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **Allow selected ports**. |

+ | Select inbound ports | Select **HTTP (80)**. </br> Select **RDP (3389)**. |

+6. Leave the rest of the options at the defaults and select **Review + create**.

+7. Select **Create**.

+## Test NAT gateway

+You'll connect to the Windows Server 2022 virtual machines you created in the previous steps to verify that the outbound internet traffic is leaving the NAT gateway.

+### Obtain NAT gateway public IP address

+Obtain the NAT gateway public IP address for verification of the steps later in the article.

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. Select **myPublic-NAT**.

+3. Make note of value in **IP address**. The example used in this article is **52.153.224.79**.

+### Test NAT gateway from spoke one

+Use Microsoft Edge on the Windows Server 2022 virtual machine to connect to https://whatsmyip.com to verify the functionality of the NAT gateway.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM-Spoke-1**.

+3. Select **Connect** then **Bastion**.

+4. Enter the username and password you entered when the virtual machine was created.

+5. Select **Connect**.

+6. Open **Microsoft Edge** when the desktop finishes loading.

+7. In the address bar, enter **https://whatsmyip.com**.

+8. Verify the outbound IP address displayed is the same as the IP of the NAT gateway you obtained previously.

+ :::image type="content" source="./media/tutorial-hub-spoke-route-nat/outbound-ip-address.png" alt-text="Screenshot of outbound IP address.":::

+9. Open **Windows PowerShell**.

+10. Use the following example to install IIS. IIS will be used later to test inter-spoke routing.

+ ```powershell

+ Install-WindowsFeature Web-Server

+ ```

+11. Leave the bastion connection open to **myVM-Spoke-1**.

+### Test NAT gateway from spoke two

+Use Microsoft Edge on the Windows Server 2022 virtual machine to connect to https://whatsmyip.com to verify the functionality of the NAT gateway.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM-Spoke-2**.

+3. Select **Connect** then **Bastion**.

+4. Enter the username and password you entered when the virtual machine was created.

+5. Select **Connect**.

+6. Open **Microsoft Edge** when the desktop finishes loading.

+7. In the address bar, enter **https://whatsmyip.com**.

+8. Verify the outbound IP address displayed is the same as the IP of the NAT gateway you obtained previously.

+ :::image type="content" source="./media/tutorial-hub-spoke-route-nat/outbound-ip-address.png" alt-text="Screenshot of outbound IP address.":::

+9. Open **Windows PowerShell**.

+10. Use the following example to install IIS. IIS will be used later to test inter-spoke routing.

+ ```powershell

+ Install-WindowsFeature Web-Server

+ ```

+11. Leave the bastion connection open to **myVM-Spoke-2**.

+## Test routing between the spokes

+Traffic from spoke one to spoke two and spoke two to spoke one will route through the simulated NVA in the hub virtual network. Use the following examples to verify the routing between spokes of the hub and spoke network.

+### Test routing from spoke one to spoke two

+Use Microsoft Edge to connect to the web server on **myVM-Spoke-2** you installed in the previous steps.

+1. Return to the open bastion connection to **myVM-Spoke-1**.

+2. Open **Microsoft Edge** if it's not open.

+3. In the address bar, enter **10.3.0.4**.

+4. Verify the default IIS page is displayed from **myVM-Spoke-2**.

+ :::image type="content" source="./media/tutorial-hub-spoke-route-nat/iis-myvm-spoke-1.png" alt-text="Screenshot of default IIS page on myVM-Spoke-1.":::

+5. Close the bastion connection to **myVM-Spoke-1**.

+### Test routing from spoke two to spoke one

+Use Microsoft Edge to connect to the web server on **myVM-Spoke-1** you installed in the previous steps.

+1. Return to the open bastion connection to **myVM-Spoke-2**.

+2. Open **Microsoft Edge** if it's not open.

+3. In the address bar, enter **10.2.0.4**.

+4. Verify the default IIS page is displayed from **myVM-Spoke-1**.

+ :::image type="content" source="./media/tutorial-hub-spoke-route-nat/iis-myvm-spoke-2.png" alt-text="Screenshot of default IIS page on myVM-Spoke-2.":::

+5. Close the bastion connection to **myVM-Spoke-1**.

+## Clean up resources

+If you're not going to continue to use this application, delete the created resources with the following steps:

+1. In the search box at the top of the portal, enter **Resource group**. Select **Resource groups** in the search results.

+2. Select **myResourceGroup**.

+3. In the **Overview** of **myResourceGroup**, select **Delete resource group**.

+4. In **TYPE THE RESOURCE GROUP NAME:**, enter **TutorialNATHubSpoke-rg**.

+5. Select **Delete**.

+## Next steps

+Advance to the next article to learn how to use an Azure Gateway Load Balancer for highly available network virtual appliances:

+> [!div class="nextstepaction"]

+> [Gateway Load Balancer](../load-balancer/gateway-overview.md)

+ Title: 'Tutorial: Migrate a virtual machine public IP address to NAT gateway'

+description: Learn how to migrate your virtual machine public IP to a NAT gateway.

+# Tutorial: Migrate a virtual machine public IP address to Azure NAT Gateway

+In this article, you'll learn how to migrate your virtual machine's public IP address to a NAT gateway. You'll learn how to remove the IP address from the virtual machine. You'll reuse the IP address from the virtual machine for the NAT gateway.

+Azure NAT Gateway is the recommended method for outbound connectivity. Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service. A NAT gateway doesn't have the same limitations of SNAT port exhaustion as default outbound access. A NAT gateway replaces the need for a virtual machine to have a public IP address to have outbound connectivity.

+For more information about Azure NAT Gateway, see [What is Azure NAT Gateway](nat-overview.md)

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Remove the public IP address from the virtual machine.

+> * Associate the public IP address from the virtual machine with a NAT gateway.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure Virtual Machine with a public IP address assigned to its network interface. For more information on creating a virtual machine with a public IP, see [Quickstart: Create a Windows virtual machine in the Azure portal](../virtual-machines/windows/quick-create-portal.md).

+

+ * For the purposes of this article, the example virtual machine is named **myVM**. The example public IP address is named **myPublicIP**.

+> [!NOTE]

+> Removal of the public IP address prevents direct connections to the virtual machine from the internet. RDP or SSH access won't function to the virtual machine after you complete this migration. To securely manage virtual machines in your subscription, use Azure Bastion. For more information on Azure Bastion, see [What is Azure Bastion?](../bastion/bastion-overview.md).

+## Remove public IP from virtual machine

+In this section, you'll learn how to remove the public IP address from the virtual machine.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines**.

+3. In **Virtual machines**, select **myVM** or your virtual machine.

+4. In the **Overview** of **myVM**, select **Public IP address**.

+

+ :::image type="content" source="./media/tutorial-migrate-ilip-nat/select-public-ip.png" alt-text="Screenshot of virtual machines public IP address.":::

+5. In **myPublicIP**, select the **Overview** page in the left-hand column.

+6. In **Overview**, select **Dissociate**.

+ :::image type="content" source="./media/tutorial-migrate-ilip-nat/remove-public-ip.png" alt-text="Screenshot of virtual machines public IP address overview and removal of IP address.":::

+7. Select **Yes** in **Dissociate public IP address**.

+### (Optional) Upgrade IP address

+The NAT gateway resource requires a standard SKU public IP address. In this section, you'll upgrade the IP you removed from the virtual machine in the previous section. If the IP address you removed is already a standard SKU public IP, you can proceed to the next section.

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses**.

+2. In **Public IP addresses**, select **myPublicIP** or your basic SKU IP address.

+3. In the **Overview** of **myPublicIP**, select the IP address upgrade banner.

+ :::image type="content" source="./media/tutorial-migrate-ilip-nat/select-upgrade-banner.png" alt-text="Screenshot of public IP address upgrade banner.":::

+4. In **Upgrade to Standard SKU**, select the box next to **I acknowledge**. Select the **Upgrade** button.

+ :::image type="content" source="./media/tutorial-migrate-ilip-nat/upgrade-public-ip.png" alt-text="Screenshot of upgrade public IP address selection.":::

+5. When the upgrade is complete, proceed to the next section.

+## Create NAT gateway

+In this section, youΓÇÖll create a NAT gateway with the IP address you previously removed from the virtual machine. You'll assign the NAT gateway to your pre-created subnet within your virtual network. The subnet name for this example is **default**.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+2. In **NAT gateways**, select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select the region of your virtual network. In this example, it's **West US 2**. |

+ | Availability zone | Leave the default of **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+5. In **Public IP addresses** in the **Outbound IP** tab, select the IP address from the previous section in **Public IP addresses**. In this example, it's **myPublicIP**.

+6. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+7. In the pull-down box for **Virtual network**, select your virtual network.

+8. In **Subnet name**, select the checkbox for your subnet. In this example, it's **default**.

+9. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+10. Select **Create**.

+## Clean up resources

+If you're not going to continue to use this application, delete the NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **myResourceGroup** resource group.

+3. Select **Delete resource group**.

+4. Enter **myResourceGroup** and select **Delete**.

+## Next steps

+In this article, you learned how to:

+* Remove a public IP address from a virtual machine.

+* Create a NAT gateway and use the public IP address from the virtual machine for the NAT gateway resource.

+Any virtual machine created within this subnet won't require a public IP address and will automatically have outbound connectivity. For more information about NAT gateway and the connectivity benefits it provides, see [Design virtual networks with NAT gateway](nat-gateway-resource.md).

+Advance to the next article to learn how to migrate default outbound access to Azure NAT Gateway:

+> [!div class="nextstepaction"]

+> [Migrate outbound access to NAT gateway](tutorial-migrate-outbound-nat.md)

+ Title: 'Tutorial: Migrate outbound access to NAT gateway'

+description: Learn how to migrate outbound access in your virtual network to a NAT gateway.

+# Tutorial: Migrate outbound access to Azure NAT Gateway

+In this article, you'll learn how to migrate your outbound connectivity from [default outbound access](../virtual-network/ip-services/default-outbound-access.md) to a NAT gateway. You'll learn how to change your outbound connectivity from load balancer outbound rules to a NAT gateway. You'll reuse the IP address from the outbound rule configuration for the NAT gateway.

+Azure NAT Gateway is the recommended method for outbound connectivity. A NAT gateway is a fully managed and highly resilient Network Address Translation (NAT) service. A NAT gateway doesn't have the same limitations of SNAT port exhaustion as default outbound access. A NAT gateway replaces the need for outbound rules in a load balancer for outbound connectivity.

+For more information about Azure NAT Gateway, see [What is Azure NAT Gateway](nat-overview.md)

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Migrate default outbound access to a NAT gateway.

+> * Migrate load balancer outbound connectivity and IP address to a NAT gateway.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* A standard public load balancer in your subscription. The load balancer must have a separate frontend IP address and outbound rules configured. For more information on creating an Azure Load Balancer, see [Quickstart: Create a public load balancer to load balance VMs using the Azure portal](../load-balancer/quickstart-load-balancer-standard-public-portal.md)

+ * The load balancer name used in the examples is **myLoadBalancer**.

+> [!NOTE]

+> Azure NAT Gateway provides outbound connectivity for standard internal load balancers. For more information on integrating a NAT gateway with your internal load balancers, see [Tutorial: Integrate a NAT gateway with an internal load balancer using Azure portal](tutorial-nat-gateway-load-balancer-internal-portal.md).

+## Migrate default outbound access

+In this section, youΓÇÖll learn how to change your outbound connectivity method from default outbound access to a NAT gateway.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+3. In **NAT gateways**, select **+ Create**.

+4. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select the region of your virtual network. In this example, it's **West Europe**. |

+ | Availability zone | Leave the default of **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+5. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+6. In **Public IP addresses** in the **Outbound IP** tab, select **Create a new public IP address**.

+7. In **Add a public IP address**, enter **myNATgatewayIP** in **Name**. Select **OK**.

+8. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+9. In the pull-down box for **Virtual network**, select your virtual network.

+10. In **Subnet name**, select the checkbox next to your subnet.

+11. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+12. Select **Create**.

+## Migrate load balancer outbound connectivity

+In this section, youΓÇÖll learn how to change your outbound connectivity method from outbound rules to a NAT gateway. You'll keep the same frontend IP address used for the outbound rules. You'll remove the outbound ruleΓÇÖs frontend IP configuration then create a NAT gateway with the same frontend IP address. A public load balancer is used throughout this section.

+### Remove outbound rule frontend IP configuration

+You remove the outbound rule and the associated frontend IP configuration from your load balancer. The load balancer name used in this example is **myLoadBalancer**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+3. Select **myLoadBalancer** or your load balancer.

+4. In **myLoadBalancer**, select **Frontend IP configuration** in **Settings**.

+5. Note the **IP address** in **Frontend IP configuration** that you wish to migrate to a **NAT gateway**. You'll need this information in the next section. In this example, it's **myFrontendIP-outbound**.

+6. Select **Delete** next to the IP configuration you wish to remove. In this example, it's **myFrontendIP-outbound**.

+ :::image type="content" source="./media/tutorial-migrate-outbound-nat/frontend-ip.png" alt-text="Screenshot of frontend IP address removal for NAT gateway.":::

+7. Select **Delete**.

+8. In **Delete myFrontendIP-outbound**, select the check box next to **I have read and understood that this frontend IP configuration as well as the associated resources listed above will be deleted**.

+9. Select **Delete**. This procedure will delete the frontend IP configuration and the outbound rule associated with the frontend.

+ :::image type="content" source="./media/tutorial-migrate-outbound-nat/delete-frontend-ip.png" alt-text="Screenshot of confirmation of frontend IP address removal for NAT gateway.":::

+### Create NAT gateway

+In this section, youΓÇÖll create a NAT gateway with the IP address previously used for outbound rule and assign it to your pre-created subnet within your virtual network. The subnet name for this example is **myBackendSubnet**.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+2. In **NAT gateways**, select **+ Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **myResourceGroup**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway**. |

+ | Region | Select the region of your virtual network. In this example, it's **West Europe**. |

+ | Availability zone | Leave the default of **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+5. In **Public IP addresses** in the **Outbound IP** tab, select the IP address you noted from the previous section. In this example, it's **myPublicIP-outbound**.

+6. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+7. In the pull-down box for **Virtual network**, select your virtual network.

+8. In **Subnet name**, select the checkbox for your subnet. In this example, it's **myBackendSubnet**.

+9. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+10. Select **Create**.

+## Clean up resources

+If you're not going to continue to use this application, delete

+the NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **myResourceGroup** resource group.

+3. Select **Delete resource group**.

+4. Enter **myResourceGroup** and select **Delete**.

+## Next steps

+In this article, you learned how to:

+* Migrate default outbound access to a NAT gateway.

+* Migrate load balancer outbound connectivity and IP address to a NAT gateway.

+For more information about NAT gateway and the connectivity benefits it provides, see [Design virtual networks with NAT gateway](nat-gateway-resource.md).

+Advance to the next article to learn how to integrate a NAT gateway with a public load balancer:

+> [!div class="nextstepaction"]

+> [Integrate a NAT gateway with a public load balancer using the Azure portal](tutorial-nat-gateway-load-balancer-public-portal.md)

+ Title: 'Tutorial: Integrate NAT gateway with an internal load balancer - Azure portal'

+description: In this tutorial, learn how to integrate a NAT gateway with an internal load Balancer using the Azure portal.

+# Tutorial: Integrate a NAT gateway with an internal load balancer using the Azure portal

+In this tutorial, you'll learn how to integrate a NAT gateway with an internal load balancer.

+By default, an Azure Standard Load Balancer is secure. Outbound connectivity is explicitly defined by enabling outbound SNAT (Source Network Address Translation).

+SNAT is enabled for an internal backend pool via another public load balancer, network routing, or a public IP defined on a virtual machine.

+The NAT gateway integration replaces the need for the deployment of a public load balancer, network routing, or a public IP defined on a virtual machine in the backend pool.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create an Azure Load Balancer

+> * Create two virtual machines for the backend pool of the Azure Load Balancer

+> * Create a NAT gateway

+> * Validate outbound connectivity of the virtual machines in the load balancer backend pool

+## Prerequisites

+An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create the virtual network

+In this section, you'll create a virtual network and subnet.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the upper-left side of the screen, select **Create a resource > Networking > Virtual network** or search for **Virtual network** in the search box.

+2. Select **Create**.

+3. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **Create new**. Enter **TutorIntLBNAT-rg**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **(US) East US** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. In the **IP Addresses** tab, enter this information:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.1.0.0/16** |

+6. Under **Subnet name**, select the word **default**.

+7. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **myBackendSubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+8. Select **Save**.

+9. Select the **Security** tab or select the **Next: Security** button at the bottom of the page.

+10. Under **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/24** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. Select the **Review + create** tab or select the **Review + create** button.

+12. Select **Create**.

+## Create load balancer

+In this section, you create a load balancer that load balances virtual machines.

+During the creation of the load balancer, you'll configure:

+* Frontend IP address

+* Backend pool

+* Inbound load-balancing rules

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+2. In the **Load balancer** page, select **Create**.

+3. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

+ | Setting | Value |

+ | | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorIntLBNAT-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myLoadBalancer** |

+ | Region | Select **(US) East US**. |

+ | SKU | Leave the default **Standard**. |

+ | Type | Select **Internal**. |

+4. Select **Next: Frontend IP configuration** at the bottom of the page.

+5. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

+6. Enter **LoadBalancerFrontend** in **Name**.

+7. Select **myVNet** in **Virtual network**.

+8. Select **myBackendSubnet** in **Subnet**.

+9. Select **Dynamic** for **Assignment**.

+10. Select **Zone-redundant** in **Availability zone**.

+ > [!NOTE]

+ > In regions with [Availability Zones](../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones), you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear. </br> For more information on availability zones, see [Availability zones overview](../availability-zones/az-overview.md).

+11. Select **Add**.

+12. Select **Next: Backend pools** at the bottom of the page.

+13. In the **Backend pools** tab, select **+ Add a backend pool**.

+14. Enter **myBackendPool** for **Name** in **Add backend pool**.

+15. Select **NIC** or **IP Address** for **Backend Pool Configuration**.

+16. Select **IPv4** or **IPv6** for **IP version**.

+17. Select **Add**.

+18. Select the **Next: Inbound rules** button at the bottom of the page.

+19. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

+20. In **Add load balancing rule**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myHTTPRule** |

+ | IP Version | Select **IPv4** or **IPv6** depending on your requirements. |

+ | Frontend IP address | Select **LoadBalancerFrontend**. |

+ | Backend pool | Select **myBackendPool**. |

+ | Protocol | Select **TCP**. |

+ | Port | Enter **80**. |

+ | Backend port | Enter **80**. |

+ | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **HTTP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

+ | Session persistence | Select **None**. |

+ | Idle timeout (minutes) | Enter or select **15**. |

+ | TCP reset | Select **Enabled**. |

+ | Floating IP | Select **Disabled**. |

+21. Select **Add**.

+22. Select the blue **Review + create** button at the bottom of the page.

+23. Select **Create**.

+## Create virtual machines

+In this section, you'll create two VMs (**myVM1** and **myVM2**) in two different zones (**Zone 1** and **Zone 2**).

+These VMs are added to the backend pool of the load balancer that was created earlier.

+1. On the upper-left side of the portal, select **Create a resource** > **Compute** > **Virtual machine**.

+

+2. In **Create a virtual machine**, type or select the values in the **Basics** tab:

+ | Setting | Value |

+ |--|-|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **TutorIntLBNAT-rg** |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM1** |

+ | Region | Select **(US) East US** |

+ | Availability Options | Select **Availability zones** |

+ | Availability zone | Select **1** |

+ | Image | Select **Windows Server 2019 Datacenter** |

+ | Azure Spot instance | Leave the default |

+ | Size | Choose VM size or take default setting |

+ | **Administrator account** | |

+ | Username | Enter a username |

+ | Password | Enter a password |

+ | Confirm password | Reenter password |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None** |

+3. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+

+4. In the Networking tab, select or enter:

+ | Setting | Value |

+ |-|-|

+ | **Network interface** | |

+ | Virtual network | **myVNet** |

+ | Subnet | **myBackendSubnet** |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Advanced**|

+ | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> Under **Destination port ranges**, enter **80**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

+ | **Load balancing** |

+ | Place this virtual machine behind an existing load-balancing solution? | Select the check box. |

+ | **Load balancing settings** |

+ | Load balancing options | Select **Azure load balancer** |

+ | Select a load balancer | Select **myLoadBalancer** |

+ | Select a backend pool | Select **myBackendPool** |

+

+5. Select **Review + create**.

+

+6. Review the settings, and then select **Create**.

+7. Follow the steps 1 to 6 to create a VM with the following values and all the other settings the same as **myVM1**:

+ | Setting | VM 2 |

+ | - | -- |

+ | Name | **myVM2** |

+ | Availability zone | **2** |

+ | Network security group | Select the existing **myNSG**|

+## Create NAT gateway

+In this section, you'll create a NAT gateway and assign it to the subnet in the virtual network you created previously.

+1. On the upper-left side of the screen, select **Create a resource > Networking > NAT gateway** or search for **NAT gateway** in the search box.

+2. Select **Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **TutorIntLBNAT-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myNATGateway** |

+ | Region | Select **(US) East US** |

+ | Availability Zone | Select **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+5. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myNATgatewayIP**. </br> Select **OK**. |

+6. Select the **Subnet** tab, or select the **Next: Subnet** button at the bottom of the page.

+7. In the **Subnet** tab, select **myVNet** in the **Virtual network** pull-down.

+8. Check the box next to **myBackendSubnet**.

+9. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+10. Select **Create**.

+## Test NAT gateway

+In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. Select **Resource groups** in the left-hand menu, select the **TutorIntLBNAT-rg** resource group, and then from the resources list, select **myNATgatewayIP**.

+2. Make note of the public IP address:

+ :::image type="content" source="./media/tutorial-nat-gateway-load-balancer-internal-portal/find-public-ip.png" alt-text="Screenshot of discover public IP address of NAT gateway." border="true":::

+3. Select **Resource groups** in the left-hand menu, select the **TutorIntLBNAT-rg** resource group, and then from the resources list, select **myVM1**.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+5. Enter the username and password entered during VM creation.

+6. Open **Internet Explorer** on **myVM1**.

+7. Enter **https://whatsmyip.com** in the address bar.

+8. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/tutorial-nat-gateway-load-balancer-internal-portal/my-ip.png" alt-text="Screenshot of Internet Explorer showing external outbound IP." border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **TutorIntLBNAT-rg** resource group.

+3. Select **Delete resource group**.

+4. Enter **TutorIntLBNAT-rg** and select **Delete**.

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Azure NAT Gateway overview](nat-overview.md)

+ Title: 'Tutorial: Integrate NAT gateway with a public load balancer - Azure portal'

+description: In this tutorial, learn how to integrate a NAT gateway with a public load Balancer using the Azure portal.

+# Tutorial: Integrate a NAT gateway with a public load balancer using the Azure portal

+In this tutorial, you'll learn how to integrate a NAT gateway with a public load balancer.

+By default, an Azure Standard Load Balancer is secure. Outbound connectivity is explicitly defined by enabling outbound SNAT (Source Network Address Translation). SNAT is enabled in a load-balancing rule or outbound rules.

+The NAT gateway integration replaces the need for outbound rules for backend pool outbound SNAT.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create an Azure Load Balancer

+> * Create two virtual machines for the backend pool of the Azure Load Balancer

+> * Create a NAT gateway

+> * Validate outbound connectivity of the virtual machines in the load balancer backend pool

+## Prerequisites

+An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create the virtual network

+In this section, you'll create a virtual network and subnet.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. In **Virtual networks**, select **+ Create**.

+3. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **Create new**. </br> In **Name** enter **TutorPubLBNAT-rg**. </br> Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **(US) East US** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. In the **IP Addresses** tab, enter this information:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.1.0.0/16** |

+6. Under **Subnet name**, select the word **default**.

+7. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **myBackendSubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+8. Select **Save**.

+9. Select the **Security** tab or select the **Next: Security** button at the bottom of the page.

+10. Under **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/27** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. Select the **Review + create** tab or select the **Review + create** button.

+12. Select **Create**.

+## Create load balancer

+In this section, you'll create a zone redundant load balancer that load balances virtual machines. With zone-redundancy, one or more availability zones can fail and the data path survives as long as one zone in the region remains healthy.

+During the creation of the load balancer, you'll configure:

+* Frontend IP address

+* Backend pool

+* Inbound load-balancing rules

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+2. In the **Load balancer** page, select **Create**.

+3. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

+ | Setting | Value |

+ | | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **TutorPubLBNAT-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myLoadBalancer** |

+ | Region | Select **(US) East US**. |

+ | SKU | Leave the default **Standard**. |

+ | Type | Select **Public**. |

+ | Tier | Leave the default **Regional**. |

+4. Select **Next: Frontend IP configuration** at the bottom of the page.

+5. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

+6. Enter **LoadBalancerFrontend** in **Name**.

+7. Select **IPv4** or **IPv6** for the **IP version**.

+ > [!NOTE]

+ > IPv6 isn't currently supported with Routing Preference or Cross-region load-balancing (Global Tier).

+8. Select **IP address** for the **IP type**.

+ > [!NOTE]

+ > For more information on IP prefixes, see [Azure Public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md).

+9. Select **Create new** in **Public IP address**.

+10. In **Add a public IP address**, enter **myPublicIP** for **Name**.

+11. Select **Zone-redundant** in **Availability zone**.

+ > [!NOTE]

+ > In regions with [Availability Zones](../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones), you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear. </br> For more information on availability zones, see [Availability zones overview](../availability-zones/az-overview.md).

+12. Leave the default of **Microsoft Network** for **Routing preference**.

+13. Select **OK**.

+14. Select **Add**.

+15. Select **Next: Backend pools** at the bottom of the page.

+16. In the **Backend pools** tab, select **+ Add a backend pool**.

+17. Enter **myBackendPool** for **Name** in **Add backend pool**.

+18. Select **myVNet** in **Virtual network**.

+19. Select **NIC** or **IP Address** for **Backend Pool Configuration**.

+20. Select **IPv4** or **IPv6** for **IP version**.

+21. Select **Add**.

+22. Select the **Next: Inbound rules** button at the bottom of the page.

+23. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

+24. In **Add load balancing rule**, enter or select the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **myHTTPRule** |

+ | IP Version | Select **IPv4** or **IPv6** depending on your requirements. |

+ | Frontend IP address | Select **LoadBalancerFrontend**. |

+ | Backend pool | Select **myBackendPool**. |

+ | Protocol | Select **TCP**. |

+ | Port | Enter **80**. |

+ | Backend port | Enter **80**. |

+ | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **HTTP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

+ | Session persistence | Select **None**. |

+ | Idle timeout (minutes) | Enter or select **15**. |

+ | TCP reset | Select **Enabled**. |

+ | Floating IP | Select **Disabled**. |

+ | Outbound source network address translation (SNAT) | Leave the default of **(Recommended) Use outbound rules to provide backend pool members access to the internet.** |

+25. Select **Add**.

+26. Select the blue **Review + create** button at the bottom of the page.

+27. Select **Create**.

+## Create virtual machines

+In this section, you'll create two VMs (**myVM1** and **myVM2**) in two different zones (**Zone 1** and **Zone 2**).

+These VMs are added to the backend pool of the load balancer that was created earlier.

+1. On the upper-left side of the portal, select **Create a resource** > **Compute** > **Virtual machine**.

+

+2. In **Create a virtual machine**, type or select the values in the **Basics** tab:

+ | Setting | Value |

+ |--|-|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **TutorPubLBNAT-rg** |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM1** |

+ | Region | Select **(US) East US** |

+ | Availability Options | Select **Availability zones** |

+ | Availability zone | Select **1** |

+ | Image | Select **Windows Server 2019 Datacenter** |

+ | Azure Spot instance | Leave the default |

+ | Size | Choose VM size or take default setting |

+ | **Administrator account** | |

+ | Username | Enter a username |

+ | Password | Enter a password |

+ | Confirm password | Reenter password |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None** |

+3. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+

+4. In the Networking tab, select or enter:

+ | Setting | Value |

+ |-|-|

+ | **Network interface** | |

+ | Virtual network | **myVNet** |

+ | Subnet | **myBackendSubnet** |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Advanced**|

+ | Configure network security group | Select **Create new**. </br> In the **Create network security group**, enter **myNSG** in **Name**. </br> Under **Inbound rules**, select **+Add an inbound rule**. </br> In **Destination port ranges**, enter **80**. </br> Under **Priority**, enter **100**. </br> In **Name**, enter **myNSGRule** </br> Select **Add** </br> Select **OK** |

+ | **Load balancing** |

+ | Place this virtual machine behind an existing load-balancing solution? | Select the check box.|

+ | **Load balancing settings** |

+ | Load-balancing options | Select **Azure load balancer** |

+ | Select a load balancer | Select **myLoadBalancer** |

+ | Select a backend pool | Select **myBackendPool** |

+

+5. Select **Review + create**.

+

+6. Review the settings, and then select **Create**.

+7. Follow the steps 1 to 7 to create a VM with the following values and all the other settings the same as **myVM1**:

+ | Setting | VM 2 |

+ | - | -- |

+ | Name | **myVM2** |

+ | Availability zone | **2** |

+ | Network security group | Select the existing **myNSG** |

+## Create NAT gateway

+In this section, you'll create a NAT gateway and assign it to the subnet in the virtual network you created previously.

+1. On the upper-left side of the screen, select **Create a resource > Networking > NAT gateway** or search for **NAT gateway** in the search box.

+2. Select **Create**.

+3. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **TutorPubLBNAT-rg**. |

+ | **Instance details** | |

+ | Name | Enter **myNATGateway** |

+ | Region | Select **(US) East US** |

+ | Availability Zone | Select **None**. |

+ | Idle timeout (minutes) | Enter **10**. |

+4. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+5. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myNATgatewayIP**. </br> Select **OK**. |

+6. Select the **Subnet** tab, or select the **Next: Subnet** button at the bottom of the page.

+7. In the **Subnet** tab, select **myVNet** in the **Virtual network** pull-down.

+8. Check the box next to **myBackendSubnet**.

+9. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+10. Select **Create**.

+## Test NAT gateway

+In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. Select **Resource groups** in the left-hand menu, select the **TutorPubLBNAT-rg** resource group, and then from the resources list, select **myNATgatewayIP**.

+2. Make note of the public IP address:

+ :::image type="content" source="./media/tutorial-nat-gateway-load-balancer-public-portal/find-public-ip.png" alt-text="Screenshot discover public IP address of NAT gateway." border="true":::

+3. Select **Resource groups** in the left-hand menu, select the **TutorPubLBNAT-rg** resource group, and then from the resources list, select **myVM1**.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+5. Enter the username and password entered during VM creation.

+6. Open **Internet Explorer** on **myVM1**.

+7. Enter **https://whatsmyip.com** in the address bar.

+8. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/tutorial-nat-gateway-load-balancer-public-portal/my-ip.png" alt-text="Screenshot Internet Explorer showing external outbound IP." border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **TutorPubLBNAT-rg** resource group.

+3. Select **Delete resource group**.

+4. Enter **TutorPubLBNAT-rg** and select **Delete**.

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Azure NAT Gateway overview](nat-overview.md)

+ Title: 'Tutorial: Protect your NAT gateway with Azure DDoS Protection Standard'

+description: Learn how to create an NAT gateway in an Azure DDoS Protection Standard protected virtual network.

+# Tutorial: Protect your NAT gateway with Azure DDoS Protection Standard

+This article helps you create a NAT gateway with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your NAT gateway from large scale DDoS attacks.

+> [!IMPORTANT]

+> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a NAT gateway

+> * Create a DDoS protection plan

+> * Create a virtual network and associate the DDoS protection plan

+> * Create a test virtual machine

+> * Test the NAT gateway

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Create a NAT gateway

+Before you deploy the NAT gateway resource and the other resources, a resource group is required to contain the resources deployed. In the following steps, you'll create a resource group, NAT gateway resource, and a public IP address. You can use one or more public IP address resources, public IP prefixes, or both.

+For information about public IP prefixes and a NAT gateway, see [Manage NAT gateway](./manage-nat-gateway.md?tabs=manage-nat-portal#add-or-remove-a-public-ip-prefix).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways** in the search results.

+3. Select **+ Create**.

+4. In **Create network address translation (NAT) gateway**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **Create new**. </br> Enter **myResourceGroupNAT**. </br> Select **OK**. |

+ | **Instance details** | |

+ | NAT gateway name | Enter **myNATgateway** |

+ | Region | Select **West Europe** |

+ | Availability Zone | Select **No Zone**. |

+ | Idle timeout (minutes) | Enter **10**. |

+ For information about availability zones and NAT gateway, see [NAT gateway and availability zones](./nat-availability-zones.md).

+5. Select the **Outbound IP** tab, or select the **Next: Outbound IP** button at the bottom of the page.

+6. In the **Outbound IP** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | Public IP addresses | Select **Create a new public IP address**. </br> In **Name**, enter **myPublicIP**. </br> Select **OK**. |

+7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+8. Select **Create**.

+## Create a DDoS protection plan

+1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**.

+1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information:

+ | Setting | Value |

+ |--|--|

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Enter **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Name | Enter **myDDoSProtectionPlan**. |

+ | Region | Select **West Europe**. |

+1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan.

+## Create a virtual network

+Before you deploy a virtual machine and can use your NAT gateway, you need to create the virtual network. This virtual network will contain the virtual machine created in later steps.

+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+2. Select **Create**.

+3. In **Create virtual network**, enter or select this information in the **Basics** tab:

+ | **Setting** | **Value** |

+ ||--|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet** |

+ | Region | Select **(Europe) West Europe** |

+4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+5. Accept the default IPv4 address space of **10.1.0.0/16**.

+6. In the subnet section in **Subnet name**, select the **default** subnet.

+7. In **Edit subnet**, enter this information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **mySubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+ | **NAT GATEWAY** |

+ | NAT gateway | Select **myNATgateway**. |

+8. Select **Save**.

+9. Select the **Security** tab.

+10. In **BastionHost**, select **Enable**. Enter this information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/26** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+11. In **DDoS protection** select **Enable**. Select **myDDoSProtectionPlan** in DDoS protection plan.

+12. Select the **Review + create** tab or select the **Review + create** button.

+13. Select **Create**.

+It can take a few minutes for the deployment of the virtual network to complete. Proceed to the next steps when the deployment completes.

+

+## Create test virtual machine

+In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **+ Create** > **Azure virtual machine**.

+2. In the **Create a virtual machine** page in the **Basics** tab, enter, or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **myResourceGroupNAT**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter **myVM**. |

+ | Region | Select **(Europe) West Europe**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2022 Datacenter: Azure Edition - Gen2**. |

+ | Size | Select a size. |

+ | **Administrator account** | |

+ | Username | Enter a username for the virtual machine. |

+ | Password | Enter a password. |

+ | Confirm password | Confirm password. |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+3. Select the **Disks** tab, or select the **Next: Disks** button at the bottom of the page.

+4. Leave the default in the **Disks** tab.

+5. Select the **Networking** tab, or select the **Next: Networking** button at the bottom of the page.

+6. In the **Networking** tab, enter or select the following information:

+ | **Setting** | **Value** |

+ | -- | |

+ | **Network interface** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **mySubnet (10.1.0.0/24)**. |

+ | Public IP | Select **None**. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **None**. |

+7. Select the **Review + create** tab, or select the blue **Review + create** button at the bottom of the page.

+8. Select **Create**.

+## Test NAT gateway

+In this section, you'll test the NAT gateway. You'll first discover the public IP of the NAT gateway. You'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

+

+1. In the search box at the top of the portal, enter **Public IP**. Select **Public IP addresses** in the search results.

+2. Select **myPublicIP**.

+3. Make note of the public IP address:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/find-public-ip.png" alt-text="Screenshot of discover public IP address of NAT gateway." border="true":::

+4. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+5. Select **myVM**.

+4. On the **Overview** page, select **Connect**, then **Bastion**.

+6. Enter the username and password entered during VM creation. Select **Connect**.

+7. Open **Microsoft Edge** on **myTestVM**.

+8. Enter **https://whatsmyip.com** in the address bar.

+9. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

+ :::image type="content" source="./media/quickstart-create-nat-gateway-portal/my-ip.png" alt-text="Screenshot of Internet Explorer showing external outbound IP." border="true":::

+## Clean up resources

+If you're not going to continue to use this application, delete

+the virtual network, virtual machine, and NAT gateway with the following steps:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **myResourceGroupNAT** resource group.

+3. Select **Delete resource group**.

+4. Enter **myResourceGroupNAT** and select **Delete**.

+## Next steps

+For more information on Azure NAT Gateway, see:

+> [!div class="nextstepaction"]

+> [Azure NAT Gateway overview](nat-overview.md)

+ Title: Manage NSG flow logs using Azure Policy

+description: Learn how to use built-in policies to manage the deployment of Azure Network Watcher NSG flow logs.

+# Manage NSG flow logs using Azure Policy

+Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, you learn how to use two built-in policies available for NSG flow Logs to manage your flow logs setup. The first policy flags any network security group without flow logs enabled. The second policy automatically deploys NSG flow logs without flow logs enabled.

+To learn more about Azure policy, see [What is Azure Policy?](../governance/policy/overview.md) and [Quickstart: Create a policy assignment to identify non-compliant resources](../governance/policy/assign-policy-portal.md).

+5. Use the Type filter and choose "Built-in". Then search for "flow log"

+You should see the two built-in policies for flow logs

+- *"Flow log should be configured for every network security group"* is the audit policy that flags non-compliant network security groups (network security groups without flow logging enabled)

+- *"Deploy a flow log resource with target network security group"* is the policy with a deployment action, it enables flow logs on all network security groups without flow logs

+The policy checks all existing ARM objects of type ΓÇ£Microsoft.Network/networkSecurityGroupsΓÇ¥, that is, it looks at all network security groups in a given scope, and checks for the existence of linked flow logs via the flow Logs property of the network security group. If the property doesn't exist, the network security group is flagged.

+If you want to see the full definition of the policy, you can visit the [Definitions tab](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Definitions) and search for "flow logs" to find the policy

+The policy checks all existing ARM objects of type ΓÇ£Microsoft.Network/networkSecurityGroupsΓÇ¥, that is, it looks at all network security groups in a given scope, and checks for the existence of linked flow logs via the flow logs property of the network security group. If the property doesn't exist, the policy deploys a flow log.

+If you want to see the full definition of the policy, you can visit the [Definitions tab](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Definitions) and search for "flow logs" to find the policy.

+- Storage ID: Full resource ID of the storage account. Note: This storage account should be in the same region as the network security group.

+- Network Watchers RG: Name of the resource group containing your Network Watcher resource. If you haven't renamed it, you can enter `NetworkWatcherRG`, which is the default Network Watcher resource group.

+- You need Contributor or Owner permission to use this policy. If you have these permissions, you shouldn't see any errors.

+4. Select "Review + Create" to review your assignment.

+- To learn more about NSG flow logs, see [Flow logs for network security groups](./network-watcher-nsg-flow-logging-overview.md).

+- To learn about using built-in policies with traffic analytics, see [Manage traffic analytics using Azure Policy](./traffic-analytics-policy-portal.md).

+- To learn how to use an ARM template to deploy flow Logs and traffic analytics, see [Configure NSG flow logs using an Azure Resource Manager (ARM) template](./quickstart-configure-network-security-group-flow-logs-from-arm-template.md).

+# Manage traffic analytics using Azure Policy

+Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, you learn how to use three built-in policies available for [Azure Network Watcher traffic analytics](./traffic-analytics.md) to manage your setup.

+> As an alternative to the open source solution presented in this article, you can use [Azure Arc](../azure-arc/overview.md) to manage your ARO clusters along with its [Azure Key Vault Provider for Secrets Store CSI Driver extension](../azure-arc/kubernetes/tutorial-akv-secrets-provider.md). This method is fully supported by Microsoft and is recommended instead of the open source solution below.

+## How to view the output of an `az networkcloud baremetalmachine run-read-command` in the Cluster Manager Storage account

+This guide walks you through accessing the output file that is created in the Cluster Manager Storage account when an `az networkcloud baremetalmachine run-read-command` is executed on a server. The name of the file is identified in the `az rest` status output.

+1. Open the Cluster Manager Managed Resource Group for the Cluster where the server is housed and then select the **Storage account**.

+1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

+1. In the Storage browser details, select on **Blob containers**.

+1. Select the baremetal-run-command-output blob container.

+1. Select the output file from the run-read command. The file name can be identified from the `az rest --method get` command. Additionally, the **Last modified** timestamp aligns with when the command was executed.

+1. You can manage & download the output file from the **Overview** pop-out.

+description: Review the monitoring and metrics features in Azure Database for PostgreSQL - Flexible Server.

+Monitoring data about your servers helps you troubleshoot and optimize for your workload. Azure Database for PostgreSQL provides various monitoring options to provide insight into how your server is performing.

+Azure Database for PostgreSQL provides various metrics that give insight into the behavior of the resources that support the Azure Database for PostgreSQL server. Each metric is emitted at a 1-minute interval and has up to [93 days of history](../../azure-monitor/essentials/data-platform-metrics.md#retention-of-metrics). You can configure alerts on the metrics. Other options include setting up automated actions, performing advanced analytics, and archiving the history. For more information, see the [Azure Metrics overview](../../azure-monitor/essentials/data-platform-metrics.md).

+The following metrics are available for a flexible server instance of Azure Database for PostgreSQL:

+|Display name|Metric ID|Unit|Description|

+|||||

+|**Active Connections**|`active_connections`|Count|Number of connections to your server.|

+|**Backup Storage Used**|`backup_storage_used`|Bytes|Amount of backup storage used. This metric represents the sum of storage that's consumed by all the full backups, differential backups, and log backups that are retained based on the backup retention period that's set for the server. The frequency of the backups is service managed. For geo-redundant storage, backup storage usage is twice the usage for locally redundant storage.|

+|**Failed Connections**|`connections_failed`|Count|Number of failed connections.|

+|**Succeeded Connections** |`connections_succeeded`|Count |Number of succeeded connections.|

+|**CPU Credits Consumed**|`cpu_credits_consumed` |Count |Number of credits used by the flexible server. Applies to the Burstable tier.|

+|**CPU Credits Remaining** |`cpu_credits_remaining`|Count |Number of credits available to burst. Applies to the Burstable tier. |

+|**CPU percent** |`cpu_percent`|Percent |Percentage of CPU in use.|

+|**Disk Queue Depth**|`disk_queue_depth` |Count |Number of outstanding I/O operations to the data disk.|

+|**IOPS**|`iops` |Count |Number of I/O operations to disk per second.|

+|**Maximum Used Transaction IDs**|`maximum_used_transactionIDs`|Count |Maximum number of transaction IDs in use. |

+|**Memory percent**|`memory_percent` |Percent |Percentage of memory in use. |

+|**Network Out** |`network_bytes_egress` |Bytes |Amount of outgoing network traffic.|

+|**Network In**|`network_bytes_ingress`|Bytes |Amount of incoming network traffic.|

+|**Read IOPS** |`read_iops`|Count |Number of data disk I/O read operations per second. |

+|**Read Throughput** |`read_throughput`|Bytes |Bytes read per second from disk. |

+|**Storage Free**|`storage_free` |Bytes |Amount of storage space that's available.|

+|**Storage percent** |`storage_percent`|Percentage|Percent of storage space that's used. The storage that's used by the service can include database files, transaction logs, and server logs.|

+|**Storage Used**|`storage_used` |Bytes |Amount of storage space that's used. The storage that's used by the service can include the database files, transaction logs, and the server logs.|

+|**Transaction Log Storage Used**|`txlogs_storage_used`|Bytes |Amount of storage space that's used by the transaction logs. |

+|**Write Throughput**|`write_throughput` |Bytes |Bytes written to disk per second.|

+|**Write IOPS**|`write_iops` |Count |Number of data disk I/O write operations per second.|

+## Enhanced metrics

+You can use enhanced metrics for Azure Database for PostgreSQL - Flexible Server to get fine-grained monitoring and alerting on databases. You can configure alerts on the metrics.

+Some enhanced metrics include a `Dimension` parameter that you can use to split and filter metrics data by using a dimension like database name or state.

+### Enable enhanced metrics

+- Most of these new metrics are *disabled* by default. A few exceptions are described in the next table.

+- To enable these metrics, set the server parameter `metrics.collector_database_activity` to `ON`. This parameter is dynamic and doesn't require an instance restart.

+### List of enhanced metrics

+You can choose from the following categories of enhanced metrics:

+- Activity

+- Database

+- Logical replication

+- Replication

+- Saturation

+- Traffic

+#### Activity

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Sessions By State** (Preview)|`sessions_by_state` |Count|Overall state of the back ends. |State|No|

+|**Sessions By WaitEventType** (Preview)|`sessions_by_wait_event_type` |Count|Sessions by the type of event for which the back end is waiting.|Wait Event Type|No|

+|**Oldest Backend** (Preview) |`oldest_backend_time_sec` |Seconds|Age in seconds of the oldest back end (irrespective of the state).|Doesn't apply|No|

+|**Oldest Query** (Preview) |`longest_query_time_sec`|Seconds|Age in seconds of the longest query that's currently running. |Doesn't apply|No|

+|**Oldest Transaction** (Preview) |`longest_transaction_time_sec`|Seconds|Age in seconds of the longest transaction (including idle transactions).|Doesn't apply|No|

+|**Oldest xmin** (Preview)|`oldest_backend_xmin`|Count|The actual value of the oldest `xmin`. If `xmin` isn't increasing, it indicates that there are some long-running transactions that can potentially hold dead tuples from being removed. |Doesn't apply|No|

+|**Oldest xmin Age** (Preview)|`oldest_backend_xmin_age`|Count|Age in units of the oldest `xmin`. Indicates how many transactions passed since the oldest `xmin`. |Doesn't apply|No|

+#### Database

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Backends** (Preview) |`numbackends`|Count|Number of back ends that are connected to this database.|DatabaseName|No|

+|**Deadlocks** (Preview)|`deadlocks` |Count|Number of deadlocks that are detected in this database.|DatabaseName|No|

+|**Disk Blocks Hit** (Preview)|`blks_hit` |Count|Number of times disk blocks were found already in the buffer cache, so that a read wasn't necessary.|DatabaseName|No|

+|**Disk Blocks Read** (Preview) |`blks_read`|Count|Number of disk blocks that were read in this database.|DatabaseName|No|

+|**Temporary Files** (Preview)|`temp_files` |Count|Number of temporary files that were created by queries in this database. |DatabaseName|No|

+|**Temporary Files Size** (Preview) |`temp_bytes` |Bytes|Total amount of data that's written to temporary files by queries in this database. |DatabaseName|No|

+|**Total Transactions** (Preview) |`xact_total` |Count|Number of total transactions that executed in this database. |DatabaseName|No|

+|**Transactions Committed** (Preview) |`xact_commit`|Count|Number of transactions in this database that have been committed.|DatabaseName|No|

+|**Transactions Rolled back** (Preview) |`xact_rollback`|Count|Number of transactions in this database that have been rolled back.|DatabaseName|No|

+|**Tuples Deleted** (Preview) |`tup_deleted`|Count|Number of rows that were deleted by queries in this database. |DatabaseName|No|

+|**Tuples Fetched** (Preview) |`tup_fetched`|Count|Number of rows that were fetched by queries in this database. |DatabaseName|No|

+|**Tuples Inserted** (Preview)|`tup_inserted` |Count|Number of rows that were inserted by queries in this database.|DatabaseName|No|

+|**Tuples Returned** (Preview)|`tup_returned` |Count|Number of rows that were returned by queries in this database.|DatabaseName|No|

+|**Tuples Updated** (Preview) |`tup_updated`|Count|Number of rows that were updated by queries in this database. |DatabaseName|No|

+#### Logical replication

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Max Logical Replication Lag** (Preview)|`logical_replication_delay_in_bytes`|Bytes|Maximum lag across all logical replication slots.|Doesn't apply|Yes |

+#### Replication

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Max Physical Replication Lag** (Preview)|`physical_replication_delay_in_bytes`|Bytes|Maximum lag across all asynchronous physical replication slots.|Doesn't apply|Yes |

+|**Read Replica Lag** (Preview)|`physical_replication_delay_in_seconds`|Seconds|Read replica lag in seconds. |Doesn't apply|Yes |

+#### Saturation

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Disk Bandwidth Consumed Percentage**|`disk_bandwidth_consumed_percentage`|Percent|Percentage of data disk bandwidth consumed per minute.|Doesn't apply|Yes |

+|**Disk IOPS Consumed Percentage** |`disk_iops_consumed_percentage` |Percent|Percentage of data disk I/Os consumed per minute. |Doesn't apply|Yes |

+#### Traffic

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Max Connections** ^|`max_connections`|Count|Number of maximum connections. |Doesn't apply|Yes |

+^ **Max Connections** represents the configured value for the `_max_connections_ server` parameter. This metric is pooled every 30 minutes.

+#### Considerations for using enhanced metrics

+- Enhanced metrics that use the DatabaseName dimension have a *50-database* limit.

+- On the *Burstable* SKU, the limit is 10 databases for metrics that use the DatabaseName dimension.

+- The DatabaseName dimension limit is applied on the object identifier (OID) column, which reflects the order of creation for the database.

+- The DatabaseName in the metrics dimension is *case insensitive*. The metrics for database names that are the same except for case (for example, *contoso_database* and *Contoso_database*) will be merged and might not show accurate data.

+Autovaccum metrics can be used to monitor and tune autovaccum performance for Azure Database for PostgresSQL - Flexible Server. Each metric is emitted at a *30-minute* interval and has up to *93 days* of retention. You can create alerts for specific metrics, and you can split and filter metrics data by using the DatabaseName dimension.

+### Enable autovacuum metrics

+- Autovacuum metrics are disabled by default.

+- To enable these metrics, set the server parameter `metrics.autovacuum_diagnostics` to `ON`.

+- This parameter is dynamic, so an instance restart isn't required.

+### List of autovacuum metrics

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Analyze Counter User Tables** (Preview)|`analyze_count_user_tables`|Count|Number of times user-only tables have been manually analyzed in this database. |DatabaseName|No |

+|**AutoAnalyze Counter User Tables** (Preview)|`autoanalyze_count_user_tables`|Count|Number of times user-only tables have been analyzed by the autovacuum daemon in this database. |DatabaseName|No |

+|**AutoVacuum Counter User Tables** (Preview) |`autovacuum_count_user_tables` |Count|Number of times user-only tables have been vacuumed by the autovacuum daemon in this database. |DatabaseName|No |

+|**Estimated Dead Rows User Tables** (Preview)|`n_dead_tup_user_tables` |Count|Estimated number of dead rows for user-only tables in this database. |DatabaseName|No |

+|**Estimated Live Rows User Tables** (Preview)|`n_live_tup_user_tables` |Count|Estimated number of live rows for user-only tables in this database. |DatabaseName|No |

+|**Estimated Modifications User Tables** (Preview)|`n_mod_since_analyze_user_tables`|Count|Estimated number of rows that were modified since user-only tables were last analyzed. |DatabaseName|No |

+|**User Tables Analyzed** (Preview) |`tables_analyzed_user_tables`|Count|Number of user-only tables that have been analyzed in this database. |DatabaseName|No |

+|**User Tables AutoAnalyzed** (Preview) |`tables_autoanalyzed_user_tables`|Count|Number of user-only tables that have been analyzed by the autovacuum daemon in this database.|DatabaseName|No |

+|**User Tables AutoVacuumed** (Preview) |`tables_autovacuumed_user_tables`|Count|Number of user-only tables that have been vacuumed by the autovacuum daemon in this database.|DatabaseName|No |

+|**User Tables Counter** (Preview)|`tables_counter_user_tables` |Count|Number of user-only tables in this database.|DatabaseName|No |

+|**User Tables Vacuumed** (Preview) |`tables_vacuumed_user_tables`|Count|Number of user-only tables that have been vacuumed in this database. |DatabaseName|No |

+|**Vacuum Counter User Tables** (Preview) |`vacuum_count_user_tables` |Count|Number of times user-only tables have been manually vacuumed in this database (not counting `VACUUM FULL`).|DatabaseName|No |

+### Considerations for using autovacuum metrics

+- Autovacuum metrics that use the DatabaseName dimension have a *30-database* limit.

+- On the *Burstable* SKU, the limit is 10 databases for metrics that use the DatabaseName dimension.

+- The DatabaseName dimension limit is applied on the OID column, which reflects the order of creation for the database.

+You can use PgBouncer metrics to monitor the performance of the PgBouncer process, including details for active connections, idle connections, total pooled connections, and the number of connection pools. Each metric is emitted at a *30-minute* interval and has up to *93 days* of history. Customers can configure alerts on the metrics and also access the new metrics dimensions to split and filter metrics data by database name.

+### Enable PgBouncer metrics

+- PgBouncer metrics are disabled by default.

+- For PgBouncer metrics to work, both the server parameters `pgbouncer.enabled` and `metrics.pgbouncer_diagnostics` must be enabled.

+- These parameters are dynamic and don't require an instance restart.

+### List of PgBouncer metrics

+|Display name|Metric ID|Unit|Description|Dimension|Default enabled|

+|||||||

+|**Active client connections** (Preview) |`client_connections_active` |Count|Connections from clients that are associated with an Azure Database for PostgreSQL connection. |DatabaseName|No |

+|**Waiting client connections** (Preview)|`client_connections_waiting`|Count|Connections from clients that are waiting for an Azure Database for PostgreSQL connection to service them.|DatabaseName|No |

+|**Active server connections** (Preview) |`server_connections_active` |Count|Connections to Azure Database for PostgreSQL that are in use by a client connection. |DatabaseName|No |

+|**Idle server connections** (Preview) |`server_connections_idle` |Count|Connections to Azure Database for PostgreSQL that are idle and ready to service a new client connection. |DatabaseName|No |

+|**Total pooled connections** (Preview)|`total_pooled_connections`|Count|Current number of pooled connections. |DatabaseName|No |

+|**Number of connection pools** (Preview)|`num_pools` |Count|Total number of connection pools. |DatabaseName|No |

+### Considerations for using the PgBouncer metrics

+- PgBouncer metrics that use the DatabaseName dimension have a *30-database* limit.

+- On the *Burstable* SKU, the limit is 10 databases that have the DatabaseName dimension.

+- The DatabaseName dimension limit is applied to the OID column, which reflects the order of creation for the database.

+## Database availability metric

+Is-db-alive is an database server availability metric for Azure Postgres Flexible Server, that returns boolean `[1 for available]` and `[0 for not-available]`. Each metric is emitted at a *1 minute* frequency, and has up to *93 days* of retention. Customers can configure alerts on the metric.

+|Display Name |Metric ID |Unit |Description |Dimension |Default enabled|

+|-|-|-|--|||

+|**Database Is Alive** (Preview) |is-db-alive |Boolean|Indicates if the database is up or not |N/a |Yes |

+#### Considerations when using the Database availability metrics

+- Aggregating this metric with `MAX()` will allow customers to determine weather the server has been up or down in the last minute.

+- Customers have option to further aggregate these metrics with any desired frequency (5m, 10m, 30m etc.) to suit their alerting requirements and avoid any false positive.

+- Other possible aggregations are `AVG()` and `MIN()`

+## Filter and split on dimension metrics

+In the preceding tables, some metrics have dimensions like DatabaseName or State. You can use [filtering](../../azure-monitor/essentials/metrics-charts.md#filters) and [splitting](../../azure-monitor/essentials/metrics-charts.md#apply-splitting) for the metrics that have dimensions. These features show how various metric segments (or *dimension values*) affect the overall value of the metric. You can use them to identify possible outliers.

+- **Filtering**: Use filtering to choose which dimension values are included in the chart. For example, you might want to show idle connections when you chart the `Sessions-by-State` metric. You set the filter for Idle in the State dimension.

+- **Splitting**: Use splitting to control whether the chart displays separate lines for each value of a dimension or if it aggregates the values in a single line. For example, you can see one line for a `Sessions-by-State` metric across all sessions. You can see separate lines for each session grouped by State value. Apply splitting on the State dimension to see separate lines.

+The following example demonstrates splitting by the State dimension and filtering on specific State values:

+For more information about setting up charts for dimensional metrics, see [Metric chart examples](../../azure-monitor/essentials/metric-chart-samples.md).

+In addition to the metrics, you can use Azure Database for PostgreSQL to configure and access Azure Database for PostgreSQL standard logs. For more information, see [Logging concepts](concepts-logging.md).

+## Next steps

+- Learn more about how to [configure and access logs](howto-configure-and-access-logs.md).

+- Learn more about [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+- Learn more about [audit logs](concepts-audit.md).

+Each troubleshooting guide requires a specific set of data, which is sourced from three separate features: [Diagnostic settings](howto-configure-and-access-logs.md), [Query Store](concepts-query-store.md), and [Enhanced Metrics](concepts-monitoring.md#enable-enhanced-metrics).

+* Public preview of [Troubleshooting guides](./concepts-troubleshooting-guides.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+The automation framework's GitHub repository contains a set of [Sample BOMs](https://github.com/Azure/sap-automation/tree/main/training-materials/WORKSPACES/BOMS) that you can use to get started. It is also possible to create BOMs for other SAP Applications and databases.

+You can find multiple complete, usable BOM files in the [GitHub repository](https://github.com/Azure/sap-automation/tree/main/training-materials/WORKSPACES/BOMS) folder.

+- Creates to volume groups and logical volumes

+- Configures the kernel parameters

+- Configures routing for additional network interfaces (if required)

+- Crates the user accounts and groups

+- Configures the banners displayed when logged in

+- Configures the services required

+ - StorageDsc

+ - NetworkingDsc

+ - ComputerManagementDsc

+ - PSDesiredStateConfiguration

+ - WindowsDefender

+ - ServerManager

+ - SecurityPolicyDsc

+ - Visual C++ runtime libraries

+ - ODBC Drivers

+- Configures the swap file size

+- Initializes the disks

+- Configures Windows Firewall

+- Joins the virtual machine to the specified domain

+### SAP Specific Operating System Configuration

+The SAP Specific Operating System Configuration playbook is used to configure the operating system of the SAP virtual machines. The playbook performs the following tasks:

+# [Linux](#tab/linux)

+The following tasks are executed on Linux virtual machines:

+- Configures the hosts file

+- Ensures that all the SAP specific repositories are registered and enabled

+- Ensures that all the SAP specific packaged are installed

+- Performs the disk mount operations

+- Configures the SAP specific services

+- Implements configurations defined in the relevant SAP Notes

+# [Windows](#tab/windows)

+- Connects to the Windows file shares

+## April 2023

+- [RSA announcements](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/rsac-2023-microsoft-sentinel-empowering-the-soc-with-next-gen/ba-p/3803613)

+- [Manage multiple workspaces with workspace manager](#manage-multiple-workspaces-with-workspace-manager-preview)

+### Manage multiple workspaces with workspace manager (Preview)

+Centrally manage Microsoft Sentinel at scale with Workspace Manager. Whether you're working across workspaces or Azure AD tenants, workspace manager reduces the complexity.

+Learn more about [Microsoft Sentinel workspace manager](workspace-manager.md).

+- [Microsoft Defender for Identity alerts now available in Government Community Cloud](#microsoft-defender-for-identity-alerts-now-available-in-government-community-cloud)

+### Microsoft Defender for Identity alerts now available in Government Community Cloud

+Microsoft Defender for Identity alerts are now available in Government Community Cloud (GCC).

+If you previously used the MDI alerts connector, with the introduction of the new alerts, the `UniqueExternalId` field is no longer populated. The ID represents the alert, and was formerly located in the `ExternalProperties` field. You can now be obtain the ID through the `AlertName` field, which contains the alert’s name.

+If you've used this ID in your custom queries, we recommend that you adjust your queries accordingly. Review the [Security alert name mapping and unique external IDs](/defender-for-identity/alerts-overview#security-alert-name-mapping-and-unique-external-ids).

+## Upload a block blob by staging blocks and committing

+You can have greater control over how to divide uploads into blocks by manually staging individual blocks of data. When all of the blocks that make up a blob are staged, you can commit them to Blob Storage.

+The following example reads data from a file and stages blocks to be committed as part of a blob:

+## Overview of the migration process

+Before you get started with the migration, read [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md) for an overview of the process.

+To migrate your classic storage accounts, you should:

+1. [Identify classic storage accounts in your subscription](#identify-classic-storage-accounts-in-your-subscription).

+1. [Locate and delete any disk artifacts in classic accounts](#locate-and-delete-any-disk-artifacts-in-a-classic-account).

+1. [Migrate your classic storage accounts](#migrate-a-classic-storage-account).

+1. [Update your applications to use Azure Resource Manager APIs](#update-your-applications-to-use-azure-resource-manager-apis).

+## Locate and delete any disk artifacts in a classic account

+Classic storage accounts may contain classic (unmanaged) disks, virtual machine images, and operating system (OS) images. To migrate the account, you will need to delete these artifacts first.

+> [!IMPORTANT]

+> If you do not delete classic disk artifacts first, the migration may fail.

+To learn about migrating unmanaged disks to managed disks, see [Migrating unmanaged disks to managed disks](../../virtual-machines/unmanaged-disks-deprecation.md).

+# [Portal](#tab/azure-portal)

+To delete disk artifacts from the Azure portal, follow these steps:

+1. Navigate to the Azure portal.

+1. In the **Search** bar at the top, search for **Disks (classic)**, **OS Images (classic)**, or **VM Images (classic)** to display classic disk artifacts.

+1. Locate the classic disk artifact to delete, and select it to view its properties.

+1. Select the **Delete** button to delete the disk artifact.

+ :::image type="content" source="media/classic-account-migrate/delete-disk-artifacts-portal.png" alt-text="Screenshot showing how to delete classic disk artifacts in Azure portal." lightbox="media/classic-account-migrate/delete-disk-artifacts-portal.png":::

+For more information about errors that may occur when deleting disk artifacts and how to address them, see [Troubleshoot errors when you delete Azure classic storage accounts, containers, or VHDs](/troubleshoot/azure/virtual-machines/storage-classic-cannot-delete-storage-account-container-vhd).

+# [PowerShell](#tab/azure-powershell)

+To learn how to locate and delete disk artifacts in classic storage accounts with PowerShell, see [Migrate to Resource Manager with PowerShell](../../virtual-machines/migration-classic-resource-manager-ps.md#step-52-migrate-a-storage-account).

+## Update your applications to use Azure Resource Manager APIs

+After you migrate your classic storage account to Azure Resource Manager, you must update your applications and scripts to use Azure Resource Manager APIs. The [Azure Storage resource provider](/rest/api/storagerp/) is the implementation of Azure Resource Manager for Azure Storage.

+Azure Storage provides SDKs for convenience in calling the Azure Storage resource provider APIs:

+- [Management client library for .NET](/dotnet/api/overview/azure/resourcemanager.storage-readme)

+- [Management client library for Java](/java/api/overview/azure/resourcemanager-storage-readme)

+- [Management client library for JavaScript](/javascript/api/overview/azure/arm-storage-readme)

+- [Management client library for Python](/python/api/overview/azure/mgmt-storage-readme)

+You can also use the latest versions of Azure PowerShell and Azure CLI to manage your migrated storage accounts:

+- [Azure PowerShell](/powershell/azure/what-is-azure-powershell)

+- [Azure CLI](/cli/azure/what-is-azure-cli)

+To learn more about resource providers in Azure Resource Manager, see [Resource providers and resource types](../../azure-resource-manager/management/resource-providers-and-types.md).

+If you have classic storage accounts, start planning your migration now. Complete it by August 31, 2024, to take advantage of Azure Resource Manager.

+To learn more about the classic versus Azure Resource Manager deployment models, see [Resource Manager and classic deployment](../../azure-resource-manager/management/deployment-models.md#changes-for-compute-network-and-storage).

+On August 31, 2024, we'll retire classic Azure storage accounts and they'll no longer be accessible. Before that date, you must migrate your storage accounts to Azure Resource Manager, and update your applications to use [Azure Storage resource provider](/rest/api/storagerp/) APIs.

+The Azure Storage resource provider is the implementation of Azure Resource Manager for Azure Storage. To learn more about resource providers in Azure Resource Manager, see [Resource providers and resource types](../../azure-resource-manager/management/resource-providers-and-types.md).

+Azure Resource Manager storage accounts provide all of the same functionality, as well as new features, including:

+- A [consistent management layer](../../azure-resource-manager/management/overview.md#consistent-management-layer) that simplifies deployment by enabling you to create, update, and delete resources.

+- [Resource grouping](../../azure-resource-manager/management/overview.md#resource-groups), which allows you to deploy, monitor, manage, and apply access control policies to resources as a group.

+- All new features for Azure Storage are implemented for storage accounts in Azure Resource Manager deployments. Customers that are still using classic resources will not have access to new features and updates.

+For more information about the advantages of using Azure Resource Manager, see [The benefits of using Resource Manager](../../azure-resource-manager/management/overview.md#the-benefits-of-using-resource-manager).

+If your applications are using Azure Service Manager classic APIs to access classic accounts, then those applications will no longer be able to access those storage accounts after August 31, 2024.

+Before you get started with the migration, read [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md) for an overview of the process.

+To migrate your classic storage accounts, you should:

+1. Identify all classic storage accounts in your subscription. To learn how, see [Identify classic storage accounts in your subscription](classic-account-migrate.md#identify-classic-storage-accounts-in-your-subscription).

+1. Delete any classic (unmanaged) disks or disk artifacts in your classic storage accounts. To learn how to delete classic disk artifacts, see [Locate and delete any disk artifacts in a classic account](classic-account-migrate.md#locate-and-delete-any-disk-artifacts-in-a-classic-account).

+1. Migrate any classic storage accounts to [Azure Resource Manager](../../azure-resource-manager/management/overview.md). For step-by-step instructions on performing the migration, see [How to migrate your classic storage accounts to Azure Resource Manager](classic-account-migrate.md).

+1. Check your applications and logs to determine whether you're dynamically creating, updating, or deleting classic storage accounts from your code, scripts, or templates. If you are, then you must update your applications to use Azure Resource Manager APIs for account management. For more information, see [Update your applications to use Azure Resource Manager APIs](classic-account-migrate.md#update-your-applications-to-use-azure-resource-manager-apis).

+ 1. Under **Service type**, search for and select **Storage Account Management**.

+ 1. Under **Summary**, type a description of your issue.

+ 1. Under **Problem type**, select **Migrate a classic storage account to Azure Resource Manager**.

+There's no downtime for data plane operations while you are migrating a classic storage account to Resource Manager. Management plane operations are blocked during the migration. For more information, see [Understand storage account migration from the classic deployment model to Azure Resource Manager](classic-account-migration-process.md).

+There may be downtime for scenarios linked to classic virtual machine (VM) migration or unmanaged disk migration. For more information about those scenarios, see [Migration classic VMs](../../virtual-machines/classic-vm-deprecation.md) and [Migrating unmanaged disks to managed disks](../../virtual-machines/unmanaged-disks-deprecation.md).

+### How do I migrate storage accounts that contain classic disk artifacts?

+If your classic storage accounts contain classic (unmanaged) disks, virtual machine images, or operating system (OS) images, you'll need to delete these artifacts before you begin the migration. Failing to delete these artifacts may cause the migration to fail. To learn how to delete classic disk artifacts, see [Locate and delete any disk artifacts in a classic account](classic-account-migrate.md#locate-and-delete-any-disk-artifacts-in-a-classic-account).

+We recommend migrating unmanaged disks to managed disks. To learn about migrating unmanaged disks to managed disks, see [Migrating unmanaged disks to managed disks](../../virtual-machines/unmanaged-disks-deprecation.md).

+The Validation step doesn't check for VM disks that may be associated with the storage account. You must check your storage accounts manually to determine whether they contain VM disks. For more information, see the following articles:

+ Title: List of Azure regions that support geo-zone-redundant storage (GZRS)

+description: List of Azure regions that support geo-zone-redundant storage (GZRS)

+# Azure regions that support geo-zone-redundant storage (GZRS)

+This article lists the regions that support geo-zone-redundant storage (GZRS). For a list of regions that support zone-redundant storage (ZRS), see [Azure regions that support zone-redundant storage (ZRS)](redundancy-regions-zrs.md).

+## GZRS-supported Regions

+## See also

+- [Azure regions that support zone-redundant (ZRS) storage](redundancy-regions-zrs.md)

+- [Azure Storage redundancy](storage-redundancy.md)

+ Title: List of Azure regions that support zone-redundant storage (ZRS)

+description: List of Azure regions that support zone-redundant storage (ZRS)

+# Azure regions that support zone-redundant storage (ZRS)

+This article lists the regions that support zone-redundant storage (ZRS). For a list of regions that support geo-zone-redundant storage (GZRS), see [Azure regions that support geo-zone-redundant storage (GZRS)](redundancy-regions-gzrs.md).

+## Standard storage accounts

+## Premium block blob accounts

+## See also

+- [Azure regions that support geo-zone-redundant (GZRS) storage](redundancy-regions-gzrs.md)

+- [Azure Storage redundancy](storage-redundancy.md)

+For a list of regions that support zone-redundant storage (ZRS) for standard accounts, see [Azure regions that support zone-redundant storage (ZRS) for standard storage accounts](redundancy-regions-zrs.md#standard-storage-accounts).

+For a list of regions that support zone-redundant storage (ZRS) for premium block blobs accounts, see [Azure regions that support zone-redundant storage (ZRS) for premium block blob accounts](redundancy-regions-zrs.md#premium-block-blob-accounts).

+For a list of regions that support zone-redundant storage (ZRS) for premium file share accounts, see [Azure Files zone-redundant storage for premium file shares](../files/redundancy-premium-file-shares.md).

+For a list of regions that support geo-zone-redundant storage (GZRS), see [Azure regions that support geo-zone-redundant storage (GZRS)](redundancy-regions-gzrs.md).

+In order to use an Azure file share via the public endpoint outside of the Azure region it's hosted in, such as on-premises or in a different Azure region, the OS must support SMB 3.x. Older versions of Windows that support only SMB 2.1 can't mount Azure file shares via the public endpoint.

+| Windows 10, version 21H2 | SMB 3.1.1 | Yes | AES-128-GCM |