NAT and NAT Gateway in Azure

Video Statistics and Information

Captions
Curious how virtual machines and other resources talk to things on the internet? In this video we'll look at NAT capabilities in Azure. So I think we're all used to the idea that the IPv4 address space has run out, and we're not all ready to just run over to IPv6 quite yet, so how is it we all have all these different devices with all these different IP addresses but they still work? It's really all thanks to network address translation, port address translation. The idea being, for example, in our houses (hopefully your house doesn't look as bad as that) we have lots of different devices: we have tablets, we have computers, and if you went and did an ipconfig or an ifconfig or an ip, it will tell you an IP address, and most likely that IP address if you're at home is going to be maybe a 192.168.something, it might be a 172.16.something, it might be a 10.something. Those all make up this RFC 1918 address space used for internal purposes; it will not route over the internet. But you want to go and talk to the internet, so how does that work? Well, you have a service provider, and that service provider has a piece of equipment at your house, and that piece of equipment, I think of it as some kind of router, has its own IP address, but most likely that IP address is routable on the internet, unless they're doing another kind of NAT. So you have all these different devices in your house, TVs, whatever, all with their IP addresses. So I have a packet; you can imagine maybe this had an address of 10.0.1.10 and it wants to go and talk to something on the internet. So when it creates its IP packet the source address is 10.0.1.10. When it hits this device, it rewrites the packet so now its IP becomes the source IP and sends it out to the internet. It does whatever it does, and the response is sent back to that IP address, where it has maintained a lookup table, and now when it gets that IP packet back in it will rewrite the destination to, instead of being its IP, the original requester, and it sends it on its way.

And if it only has one public IP address and lots of internal IP addresses to map to, it can't do a one-to-one mapping; it has lots of internal IPs mapping to one public IP. So what we do is port address translation. You can think about each session, each unique combination of internal IP and port and destination IP and port and protocol; it maps that like a five-tuple. So what it would do is, on this traffic that's going out, it will say, "hey, you are port 10000," the next one going out, "you're port 10001," "you're 10002," for any unique set of session data. So when it comes back in it will say, "hey, your IP came in on 10000. Well, port 10000 was this IP in that session, so we can forward it on." So it's creating that mapping. That's at your house, and Azure actually works in a very similar way; we have to NAT the traffic.

So if I think about it, I have an Azure virtual network, so I have a VNet, and that VNet, remember, is going to get broken up into subnets. So let's just say for example I've got subnet one, and that virtual network is going to use an IP scheme, commonly from RFC 1918 (it doesn't have to be, but commonly it will), so the subnet is a portion of that IP space. And I have a bunch of different resources in there: I've got a VM, I've got VMs behind maybe a load balancer, they're all talking on private IPs, and if I do nothing else they can get to the internet. So I have the internet out here and it works. So how is it doing that? Well, it actually works in different ways. If I have a virtual machine and it has its own instance-level public IP, so I have created an instance-level public IP just for that VM and it's linked to that virtual machine, now remember this is primarily an inbound construct: I give that virtual machine a public IP because I want it to get traffic from the internet, maybe it's offering a website on 443. Now we typically wouldn't do that directly with a VM IP, because if I'm offering a service to the internet I probably want it to be resilient, so I'd want multiple instances, I want scale, I want to load balance that. But if we did, if a VM in Azure has its own instance-level public IP, when it wants to do outbound communications it will actually use that instance-level public IP. That's how it will then go and get to the internet and get the responses. If I have a public IP I'm going to use that not just to offer services to the internet, that's what I'm going to use to actually get to the internet, because it's a one-to-one mapping, a public IP to my internal IP; I have the full set of ports available to me. Now if I have a load balancer and the load balancer has a public IP, again that's used to receive things from the internet primarily, but once again virtual machines behind a load balancer will use that to go and get to the internet. There are some differences in functionality here: if it's a basic load balancer that's just what happens; if it was a standard load balancer and it did not have a public IP address, these wouldn't be able to get to the internet. So things behind that load balancer would not be able to get to the internet. As long as the standard load balancer does have a public IP then the things behind it will use that to go and get to the internet. That's an important point, because if I use things like maybe Private Link service or have internal load balancers and I'm using standard load balancer, I have to think about how they're going to get to the internet. So if it doesn't have a public IP they don't have that access. Now what about if I have virtual machines... let me just delete that for a second, let's extend that subnet out for a second. What about if I just have a VM and it doesn't have a public IP? Well, then Azure just behind the scenes allocates an IP address and it will NAT the outbound flow, so it's going to enable that to function, but I've no control over that. I don't know what IP it's going to use; it'll be hard for me to go and whitelist a particular service knowing it's coming from this address, and if I have multiple virtual machines they all may use that same public IP that's just been automatically handled by Azure. So I have really no control of that whatsoever. So those are the three basic scenarios. Now these are using port address translation when I have multiple, either in this load balancer or when it's just this automatically allocated. So it's looking at, hey, based on that source IP, that protocol, the destination, it's going to assign an ephemeral port that it will map and hold for a certain amount of time before that times out. So when the traffic comes back in, it knows, hey, that port helps it map to who was the source IP address.

But what if I want a bit more control? What if I don't like this idea that, hey, I want to offer services to the internet through maybe an instance-level public IP or a load balancer public IP, but I want to separate the outgoing flows? Now if I use a standard load balancer SKU, there are outbound rules; I do have some control over that, but it's still a distinct object, and if I use a standard load balancer I have to have knowledge in advance, I have to plan, I have to think about the scaling, I have to explicitly join the virtual machine to that backend set. There's work I have to do there. So there's another solution: there's NAT Gateway. So with NAT Gateway I create this NAT gateway resource, and it can either be regional or it can be zonal. Zonal means it is isolated to the zone I select. Now I could still use it from resources that are in different availability zones, but why you wouldn't want to is it's going to break that zone promise, so you want to architect accordingly. If I was going to use a zonal NAT gateway I would have a NAT gateway in each of my three availability zones, and then I would have to make sure my subnets, the resources that were put into a particular subnet, were all in a particular availability zone. I'll explain that in a second.

So with this NAT gateway, this is designed to provide outbound functionality, and once I create that NAT gateway it has either a public IP (and it's the standard SKU) or it's going to be an IP prefix; an IP prefix is a set of contiguous public IP addresses. And what do I use this as? I link the NAT gateway to a subnet. I could have multiple subnets, like I have subnet two, I could link it to there as well. And when I do that, this will now override how things go out to the internet. So even though I've got an instance-level public IP, even though I'm behind a standard load balancer, it will not use that for outbound connectivity anymore. So those virtual machines will use those to receive things, but for the outbound flow, so if this VM wants to get out to the internet, it works, you send it to the rainbow colour over here, it will send it to the NAT gateway. If this is trying to get outbound it will go to the NAT gateway. So now we're separating it. This will automatically scale; I don't have to worry about thinking about this thing in advance, I just have to link it to a subnet and it will automatically take all of the outbound traffic and NAT it for everything in that subnet. So it's much easier to think about from a manageability perspective. It is not compatible with non-standard SKUs. What I mean by that is there's a standard public IP, there's a standard load balancer; these work with each other. If I had a basic load balancer, that inbound flow would cease to work; it is not compatible. I have to use the standard SKUs of the load balancer, of the public IP, if I want to use NAT gateway with that subnet. If I attach a NAT gateway to the subnet and I just had a basic load balancer it will not get the traffic anymore; this will just override it. That's an important point to understand. So this is kind of fantastic: I just create this NAT gateway, I link it to a subnet, it will now be used for all of that outbound flow. I know the IP addresses or the IP prefixes for the NAT gateway, so I can go ahead and whitelist these for other services that it may be trying to access.

Now just one point to clarify then. So I talked before about availability zones. So if you remember, if I have an Azure subscription, if you think about what is a region: a region is typically made up of three availability zones. These are isolated sets of resource, power, water and communication. So I have AZ one, two and three. Now a virtual network is a regional construct, so my VNet would span all three of those availability zones, and so does my subnet, so by default my subnets would also just be spanning all of the availability zones. But if I create a NAT gateway and I make it zonal, so here let's say this is my NAT gateway one, and then I create another NAT gateway two, and another NAT gateway three, I would need to make sure when I link this to a subnet, well, I want all the resources in that subnet in that AZ. So I would have to architect accordingly. So in this case I would probably create a subnet, and although they are spanning all the availability zones in terms of the construct, I would make sure that when I put compute resources in them I only put compute resources in that subnet that were in AZ one, I would only put compute resources in that subnet that were in AZ two, etc. So now I can link the appropriate subnet to the appropriate gateway for that AZ. If I was using VM scale sets I wouldn't want them to span zones; I would want it just to be in a particular zone and in a particular subnet, and I would not put things in this subnet that were in other zones. I want to keep that zonal promise. If this NAT gateway is in this AZ, I want to link it to subnets that only contain things in that AZ as well. If I put something in this subnet that lived in AZ two, it would still work, but I'm just breaking that zonal promise; I'm relying on something in a different zone. That's a more complex thing; if that didn't make complete sense don't super worry about it, but just realize that's what happens. If I make a NAT gateway zonal, so it's in a particular zone, I need to make sure everything that's using it, from a good architecture perspective, is also in the same zone. Subnets normally span all AZs; it will be my responsibility to carve things up differently and make sure I only put resources in that subnet that are in the AZ that I'm linking to that subnet.

So NAT gateway gives me a way to control the flow of traffic. If I'm not using NAT gateway: if there's a public IP, it's going to use that; if it's just behind a load balancer that has a public IP, then it's going to use that; if it was just a basic load balancer it will still work; if I've added nothing, Azure will dynamically allocate a public IP for its usage. Remember the special case is standard load balancer: if it doesn't have a public IP they won't have any internet access; I have to do something else, either give the standard load balancer a public IP or use NAT gateway, and then I can control it.

So let's take a super quick look at this in action. So let's look at a quick example. Here I've got a virtual machine; it has both a private IP address and a public IP address. But look at a different virtual machine, let's say for example my domain controller; well, it does not have a public IP. If in the web browser I perform a check for "what is my IP" for the virtual machine that has a public IP address (remember its primary goal is to offer services out to the internet), we can see that the IP address that it's using to get outbound to the internet is the same as the one that's being used to provide services to the internet, i.e. its public IP. For the virtual machine that doesn't have a public IP address, well, it can still get to the internet, but it just has some random IP that Azure is just allocating for it. And maybe other virtual machines, for example I have two other virtual machines that don't have public IPs but they're in a different region; you can see they are using the same public IP. Azure is automatically providing that NAT and it's using the same IP address.

Now what we're going to do is actually create that NAT gateway. Now you will notice this public IP is a standard public IP SKU. If it was basic I would not be able to create a NAT gateway and connect it to the subnet, because it knows it would clash, it knows it would break things. So if I look at the properties we're seeing this is standard. You need to make sure you don't have any basic load balancers or basic public IPs in a subnet I want to attach the NAT gateway to. So now I'll go to my NAT gateway; you can see I've created a NAT gateway already, but it's not currently operational; I have to actually add a subnet to it. It has its own public IP; I didn't give it a prefix. One public IP gives me over 60,000 ephemeral ports I can use for various sessions and connections, but I could use a prefix if I needed to scale beyond that. But I know that public IP, I could use it and whitelist it on other services. So now what I'll do is I'll go to my subnet, pick a virtual network in the same region, I'm going to link it to my infrastructure subnet and then I'll save. This is now going to link the NAT gateway to that subnet, and that's it. So that's a huge benefit here: not only is this an instantly scalable service, it's very simple to manage; that's how hard it is to configure it with networks, I just select the subnets I want to use it with. So now this virtual machine is the one that had the public IP address. If I now jump back over to "what is my IP" and run it again... so right now that was the public IP address of the VM; what if I go and run this again? I can see it's actually changed. Now its public IP address is that of the gateway. So remember that last number is 142; that 142 is the IP address that the NAT gateway uses. If I went back and looked at my actual virtual machine, the address is similar but it's a 248. So here you can see now that the NAT gateway is being used for its outbound connectivity. I can still get to services on its public IP address that it's offering, but its outbound communication is now going through the NAT gateway. Likewise, virtual machines that are on the same subnet that aren't behind a load balancer, that don't have their own public IP, will use the same one. So once again I'm looking for this 13.85.185.142. If I jump over to my machine that is on the same subnet, remember previously it had the automatically allocated public IP from Azure; I check its IP address again, now it's got that NAT gateway. So because it's on the same subnet, remember, I'll paste it in just so we can compare them, it's using the NAT gateway public IP. So now anything on that subnet is just going to use it for its outbound internet access.

So I hope that was useful; I hope now it makes a bit of sense. Please give this video a like, please subscribe, and see you at the next video soon. Take care.
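The portal steps demonstrated in the video (standard-SKU public IP, NAT gateway, link to a subnet, then confirm the egress address changed), as a scripted Az PowerShell version. This is an added example, not code from the video or from John Savill; it also adds the pre-flight check the video describes only in words, looking for basic-SKU public IPs and basic load balancers in the target subnet before attaching the gateway. The resource group, region, zone, VNet/subnet names, the VM name 'vm-web' and the external IP-echo service https://ifconfig.me/ip are assumptions to replace with your own.

```powershell
# Added example (not from the video). Assumes: Az.Network and Az.Compute modules,
# an existing VNet 'vnet-infra' with subnet 'snet-infra' in resource group
# 'rg-nat-demo', and a Windows VM 'vm-web' in that subnet. All names are assumptions.
$rg         = 'rg-nat-demo'
$loc        = 'eastus'
$zone       = '1'            # zonal NAT gateway: PIP and gateway must share the zone
$vnetName   = 'vnet-infra'
$subnetName = 'snet-infra'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Pre-flight: NAT gateway cannot coexist with basic-SKU public IPs or basic load
#    balancers in the subnet (their inbound flows would stop working). Collect the NIC
#    IP configurations that live in this subnet and see what they are attached to.
$nics = Get-AzNetworkInterface | Where-Object {
    $_.IpConfigurations.Subnet.Id -contains $subnet.Id
}
$ipConfigIds = @($nics.IpConfigurations.Id)

$basicPips = Get-AzPublicIpAddress | Where-Object {
    $_.Sku.Name -eq 'Basic' -and $_.IpConfiguration -and
    ($ipConfigIds -contains $_.IpConfiguration.Id)
}
$basicLbs = Get-AzLoadBalancer | Where-Object {
    $_.Sku.Name -eq 'Basic' -and
    (@($_.BackendAddressPools.BackendIpConfigurations.Id) |
        Where-Object { $ipConfigIds -contains $_ })
}
if ($basicPips -or $basicLbs) {
    $names = @($basicPips.Name) + @($basicLbs.Name)
    throw "Basic-SKU resources in $subnetName block NAT gateway: $($names -join ', ')"
}

# 2. Standard-SKU static public IP. This is the single egress address you allowlist
#    downstream (64,512 SNAT ports per IP). Use -PublicIpPrefix on the gateway
#    instead when one IP's port budget is not enough.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-natgw-az$zone" `
    -Location $loc -Sku Standard -AllocationMethod Static -Zone $zone

# 3. Zonal NAT gateway. To keep the zone promise, only place AZ $zone resources in
#    subnets linked to this gateway.
$natgw = New-AzNatGateway -ResourceGroupName $rg -Name "natgw-az$zone" -Location $loc `
    -Sku Standard -PublicIpAddress $pip -IdleTimeoutInMinutes 4 -Zone $zone

# 4. Link the gateway to the subnet. From here on every outbound flow from the subnet
#    is SNATed to $pip, overriding instance-level PIPs and standard LB outbound SNAT;
#    inbound to those PIPs/LBs keeps working.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NatGateway $natgw | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 5. Verify from inside the VM: the address the internet sees must now be the NAT
#    gateway's IP, not the VM's own public IP (the 142 vs 248 check in the video).
$expected = $pip.IpAddress
$result   = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName 'vm-web' `
    -CommandId 'RunPowerShellScript' `
    -ScriptString '(Invoke-RestMethod -Uri https://ifconfig.me/ip).Trim()'
$observed = ($result.Value | Where-Object Code -like 'ComponentStatus/StdOut/*').Message.Trim()
if ($observed -ne $expected) {
    throw "Egress observed as $observed, expected NAT gateway IP $expected"
}
"vm-web egress now uses NAT gateway $($natgw.Name) via $expected"
```

Run the pre-flight section on its own first if you are retrofitting a subnet; a `throw` there means you must migrate the offending basic-SKU public IPs or load balancer to Standard before the gateway can be attached.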
Info
Channel: John Savill's Technical Training
Views: 7,857
Keywords: NAT, NAT Gateway, Azure
Id: c685a1CiaIs
Length: 21min 37sec (1297 seconds)
Published: Fri Mar 13 2020