Last Updated on May 30, 2025 by Arnav Sharma
If you’re designing outbound internet connectivity in Azure, you’re likely weighing options between Azure NAT Gateway, Azure Firewall, or even a combination of both. It might seem overwhelming at first, but I am going to break it all down in simple terms, with examples and comparisons.
Why Outbound Connectivity Matters
In any Azure environment, your virtual machines (VMs), containers, or platform services often need to reach the internet. Whether it’s downloading updates, accessing APIs, or pushing logs to a third-party platform, outbound connectivity is critical.
But not all outbound connections are created equal. You want:
- Predictable IP addresses (for whitelisting)
- Enough SNAT ports to handle lots of connections
- Strong security (think TLS inspection, URL filtering)
- Easy management and scalability
This is where Azure NAT Gateway and Azure Firewall come into play.
What is Azure NAT Gateway?
Azure NAT Gateway is like a high-performance translator. It takes your internal private IPs and swaps them with static public IPs when your resources make outbound calls.
Key Benefits (with Examples):
- Static IPs: If your backend VM talks to a third-party payment gateway that only allows whitelisted IPs, NAT Gateway ensures your outbound IP never changes.
- Massive SNAT Capacity: Each public IP provides 64,512 ports. With 16 IPs, that’s over a million ports—ideal for scenarios like large AKS clusters or IoT devices making many simultaneous API calls.
- No Inbound Access: Only responses to outbound traffic are allowed, which means your VMs are never exposed directly to the internet.
- Fully Managed: Microsoft handles all the scaling, patching, and fault tolerance.
Example Scenario:
A backend app in a private subnet calls hundreds of APIs daily. Assigning public IPs to each VM would be chaotic. Instead, associate a NAT Gateway with the subnet. All calls go out from a single static IP (or set), and no complex routing is needed.
What is Azure Firewall?
Azure Firewall is like a security guard for your traffic. It monitors, filters, and protects your outbound, inbound, and east-west traffic.
Features that Stand Out:
- L3-L7 Filtering: You can allow/block traffic based on IP, port, protocol, domain names (FQDN), and even full URLs (Premium only).
- Threat Intelligence: Blocks known malicious IPs and domains.
- IDPS (Premium): Scans for malware or exploits in your traffic.
- TLS Inspection (Premium): Decrypts HTTPS traffic to inspect content, then re-encrypts it.
Example Scenario:
Let’s say you’re a financial service dealing with sensitive data. You don’t just want to allow internet access—you want to inspect it. Azure Firewall (Premium) can inspect SSL traffic, block malware downloads, and log every access.
Feature Comparison Table
| Feature | Azure NAT Gateway | Azure Firewall Standard | Azure Firewall Premium |
|---|---|---|---|
| SNAT Port Capacity | 64,512 per IP (up to 1M total) | 2,496 per IP per instance | Same as Standard |
| Static Public IPs | Yes | Yes | Yes |
| Outbound Traffic Only | Yes | No (also handles inbound & E-W) | No (also handles inbound & E-W) |
| L3/L4 Filtering (IP, Port) | No | Yes | Yes |
| FQDN Filtering | No | Yes | Yes |
| Full URL Filtering | No | No | Yes |
| TLS Inspection | No | No | Yes |
| Threat Intelligence | No | Alert/Deny (IP/Domain) | Alert/Deny (IP/Domain/URL) |
| IDPS (Malware Detection) | No | No | Yes |
| Logging (App/URL Level) | No | Yes | Advanced Logging |
When to Use What
1. NAT Gateway Only
Use it when you need lots of outbound connections with predictable IPs and don’t need content inspection.
Example: An AKS cluster pulling container images or apps needing stable IPs for SaaS integrations.
2. Azure Firewall Only
Use it when security is your top priority, and SNAT needs are manageable.
Example: A payment processor handling sensitive customer info that must inspect SSL traffic and block access to shady sites.
3. Combined NAT Gateway + Azure Firewall
Use both when you want advanced security inspection and massive SNAT scalability.
Example: A large enterprise with thousands of AVD users accessing Microsoft 365. Firewall inspects traffic, NAT handles SNAT scalability.
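The hub-side wiring of that combined design in Bicep, as an added example that is not the post's own code: the NAT Gateway is associated with AzureFirewallSubnet so the firewall's egress uses NAT Gateway SNAT ports, and a zone-redundant Premium firewall with threat intelligence and IDPS set to deny sits behind it. It assumes an existing hub VNet hub-vnet, an existing NAT Gateway natgw-z1 and an existing Standard public IP pip-fw in the same resource group; those names and the 10.0.1.0/26 range are hypothetical.

```bicep
// Added example, not the post's own code; resource names are hypothetical.
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'hub-vnet' }
resource natgw 'Microsoft.Network/natGateways@2023-05-01' existing = { name: 'natgw-z1' }
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' existing = { name: 'pip-fw' }

// Attaching the NAT Gateway to AzureFirewallSubnet moves the firewall's egress
// SNAT onto the NAT Gateway (64,512 ports per IP) instead of the firewall's
// 2,496 per IP per instance. The zonal NAT Gateway remains the egress SPOF.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet' // mandatory name; must be a /26
  properties: {
    addressPrefix: '10.0.1.0/26'
    natGateway: { id: natgw.id }
  }
}

// Premium policy: deny threat-intel matches and IDPS signature hits.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fw-policy'
  location: location
  properties: {
    sku: { tier: 'Premium' }
    threatIntelMode: 'Deny'
    intrusionDetection: { mode: 'Deny' }
  }
}

// Zone-redundant Premium firewall bound to the policy and the NAT-enabled subnet.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'hub-fw'
  location: location
  zones: ['1', '2', '3']
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Premium' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [{
      name: 'fw-ipconfig'
      properties: {
        subnet: { id: fwSubnet.id }
        publicIPAddress: { id: fwPip.id }
      }
    }]
  }
}

// Use as nextHopIpAddress of the spokes' 0.0.0.0/0 VirtualAppliance route.
output fwPrivateIp string = fw.properties.ipConfigurations[0].properties.privateIPAddress
```

Spoke subnets still need a route table sending 0.0.0.0/0 to fwPrivateIp; without it, traffic bypasses the firewall entirely.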
Considerations for Zone Resiliency
Azure NAT Gateway is zonal by nature (even in “no-zone” mode). Azure Firewall can be zone-redundant. If your NAT Gateway lives in Zone 1 and that zone goes down, you lose outbound access—even if your Firewall is still alive in other zones.
Best Practice:
- Use zonal NAT Gateways per zone (e.g., one in Zone 1, one in Zone 2)
- Align NAT Gateways with zonal VM deployments
- Be mindful: only one NAT Gateway per subnet is allowed
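What the per-zone layout (and the subnet association from the NAT Gateway scenario above) looks like in Bicep, as an added example that is not the post's own code: one zone-pinned public IP and NAT Gateway per zone, each attached to exactly one zone-aligned workload subnet. It assumes the names spoke-vnet, pip-natgw-z*, natgw-z* and snet-app-z*, the 10.10.0.0/16 range, and that the subnet's defaultOutboundAccess setting (Azure's private-subnet option) is available in the API version used; VMs for zone 1 would be deployed into snet-app-z1, and so on.

```bicep
// Added example, not the post's own code; names and ranges are made up.
param location string = resourceGroup().location
param zones array = ['1', '2'] // one NAT Gateway (and subnet) per zone in use

// Standard-SKU static public IP pinned to the same zone as its NAT Gateway.
resource pip 'Microsoft.Network/publicIPAddresses@2023-11-01' = [for z in zones: {
  name: 'pip-natgw-z${z}'
  location: location
  sku: { name: 'Standard' }
  zones: [z]
  properties: { publicIPAllocationMethod: 'Static' }
}]

// Zonal NAT Gateway. A NAT Gateway created without a zone is still placed in
// one zone by Azure, so pin it explicitly and deploy one per zone.
resource natgw 'Microsoft.Network/natGateways@2023-11-01' = [for (z, i) in zones: {
  name: 'natgw-z${z}'
  location: location
  sku: { name: 'Standard' }
  zones: [z]
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [{ id: pip[i].id }]
  }
}]

// One workload subnet per zone (zone-1 VMs go in snet-app-z1, and so on). A
// subnet may reference only one NAT Gateway; defaultOutboundAccess: false
// removes Azure's implicit outbound path so the NAT Gateway is the only exit.
resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'spoke-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.10.0.0/16'] }
    subnets: [for (z, i) in zones: {
      name: 'snet-app-z${z}'
      properties: {
        addressPrefix: '10.10.${i}.0/24'
        defaultOutboundAccess: false
        natGateway: { id: natgw[i].id }
      }
    }]
  }
}

output natGatewayIds array = [for i in range(0, length(zones)): natgw[i].id]
```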
What Microsoft Is Pushing Toward
Starting September 30, 2025, new Azure VMs won’t have default outbound internet access. Microsoft is nudging everyone to explicitly define outbound paths.
That means:
- Plan now for either NAT Gateway, Azure Firewall, or both
- Review all workloads needing internet access
- Consider centralizing outbound routes via a hub-spoke network model
Conclusion
There’s no one-size-fits-all solution. Azure NAT Gateway shines for simplicity and scale. Azure Firewall is unmatched for inspection and control. Together, they deliver power and precision—but with added complexity and cost.
Before choosing, ask yourself:
- Do I need deep traffic inspection?
- Is SNAT port exhaustion a risk?
- Will I scale to thousands of concurrent connections?
- Do I need predictable outbound IPs?
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
Azure NAT Gateway is a high-performance translator that converts private IPs to static public IPs for outbound traffic only, providing massive SNAT capacity without content inspection. Azure Firewall is a security-focused service that monitors, filters, and inspects outbound, inbound, and east-west traffic at layers 3-7, offering advanced features like TLS inspection and threat intelligence. NAT Gateway excels at scalability and simplicity, while Firewall excels at security and control.
Azure NAT Gateway provides 64,512 ports per public IP address, allowing up to 1 million total ports when using 16 IPs, making it ideal for large-scale deployments. Azure Firewall Standard and Premium both offer 2,496 ports per IP per instance, which is significantly lower than NAT Gateway and may lead to port exhaustion in high-volume scenarios.
Use both services together when you need advanced security inspection combined with massive SNAT scalability, such as a large enterprise with thousands of users. The Firewall handles deep traffic inspection and threat detection while the NAT Gateway manages the high volume of outbound connections, delivering both security and performance.
Azure NAT Gateway is zonal by nature, meaning if its zone goes down, outbound access is lost even if other services remain operational. Azure Firewall can be zone-redundant across multiple zones, providing better fault tolerance. The best practice is to deploy one NAT Gateway per zone and align them with zonal VM deployments.
Starting September 30, 2025, new Azure VMs will no longer have default outbound internet access, requiring organizations to explicitly configure outbound paths using NAT Gateway, Azure Firewall, or both. This change means you need to plan your outbound connectivity strategy now and review all workloads that require internet access.