Azure NAT Gateway: Fix Setup, Connectivity & SNAT Errors

Microsoft Fix Intermediate 14 min read Official Docs Grounded Updated April 20, 2026
What's in This Guide
  1. Why This Is Happening
  2. The Quick Fix
  3. Step-by-Step Solution
  4. Advanced Troubleshooting
  5. Prevention & Best Practices
  6. FAQ

Why This Is Happening

You've set up an Azure NAT Gateway, or you're trying to, and something just isn't working. Maybe your VMs in a private subnet still can't reach the internet. Maybe you're seeing SNAT port exhaustion errors under load. Maybe you deployed a StandardV2 NAT Gateway and now your virtual network is stuck in a failed state , and the Azure portal is giving you a vague error with zero guidance on how to fix it. I've seen every one of these scenarios, and they're all fixable once you understand what Azure NAT Gateway actually does under the hood.

Here's the core concept you need to internalize: Azure NAT Gateway is a fully managed, distributed Network Address Translation service. It lets every resource in a subnet reach the internet using shared public IP addresses , without those resources ever needing a public IP of their own. Crucially, it's a one-way door. Unsolicited inbound connections from the internet are blocked. Only response packets to outbound connections can flow back through. That security model is exactly why things break in non-obvious ways when the configuration is off.

The two most common reasons people land on this guide are:

  1. SNAT port exhaustion, Your subnets are hammering outbound connections faster than NAT Gateway can allocate Source Network Address Translation ports. This surfaces as intermittent connection failures, especially under load, and it's one of the most misdiagnosed networking problems in Azure.
  2. SKU mismatch or missing association, You created a NAT Gateway but didn't properly associate it with a subnet, or you're using a Standard SKU public IP with a StandardV2 NAT Gateway (which isn't supported, more on that below).

There's also a third category that trips up Azure engineers who are newer to the platform: the StandardV2 SKU is currently in public preview, and it has a meaningful list of limitations and known bugs, including a nasty one where attaching it to an empty subnet created before April 2025 can send your entire virtual network into a failed state. Microsoft's error messages for this are genuinely unhelpful, which is why you're here.

The good news: Azure NAT Gateway is intentionally designed to be straightforward to configure. When it breaks, it almost always comes down to one of a handful of root causes, and they're all addressable with the right sequence of steps. Browse all Microsoft fix guides →

The Quick Fix, Try This First

Before diving into a full diagnostic, run through this checklist. In my experience, about 70% of Azure NAT Gateway problems are solved by catching one of these misconfigurations early.

Step 1, Verify the subnet association. Open the Azure portal, navigate to your NAT Gateway resource, and click Subnets in the left-hand menu under Settings. If the subnet you expect to use isn't listed there, that's your problem. A NAT Gateway that isn't associated with a subnet does absolutely nothing. Click + Associate, pick your virtual network and subnet, and save.

Step 2, Confirm the public IP or prefix is attached. Still in your NAT Gateway resource, click Outbound IP in the left menu. You need at least one public IP address or one public IP prefix assigned. If this blade shows nothing, your VMs have nowhere to NAT their traffic to. Add a public IP by clicking + Add a public IP address.

Step 3, Check the SKU match. This is the silent killer for StandardV2 deployments. If you're using StandardV2 NAT Gateway, you must use StandardV2 SKU public IP addresses. Standard SKU public IPs are not supported with StandardV2 NAT Gateway. In the portal, go to your public IP resource, look at SKU in the Overview pane. If it says "Standard" instead of "Standard V2", you need to create a new public IP with the correct SKU.

Step 4, Check your region. StandardV2 NAT Gateway isn't available everywhere. If your virtual network is deployed in Canada East, Central India, Chile Central, Indonesia Central, Israel Northwest, Malaysia West, Qatar Central, or UAE Central, StandardV2 is not an option in your region yet. You'd need to use the Standard SKU instead.

Step 5, Run a connectivity test. SSH into one of your private VMs (via Azure Bastion or a jump box), then run:

curl -s https://ifconfig.me

If this returns the public IP you assigned to your NAT Gateway, everything is working. If it hangs or fails, continue to the step-by-step section below.

Pro Tip
When you're adding multiple public IPs to a NAT Gateway to scale outbound connections, use a public IP prefix instead of individual IPs. A /28 prefix gives you 16 contiguous IPs and automatically scales the gateway as needed, and it lets you configure destination firewall rules with a single predictable IP range rather than maintaining a list of individual addresses. It's dramatically easier to manage long-term.
1
Create or Recreate Your NAT Gateway with the Correct SKU

One of the most important things to understand about Azure NAT Gateway SKUs: you cannot upgrade a Standard SKU NAT Gateway to StandardV2. There's no in-place upgrade path. If you started with Standard and now need StandardV2 capabilities, zone redundancy, IPv6 support, 100 Gbps throughput instead of 50 Gbps, or flow log support, you have to create a brand new resource and swap it in.

To create a new NAT Gateway in the Azure portal:

  1. Search for NAT Gateways in the top search bar and open the service.
  2. Click + Create.
  3. On the Basics tab, choose your subscription, resource group, and region.
  4. Under SKU, choose either Standard or Standard V2 based on your needs.
  5. For Standard SKU, choose your availability zone (or leave as "No zone" for non-zonal). Standard NAT Gateway operates out of a single availability zone, plan accordingly.
  6. For StandardV2, no zone selection is needed, it's zone-redundant by design and spans all zones in the region automatically.
  7. Set your idle timeout (default is 4 minutes; range is 4–120 minutes).

Move to the Outbound IP tab and add your public IP or prefix. If you're building a StandardV2 gateway, only StandardV2 SKU public IPs will appear as valid options, you'll need to create one first if you don't have one.

If you did this correctly, after deployment you'll see your NAT Gateway with a green "Succeeded" provisioning state in the Overview blade. A "Failed" state here means something went wrong during creation, delete it and try again, paying close attention to the SKU of your associated public IP resource.

2
Associate the NAT Gateway with Your Subnet

This step trips up a surprising number of people, including senior engineers. Creating the NAT Gateway is not enough, you have to explicitly associate it with one or more subnets. Until you do that, your private resources are still going out through whatever outbound path existed before (often a default SNAT path via a load balancer, or no path at all).

There are two ways to do this association. The first is from the NAT Gateway resource itself:

  1. Open your NAT Gateway in the portal.
  2. In the left menu under Settings, click Subnets.
  3. Click + Associate.
  4. Select your Virtual Network from the dropdown, then choose the subnet.
  5. Click Save.

The second approach is from the Virtual Network side, navigate to your VNet, click Subnets, open the specific subnet, and set the NAT gateway field in the subnet configuration panel.

One important thing to know: a single subnet can only be associated with one NAT Gateway at a time. But the same NAT Gateway can be associated with multiple subnets in the same virtual network. All subnets in a VNet can share a single NAT Gateway resource if you want centralized outbound management.

After saving the association, wait about 60 seconds for propagation, then re-run your connectivity test from the VM. If you see your NAT Gateway's public IP returned from curl -s https://ifconfig.me, the association is working.

Watch out: if you're associating a StandardV2 NAT Gateway with an empty subnet that was created before April 2025 and has no VMs in it, you may see the virtual network enter a failed state. This is a documented known issue. The fix is to remove the NAT Gateway association, add a VM to that subnet first, and then reattach the NAT Gateway.

3
Diagnose and Fix SNAT Port Exhaustion

SNAT port exhaustion is the sneakiest Azure NAT Gateway problem because it doesn't fail loudly, it causes intermittent connection failures that look like application bugs or backend timeouts. If your application works fine at low load but starts dropping connections as traffic scales up, SNAT port exhaustion is the first thing to investigate.

Here's how to check via Azure Monitor. In the portal:

  1. Open your NAT Gateway resource.
  2. Click Metrics in the left menu.
  3. Add the metric SNAT Connection Count and also Dropped Packets.
  4. Set the time range to cover your incident window.

If you see Dropped Packets spiking in correlation with traffic peaks, you're exhausting SNAT ports. NAT Gateway dynamically allocates SNAT ports to scale outbound connectivity, but if you're opening an extremely large number of concurrent connections to the same destination endpoint, you can still hit limits.

The fix has three parts. First, add more public IP addresses to your NAT Gateway, each IP provides 64,512 SNAT ports. You can attach up to 16 public IP addresses, or equivalently a /28 public IP prefix. In the portal, go to Outbound IP under your NAT Gateway settings and click + Add a public IP address.

Second, look at your application's connection handling. Are you opening and closing connections rapidly to the same destination? Connection pooling at the application layer dramatically reduces SNAT port consumption.

Third, review your TCP idle timeout. The default is 4 minutes. If your app keeps idle connections open but doesn't send keepalives, those connections hold SNAT ports hostage. Either reduce the idle timeout or configure TCP keepalives in your application.

4
Fix Delegated Subnet Compatibility Issues

Here's a scenario I see constantly in enterprise Azure deployments: someone tries to attach a StandardV2 NAT Gateway to a subnet that's been delegated to a specific Azure service, and it just silently doesn't work, or the configuration fails.

StandardV2 NAT Gateway cannot be attached to delegated subnets for these specific services:

  • Azure SQL Managed Instance
  • Azure Container Instances
  • Azure Database for PostgreSQL, Flexible Server
  • Azure Database for MySQL, Flexible Server and standard MySQL
  • Azure Data Factory, Data Movement
  • Microsoft Power Platform services
  • Azure Stream Analytics
  • Azure Web Apps
  • Azure DNS Private Resolver

If you need outbound NAT for any of these services, your options depend on which services you're running. For SQL Managed Instance or ACI, you'll need to use Standard (not StandardV2) NAT Gateway, since Standard NAT Gateway doesn't carry the same delegated subnet restrictions. Alternatively, evaluate whether a user-defined route (UDR) through an Azure Firewall fits your architecture better, this is often the right call in hub-spoke topologies anyway.

To check whether your subnet has a delegation set, in the portal navigate to your Virtual Network → Subnets → click your subnet → look for the Subnet delegation field. If any service is listed there, that's a delegated subnet. You cannot remove the delegation without removing the service resources first.

The practical fix for most teams: use separate subnets, one delegated subnet for the PaaS service, and a separate non-delegated subnet for your VMs that get the NAT Gateway association. Route traffic between them using VNet peering or the hub-spoke pattern.

5
Fix IPv6 Outbound Issues with StandardV2

StandardV2 NAT Gateway supports both IPv4 and IPv6 public IP addresses, this is one of its headline features over Standard SKU. But there's a documented known issue that affects IPv6 outbound traffic specifically, and if you've enabled dual-stack (IPv4 + IPv6) networking in your VNet, you may be hitting it right now.

The issue: IPv6 outbound traffic via Load Balancer outbound rules is disrupted when StandardV2 NAT Gateway is associated to the same subnet. NAT Gateway takes priority for outbound traffic, and this interferes with IPv6 outbound rules configured on an external Load Balancer.

Microsoft has documented three options depending on your requirements:

  1. If you need both IPv4 and IPv6 outbound via Load Balancer rules: Use Load Balancer outbound rules for both IPv4 and IPv6 traffic. Don't associate a StandardV2 NAT Gateway to that subnet.
  2. If you want NAT Gateway for IPv4 and Load Balancer outbound rules for IPv6: Use Standard (not StandardV2) NAT Gateway for IPv4 outbound, and keep Load Balancer outbound rules for IPv6. This works because the conflict is specific to StandardV2.
  3. If you can go all-in on NAT Gateway for everything: Use StandardV2 NAT Gateway with both IPv4 and IPv6 public IPs assigned. Remove Load Balancer outbound rules entirely for that subnet.

To add an IPv6 public IP to your StandardV2 NAT Gateway in the portal: go to Outbound IP under your NAT Gateway → click + Add a public IP address → when creating the new IP, under IP Version select IPv6. Make sure the IP SKU is StandardV2 or it won't be compatible.

After making changes, verify with:

curl -6 -s https://ifconfig.me

from your VM. A returned IPv6 address that matches your assigned NAT Gateway IP confirms it's working correctly.

Advanced Troubleshooting

If you've worked through the steps above and you're still hitting issues, here's where to dig deeper. These scenarios come up more in enterprise environments, larger deployments, Infrastructure-as-Code pipelines, and multi-tenant architectures where the interaction between services gets complicated fast.

Terraform Deployments

If your team uses Terraform to manage Azure infrastructure, be aware: Terraform does not yet support StandardV2 NAT Gateway or StandardV2 Public IP deployments. This is a documented limitation. If you try to deploy StandardV2 resources via Terraform, you'll get provider errors or the resources will silently deploy as the wrong SKU depending on your provider version. Your options are to use Azure CLI, ARM templates, Bicep, or the portal directly for StandardV2 resources, and manage the state manually until Terraform adds support. Track the relevant GitHub issue in the Azure Terraform provider repo for status updates.

Using Azure CLI for Deployment

When the portal gives you cryptic errors, the CLI often gives more useful output. Here's the full creation sequence via Azure CLI:

# Create a StandardV2 public IP
az network public-ip create \
  --resource-group MyRG \
  --name MyNatGwIP \
  --sku StandardV2 \
  --allocation-method Static \
  --version IPv4

# Create the StandardV2 NAT Gateway
az network nat gateway create \
  --resource-group MyRG \
  --name MyNatGateway \
  --public-ip-addresses MyNatGwIP \
  --sku StandardV2 \
  --idle-timeout 10

# Associate with your subnet
az network vnet subnet update \
  --resource-group MyRG \
  --vnet-name MyVNet \
  --name MySubnet \
  --nat-gateway MyNatGateway

Virtual Network Failed State Recovery

If your VNet entered a failed state after attaching a StandardV2 NAT Gateway to an empty subnet (created before April 2025 without any VMs), the recovery sequence is:

# Step 1, Disassociate the NAT Gateway from the subnet
az network vnet subnet update \
  --resource-group MyRG \
  --vnet-name MyVNet \
  --name MySubnet \
  --remove natGateway

# Step 2, Deploy a VM into that subnet (any minimal VM will do)
# Step 3, Reattach the NAT Gateway
az network vnet subnet update \
  --resource-group MyRG \
  --vnet-name MyVNet \
  --name MySubnet \
  --nat-gateway MyNatGateway

Flow Logs for Deep Traffic Analysis (StandardV2 Only)

StandardV2 NAT Gateway supports flow logs, IP-based traffic records that show you exactly what's flowing outbound. If you're trying to trace which VMs are generating traffic, where it's going, and whether expected connections are making it through, enabling flow logs is the right move. In the portal, go to your NAT Gateway → Diagnostic settings → add a setting to send logs to a Log Analytics workspace or Storage Account. Query them in Log Analytics with:

AzureDiagnostics
| where ResourceType == "NATGATEWAYS"
| where Category == "NatGatewayFlowLogs"
| project TimeGenerated, srcIP_s, dstIP_s, dstPort_d, protocol_s
| order by TimeGenerated desc
When to Call Microsoft Support

If your VNet remains in a failed state after following the recovery steps above, if you're seeing provisioning failures that persist across multiple fresh deployments, or if you believe you've hit a platform-level bug in StandardV2 Preview behavior, open a support ticket. StandardV2 is in preview, and Microsoft explicitly tracks known issues for preview features. Don't spend days debugging what might be a backend platform bug. Open a ticket at Microsoft Support, select Azure → Networking → NAT Gateway, and include your resource IDs, region, timestamps, and the exact error messages you see in the Activity Log.

Prevention & Best Practices

Once your Azure NAT Gateway is running correctly, a small amount of upfront planning saves you from most of the pain points outlined in this guide. Here's what I tell every team that asks me how to avoid NAT Gateway headaches going forward.

Plan your IP capacity before you need it. Each public IP on your NAT Gateway provides 64,512 SNAT ports. If you know your workload makes thousands of concurrent outbound connections, start with a public IP prefix instead of a single IP. A /28 prefix gives you 16 IPs out of the gate and scales automatically without any reconfiguration. The operational overhead of managing 16 individual IPs later versus a single prefix resource is significant, get the prefix in place early.

Choose your SKU with zone requirements in mind. Standard NAT Gateway is zonal, it lives in a single availability zone. If that zone goes down, your outbound connectivity goes with it. StandardV2 is zone-redundant across all zones in the region. For production workloads that require high availability, StandardV2 (where available in your region) is the better choice, just factor in the preview limitations before committing fully.

Separate your subnet topology by purpose. Don't mix delegated PaaS subnets with VM subnets if you need NAT Gateway everywhere. Use dedicated subnets for each PaaS service and a separate compute subnet with the NAT Gateway association. This gives you clean control over routing and avoids the delegation conflicts described in Step 4.

Monitor SNAT metrics proactively. Set up an Azure Monitor alert on the Dropped Packets metric for your NAT Gateway before traffic problems happen, not after. A reasonable alert threshold is anything above 0 for more than 5 minutes, dropped packets should not be a normal baseline condition.

Test idle timeout settings in staging first. The default 4-minute TCP idle timeout works for most workloads. But if you have long-lived connections, database connections, WebSocket sessions, or keep-alive HTTP connections, changing this value in production without testing first can cause unexpected disconnections. Simulate your connection patterns in a staging environment and measure actual idle connection behavior before touching the timeout value.

Quick Wins
  • Use a public IP prefix (/28) instead of individual IPs for easier firewall allowlisting and automatic scaling
  • Enable Azure Monitor alerts on Dropped Packets and SNAT Connection Count from day one
  • Always associate NAT Gateway with subnets that contain at least one VM before deploying to production (avoids the known empty-subnet issue)
  • Document which regions your deployment targets, StandardV2 is not available in 8 regions as of 2026, and this affects your disaster recovery architecture

Frequently Asked Questions

What is Azure NAT Gateway and do I actually need it?

Azure NAT Gateway is Microsoft's managed Network Address Translation service that lets VMs and other resources in a private subnet reach the internet without having individual public IP addresses. You need it any time you want private VMs to make outbound internet calls, downloading packages, calling external APIs, or pushing data to external services, while keeping those VMs unreachable from unsolicited inbound traffic. Before NAT Gateway existed, teams typically used a load balancer's outbound rules or gave VMs public IPs directly, both of which are either more expensive or harder to secure at scale. NAT Gateway is the cleaner, purpose-built answer to this specific problem.

What's the difference between Standard and StandardV2 NAT Gateway, which should I pick?

Standard NAT Gateway is zonal (deploys to one availability zone, 50 Gbps max throughput) and is generally available. StandardV2 is zone-redundant (spans all zones in a region, 100 Gbps max throughput), adds IPv6 support and flow logs, but it's currently in public preview, which means it has known bugs and limitations you should read carefully before using in production. If your region supports StandardV2 and you need high availability across zones or you need IPv6 outbound support, StandardV2 is the direction Microsoft is heading. If you're in a StandardV2-unsupported region (Canada East, Central India, Chile Central, Indonesia Central, Israel Northwest, Malaysia West, Qatar Central, UAE Central) or you're running a delegated service subnet that StandardV2 can't attach to, Standard is your only option.

Can I upgrade my existing Standard NAT Gateway to StandardV2?

No, there's no in-place upgrade path. Microsoft has been explicit about this: you must create a new StandardV2 NAT Gateway resource and then replace the Standard one on your subnets. The process is: create your new StandardV2 gateway with a StandardV2 SKU public IP, then go to each subnet that currently uses your Standard gateway and change the associated NAT Gateway to the new one. There will be a brief period (usually under 60 seconds) during the swap where outbound connectivity is interrupted, so plan for a short maintenance window. After confirming the new gateway is working, delete the old Standard SKU resource.

My VMs still can't reach the internet even after I set up NAT Gateway, what am I missing?

The three most common culprits in this exact scenario are: (1) the NAT Gateway isn't actually associated with the subnet your VMs are in, check this under the NAT Gateway's Subnets blade in the portal; (2) there's a Network Security Group (NSG) on the subnet or the VM's NIC that's blocking outbound traffic on port 80 or 443, check your NSG outbound rules and make sure outbound internet traffic is allowed; (3) there's a user-defined route (UDR) in the subnet's route table that's overriding the NAT Gateway's route and sending traffic somewhere else like an Azure Firewall. Run curl -s https://ifconfig.me from inside the VM, if it hangs rather than returning an error, a routing or NSG issue is the likely cause.

How many public IPs can I add to a NAT Gateway, and when do I need more?

You can attach up to 16 public IP addresses to a single NAT Gateway, or use a /28 public IP prefix (which is also 16 IPs). Each IP provides 64,512 SNAT ports, so 16 IPs gives you over 1 million SNAT ports total. Most workloads never need more than 1–2 IPs. You should add more IPs when you see the Dropped Packets metric rising in Azure Monitor, or when your application starts experiencing intermittent outbound connection failures during traffic peaks. A /28 prefix is generally the better choice over individual IPs because it gives you a contiguous range for firewall allowlisting and the gateway automatically distributes across the range.

Does NAT Gateway work with Azure Kubernetes Service (AKS)?

Yes, NAT Gateway is actually the recommended outbound connectivity method for AKS clusters in many production scenarios, particularly when you need predictable outbound IPs for firewall allowlisting. You can configure NAT Gateway as the outbound type during AKS cluster creation, or you can manually associate the AKS node pool subnet with a NAT Gateway. The main thing to watch for is that AKS creates its own subnet for node pools, make sure the NAT Gateway is associated specifically with that node pool subnet. If your AKS cluster uses the Managed NAT Gateway option, Azure handles the association automatically; if you're bringing your own NAT Gateway, you manage the subnet association yourself.

Related Microsoft Fix Guides

Microsoft Fix
How to Fix Windows Update Errors (Error 0x80070003 & More)
Microsoft Fix
Fix Microsoft 365 Sign-In Problems, Complete Guide
Microsoft Fix
Azure Active Directory Troubleshooting Guide
Browse All
5,000+ Microsoft Fix Guides →
H
Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.