| title | description | author | ms.author | ms.service | ms.topic | ms.date | ms.custom |
|---|---|---|---|---|---|---|---|
Manage inbound NAT rules for Azure Load Balancer |
In this article, you'll learn how to add and remove and inbound NAT rule in the Azure portal. |
greg-lindsay |
greglin |
load-balancer |
how-to |
03/15/2022 |
template-how-to |
An inbound NAT rule is used to forward traffic from a load balancer frontend to one or more instances in the backend pool.
There are two types of inbound NAT rule:
-
Single virtual machine - An inbound NAT rule that targets a single machine in the backend pool of the load balancer
-
Multiple virtual machines - An inbound NAT rule that targets multiple virtual machines in the backend pool of the load balancer
In this article, you'll learn how to add and remove an inbound NAT rule for both types. You'll learn how to change the frontend port allocation in a multiple instance inbound NAT rule.
[!INCLUDE quickstarts-free-trial-note]
- A standard public load balancer in your subscription. For more information on creating an Azure Load Balancer, see Quickstart: Create a public load balancer to load balance VMs using the Azure portal. The load balancer name for the examples in this article is myLoadBalancer.
[!INCLUDE azure-cli-prepare-your-environment.md]
- If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run
Get-Module -ListAvailable Azto find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to runConnect-AzAccountto create a connection with Azure.
In this example, you'll create an inbound NAT rule to forward port 500 to backend port 443.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
-
Select myLoadBalancer or your load balancer.
-
In the load balancer page, select Inbound NAT rules in Settings.
-
Select + Add in Inbound NAT rules to add the rule.
:::image type="content" source="./media/manage-inbound-nat-rules/add-rule.png" alt-text="Screenshot of the inbound NAT rules page for Azure Load Balancer":::
-
Enter or select the following information in Add inbound NAT rule.
Setting Value Name Enter myInboundNATrule. Type Select Azure Virtual Machine. Target virtual machine Select the virtual machine that you wish to forward the port to. In this example, it's myVM1. Network IP configuration Select the IP configuration of the virtual machine. In this example, it's ipconfig1(10.1.0.4). Frontend IP address Select myFrontend. Frontend Port Enter 500. Service Tag Leave the default of Custom. Backend port Enter 443. Protocol Select TCP. -
Leave the rest of the settings at the defaults and select Add.
:::image type="content" source="./media/manage-inbound-nat-rules/add-single-instance-rule.png" alt-text="Screenshot of the create inbound NAT rule page":::
In this example, you'll create an inbound NAT rule to forward port 500 to backend port 443.
Use Get-AzLoadBalancer to place the load balancer information into a variable.
Use Add-AzLoadBalancerInboundNatRuleConfig to create the inbound NAT rule.
To save the configuration to the load balancer, use Set-AzLoadBalancer.
## Place the load balancer information into a variable for later use. ##
$slb = @{
ResourceGroupName = 'myResourceGroup'
Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb
## Create the single virtual machine inbound NAT rule. ##
$rule = @{
Name = 'myInboundNATrule'
Protocol = 'Tcp'
FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
FrontendPort = '500'
BackendPort = '443'
}
$lb | Add-AzLoadBalancerInboundNatRuleConfig @rule
$lb | Set-AzLoadBalancer
In this example, you'll create an inbound NAT rule to forward port 500 to backend port 443.
Use az network lb inbound-nat-rule create to create the NAT rule.
az network lb inbound-nat-rule create \
--backend-port 443 \
--lb-name myLoadBalancer \
--name myInboundNATrule \
--protocol Tcp \
--resource-group myResourceGroup \
--backend-pool-name myBackendPool \
--frontend-ip-name myFrontend \
--frontend-port 500
In this example, you'll create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter Maximum number of machines in backend pool with a value of 500. This setting will limit the backend pool to 500 virtual machines.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
-
Select myLoadBalancer or your load balancer.
-
In the load balancer page, select Inbound NAT rules in Settings.
-
Select + Add in Inbound NAT rules to add the rule.
:::image type="content" source="./media/manage-inbound-nat-rules/add-rule.png" alt-text="Screenshot of the inbound NAT rules page for Azure Load Balancer":::
-
Enter or select the following information in Add inbound NAT rule.
Setting Value Name Enter myInboundNATrule. Type Select Backend pool. Target backend pool Select your backend pool. In this example, it's myBackendPool. Frontend IP address Select your frontend IP address. In this example, it's myFrontend. Frontend port range start Enter 500. Maximum number of machines in backend pool Enter 500. Backend port Enter 443. Protocol Select TCP. -
Leave the rest at the defaults and select Add.
:::image type="content" source="./media/manage-inbound-nat-rules/add-inbound-nat-rule.png" alt-text="Screenshot of the add inbound NAT rules page":::
In this example, you'll create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter -FrontendPortRangeEnd with a value of 1000. This setting will limit the backend pool to 500 virtual machines.
Use Get-AzLoadBalancer to place the load balancer information into a variable.
Use Add-AzLoadBalancerInboundNatRuleConfig to create the inbound NAT rule.
To save the configuration to the load balancer, use Set-AzLoadBalancer
## Place the load balancer information into a variable for later use. ##
$slb = @{
ResourceGroupName = 'myResourceGroup'
Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb
## Create the multiple virtual machines inbound NAT rule. ##
$rule = @{
Name = 'myInboundNATrule'
Protocol = 'Tcp'
BackendPort = '443'
FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
FrontendPortRangeStart = '500'
FrontendPortRangeEnd = '1000'
BackendAddressPool = $lb.BackendAddressPools[0]
}
$lb | Add-AzLoadBalancerInboundNatRuleConfig @rule
$lb | Set-AzLoadBalancer
In this example, you'll create an inbound NAT rule to forward a range of ports starting at port 500 to backend port 443. The maximum number of machines in the backend pool is set by the parameter --frontend-port-range-end with a value of 1000. This setting will limit the backend pool to 500 virtual machines.
Use az network lb inbound-nat-rule create to create the NAT rule.
az network lb inbound-nat-rule create \
--backend-port 443 \
--lb-name myLoadBalancer \
--name myInboundNATrule \
--protocol Tcp \
--resource-group myResourceGroup \
--backend-pool-name myBackendPool \
--frontend-ip-name myFrontend \
--frontend-port-range-end 1000 \
--frontend-port-range-start 500
To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you'll change the Maximum number of machines in backend pool from 500 to 1000. This setting will increase the maximum number of machines in the backend pool to 1000.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
-
Select myLoadBalancer or your load balancer.
-
In the load balancer page, select Inbound NAT rules in Settings.
-
Select the inbound NAT rule you wish to change. In this example, it's myInboundNATrule.
:::image type="content" source="./media/manage-inbound-nat-rules/select-inbound-nat-rule.png" alt-text="Screenshot of inbound NAT rule overview.":::
-
In the properties of the inbound NAT rule, change the value in Maximum number of machines in backend pool to 1000.
-
Select Save.
:::image type="content" source="./media/manage-inbound-nat-rules/change-frontend-ports.png" alt-text="Screenshot of inbound NAT rule properties page.":::
To accommodate more virtual machines in the backend pool in a multiple instance rule, change the frontend port allocation in the inbound NAT rule. In this example, you'll change the parameter -FrontendPortRangeEnd to 1500. This setting will increase the maximum number of machines in the backend pool to 1000.
Use Get-AzLoadBalancer to place the load balancer information into a variable.
To change the port allocation, use Set-AzLoadBalancerInboundNatRuleConfig.
## Place the load balancer information into a variable for later use. ##
$slb = @{
ResourceGroupName = 'myResourceGroup'
Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb
## Set the new port allocation
$rule = @{
Name = 'myInboundNATrule'
Protocol = 'Tcp'
BackendPort = '443'
FrontendIpConfiguration = $lb.FrontendIpConfigurations[0]
FrontendPortRangeStart = '500'
FrontendPortRangeEnd = '1500'
BackendAddressPool = $lb.BackendAddressPools[0]
}
$lb | Set-AzLoadBalancerInboundNatRuleConfig @rule
To accommodate more virtual machines in the backend pool, change the frontend port allocation in the inbound NAT rule. In this example, you'll change the parameter --frontend-port-range-end to 1500. This setting will increase the maximum number of machines in the backend pool to 1000
Use az network lb inbound-nat-rule update to change the frontend port allocation.
az network lb inbound-nat-rule update \
--frontend-port-range-end 1500 \
--lb-name myLoadBalancer \
--name myInboundNATrule \
--resource-group myResourceGroup
Port mappings for the virtual machines in the backend pool can be viewed by using the Azure portal.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
-
Select myLoadBalancer or your load balancer.
-
In the load balancer page in, select Inbound NAT rules in Settings.
-
Select myInboundNATrule or your inbound NAT rule.
:::image type="content" source="./media/manage-inbound-nat-rules/view-inbound-nat-rule.png" alt-text="Screenshot of inbound NAT rule page.":::
-
Scroll to the Port mapping section of the inbound NAT rule properties page.
:::image type="content" source="./media/manage-inbound-nat-rules/view-port-mappings.png" alt-text="Screenshot of inbound NAT rule port mappings.":::
In this example, you'll remove an inbound NAT rule.
-
Sign in to the Azure portal.
-
In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.
-
Select myLoadBalancer or your load balancer.
-
In the load balancer page in, select Inbound NAT rules in Settings.
-
Select the three dots next to the rule you want to remove.
-
Select Delete.
:::image type="content" source="./media/manage-inbound-nat-rules/remove-inbound-nat-rule.png" alt-text="Screenshot of inbound NAT rule removal.":::
In this example, you'll remove an inbound NAT rule.
Use Get-AzLoadBalancer to place the load balancer information into a variable.
To remove the inbound NAT rule, use Remove-AzLoadBalancerInboundNatRuleConfig.
To save the configuration to the load balancer, use Set-AzLoadBalancer.
## Place the load balancer information into a variable for later use. ##
$slb = @{
ResourceGroupName = 'myResourceGroup'
Name = 'myLoadBalancer'
}
$lb = Get-AzLoadBalancer @slb
## Remove the inbound NAT rule
$lb | Remove-AzLoadBalancerInboundNatRuleConfig -Name 'myInboundNATrule'
$lb | Set-AzLoadBalancer
In this example, you'll remove an inbound NAT rule.
Use az network lb inbound-nat-rule delete to remove the rule.
az network lb inbound-nat-rule delete \
--lb-name myLoadBalancer \
--name myInboundNATrule \
--resource-group myResourceGroup
In this article, you learned how to manage inbound NAT rules for an Azure Load Balancer.
For more information about Azure Load Balancer, see: