Set up a NAT Gateway
Introduction
In order for NNM to monitor virtual machine instances in a Microsoft Azure Virtual Network, NNM must run on a virtual machine instance that functions as a network address translation (NAT) gateway. A NAT gateway instance routes traffic from internal-only virtual machine instances to the Internet. An NNM installed on the NAT gateway sees the hostnames and private IP addresses of the internal virtual machine instances, because it observes their packets before the NAT gateway masquerades the source IP address and forwards them to the Internet.
This guide walks through setting up a NAT gateway in a Microsoft Azure Virtual Network with the Azure CLI.
Before You Begin
Follow the Azure CLI Installation Instructions. Then connect to your subscription from the CLI.
Tip: If you encounter an error in the Azure CLI about your subscription not being registered to use a namespace, see the relevant section of the common deployment errors page.
Steps
- Enable Azure CLI Resource Manager commands.

      azure config mode arm
- Create a resource group. In this example, the resource group azureNNM is created.

      azure group create azureNNM eastus

      info:    Executing command group create
      + Getting resource group azureNNM
      + Creating resource group azureNNM
      info:    Created resource group azureNNM
      data:    Name:                azureNNM
      data:    Location:            eastus
      data:    Provisioning State:  Succeeded
      data:    Tags:                null
      data:
      info:    group create command OK
- Create a storage account in the resource group azureNNM. In this example, the storage account nnmstore is created.

      azure storage account create --location eastus --resource-group azureNNM --kind Storage --sku-name GRS nnmstore

      info:    Executing command storage account create
      + Checking availability of the storage account name
      + Creating storage account
      info:    storage account create command OK
- Create a Virtual Network in the resource group azureNNM. In this example, the Virtual Network is nnmVNet and has the network range 10.240.0.0/16.

      azure network vnet create -g azureNNM -n nnmVNet -a 10.240.0.0/16 -l eastus

      info:    Executing command network vnet create
      + Looking up the virtual network "nnmVNet"
      + Creating virtual network "nnmVNet"
      data:    Name                : nnmVNet
      data:    Type                : Microsoft.Network/virtualNetworks
      data:    Location            : eastus
      data:    Provisioning state  : Succeeded
      data:    Address prefixes:
      data:      10.240.0.0/16
      info:    network vnet create command OK
- Create a public subnet for the NAT gateway. In this example, the public subnet is nnmPublic and has the network range 10.240.0.0/24.

      azure network vnet subnet create -g azureNNM -e nnmVNet -n nnmPublic -a 10.240.0.0/24

      info:    Executing command network vnet subnet create
      + Looking up the virtual network "nnmVNet"
      + Looking up the subnet "nnmPublic"
      + Creating subnet "nnmPublic"
      data:    Name                : nnmPublic
      data:    Provisioning state  : Succeeded
      data:    Address prefix      : 10.240.0.0/24
      info:    network vnet subnet create command OK
- Create a public IP and subdomain name for the NAT gateway. In this example, the subdomain name is examplesubdomain and the public IP is nnmPIP. Note the FQDN in the output; it is the address you will use to SSH to the NAT gateway later.

      azure network public-ip create -d examplesubdomain azureNNM nnmPIP eastus

      info:    Executing command network public-ip create
      warn:    Using default --idle-timeout 4
      warn:    Using default --allocation-method Dynamic
      warn:    Using default --ip-version IPv4
      + Looking up the public ip "nnmPIP"
      + Creating public ip address "nnmPIP"
      data:    Name                     : nnmPIP
      data:    Type                     : Microsoft.Network/publicIPAddresses
      data:    Location                 : eastus
      data:    Provisioning state       : Succeeded
      data:    Allocation method        : Dynamic
      data:    IP version               : IPv4
      data:    Idle timeout in minutes  : 4
      data:    Domain name label        : examplesubdomain
      data:    FQDN                     : examplesubdomain.eastus.cloudapp.azure.com
      info:    network public-ip create command OK
- Create a NIC for the NAT gateway and associate it with the public IP nnmPIP and public subnet nnmPublic. In this example, the new NIC is nnmNatNic.

      azure network nic create --public-ip-name nnmPIP --subnet-name nnmPublic --subnet-vnet-name nnmVNet azureNNM nnmNatNic eastus

      info:    Executing command network nic create
      + Looking up the network interface "nnmNatNic"
      + Looking up the subnet "nnmPublic"
      + Looking up the public ip "nnmPIP"
      + Creating network interface "nnmNatNic"
      data:    Name                          : nnmNatNic
      data:    Type                          : Microsoft.Network/networkInterfaces
      data:    Location                      : eastus
      data:    Provisioning state            : Succeeded
      data:    Internal domain name suffix   : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net
      data:    Enable IP forwarding          : false
      data:    IP configurations:
      data:      Name                          : default-ip-config
      data:      Provisioning state            : Succeeded
      data:      Private IP address            : 10.240.0.4
      data:      Private IP version            : IPv4
      data:      Private IP allocation method  : Dynamic
      data:
      info:    network nic create command OK
- Enable IP forwarding on the new interface nnmNatNic.

      azure network nic set -g azureNNM -n nnmNatNic -f true

      info:    Executing command network nic set
      + Looking up the network interface "nnmNatNic"
      + Updating network interface "nnmNatNic"
      data:    Name                          : nnmNatNic
      data:    Type                          : Microsoft.Network/networkInterfaces
      data:    Location                      : eastus
      data:    Provisioning state            : Succeeded
      data:    MAC address                   : 00-0D-3A-13-27-48
      data:    Internal domain name suffix   : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net
      data:    Enable IP forwarding          : true
      data:    IP configurations:
      data:      Name                          : default-ip-config
      data:      Provisioning state            : Succeeded
      data:      Private IP address            : 10.240.0.4
      data:      Private IP version            : IPv4
      data:      Private IP allocation method  : Dynamic
      data:
      info:    network nic set command OK
- Create a private subnet for the instances that will not have a public IP address. In this example, the private subnet is nnmPrivate and has the network range 10.240.1.0/24.

      azure network vnet subnet create -g azureNNM -e nnmVNet -n nnmPrivate -a 10.240.1.0/24

      info:    Executing command network vnet subnet create
      + Looking up the virtual network "nnmVNet"
      + Looking up the subnet "nnmPrivate"
      + Creating subnet "nnmPrivate"
      data:    Name                : nnmPrivate
      data:    Provisioning state  : Succeeded
      data:    Address prefix      : 10.240.1.0/24
      info:    network vnet subnet create command OK
- Create a security group for the NAT gateway. In this example, the security group is nnmPublicNSG. The output lists the default rules that every new security group carries; they use priorities 65000 and above, so any rule you add with a lower priority number is evaluated before them.

      azure network nsg create azureNNM nnmPublicNSG eastus

      info:    Executing command network nsg create
      + Looking up the network security group "nnmPublicNSG"
      + Creating a network security group "nnmPublicNSG"
      data:    Name                : nnmPublicNSG
      data:    Type                : Microsoft.Network/networkSecurityGroups
      data:    Location            : eastus
      data:    Provisioning state  : Succeeded
      data:    Security rules:
      data:    Name                           Source IP          Source Port  Destination IP  Destination Port  Protocol  Direction  Access  Priority
      data:    -----------------------------  -----------------  -----------  --------------  ----------------  --------  ---------  ------  --------
      data:    AllowVnetInBound               VirtualNetwork     *            VirtualNetwork  *                 *         Inbound    Allow   65000
      data:    AllowAzureLoadBalancerInBound  AzureLoadBalancer  *            *               *                 *         Inbound    Allow   65001
      data:    DenyAllInBound                 *                  *            *               *                 *         Inbound    Deny    65500
      data:    AllowVnetOutBound              VirtualNetwork     *            VirtualNetwork  *                 *         Outbound   Allow   65000
      data:    AllowInternetOutBound          *                  *            Internet        *                 *         Outbound   Allow   65001
      data:    DenyAllOutBound                *                  *            *               *                 *         Outbound   Deny    65500
      info:    network nsg create command OK
- Create a rule in nnmPublicNSG to allow SSH to the NAT gateway. In this example, the new rule is called SSHRule and has a priority of 1000. This gives it precedence over the existing rules seen in the previous step. The warn lines show that --source-address-prefix defaults to *, so this rule admits SSH from any address; pass your management address range to --source-address-prefix if you want to narrow it.

      azure network nsg rule create --protocol tcp --direction inbound --priority 1000 --destination-port-range 22 --access allow azureNNM nnmPublicNSG SSHRule

      info:    Executing command network nsg rule create
      warn:    Using default --source-port-range *
      warn:    Using default --source-address-prefix *
      warn:    Using default --destination-address-prefix *
      + Looking up the network security group "nnmPublicNSG"
      + Looking up the network security rule "SSHRule"
      + Creating a network security rule "SSHRule"
      data:    Name                : SSHRule
      data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
      data:    Provisioning state  : Succeeded
      data:    Source IP           : *
      data:    Source Port         : *
      data:    Destination IP      : *
      data:    Destination Port    : 22
      data:    Protocol            : Tcp
      data:    Direction           : Inbound
      data:    Access              : Allow
      data:    Priority            : 1000
      info:    network nsg rule create command OK
- Create a rule in nnmPublicNSG to allow all traffic to the NAT gateway from within the virtual network. In this example, the new rule is called PrivateToPublicRule and has a priority of 1001. This gives it precedence over the existing rules that disallow traffic.

      azure network nsg rule create --direction inbound --priority 1001 --source-address-prefix VirtualNetwork --destination-port-range 0-65535 --access allow azureNNM nnmPublicNSG PrivateToPublicRule

      info:    Executing command network nsg rule create
      warn:    Using default --protocol *
      warn:    Using default --source-port-range *
      warn:    Using default --destination-address-prefix *
      + Looking up the network security group "nnmPublicNSG"
      + Looking up the network security rule "PrivateToPublicRule"
      + Creating a network security rule "PrivateToPublicRule"
      data:    Name                : PrivateToPublicRule
      data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
      data:    Provisioning state  : Succeeded
      data:    Source IP           : VirtualNetwork
      data:    Source Port         : *
      data:    Destination IP      : *
      data:    Destination Port    : 0-65535
      data:    Protocol            : *
      data:    Direction           : Inbound
      data:    Access              : Allow
      data:    Priority            : 1001
      info:    network nsg rule create command OK
- Create a rule in nnmPublicNSG to allow traffic to the NNM web server from the Internet. The default port is 8835. In this example, the new rule is called NnmWebRule and has a priority of 1002. This gives it precedence over the existing rules that disallow traffic.

      azure network nsg rule create --direction inbound --priority 1002 --protocol tcp --source-address-prefix Internet --destination-port-range 8835 --access allow azureNNM nnmPublicNSG NnmWebRule

      info:    Executing command network nsg rule create
      warn:    Using default --source-port-range *
      warn:    Using default --destination-address-prefix *
      + Looking up the network security group "nnmPublicNSG"
      + Looking up the network security rule "NnmWebRule"
      + Creating a network security rule "NnmWebRule"
      data:    Name                : NnmWebRule
      data:    Type                : Microsoft.Network/networkSecurityGroups/securityRules
      data:    Provisioning state  : Succeeded
      data:    Source IP           : Internet
      data:    Source Port         : *
      data:    Destination IP      : *
      data:    Destination Port    : 8835
      data:    Protocol            : Tcp
      data:    Direction           : Inbound
      data:    Access              : Allow
      data:    Priority            : 1002
      info:    network nsg rule create command OK
- Assign the security group nnmPublicNSG to nnmNatNic, which will be used as the interface of the NAT gateway when it is launched. The output below reports Enable IP forwarding : false even though forwarding was enabled in an earlier step, so check the setting with azure network nic show -g azureNNM -n nnmNatNic and re-run the IP forwarding step if it was cleared; the route to the NAT gateway created later depends on it.

      azure network nic set -g azureNNM -n nnmNatNic -o nnmPublicNSG

      info:    Executing command network nic set
      + Looking up the network interface "nnmNatNic"
      + Looking up the network security group "nnmPublicNSG"
      + Updating network interface "nnmNatNic"
      data:    Name                          : nnmNatNic
      data:    Type                          : Microsoft.Network/networkInterfaces
      data:    Location                      : eastus
      data:    Provisioning state            : Succeeded
      data:    Internal domain name suffix   : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net
      data:    Enable IP forwarding          : false
      data:    IP configurations:
      data:      Name                          : default-ip-config
      data:      Provisioning state            : Succeeded
      data:      Private IP address            : 10.240.0.4
      data:      Private IP version            : IPv4
      data:      Private IP allocation method  : Dynamic
      data:
      info:    network nic set command OK
- Launch the NAT gateway instance. In this example, CentOS 7 and the SSH key azureNNM_id_rsa are used. If you do not have an SSH key, refer to the Azure documentation for instructions on how to generate a key.

  Note: If you select a different image to install on your NAT gateway virtual machine, ensure that it is a platform that NNM supports.

      azure vm create --resource-group azureNNM --name nnmNatGateway --location eastus --os-type linux --nic-name nnmNatNic --vnet-name nnmVNet --vnet-subnet-name nnmPublic --storage-account-name nnmstore --image-urn CentOS --ssh-publickey-file ~/.ssh/azureNNM_id_rsa.pub --admin-username centos

      info:    Executing command vm create
      + Looking up the VM "nnmNatGateway"
      info:    Verifying the public key SSH file: ~/.ssh/azureNNM_id_rsa.pub
      info:    Using the VM Size "Standard_DS1"
      info:    The [OS, Data] Disk or image configuration requires storage account
      + Looking up the storage account nnmstore
      + Looking up the NIC "nnmNatNic"
      info:    Found an existing NIC "nnmNatNic"
      info:    The storage URI 'https://nnmstore.blob.core.windows.net/' will be used for boot diagnostics settings, and it can be overwritten by the parameter input of '--boot-diagnostics-storage-uri'.
      + Creating VM "nnmNatGateway"
      info:    vm create command OK
- Connect to the new NAT gateway instance as the admin user, using the public DNS name that was created along with your public IP. Pass the private half of the key pair to -i (the .pub file was only needed when the VM was created).

      ssh -i ~/.ssh/azureNNM_id_rsa centos@examplesubdomain.eastus.cloudapp.azure.com
- Once logged into your NAT gateway instance, enable IP forwarding and configure iptables.

      user@nat-gateway:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
      user@nat-gateway:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  The first sudo command tells the kernel to allow IP forwarding. The second sudo command masquerades packets received from internal instances so that they appear to originate from the NAT gateway instance. eth0 is the primary interface on the CentOS 7 image used here; if your image names it differently, adjust the -o argument accordingly.

  Tip: Consider saving these commands in a startup script, because these settings will not persist if the instance is rebooted.
- Create a route table for the private subnet. In this example, the route table is nnmPrivateUDR.

      azure network route-table create -g azureNNM -n nnmPrivateUDR -l eastus

      info:    Executing command network route-table create
      + Looking up Route Table "nnmPrivateUDR"
      + Creating Route Table "nnmPrivateUDR"
      data:    Name                : nnmPrivateUDR
      data:    Type                : Microsoft.Network/routeTables
      data:    Location            : eastus
      data:    Provisioning state  : Succeeded
      info:    network route-table create command OK
- Create a route to the Internet using the NAT gateway as the next hop for instances in the private subnet. In this example, the private IP address of the NAT gateway is 10.240.0.4.

      azure network route-table route create -g azureNNM -r nnmPrivateUDR -n RouteToInternet -a 0.0.0.0/0 -y VirtualAppliance -p 10.240.0.4

      info:    Executing command network route-table route create
      + Looking up Route Table "nnmPrivateUDR"
      + Looking up route "RouteToInternet" in route table "nnmPrivateUDR"
      + Creating route "RouteToInternet" in a route table "nnmPrivateUDR"
      data:    Name                 : RouteToInternet
      data:    Provisioning state   : Succeeded
      data:    Next hop type        : VirtualAppliance
      data:    Next hop IP address  : 10.240.0.4
      data:    Address prefix       : 0.0.0.0/0
      info:    network route-table route create command OK
- Associate the route table nnmPrivateUDR with the private subnet nnmPrivate.

      azure network vnet subnet set -g azureNNM -e nnmVNet -n nnmPrivate -r nnmPrivateUDR

      info:    Executing command network vnet subnet set
      + Looking up the virtual network "nnmVNet"
      + Looking up the subnet "nnmPrivate"
      + Looking up Route Table "nnmPrivateUDR"
      + Updating subnet "nnmPrivate"
      data:    Name                : nnmPrivate
      data:    Provisioning state  : Succeeded
      data:    Address prefix      : 10.240.1.0/24
      info:    network vnet subnet set command OK
- Create a NIC for an example instance in the private subnet. You will need to create a new NIC for every additional instance you create. In this example, the new NIC is named nnmPrivateNic.

      azure network nic create --subnet-name nnmPrivate --subnet-vnet-name nnmVNet azureNNM nnmPrivateNic eastus

      info:    Executing command network nic create
      + Looking up the network interface "nnmPrivateNic"
      + Looking up the subnet "nnmPrivate"
      + Creating network interface "nnmPrivateNic"
      data:    Name                          : nnmPrivateNic
      data:    Type                          : Microsoft.Network/networkInterfaces
      data:    Location                      : eastus
      data:    Provisioning state            : Succeeded
      data:    Internal domain name suffix   : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net
      data:    Enable IP forwarding          : false
      data:    IP configurations:
      data:      Name                          : default-ip-config
      data:      Provisioning state            : Succeeded
      data:      Private IP address            : 10.240.1.4
      data:      Private IP version            : IPv4
      data:      Private IP allocation method  : Dynamic
      data:
      info:    network nic create command OK
- Launch an example instance into the private subnet nnmPrivate using nnmPrivateNic as the NIC.

      azure vm create --resource-group azureNNM --name exampleInstance --location eastus --os-type linux --nic-name nnmPrivateNic --vnet-name nnmVNet --vnet-subnet-name nnmPrivate --storage-account-name nnmstore --image-urn CentOS --ssh-publickey-file ~/.ssh/azureNNM_id_rsa.pub --admin-username centos

      info:    Executing command vm create
      + Looking up the VM "exampleInstance"
      info:    Verifying the public key SSH file: ~/.ssh/azureNNM_id_rsa.pub
      info:    Using the VM Size "Standard_DS1"
      info:    The [OS, Data] Disk or image configuration requires storage account
      + Looking up the storage account nnmstore
      + Looking up the NIC "nnmPrivateNic"
      info:    Found an existing NIC "nnmPrivateNic"
      info:    This is an NIC without publicIP configured
      info:    The storage URI 'https://nnmstore.blob.core.windows.net/' will be used for boot diagnostics settings, and it can be overwritten by the parameter input of '--boot-diagnostics-storage-uri'.
      + Creating VM "exampleInstance"
      info:    vm create command OK
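As an added example (not part of the NNM guide or the Azure CLI), the following Python models how Azure evaluates the inbound rules of nnmPublicNSG: rules are tried in ascending priority number and the first match decides, which is why the guide's rules at 1000-1002 take effect before the default rules at 65000 and above. The rule set is transcribed from the command output in the steps above; sources are simplified to service tags, and broad_allows is a review check of my own that flags custom Allow rules whose source is *, which SSHRule is because the guide leaves --source-address-prefix at its default.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number is evaluated first
    source: str       # "*" or a service tag such as "Internet" / "VirtualNetwork"
    dest_port: str    # "*", a single port, or a range such as "0-65535"
    protocol: str     # "*", "Tcp" or "Udp"
    access: str       # "Allow" or "Deny"


# Inbound rules of nnmPublicNSG as shown in the guide's output: the three rules
# the guide creates plus Azure's default inbound rules.
NNM_PUBLIC_NSG_INBOUND = [
    Rule("SSHRule", 1000, "*", "22", "Tcp", "Allow"),
    Rule("PrivateToPublicRule", 1001, "VirtualNetwork", "0-65535", "*", "Allow"),
    Rule("NnmWebRule", 1002, "Internet", "8835", "Tcp", "Allow"),
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules, source_tag: str, port: int, protocol: str):
    """Return (access, rule name) of the first matching rule in priority order.

    Sources are modelled as service tags; a rule source of "*" matches any tag.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.source in ("*", source_tag)
                and port_matches(rule.dest_port, port)
                and rule.protocol.lower() in ("*", protocol.lower())):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while DenyAllInBound is present


def broad_allows(rules):
    """Review check (my addition): custom Allow rules open to any source."""
    return [r.name for r in rules
            if r.access == "Allow" and r.source == "*" and r.priority < 65000]


if __name__ == "__main__":
    for src, port, proto in [("Internet", 22, "Tcp"), ("Internet", 8835, "Tcp"),
                             ("Internet", 443, "Tcp"), ("VirtualNetwork", 443, "Tcp")]:
        print(src, port, proto, "->", evaluate(NNM_PUBLIC_NSG_INBOUND, src, port, proto))
    print("allow rules open to any source:", broad_allows(NNM_PUBLIC_NSG_INBOUND))
```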