Set up a NAT Gateway

Introduction

In order for PVS (Passive Vulnerability Scanner) to monitor virtual machine instances in a Microsoft Azure Virtual Network, PVS must run on a virtual machine instance that functions as a network address translation (NAT) gateway. A NAT gateway instance routes traffic from internal-only virtual machine instances to the Internet. A PVS installed on a NAT gateway has visibility into the hostnames and private IP addresses of the internal virtual machine instances, because it sees their packets before the NAT gateway rewrites the source IP address and forwards them to the Internet.

This guide walks through setting up a NAT gateway in a Microsoft Azure Virtual Network.

Before You Begin

Follow the Azure CLI Installation Instructions. Then connect to your subscription from the CLI.

Tip: If you encounter an error in the Azure CLI about your subscription not being registered to use a namespace, see this section on the common deployment errors page.

Steps

  1. Enable Azure CLI Resource Manager commands.

    azure config mode arm

  2. Create a resource group.

    In this example, the resource group azurePVS is created.

    azure group create azurePVS eastus

    info: Executing command group create

    + Getting resource group azurePVS

    + Creating resource group azurePVS

    info: Created resource group azurePVS

    data: Name: azurePVS

    data: Location: eastus

    data: Provisioning State: Succeeded

    data: Tags: null

    data:

    info: group create command OK

  3. Create a storage account in the resource group azurePVS.

    In this example, the storage group pvsstore is created.

    azure storage account create --location eastus --resource-group azurePVS --kind Storage --sku-name GRS pvsstore

    info: Executing command storage account create

    + Checking availability of the storage account name

    + Creating storage account

    info: storage account create command OK

  4. Create a Virtual Network in the resource group azurePVS.

    In this example, the Virtual Network is pvsVNet and has the network range 10.240.0.0/16.

    azure network vnet create -g azurePVS -n pvsVNet -a 10.240.0.0/16 -l eastus

    info: Executing command network vnet create

    + Looking up the virtual network "pvsVNet"

    + Creating virtual network "pvsVNet"

    data: Name : pvsVNet

    data: Type : Microsoft.Network/virtualNetworks

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Address prefixes:

    data: 10.240.0.0/16

    info: network vnet create command OK

  5. Create a public subnet for the NAT gateway.

    In this example, the public subnet is pvsPublic and has the network range 10.240.0.0/24.

    azure network vnet subnet create -g azurePVS -e pvsVNet -n pvsPublic -a 10.240.0.0/24

    info: Executing command network vnet subnet create

    + Looking up the virtual network "pvsVNet"

    + Looking up the subnet "pvsPublic"

    + Creating subnet "pvsPublic"

    data: Name : pvsPublic

    data: Provisioning state : Succeeded

    data: Address prefix : 10.240.0.0/24

    info: network vnet subnet create command OK

  6. Create a public IP and sub domain name for the NAT gateway.

    In this example, the sub domain name is examplesubdomain and the public IP is pvsPIP.

    azure network public-ip create -d examplesubdomain azurePVS pvsPIP eastus

    info: Executing command network public-ip create

    warn: Using default --idle-timeout 4

    warn: Using default --allocation-method Dynamic

    warn: Using default --ip-version IPv4

    + Looking up the public ip "pvsPIP"

    + Creating public ip address "pvsPIP"

    data: Name : pvsPIP

    data: Type : Microsoft.Network/publicIPAddresses

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Allocation method : Dynamic

    data: IP version : IPv4

    data: Idle timeout in minutes : 4

    data: Domain name label : examplesubdomain

    data: FQDN : examplesubdomain.eastus.cloudapp.azure.com

    info: network public-ip create command OK

  7. Create a NIC for the NAT gateway and associate it with the public IP pvsPIP and public subnet pvsPublic.

    In this example, the new NIC is pvsNatNic.

    azure network nic create --public-ip-name pvsPIP --subnet-name pvsPublic --subnet-vnet-name pvsVNet azurePVS pvsNatNic eastus

    info: Executing command network nic create

    + Looking up the network interface "pvsNatNic"

    + Looking up the subnet "pvsPublic"

    + Looking up the public ip "pvsPIP"

    + Creating network interface "pvsNatNic"

    data: Name : pvsNatNic

    data: Type : Microsoft.Network/networkInterfaces

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Internal domain name suffix : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net

    data: Enable IP forwarding : false

    data: IP configurations:

    data: Name : default-ip-config

    data: Provisioning state : Succeeded

    data: Private IP address : 10.240.0.4

    data: Private IP version : IPv4

    data: Private IP allocation method : Dynamic

    data:

    info: network nic create command OK

  8. Enable IP forwarding on the new interface pvsNatNic.

    azure network nic set -g azurePVS -n pvsNatNic -f true

    info: Executing command network nic set

    + Looking up the network interface "pvsNatNic"

    + Updating network interface "pvsNatNic"

    data: Name : pvsNatNic

    data: Type : Microsoft.Network/networkInterfaces

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: MAC address : 00-0D-3A-13-27-48

    data: Internal domain name suffix : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net

    data: Enable IP forwarding : true

    data: IP configurations:

    data: Name : default-ip-config

    data: Provisioning state : Succeeded

    data: Private IP address : 10.240.0.4

    data: Private IP version : IPv4

    data: Private IP allocation method : Dynamic

    data:

    info: network nic set command OK

  9. Create a private subnet for the instances that will not have a public IP address.

    In this example, the private subnet is pvsPrivate.

    azure network vnet subnet create -g azurePVS -e pvsVNet -n pvsPrivate -a 10.240.1.0/24

    info: Executing command network vnet subnet create

    + Looking up the virtual network "pvsVNet"

    + Looking up the subnet "pvsPrivate"

    + Creating subnet "pvsPrivate"

    data: Name : pvsPrivate

    data: Provisioning state : Succeeded

    data: Address prefix : 10.240.1.0/24

    info: network vnet subnet create command OK

  10. Create a security group for the NAT gateway.

    In this example, the security group is pvsPublicNSG.

    azure network nsg create azurePVS pvsPublicNSG eastus

    info: Executing command network nsg create

    + Looking up the network security group "pvsPublicNSG"

    + Creating a network security group "pvsPublicNSG"

    data: Name : pvsPublicNSG

    data: Type : Microsoft.Network/networkSecurityGroups

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Security rules:

    data: Name Source IP Source Port Destination IP Destination Port Protocol Direction Access Priority

    data: ----------------------------- ----------------- ----------- -------------- ---------------- -------- --------- ------ --------

    data: AllowVnetInBound VirtualNetwork * VirtualNetwork * * Inbound Allow 65000

    data: AllowAzureLoadBalancerInBound AzureLoadBalancer * * * * Inbound Allow 65001

    data: DenyAllInBound * * * * * Inbound Deny 65500

    data: AllowVnetOutBound VirtualNetwork * VirtualNetwork * * Outbound Allow 65000

    data: AllowInternetOutBound * * Internet * * Outbound Allow 65001

    data: DenyAllOutBound * * * * * Outbound Deny 65500

    info: network nsg create command OK

  11. Create a rule in the pvsPublicNSG to allow SSH to the NAT gateway.

    In this example, the new rule is called SSHRule and the rule has a priority of 1000. This gives it precedence over the existing rules seen in the previous step.

    azure network nsg rule create --protocol tcp --direction inbound --priority 1000 --destination-port-range 22 --access allow azurePVS pvsPublicNSG SSHRule

    info: Executing command network nsg rule create

    warn: Using default --source-port-range *

    warn: Using default --source-address-prefix *

    warn: Using default --destination-address-prefix *

    + Looking up the network security group "pvsPublicNSG"

    + Looking up the network security rule "SSHRule"

    + Creating a network security rule "SSHRule"

    data: Name : SSHRule

    data: Type : Microsoft.Network/networkSecurityGroups/securityRules

    data: Provisioning state : Succeeded

    data: Source IP : *

    data: Source Port : *

    data: Destination IP : *

    data: Destination Port : 22

    data: Protocol : Tcp

    data: Direction : Inbound

    data: Access : Allow

    data: Priority : 1000

    info: network nsg rule create command OK

  12. Create a rule in the pvsPublicNSG to allow all traffic to the NAT gateway from within the virtual network.

    In this example, the new rule is called PrivateToPublicRule and the rule has a priority of 1001. This gives it precedence over the existing rules that disallow traffic.

    azure network nsg rule create --direction inbound --priority 1001 --source-address-prefix VirtualNetwork --destination-port-range 0-65535 --access allow azurePVS pvsPublicNSG PrivateToPublicRule

    info: Executing command network nsg rule create

    warn: Using default --protocol *

    warn: Using default --source-port-range *

    warn: Using default --destination-address-prefix *

    + Looking up the network security group "pvsPublicNSG"

    + Looking up the network security rule "PrivateToPublicRule"

    + Creating a network security rule "PrivateToPublicRule"

    data: Name : PrivateToPublicRule

    data: Type : Microsoft.Network/networkSecurityGroups/securityRules

    data: Provisioning state : Succeeded

    data: Source IP : VirtualNetwork

    data: Source Port : *

    data: Destination IP : *

    data: Destination Port : 0-65535

    data: Protocol : *

    data: Direction : Inbound

    data: Access : Allow

    data: Priority : 1001

    info: network nsg rule create command OK

  13. Create a rule in the pvsPublicNSG to allow traffic to the PVS web server from the Internet. The default port is 8835.

    In this example, the new rule is called PvsWebRule and the rule has a priority of 1002. This gives it precedence over the existing rules that disallow traffic.

    azure network nsg rule create --direction inbound --priority 1002 --protocol tcp --source-address-prefix Internet --destination-port-range 8835 --access allow azurePVS pvsPublicNSG PvsWebRule

    info: Executing command network nsg rule create

    warn: Using default --source-port-range *

    warn: Using default --destination-address-prefix *

    + Looking up the network security group "pvsPublicNSG"

    + Looking up the network security rule "PvsWebRule"

    + Creating a network security rule "PvsWebRule"

    data: Name : PvsWebRule

    data: Type : Microsoft.Network/networkSecurityGroups/securityRules

    data: Provisioning state : Succeeded

    data: Source IP : Internet

    data: Source Port : *

    data: Destination IP : *

    data: Destination Port : 8835

    data: Protocol : Tcp

    data: Direction : Inbound

    data: Access : Allow

    data: Priority : 1002

    info: network nsg rule create command OK

  14. Assign the security group pvsPublicNSG to the pvsNatNic, which will be used as the interface of the NAT gateway when it is launched.

    azure network nic set -g azurePVS -n pvsNatNic -o pvsPublicNSG

    info: Executing command network nic set

    + Looking up the network interface "pvsNatNic"

    + Looking up the network security group "pvsPublicNSG"

    + Updating network interface "pvsNatNic"

    data: Name : pvsNatNic

    data: Type : Microsoft.Network/networkInterfaces

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Internal domain name suffix : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net

    data: Enable IP forwarding : false

    data: IP configurations:

    data: Name : default-ip-config

    data: Provisioning state : Succeeded

    data: Private IP address : 10.240.0.4

    data: Private IP version : IPv4

    data: Private IP allocation method : Dynamic

    data:

    info: network nic set command OK

  15. Launch the NAT gateway instance.

    In this example, CentOS 7 and the SSH key azurePVS_id_rsa are used. If you do not have an SSH key, refer to the Azure documentation for instructions on how to generate a key.

    Note: If you select a different image to install on your NAT gateway virtual machine, ensure that it is a platform that PVS supports.

    azure vm create --resource-group azurePVS --name pvsNatGateway --location eastus --os-type linux --nic-name pvsNatNic --vnet-name pvsVNet --vnet-subnet-name pvsPublic --storage-account-name pvsstore --image-urn CentOS --ssh-publickey-file ~/.ssh/azurePVS_id_rsa.pub --admin-username centos

    info: Executing command vm create

    + Looking up the VM "pvsNatGateway"

    info: Verifying the public key SSH file: ~/.ssh/azurePVS_id_rsa.pub

    info: Using the VM Size "Standard_DS1"

    info: The [OS, Data] Disk or image configuration requires storage account

    + Looking up the storage account pvsstore

    + Looking up the NIC "pvsNatNic"

    info: Found an existing NIC "pvsNatNic"

    info: The storage URI 'https://pvsstore.blob.core.windows.net/' will be used for boot diagnostics settings, and it can be overwritten by the parameter input of '--boot-diagnostics-storage-uri'.

    + Creating VM "pvsNatGateway"

    info: vm create command OK

  16. Connect to the new NAT gateway instance using the public DNS name that was created when your public IP was created.

    ssh -i ~/.ssh/azurePVS_id_rsa centos@examplesubdomain.eastus.cloudapp.azure.com

  17. Once logged into your NAT gateway instance, configure iptables and IP forwarding.

    user@nat-gateway:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    user@nat-gateway:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    The first sudo command tells the kernel to allow IP forwarding. The second sudo command masquerades packets received from internal instances as if they originated from the NAT gateway instance.

    Tip: Consider saving these commands in a startup script, because these settings will not persist if the instance is rebooted.

  18. Create a route table for the private subnet.

    In this example, the route table is pvsPrivateUDR.

    azure network route-table create -g azurePVS -n pvsPrivateUDR -l eastus

    info: Executing command network route-table create

    + Looking up Route Table "pvsPrivateUDR"

    + Creating Route Table "pvsPrivateUDR"

    data: Name : pvsPrivateUDR

    data: Type : Microsoft.Network/routeTables

    data: Location : eastus

    data: Provisioning state : Succeeded

    info: network route-table create command OK

  19. Create a route to the internet using the NAT gateway as the next hop for instances in the private subnet.

    In this example, the private IP address of the NAT gateway is 10.240.0.4.

    azure network route-table route create -g azurePVS -r pvsPrivateUDR -n RouteToInternet -a 0.0.0.0/0 -y VirtualAppliance -p 10.240.0.4

    info: Executing command network route-table route create

    + Looking up Route Table "pvsPrivateUDR"

    + Looking up route "RouteToInternet" in route table "pvsPrivateUDR"

    + Creating route "RouteToInternet" in a route table "pvsPrivateUDR"

    data: Name : RouteToInternet

    data: Provisioning state : Succeeded

    data: Next hop type : VirtualAppliance

    data: Next hop IP address : 10.240.0.4

    data: Address prefix : 0.0.0.0/0

    info: network route-table route create command OK

  20. Associate the route table pvsPrivateUDR with the private subnet pvsPrivate.

    azure network vnet subnet set -g azurePVS -e pvsVNet -n pvsPrivate -r pvsPrivateUDR

    info: Executing command network vnet subnet set

    + Looking up the virtual network "pvsVNet"

    + Looking up the subnet "pvsPrivate"

    + Looking up Route Table "pvsPrivateUDR"

    + Updating subnet "pvsPrivate"

    data: Name : pvsPrivate

    data: Provisioning state : Succeeded

    data: Address prefix : 10.240.1.0/24

    info: network vnet subnet set command OK

  21. Create a NIC for an example instance in the private subnet. You will need to create a new NIC for every additional instance you create.

    In this example, the new NIC is named pvsPrivateNic.

    azure network nic create --subnet-name pvsPrivate --subnet-vnet-name pvsVNet azurePVS pvsPrivateNic eastus

    info: Executing command network nic create

    + Looking up the network interface "pvsPrivateNic"

    + Looking up the subnet "pvsPrivate"

    + Creating network interface "pvsPrivateNic"

    data: Name : pvsPrivateNic

    data: Type : Microsoft.Network/networkInterfaces

    data: Location : eastus

    data: Provisioning state : Succeeded

    data: Internal domain name suffix : gqhqyfrlprbu3jyndjoq4ap5se.bx.internal.cloudapp.net

    data: Enable IP forwarding : false

    data: IP configurations:

    data: Name : default-ip-config

    data: Provisioning state : Succeeded

    data: Private IP address : 10.240.1.4

    data: Private IP version : IPv4

    data: Private IP allocation method : Dynamic

    data:

    info: network nic create command OK

  22. Launch an example instance into the private subnet pvsPrivate using the pvsPrivateNic as the NIC.

    azure vm create --resource-group azurePVS --name exampleInstance --location eastus --os-type linux --nic-name pvsPrivateNic --vnet-name pvsVNet --vnet-subnet-name pvsPrivate --storage-account-name pvsstore --image-urn CentOS --ssh-publickey-file ~/.ssh/azurePVS_id_rsa.pub --admin-username centos

    info: Executing command vm create

    + Looking up the VM "exampleInstance"

    info: Verifying the public key SSH file: ~/.ssh/azurePVS_id_rsa.pub

    info: Using the VM Size "Standard_DS1"

    info: The [OS, Data] Disk or image configuration requires storage account

    + Looking up the storage account pvsstore

    + Looking up the NIC "pvsPrivateNic"

    info: Found an existing NIC "pvsPrivateNic"

    info: This is an NIC without publicIP configured

    info: The storage URI 'https://pvsstore.blob.core.windows.net/' will be used for boot diagnostics settings, and it can be overwritten by the parameter input of '--boot-diagnostics-storage-uri'.

    + Creating VM "exampleInstance"

    info: vm create command OK
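The following boot-time script makes the step 17 settings persistent, as the Tip in that step suggests, and narrows the MASQUERADE rule so that only traffic originating in the private subnet is translated and forwarded. It is an added example, not Tenable's or Azure's code; it assumes the egress interface eth0 and the private subnet 10.240.1.0/24 from this guide, root privileges, and a systemd unit or rc.local hook (not shown) that runs it with the argument `apply` at boot.

```shell
#!/bin/sh
# Boot-time NAT configuration for the pvsNatGateway VM from step 17. Added example, not
# Tenable's or Azure's script. Assumes: egress interface eth0 and private subnet
# 10.240.1.0/24 (both from this guide), root privileges, and that firewalld is not
# managing the FORWARD/POSTROUTING chains (the guide drives iptables directly).

PRIVATE_CIDR="${PRIVATE_CIDR:-10.240.1.0/24}"
EGRESS_IF="${EGRESS_IF:-eth0}"

# Emit the iptables rule specs (everything after "iptables"), one per line.
# Compared with the bare MASQUERADE rule in step 17, these only translate traffic
# that originates in the private subnet and only forward replies back into it,
# so the gateway does not relay packets for any other source.
nat_rules() {
  cidr="$1"; ifc="$2"
  printf '%s\n' \
    "-t nat -A POSTROUTING -s $cidr -o $ifc -j MASQUERADE" \
    "-A FORWARD -s $cidr -o $ifc -j ACCEPT" \
    "-A FORWARD -i $ifc -d $cidr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "-A FORWARD -j DROP"
}

# Number of rules nat_rules emits; a cheap self-check for callers.
nat_rule_count() { nat_rules "$1" "$2" | wc -l | tr -d ' '; }

# True when a rule is already present: turn the append (-A) into a check (-C).
rule_present() {
  # shellcheck disable=SC2086
  iptables $(printf '%s' "$1" | sed -e 's/^-A /-C /' -e 's/ -A / -C /') >/dev/null 2>&1
}

# Make IP forwarding survive reboots (sysctl.d) and switch it on now.
persist_forwarding() {
  echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-nat-gateway.conf
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Apply the rule set idempotently, so re-running at every boot never duplicates rules.
apply_nat() {
  persist_forwarding
  nat_rules "$PRIVATE_CIDR" "$EGRESS_IF" | while IFS= read -r spec; do
    rule_present "$spec" && continue
    # shellcheck disable=SC2086
    iptables $spec
  done
}

case "${1:-}" in
  apply) apply_nat ;;
  show)  nat_rules "$PRIVATE_CIDR" "$EGRESS_IF" ;;
esac
```

Run it with `show` first to review the rules it would add; `apply` needs root and changes the live firewall.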

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.