Providing outbound access for your Azure VMs with NAT Gateway

  • Added 6. 09. 2024

Comments • 10

  • @PetterTech · 6 months ago

    What are you currently using to provide outbound access for your VMs? The Azure magic or something explicit like Azure Firewall or NAT Gateway?

  • @surfsdudeBFA · 6 months ago

    Great video - thanks for the demo! :-)

    • @PetterTech · 6 months ago · +1

      Glad you liked it! Stay tuned for my next video; it will feature a demo on another neat networking service: Private Resolver ;)
      Should be out early next week 👍

  • @lostinpa-dadenduro7555 · 1 month ago

    I have a public IP assigned directly to a VM NIC with the routing type on the public IP selected as Internet. The subnet the VM exists in has a route table. I want my VM to always access the Internet as the public IP on the VM. Does the route table override this? For example, if I put a route in the table and tell it next hop Internet, will it go out Microsoft’s standard Internet, or will the VM know to go out the public IP on its NIC?

    • @PetterTech · 1 month ago

      The routing preference on the public IP doesn't really matter in this case as that is more related to whether or not traffic should prefer to flow through Microsoft's network or prefer to use public internet as the carrier.
      While I haven't tested your specific scenario I know that the default behavior for a VM with a public IP assigned to it is to use that as the outgoing IP. But as soon as you have a NAT gateway assigned to the subnet the VM will use that as the outgoing IP, so I would assume it's the same in your scenario.

    • @lostinpa-dadenduro7555 · 1 month ago

      @PetterTech Ok. I did this last night. With the route table in play and a VM with a Pub IP, the route table determined what would happen. The VM never showed up online as its assigned public IP. It continued to use the defined default routes in the table. In this case a virtual Cisco VMX we have up there or just out through Microsoft’s default Internet next hop.
      So I made a NAT gateway with my Pub IP, assigned it to the server subnet. Then I made routes in the table with next hop destination “Internet”. That made that traffic go out through the gateway and show up with the gateway’s pub IP as the NAT gateway becomes the “Internet” hop when you make that kind of route.
      This solved our problem. Which was, when you have static IPs assigned by Cisco to your VMX / SASE service the assigned IPs only work for ports 80 and 443. Any other traffic shows up at the destination as an IP from a random Cisco pool. Confirmed with Cisco’s TAC. We have an application that uses a non-standard port to connect to a vendor. When it arrives at the vendor they want to see it on a defined public IP so they can whitelist it on their side.
      Doing the gateway allowed me to keep our route table intact but force traffic to this destination out the gateway and its static pub IP. The rest of the traffic continues to go out the VMX etc.
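
      A Bicep rendering of the setup described in this comment, added here as an example and not taken from the video or the commenters: the route table keeps its default route on the virtual appliance (placeholder IP) while a single /32 route to the vendor (placeholder prefix) uses next hop Internet, which the NAT gateway attached to the subnet then serves from its static public IP. Resource names, the API version and all addresses are assumptions.

```bicep
param location string = resourceGroup().location

// Static public IP the vendor can allow-list (resource names are assumptions).
resource natPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-natgw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
// NAT gateway holding that IP; it becomes the subnet's "Internet" next hop.
resource natGw 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'natgw-servers'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIpAddresses: [ { id: natPip.id } ] }
}
// Default route stays on the VMX appliance (placeholder IP); only the
// vendor's endpoint (placeholder /32) is steered to next hop Internet.
resource rt 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-servers'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-vmx'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: '10.0.1.4' }
      }
      {
        name: 'vendor-via-natgw'
        properties: { addressPrefix: '203.0.113.10/32', nextHopType: 'Internet' }
      }
    ]
  }
}
// Server subnet with both the route table and the NAT gateway attached.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-servers'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-servers'
        properties: { addressPrefix: '10.0.2.0/24', routeTable: { id: rt.id }, natGateway: { id: natGw.id } }
      }
    ]
  }
}
```

      Traffic to any destination not covered by the /32 still follows the default route to the appliance, so only the vendor sees the NAT gateway's address.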

    • @PetterTech · 1 month ago · +1

      Cool to hear! I guess that kind of challenge isn't a unique one so good to know a way around it 👍

  • @ToKaG1 · 2 months ago

    All examples are always with ONE public IP. How is it with Public IP Prefix - and doing one to one NAT?

    • @PetterTech · 2 months ago · +1

      Using a public IP prefix with the NAT gateway is more for scaling up the number of outbound connections that can exist. The NAT gateway really isn't made for doing one-to-one NAT stuff; for that you would need a more advanced service like Azure Firewall or a load balancer.

    • @ToKaG1 · 16 days ago · +1

      @PetterTech, thanks. I used a load balancer to fix my case 👍🏻