Governance Policies Azure Networking Nat Gateway - Azure/az-prototype GitHub Wiki
Governance policies for Nat Gateway
Domain: azure-networking
| Name | Description |
|---|---|
| NAT Gateway with zone-redundant public IP | Standard NAT Gateway associated with a zone-redundant static public IP and subnet |
| Description | Instead |
|---|---|
| Do not rely on default outbound access for internet connectivity | Use NAT Gateway for deterministic, scalable outbound SNAT |
| Do not attach multiple NAT Gateways to the same subnet | Use a single NAT Gateway with multiple public IPs for scale |
| Check | Severity | Description |
|---|---|---|
| AZ-NAT-001 | Required | Use Standard SKU for NAT Gateway with zone-redundant public IP |
| AZ-NAT-002 | Required | Associate NAT Gateway with a Standard SKU static public IP address |
| AZ-NAT-003 | Recommended | Associate NAT Gateway with private subnets for controlled outbound connectivity |
| AZ-NAT-004 | Recommended | Enable diagnostic settings for NAT Gateway metrics |
Use Standard SKU for NAT Gateway with zone-redundant public IP
Severity: Required
Rationale: Standard SKU is the only supported SKU; zone redundancy ensures high availability
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/natGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-resource | Standard SKU, static allocation, zone-redundant |
| Microsoft.Network/virtualNetworks/subnets | snet-nat | Associate NAT gateway with subnet |
| Microsoft.Insights/diagnosticSettings | diag-metrics | Route metrics to Log Analytics |
Associate NAT Gateway with a Standard SKU static public IP address
Severity: Required
Rationale: NAT Gateway only works with Standard SKU static public IPs; dynamic allocation is not supported
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/natGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/natGateways | nat-gw | Parent NAT gateway resource |
Associate NAT Gateway with private subnets for controlled outbound connectivity
Severity: Recommended
Rationale: Subnets without NAT Gateway or other outbound mechanism lose internet access when default outbound is retired
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/natGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-resource | NSG on subnet for inbound filtering |
Enable diagnostic settings for NAT Gateway metrics
Severity: Recommended
Rationale: Monitor SNAT port utilization, packet counts, and dropped packets for capacity planning
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/natGateways
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace |