# Governance Policies: Azure Networking NAT Gateway

Governance policies for NAT Gateway

Domain: azure-networking

| Name | Description |
|---|---|
| NAT Gateway with zone-redundant public IP | Standard NAT Gateway associated with a zone-redundant static public IP and subnet |

| Anti-pattern | Instead |
|---|---|
| Do not rely on default outbound access for internet connectivity | Use NAT Gateway for deterministic, scalable outbound SNAT |
| Do not attach multiple NAT Gateways to the same subnet | Use a single NAT Gateway with multiple public IPs for scale |

| Check | Severity | Description |
|---|---|---|
| AZ-NAT-001 | Required | Use Standard SKU for NAT Gateway with zone-redundant public IP |
| AZ-NAT-002 | Required | Associate NAT Gateway with a Standard SKU static public IP address |
| AZ-NAT-003 | Recommended | Associate NAT Gateway with private subnets for controlled outbound connectivity |
| AZ-NAT-004 | Recommended | Enable diagnostic settings for NAT Gateway metrics |

## AZ-NAT-001: Use Standard SKU for NAT Gateway with zone-redundant public IP

- Severity: Required
- Rationale: Standard SKU is the only supported SKU; zone redundancy ensures high availability
- Agents: terraform-agent, bicep-agent, cloud-architect
- Applies to: Microsoft.Network/natGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-resource | Standard SKU, static allocation, zone-redundant |
| Microsoft.Network/virtualNetworks/subnets | snet-nat | Associate NAT gateway with subnet |
| Microsoft.Insights/diagnosticSettings | diag-metrics | Route metrics to Log Analytics |

## AZ-NAT-002: Associate NAT Gateway with a Standard SKU static public IP address

- Severity: Required
- Rationale: NAT Gateway only works with Standard SKU static public IPs; dynamic allocation is not supported
- Agents: terraform-agent, bicep-agent, cloud-architect
- Applies to: Microsoft.Network/natGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/natGateways | nat-gw | Parent NAT gateway resource |

## AZ-NAT-003: Associate NAT Gateway with private subnets for controlled outbound connectivity

- Severity: Recommended
- Rationale: Subnets without a NAT Gateway or another outbound mechanism lose internet access when default outbound access is retired
- Agents: terraform-agent, bicep-agent, cloud-architect
- Applies to: Microsoft.Network/natGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkSecurityGroups | nsg-resource | NSG on subnet for inbound filtering |

## AZ-NAT-004: Enable diagnostic settings for NAT Gateway metrics

- Severity: Recommended
- Rationale: Monitor SNAT port utilization, packet counts, and dropped packets for capacity planning
- Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Applies to: Microsoft.Network/natGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace |
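
The following Terraform layout is an added example of a deployment that satisfies all four checks (AZ-NAT-001 to AZ-NAT-004); it is not code from this repository or its agents. It assumes the azurerm provider 3.x and that a resource group (`rg`), a private subnet (`snet_nat`) and a Log Analytics workspace (`law`) are already declared elsewhere in the same configuration.

```hcl
# Added example, not part of this repository. Assumes azurerm provider 3.x and
# existing azurerm_resource_group.rg, azurerm_subnet.snet_nat and
# azurerm_log_analytics_workspace.law resources in the same configuration.

resource "azurerm_public_ip" "nat" {
  name                = "pip-resource"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"      # AZ-NAT-002: Standard SKU only
  allocation_method   = "Static"        # AZ-NAT-002: dynamic allocation unsupported
  zones               = ["1", "2", "3"] # AZ-NAT-001: zone-redundant public IP
}

resource "azurerm_nat_gateway" "nat" {
  name                    = "nat-gw"
  location                = azurerm_resource_group.rg.location
  resource_group_name     = azurerm_resource_group.rg.name
  sku_name                = "Standard" # AZ-NAT-001: the only supported SKU
  idle_timeout_in_minutes = 4
}

# One gateway per subnet; scale by attaching more public IPs to this
# association, not by adding a second gateway.
resource "azurerm_nat_gateway_public_ip_association" "nat" {
  nat_gateway_id       = azurerm_nat_gateway.nat.id
  public_ip_address_id = azurerm_public_ip.nat.id
}

# AZ-NAT-003: attach the gateway to the private subnet so outbound traffic
# never depends on default outbound access.
resource "azurerm_subnet_nat_gateway_association" "snet_nat" {
  subnet_id      = azurerm_subnet.snet_nat.id
  nat_gateway_id = azurerm_nat_gateway.nat.id
}

# AZ-NAT-004: send all gateway metrics (SNAT port utilization, packet counts,
# dropped packets) to Log Analytics for capacity planning.
resource "azurerm_monitor_diagnostic_setting" "diag_metrics" {
  name                       = "diag-metrics"
  target_resource_id         = azurerm_nat_gateway.nat.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.law.id

  metric {
    category = "AllMetrics"
    enabled  = true
  }
}
```

The subnet's NSG (`nsg-resource` in the table above) is unaffected by this layout: the NAT gateway only governs outbound SNAT, so inbound filtering still belongs on the NSG.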