184 changes: 184 additions & 0 deletions website/blog/2026-04-26-managed-nat-gateway-v2-on-aks/index.md
@@ -0,0 +1,184 @@
---
title: "Introducing Managed StandardV2 NAT Gateway for AKS"
date: "2026-04-26"
description: "AKS now supports managed StandardV2 NAT Gateway for scalable, resilient, and observable egress. Learn how to enable it, migrate safely, and validate outbound traffic."
Copilot AI Apr 24, 2026

The description front matter appears to exceed the 150–160 character SEO guideline used elsewhere in the blog. Consider tightening it to stay within that range so listings/snippets don’t get truncated awkwardly.

Suggested change
description: "AKS now supports managed StandardV2 NAT Gateway for scalable, resilient, and observable egress. Learn how to enable it, migrate safely, and validate outbound traffic."
description: "AKS now supports managed StandardV2 NAT Gateway for scalable, resilient egress. Learn how to enable it, migrate safely, and validate traffic."

authors:
- <TO_DO> add authors
Copilot AI Apr 24, 2026

The front matter still contains a placeholder author entry (<TO_DO> add authors). Replace this with one or more valid author keys from website/blog/authors.yml so the blog metadata resolves correctly (and avoids inline author warnings).

Suggested change
- <TO_DO> add authors
- paul-yu

tags:
- networking
- traffic-management
- operations
keywords: ["AKS", "managed NAT gateway", "egress", "networking", "Azure Kubernetes Service"]
---

AKS now supports **managed StandardV2 NAT gateway** for cluster egress. You get a larger egress scaling envelope, improved zone resiliency controls, and better operational visibility for outbound connections.

If you run workloads with high outbound concurrency, strict outbound IP requirements, or periodic traffic spikes, managed NAT gateway v2 helps you keep egress stable without managing extra network infrastructure by hand.

<!-- truncate -->

Copilot AI Apr 24, 2026

The post includes the truncate marker but doesn’t include a hero image afterward. Blog posts in this repo are expected to include a same-directory hero image (for example ./hero-image.png) with descriptive alt text for accessibility and consistent rendering on listing pages.

Suggested change
![Architecture overview of managed NAT gateway v2 providing scalable outbound connectivity for Azure Kubernetes Service clusters](./hero-image.png)

Copilot AI Apr 24, 2026

Most AKS blog posts include a hero image immediately after <!-- truncate -->. Consider adding a hero image (with descriptive alt text) here to match the blog’s standard layout and improve accessibility/visual scanning on the post page.

Suggested change
![Architecture diagram for managed StandardV2 NAT gateway egress in AKS](./hero-image.png)

## Why this matters

Most production clusters depend on predictable outbound traffic for image pulls, package downloads, API calls, telemetry, and third-party integrations. When egress is constrained, you can see intermittent timeouts, source port pressure, and hard-to-debug failures.

Managed StandardV2 NAT gateway improves this in three areas:

- Better scale characteristics for outbound SNAT usage
- Stronger resiliency options for zonal design
- More actionable observability for operations teams

## Architecture at a glance

The following diagram shows how managed NAT gateway v2 handles AKS outbound traffic:

```mermaid
flowchart LR
subgraph AKS[AKS cluster]
N1[Node pool A]
N2[Node pool B]
P[Pods]
P --> N1
P --> N2
end

N1 --> SLB[Standard Load Balancer outbound rules]
N2 --> SLB
SLB --> NATV2[Managed StandardV2 NAT gateway]
NATV2 --> PIP[Public IPs or prefix]
PIP --> EXT[External services\nAzure APIs, package registries, SaaS endpoints]
```

## What is new in managed StandardV2 NAT gateway

Managed StandardV2 NAT gateway keeps the AKS-managed experience while adding key improvements:

- Expanded outbound connection handling for bursty workloads
- Improved compatibility with zone-aware cluster designs
- New egress observability signals to speed up troubleshooting
- Simpler migration path from existing managed NAT gateway configurations

## Prerequisites

1. Azure CLI version 2.79.0 or later.
2. `aks-preview` extension updated to the latest version.
3. Feature registration for managed NAT gateway v2 in your subscription.

```bash
az extension add --name aks-preview
az extension update --name aks-preview

az feature register \
--namespace Microsoft.ContainerService \
--name ManagedNatGatewayV2Preview

az provider register --namespace Microsoft.ContainerService
```

## Create a new AKS cluster with managed StandardV2 NAT gateway

Use the following command to create a new cluster with managed StandardV2 NAT gateway enabled.

```bash
RESOURCE_GROUP=my-rg
CLUSTER_NAME=my-aks
LOCATION=eastus2

az group create \
--name "$RESOURCE_GROUP" \
--location "$LOCATION"

az aks create \
--resource-group "$RESOURCE_GROUP" \
--name "$CLUSTER_NAME" \
--location "$LOCATION" \
--network-plugin azure \
--outbound-type managedNATGatewayV2 \
--nat-gateway-managed-outbound-ip-count 2 \
--nat-gateway-idle-timeout 30 \
--generate-ssh-keys
```

### Verify cluster outbound profile

```bash
az aks show \
--resource-group "$RESOURCE_GROUP" \
--name "$CLUSTER_NAME" \
--query "networkProfile.outboundType"
```

Expected output:

```output
"managedNATGatewayV2"
```

## Upgrade an existing cluster

If your cluster already uses a managed outbound profile, update it in place:

```bash
az aks update \
--resource-group "$RESOURCE_GROUP" \
--name "$CLUSTER_NAME" \
--outbound-type managedNATGatewayV2 \
--nat-gateway-managed-outbound-ip-count 4 \
--nat-gateway-idle-timeout 30
```

## Migration flow

Use a phased rollout to reduce risk in production:

```mermaid
flowchart TD
A[Assess current outbound profile] --> B[Enable managed NAT gateway v2]
B --> C[Canary workload validation]
C --> D[Monitor SNAT and egress errors]
D --> E[Roll out to all workloads]
E --> F[Post-migration cleanup and documentation]
```

## Validate egress after enablement

Get cluster credentials and deploy a small test pod.

```bash
az aks get-credentials \
--resource-group "$RESOURCE_GROUP" \
--name "$CLUSTER_NAME"

kubectl run egress-check \
--image=mcr.microsoft.com/cbl-mariner/base/core:2.0 \
Copilot AI Apr 24, 2026

The egress validation snippet assumes curl is present inside the container, but the chosen image (mcr.microsoft.com/cbl-mariner/base/core:2.0) isn’t commonly used as a curl test image in this repo. To avoid readers hitting curl: not found, use an image that explicitly includes curl (or install curl as part of the command).

Suggested change
--image=mcr.microsoft.com/cbl-mariner/base/core:2.0 \
--image=curlimages/curl:8.12.1 \

--restart=Never \
--command -- sh -c "curl -s https://ifconfig.me && echo"

kubectl logs pod/egress-check
```

The command should return one of the managed outbound public IP addresses from your NAT gateway v2 profile.

## Operational guidance

Follow these practices when you move production clusters:

- Start with non-critical namespaces as a canary
- Keep explicit outbound allowlists up to date in dependent services
- Track outbound failures, timeout rate, and connection reset patterns
- Scale managed outbound IP count based on measured concurrency
- Document fallback and rollback procedures before rollout

## Known considerations

- Feature availability can vary by region during rollout.
- Quotas for public IP resources still apply.
- If you use user-defined routing, validate route table and firewall policy interactions before migration.
- For highly regulated environments, review outbound IP inventory and audit requirements before cutover.

## Next steps

- Read the [AKS egress outbound type documentation](https://learn.microsoft.com/azure/aks/egress-outboundtype).
- Review [AKS networking concepts](https://learn.microsoft.com/azure/aks/concepts-network).
- Share feedback through [AKS GitHub Issues](https://github.com/Azure/AKS/issues).

Managed StandardV2 NAT gateway gives you a stronger default for production egress in AKS. Start with a canary, validate with telemetry, and roll out in phases for a low-risk transition.
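Review bot: in the "Prerequisites" block, `az provider register --namespace Microsoft.ContainerService` is run straight after `az feature register`, but feature registration is asynchronous, so a reader who continues immediately to `az aks create ... --outbound-type managedNATGatewayV2` can hit a failure while the flag is still in the `Registering` state; add a polling step such as `az feature show --namespace Microsoft.ContainerService --name ManagedNatGatewayV2Preview --query properties.state` and tell the reader to wait until it returns `Registered` before re-registering the provider and creating the cluster. Two smaller points in the same hunk: in "Validate egress after enablement", `kubectl logs pod/egress-check` is issued right after `kubectl run`, so it can race the pod's completion and return nothing; a `kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/egress-check --timeout=120s` before the logs call, and a `kubectl delete pod egress-check` afterwards so the test pod is not left running in the cluster, would make the check reliable. And the "Upgrade an existing cluster" section switches the outbound type in place without noting that the cluster's public egress IPs are newly allocated by that change, so the advice later under "Operational guidance" to keep downstream allowlists (firewalls, partner IP filters) current belongs before the `az aks update`, not after it; a one-line cross-reference there would prevent an avoidable outage for readers who follow the sections in order.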