I have been working with AWS for quite some time and recently started working on Azure for one of the projects. I started from Azure VNET and noticed many differences when it comes to virtual private cloud.
I want to dwell a little on this topic
I started studying the topic of Azure and, if I understand correctly, we have the following picture:
Let's say we need to deploy a scale set and make it fail-safe, what can we do:
- Create a virtual network
- Create a subnet
- Create a scale set and specify the availability zones (1,2,3) + bind to the subnet.
At this stage, we have a set of virtual machines that are geographically separated by availability zones, which is good, but these machines do not have access to the Internet.
- Ok, for this we can create a NAT gateway. Since we have one subnet and we can connect it to one NAT - we only need one NAT gateway. However, a NAT gateway can be deployed only in a certain (single) availability zone, let it be zone number 1.
As a result, we see a picture:
Let's assume that the scale set deployed three virtual machines and balanced them by AZ so that there is one VM per AZ. All VMs access the Internet through the NAT in zone 1.
And here comes the most interesting part: zone 1 goes down. In this case:
- we lose 1 VM and the NAT
- as a result, the 2 other VMs do not have access to the Internet
- the scale set node restarts in an available availability zone, but like the others, it does not have access to the Internet
The question is how to prevent this problem?
I'm considering using a load balancer with NAT rules, but the documentation says it's not the best approach and recommends using NAT
In this case, as per the MS Docs, create multiple subnets in your virtual network and associate each subnet with a NAT gateway in a different availability zone, like below:
- Create a virtual network with multiple subnets.
- Create multiple NAT gateways and associate each with a subnet in a different availability zone.
Now if one availability zone goes down, the VMs in the other availability zones will still have access to the internet through their respective NAT gateways.