NAT Gateway Failed

Dears
I tried to implement an Azure NAT GW but failed with the below error. Has anyone faced such an issue?
{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. Please see details for more information.","details":[{"code":"RequestDisallowedByPolicy","target":"NATGW02","message":"Resource 'NATGW02' was disallowed by policy. Reasons: 'This resource type is not allowed. Please use an approved service.'. See error details for policy resource IDs.","additionalInfo":[{"type":"PolicyViolation","info":{"evaluationDetails":{"evaluatedExpressions":[{"result":"False","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.Network/natGateways","targetValue":["Microsoft.Compute/virtualMachines","Microsoft.Compute/virtualMachineScaleSets","Microsoft.Compute/availabilitySets","Microsoft.Compute/disks","Microsoft.Compute/sshPublicKeys","Microsoft.Compute/virtualMachines/extensions","Microsoft.Storage","Microsoft.Storage/storageAccounts","Microsoft.Network/networkInterfaces","Microsoft.Network/networkSecurityGroups","Microsoft.Network/publicIPAddresses","Microsoft.Network/virtualNetworks","Microsoft.Network/privateEndpoints","Microsoft.Network/privateDnsZones","Microsoft.Network/privateDnsZones/virtualNetworkLinks","Microsoft.Network/loadBalancers","Microsoft.Network/routeTables","Microsoft.Network/applicationGateways","Microsoft.DocumentDB/databaseAccounts","Microsoft.Web/serverFarms","Microsoft.Web/sites","Microsoft.Sql/servers","Microsoft.Sql/servers/databases","Microsoft.ManagedIdentity/userAssignedIdentities","Microsoft.ContainerService/managedClusters","Microsoft.ContainerService/managedClusters/agentPools","Microsoft.DataLakeAnalytics/accounts","Microsoft.Synapse/workspaces","Microsoft.Logic/workflows","Microsoft.KeyVault/vaults","Microsoft.MachineLearningServices/workspaces","Microsoft.OperationalInsights/workspaces","Microsoft.SecurityInsights/workspaces","Microsoft.ContainerRegistry/registries","Microsoft.ContainerRegistry/registries/replications","Microsoft.ServiceBus/namespaces","Microsoft.EventHub/namespaces"],"operator":"In"}],"reason":"This resource type is not allowed. Please use an approved service."},"policyDefinitionId":"/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/providers/Microsoft.Authorization/policyDefinitions/allowed_services_main-51a72fc83af64f9a","policySetDefinitionId":"/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/providers/Microsoft.Authorization/policySetDefinitions/Azure_playground_main-51a72fc83af64f9a","policyDefinitionReferenceId":"allowed_services_main-51a72fc83af64f9a_ref","policySetDefinitionName":"Azure_playground_main-51a72fc83af64f9a","policySetDefinitionDisplayName":"Azure_playground_main-51a72fc83af64f9a","policyDefinitionName":"allowed_services_main-51a72fc83af64f9a","policyDefinitionDisplayName":"allowed_services_main-51a72fc83af64f9a","policyDefinitionEffect":"deny","policyAssignmentId":"/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/resourceGroups/kml_rg_main-51a72fc83af64f9a/providers/Microsoft.Authorization/policyAssignments/Azure_playground_main-51a72fc83af64f9a","policyAssignmentName":"Azure_playground_main-51a72fc83af64f9a","policyAssignmentDisplayName":"Azure_playground_main-51a72fc83af64f9a","policyAssignmentScope":"/subscriptions/a2b28c85-1948-4263-90ca-bade2bac4df4/resourceGroups/kml_rg_main-51a72fc83af64f9a","policyAssignmentParameters":{},"policyExemptionIds":[]}}]}]}

The error message gives us the main idea:

[{"code":"RequestDisallowedByPolicy","target":"NATGW02","message":"Resource 'NATGW02' was disallowed by policy. Reasons: 'This resource type is not allowed. Please use an approved service.'

We disallow the creation of certain resource types in our playgrounds. My guess is that this particular resource is blocked for safety; NAT gateways let rogue processes see out of the internal network.

What are you trying to do that requires a NAT gateway?

I created two virtual machines and two subnets; I need to create one public subnet and one private subnet.
My vnet is 10.0.0.0/16
Subnet 1 ==> 10.0.10.0/24 public subnet
Subnet 2 ==> 10.0.20.0/24 private subnet
Create two Linux machines
Machine 1: 10.0.10.10/24
Machine 2: 10.0.20.10/24

Machine 2 has no public IP; I need to provide internet access via a NAT gateway.

Thanks

My problem is I cannot add the NAT GW; it gives me an error. Although my configuration is correct, I don't know where the error is.

The “error” is that the playground does not permit the creation of NAT gateways, as @rob_kodekloud has pointed out.

You would need to create a NAT instance, which is another Linux machine on the public subnet that acts as the gateway. It needs:

  1. IP forwarding enabled
    1. Create file /etc/sysctl.d/custom-ip.conf
    2. Put the line net.ipv4.ip_forward=1 in and save
    3. Run sudo sysctl -p /etc/sysctl.d/custom-ip.conf
  2. IP tables installed and running
  3. NAT rules added
    sudo /sbin/iptables -t nat -A POSTROUTING -o XXXX -j MASQUERADE
    sudo /sbin/iptables -F FORWARD

    where XXXX is the name of the machine's network interface (can be found using the ip a command)
  4. Ensure there is a route from the private subnet to the public one. Azure isn’t my thing, but there should be.
  5. The default route for 0.0.0.0/0 in the private subnet should be set to the IP of the NAT instance (instead of NAT gateway if you could deploy one, but you can’t)

If you search Google specifically for creating NAT instances on Azure, I'm sure you can find a fully worked example. A NAT gateway is simply a cloud-managed version of the above.
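The NAT-instance steps above, written up as a POSIX shell script (an added example, not code from this thread). It takes the sysctl file path and the private subnet 10.0.20.0/24 from the posts and assumes the public-subnet VM's outbound interface is the one carrying its default route; instead of flushing the FORWARD chain it only forwards traffic from the private subnet out of that interface and lets the replies back, with a DROP default policy, and it can print the rules for review before applying them.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Linux VM on the public subnet
# into a NAT instance for the private subnet, forwarding only that subnet.
set -eu

PRIVATE_SUBNET="${PRIVATE_SUBNET:-10.0.20.0/24}"   # private subnet from the thread
SYSCTL_FILE="/etc/sysctl.d/custom-ip.conf"         # file name from the thread

# Assumption: the outbound ("public") interface is the one with the default route.
default_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}'
}

# Print the iptables rules without running them so they can be reviewed first.
# $1 = outbound interface, $2 = private subnet CIDR.
nat_rules() {
    iface="$1"; subnet="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE
iptables -A FORWARD -s $subnet -o $iface -j ACCEPT
iptables -A FORWARD -d $subnet -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of rules nat_rules produces (handy for a quick sanity check).
nat_rule_count() { nat_rules "$1" "$2" | wc -l | tr -d ' '; }

# Step 1 from the thread: persist and load net.ipv4.ip_forward=1.
enable_forwarding() {
    printf 'net.ipv4.ip_forward=1\n' > "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE"
}

# Steps 1-3 from the thread: enable forwarding, then apply each printed rule.
apply_nat() {
    iface="$1"; subnet="$2"
    enable_forwarding
    nat_rules "$iface" "$subnet" | while read -r rule; do
        $rule
    done
}

# "show" prints the rules for review; "apply" needs root on the NAT instance.
case "${1:-}" in
    show)  nat_rules "$(default_iface)" "$PRIVATE_SUBNET" ;;
    apply) apply_nat  "$(default_iface)" "$PRIVATE_SUBNET" ;;
esac
```

On Azure the VM's NIC must additionally have IP forwarding enabled in the NIC settings, and the private subnet's route table needs a 0.0.0.0/0 route with next hop type Virtual appliance pointing at the instance's private IP (steps 4 and 5 above), or the forwarded packets never reach it.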

Did you try it, and is it working for you?