Azure Secure NAT Gateway Getting Started
This guide provides information to get you signed up for the Azure Secure NAT Gateway by Aviatrix. The NAT Gateway is part of the Platform-as-a-Service offering.
The Secure NAT Gateway provides security on outbound traffic for any Azure VNet-based workload, including Kubernetes.
For more information about how Aviatrix PaaS and the Secure NAT Gateway can help make your network more secure, see:
You can subscribe, onboard, and secure your cloud resources in four simple steps:

Subscribe to Azure Secure NAT Gateway
Subscribe to the Aviatrix Secure NAT Gateway offer on the Azure Marketplace.

- Go to the Aviatrix Secure NAT Gateway listing on Azure Marketplace and click Get it now.
- Accept the Azure terms of use and privacy policy and click Continue.
- On the Aviatrix Secure NAT Gateway page, do one of the following.
  Both options open a subscription page.
  - From the Plan field, select the plan suitable to your needs and click Subscribe.
  - Click Plans + Pricing, review the details of each plan, and then click Subscribe for the plan suitable to your needs.
    If you select the Developer Evaluation Trial plan, you can upgrade to a paid plan at any time.
- On the Subscribe to Aviatrix Secure NAT Gateway page, do the following:
  - Under Project details > Resource group, click Create New and enter a name for the group.
    Microsoft requires a resource group to contain the resource metadata.
  - Select a Resource group location.
  - Under SaaS details, enter a descriptive Name for the subscription.
    You can leave other fields with their defaults.
  - Click Review + Subscribe, and then click Subscribe on the next page.
- On the Subscription progress page, click Configure account now when the process completes.
  Alternatively, you can click the Configure Account button in the email you receive from Azure Marketplace.
- On the Sign Up screen that displays, enter your name.
  The email address you used for your Azure account is auto-populated.
- Agree to the Aviatrix Terms of Service and Privacy Policy and click Finish Sign Up.
  You are signed in to the Aviatrix Platform UI and a Welcome screen displays, from which you can onboard your Azure cloud account.
Next Steps
After subscribing to Aviatrix Secure NAT Gateway, onboard your cloud account and VNets.
Onboard Cloud Account
Onboarding connects your cloud account to Aviatrix Platform and allows the platform to discover your cloud resources, such as VNets, subnets, and VMs.

Onboard Your Azure Cloud Account
After signing up with Aviatrix PaaS, the Aviatrix Platform opens to a Welcome page. From this page you can connect your cloud accounts with the Aviatrix Platform. After you have onboarded a cloud account, the Welcome page no longer displays when you sign in.
The onboarding process creates the Azure roles and resources required for Aviatrix Platform to monitor and manage your Azure network. It also allows Aviatrix PaaS to discover the resources in your cloud account.
- On Welcome to Aviatrix PaaS, click Begin.
- In Begin Aviatrix Journey Step 1, click Onboard Cloud Account and select Azure.
- If you have not already created an Azure application and gathered the necessary IDs, click Launch Microsoft Azure Portal and create an application.
  See Create a New Application in Azure, if you need more information.
- Enter the following IDs from your Azure account.
  - Subscription ID
  - Directory ID
  - Application ID
  - Client Secret
- Click Next.
  As your account is onboarded, the cloud assets in your account are discovered. When the discovery process completes, a success message displays.
- Click Close.
  Your onboarded account is named aviatrix-account and displays on the Cloud Resources pages and in the Dashboard.
  It can take a couple of minutes before your VNets display under Cloud Resources > Cloud Assets.
  Your onboarded regions will also display in the Dashboard geographic map.
If you want to onboard another cloud account, you can do so from Cloud Resources > Cloud Accounts.
Onboard VNets
Onboarding VNets allows Aviatrix Platform to manage the cloud resources you select.

Onboard VNets
After onboarding your cloud account in Aviatrix, the VPCs or VNets associated with the account display as unmanaged resources in Aviatrix Platform. You can see a list of VPCs and VNets, and associated VM resources, on the Cloud Assets page.
To bring the resources under Aviatrix management, you must onboard the VPCs or VNets. The recommended (default) performance size for VPCs and VNets is Medium.
It is recommended that you deploy each VPC or VNet with at least two subnets in two different zones to provide high availability.
To onboard Kubernetes clusters, see Onboard Kubernetes Clusters.
During onboarding, an Aviatrix Spoke Gateway is created on each subnet in the managed VPC or VNet. This gateway is displayed on the Topology map, along with other network resources.
You can onboard only one VPC or VNet at a time, but you can begin the onboarding process for multiple VPCs or VNets at one time. You do not have to wait until a VPC or VNet finishes onboarding to start onboarding another one.
You can also onboard VPCs and VNets from Security > Egress > Protected VPC/VNets.
To onboard your VPCs or VNets, do the following.
- Go to Cloud Resources > Cloud Assets > VPC/VNets & Subnets.
- Click the Onboard link for a VPC or VNet you want Aviatrix to manage.
  You can only onboard resources that have public IPs. By default, the 10.0.0.0/16 CIDRs are private.
- On Onboard a VPC/VNet you can do the following:
  - From Performance Size, select the instance size for your VPC or VNet.
    The recommended default size is Medium.
  - Remove a subnet from the onboarding list by clicking the "x" next to the subnet IP address.
    This action only removes the subnet from being managed; it does not remove the subnet from the VPC or VNet.
  - Add a subnet to the list by clicking the down arrow and selecting the subnet IP address.
  - Click Onboard.
    The Aviatrix Managed column changes status to In Progress. When onboarding of all subnets for the VPC or VNet is complete, status changes to Yes.
- Expand the VPC or VNet listing to see the status of individual subnets in the VPC or VNet.
- Click the Name of the VPC or VNet to display related route tables.
  As subnets are onboarded, they also appear in the Cloud Fabric > Topology map as managed resources.
You can offboard a VPC or VNet from the Aviatrix Platform by using the Manage menu.
Secure Your Network
Use either the Distributed Cloud Firewall (DCF) or Egress Security workflow.

- Protect Your Traffic with Distributed Cloud Firewall
  DCF provides granular network security rules for distributed applications in the cloud.
- Protect Your Traffic with Egress Security
  Egress Security involves monitoring network traffic to the Internet and protecting the traffic using DCF Rules, SmartGroups, and WebGroups.