Technical Lab: Create and configure explicit outbound rules, including source network address translation (SNAT)
Questions
Question 1 - Multiple Choice
A platform team needs to ensure that all VMs in a specific subnet use a fixed and predictable public IP address when accessing the internet. The environment already has a public Azure Load Balancer associated with the backend pool of these VMs, but no outbound rule has been explicitly configured.
What is the default SNAT behavior in this scenario and what is the associated risk?
A. Azure automatically assigns dedicated public IPs per VM, with no risk of port exhaustion.
B. The Load Balancer uses the frontend IP for SNAT automatically, with a fixed and non-configurable number of SNAT ports per instance.
C. Azure applies SNAT via a platform-managed public IP (default outbound access), which is being retired for new virtual networks from September 2025, making outbound connectivity unpredictable without explicit configuration.
D. Without an explicit outbound rule, no outbound connectivity is possible when there is an associated public Load Balancer.
Question 2 - Technical Scenario
An engineer configures the following outbound rule on a public Standard Load Balancer:
{
"name": "outbound-rule-prod",
"protocol": "Tcp",
"frontendIPConfigurations": [
{ "id": "/subscriptions/.../frontendIPConfigurations/pip-prod" }
],
"backendAddressPool": {
"id": "/subscriptions/.../backendAddressPools/pool-prod"
},
"allocatedOutboundPorts": 0,
"enableTcpReset": true,
"idleTimeoutInMinutes": 4
}
After deployment, the number of SNAT ports per instance is lower than expected to support simultaneous connections under high load. What is the direct cause of this behavior?
A. The Tcp protocol limits SNAT port allocation to a subset of the total available; it would be necessary to use All.
B. The value 0 in allocatedOutboundPorts activates automatic allocation based on backend pool size, which can result in fewer ports per instance as the pool grows.
C. The enableTcpReset property interferes with the count of available ports by releasing ports prematurely.
D. The idleTimeoutInMinutes with value 4 is the minimum allowed and reduces port reuse in short-duration connections.
Question 3 - True or False
An Azure NAT Gateway associated with a subnet has precedence over outbound rules of a Standard Load Balancer for traffic originating from that subnet, even if the VMs are in the Load Balancer's backend pool.
True or False?
Question 4 - Technical Scenario
A production application starts experiencing intermittent TCP connection failures to external endpoints. The network team identifies SNAT exhaustion errors in the logs. The environment uses a public Standard Load Balancer with an explicit outbound rule configured with allocatedOutboundPorts: 1024 and a single frontend IP. The backend pool has 60 instances.
Which approach solves the problem most directly, without redesigning the architecture?
A. Increase the idleTimeoutInMinutes to the maximum value of 66 minutes, reducing port turnover.
B. Add more public IPs to the Load Balancer frontend, increasing the total SNAT ports available for distribution among instances.
C. Replace the Standard Load Balancer with a Basic Load Balancer, which has a higher SNAT port limit by default.
D. Enable enableTcpReset in the existing outbound rule, which releases SNAT ports immediately when terminating idle connections.
Question 5 - Multiple Choice
When designing explicit outbound rules on a Standard Load Balancer, which statement correctly describes the relationship between outbound rules and load balancing rules (inbound)?
A. A load balancing rule with disableOutboundSnat: false blocks any explicit outbound rule configured for the same backend pool.
B. For an explicit outbound rule to function in isolation, the disableOutboundSnat property of load balancing rules associated with the same backend pool must be set to true.
C. Outbound rules and load balancing rules are completely independent and never interact, regardless of configurations.
D. The disableOutboundSnat property is only relevant when the Load Balancer has more than one frontend IP configured.
Answer Key and Explanations
Answer Key - Question 1
Answer: C
Default outbound access is the mechanism by which Azure grants implicit outbound connectivity to a VM that has no explicit outbound path: no public IP on its NIC, no NAT Gateway on its subnet, and no load balancer outbound rule or load-balancing rule with outbound SNAT enabled. The source address is a platform-managed IP that is neither fixed nor predictable and can change without notice. Microsoft has announced that default outbound access is retired for new virtual networks from 30 September 2025, so explicit outbound configuration becomes mandatory for new deployments. In this scenario the VMs sit in a backend pool but no rule of any kind references it, so they fall back to default outbound access.
Alternative B describes the automatic SNAT that a load-balancing rule provides (outbound SNAT through the frontend IP), but that only applies once a load-balancing rule exists, and the number of ports per instance follows the default allocation table and can be overridden with an outbound rule, so "non-configurable" is wrong. Alternative D is wrong because backend pool membership never blocks outbound traffic; when a load-balancing rule with outbound SNAT enabled exists, automatic SNAT through the frontend IP occurs. Alternative A does not describe any Azure behavior: public IPs are never assigned per VM automatically.
Answer Key - Question 2
Answer: B
When allocatedOutboundPorts is 0 (the default), the Load Balancer uses automatic allocation, which is keyed on backend pool size and shrinks as the pool grows: 1,024 ports per instance for pools of up to 50 instances, 512 for 51 to 100, 256 for 101 to 200, 128 for 201 to 400, 64 for 401 to 800 and 32 for 801 to 1,000. A pool that scales from 40 to 60 instances therefore halves its per-instance SNAT budget without any configuration change. For workloads with many simultaneous connections to the same destination, set an explicit value (e.g. 1024 or 2048; it must be a multiple of 8) so the allocation is predictable, and make sure the frontend IPs provide at least allocatedOutboundPorts multiplied by the pool size.
Alternative A is incorrect: Tcp does not reduce the allocation; All adds UDP (and ICMP) to the rule but does not increase the number of ports. Alternative C is incorrect: enableTcpReset sends a TCP RST to both ends when the idle timeout expires, which lets endpoints notice dead connections and frees ports sooner; it does not reduce the available count. Alternative D confuses the idle timeout with port allocation: 4 minutes is indeed the minimum, but a shorter idle timeout releases ports faster, not slower.
Answer Key - Question 3
Answer: True
Azure NAT Gateway has precedence over any other SNAT mechanism when directly associated with a subnet. This includes Load Balancer outbound rules and default outbound access. Even if the subnet's VMs are in the backend pool of a Standard Load Balancer with configured outbound rules, outbound traffic will be routed through the NAT Gateway. This behavior is deterministic and documented by Microsoft, making NAT Gateway the recommended solution for predictable SNAT at scale, as it offers fixed IPs, larger port pools, and no risk of conflict with inbound configurations.
Answer Key - Question 4
Answer: B
Each public IP on a Standard Load Balancer frontend contributes 64,000 SNAT ports to the pool that the outbound rule distributes among backend instances. With one frontend IP, 60 instances and 1024 ports each, 61,440 of the 64,000 ports are already allocated, so the per-instance allocation cannot be raised on that IP. Adding a second frontend IP doubles the pool to 128,000 ports; the outbound rule's allocatedOutboundPorts must then be raised explicitly (to 2048, for example), because an explicit value does not grow on its own when IPs are added. Adding frontend IPs and raising the allocation is the most direct way to scale SNAT capacity without redesigning the architecture; moving the subnet to a NAT Gateway would be the redesign.
Alternative A is counterproductive: a longer idleTimeoutInMinutes keeps each port reserved longer, which worsens exhaustion when connections turn over quickly (and the configurable range for outbound rules is 4 to 100 minutes, so 66 is not a maximum). Alternative C is incorrect: Basic Load Balancer has no larger SNAT capacity, has no outbound rules at all and is being retired, so it is not a production option. Alternative D describes a real benefit of enableTcpReset, but it only speeds the reuse of ports whose connections have already gone idle; it does not fix structural exhaustion caused by too few allocated ports per instance.
Answer Key - Question 5
Answer: B
By default a load-balancing rule (disableOutboundSnat: false) also provides outbound SNAT through its frontend IP for the backend pool it references. An explicit outbound rule for the same pool is meant to take over that job, and Azure does not let the two coexist: the load-balancing rules that share the pool must have disableOutboundSnat: true, otherwise the outbound rule fails validation. Setting disableOutboundSnat: true on every load-balancing rule for that pool guarantees that only the outbound rule decides which frontend IPs and how many ports are used for outbound flows, while inbound load balancing continues unchanged.
Alternative A reverses the logic: false is the permissive default that enables outbound SNAT; it does not block anything. Alternative C is incorrect: the two rule types interact whenever they reference the same backend pool. Alternative D is incorrect: the property matters whenever an explicit outbound rule exists, regardless of how many frontend IPs are configured.
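The check from this answer key is easy to automate against the JSON that `az network lb show -o json` returns. The following audit is an added example, not code from the original page or from Microsoft; it accepts both the ARM layout (settings under `properties`) and the flattened layout the CLI prints, and flags every load-balancing rule that still has outbound SNAT enabled while an outbound rule targets the same backend pool. The sample load balancer at the bottom is constructed for the example; the resource IDs in it are placeholders.

```python
"""Audit a Standard Load Balancer for the outbound-SNAT conflict from Question 5
(added example)."""


def _props(resource: dict) -> dict:
    """ARM nests settings under 'properties'; az CLI output flattens them."""
    return resource.get("properties", resource)


def _pool_id(rule: dict) -> str:
    """Backend pool resource ID a rule references, normalised for comparison."""
    pool = _props(rule).get("backendAddressPool") or {}
    return pool.get("id", "").lower()


def audit_outbound_snat(lb: dict) -> list:
    """Return one finding per load-balancing rule whose backend pool is also the
    target of an outbound rule but that still has disableOutboundSnat=false."""
    props = _props(lb)
    pools_with_outbound_rule = {
        _pool_id(rule): rule["name"] for rule in props.get("outboundRules", [])
    }
    findings = []
    for rule in props.get("loadBalancingRules", []):
        pool = _pool_id(rule)
        if pool not in pools_with_outbound_rule:
            continue
        # An absent property means the default (false): outbound SNAT enabled.
        if not _props(rule).get("disableOutboundSnat", False):
            findings.append(
                f"loadBalancingRule '{rule['name']}' has disableOutboundSnat=false "
                f"but outboundRule '{pools_with_outbound_rule[pool]}' targets the "
                f"same backend pool ({pool}); set disableOutboundSnat=true")
    return findings


# Constructed sample (placeholder subscription and resource names): one rule
# conflicts with the outbound rule, one is configured correctly.
POOL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-prod/providers/Microsoft.Network/loadBalancers/lb-prod/"
           "backendAddressPools/pool-prod")

SAMPLE_LB = {
    "name": "lb-prod",
    "properties": {
        "loadBalancingRules": [
            {"name": "rule-http",
             "properties": {"backendAddressPool": {"id": POOL_ID},
                            "protocol": "Tcp", "frontendPort": 80,
                            "backendPort": 80}},
            {"name": "rule-https",
             "properties": {"backendAddressPool": {"id": POOL_ID},
                            "protocol": "Tcp", "frontendPort": 443,
                            "backendPort": 443, "disableOutboundSnat": True}},
        ],
        "outboundRules": [
            {"name": "outbound-rule-prod",
             "properties": {"backendAddressPool": {"id": POOL_ID},
                            "protocol": "Tcp", "allocatedOutboundPorts": 1024,
                            "enableTcpReset": True, "idleTimeoutInMinutes": 4}},
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_outbound_snat(SAMPLE_LB):
        print(finding)
```

For each finding, fix the rule rather than the outbound rule, for example with `az network lb rule update --resource-group rg-prod --lb-name lb-prod --name rule-http --disable-outbound-snat true`, then re-run the audit until it returns nothing.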