External Gateway
The external gateway is a managed Network Address Translation (NAT) gateway that provides connectivity between your VPC and the public internet. Each resource group includes an external gateway that is created automatically and cannot be modified or deleted independently.
How the external gateway works
The external gateway sits at the boundary between your private VPC and the public internet. It manages the routing and translation of traffic between your VPC and the internet, enabling both outbound and inbound connectivity.
Outbound connectivity
By default, all VMs can make outbound connections to the internet through the external gateway. The gateway handles the network address translation needed to route traffic from your private VPC to the public internet.
For VMs without an attached Public IP:
- Outbound traffic is routed through the external gateway
- The source IP address seen by external services is a shared public IP
- Return traffic is automatically routed back to the originating VM (the gateway maintains stateful connections)
For VMs with an attached Public IP:
- Outbound traffic is routed through the external gateway
- The source IP address seen by external services is the VM's Public IP
- This allows external services to identify and distinguish traffic from specific VMs
Inbound connectivity
The external gateway does not allow unsolicited inbound connections from the internet to VMs. To accept inbound traffic, a VM must have:
- A Public IP attached
- Security group rules that permit the desired inbound traffic
The external gateway ensures that inbound traffic to Public IPs reaches the associated VM's private IP address within the VPC.
Automatic configuration
The external gateway is created automatically when you create a resource group. You cannot:
- Create additional external gateways in a resource group
- Delete the external gateway while the resource group exists
- Modify the external gateway's configuration
This automatic setup ensures that all VMs have internet connectivity without requiring manual networking configuration.
External gateway and security
The external gateway works in conjunction with security groups to control traffic:
- Outbound traffic: Allowed by default for all VMs (can be restricted with security group rules)
- Inbound traffic: Blocked by default unless the VM has a Public IP and appropriate security group rules
Even with a Public IP attached, inbound traffic is controlled by security groups. The default security group blocks all inbound internet traffic, requiring you to explicitly configure rules for the traffic you want to allow.
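The rules above, applied to a VM inventory as an added example (not the provider's code or API): a VM is reachable from the internet only when it has both a Public IP and a security group rule admitting non-private sources, and its outbound traffic is attributable to it only when it has a Public IP. The inventory schema, the VM names and all addresses are constructed assumptions, and only IPv4 rules are handled.

```python
import ipaddress

# Constructed sample data; the schema and every address are assumptions.
SHARED_NAT_IP = "198.51.100.10"  # placeholder for the gateway's shared public IP
INVENTORY = [
    {"name": "web-1", "public_ip": "203.0.113.5", "inbound_rules": [
        {"cidr": "0.0.0.0/0", "protocol": "tcp", "ports": (443, 443)},
        {"cidr": "10.0.0.0/8", "protocol": "tcp", "ports": (22, 22)}]},
    {"name": "worker-1", "public_ip": None, "inbound_rules": [
        {"cidr": "0.0.0.0/0", "protocol": "tcp", "ports": (22, 22)}]},
    {"name": "batch-1", "public_ip": "203.0.113.9", "inbound_rules": []},
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def admits_internet(cidr):
    """True unless the IPv4 source range lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)

def assess(vm, shared_ip=SHARED_NAT_IP):
    """Apply the page's inbound and outbound rules to one VM record."""
    has_ip = vm["public_ip"] is not None
    open_rules = [(r["protocol"], r["ports"], r["cidr"])
                  for r in vm["inbound_rules"] if admits_internet(r["cidr"])]
    return {
        "name": vm["name"],
        # Without a Public IP, external services see the shared gateway address.
        "egress_source": vm["public_ip"] if has_ip else shared_ip,
        "egress_attributable": has_ip,
        # Inbound needs BOTH a Public IP and a permitting security group rule.
        "internet_reachable": has_ip and bool(open_rules),
        "exposed": open_rules if has_ip else [],
        # Rules that would start admitting traffic once a Public IP is attached.
        "latent": [] if has_ip else open_rules,
    }

def audit(inventory):
    return [assess(vm) for vm in inventory]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(row)
```

The `latent` field is the one to review before attaching a Public IP to an existing VM: a permissive rule that is harmless today takes effect as soon as the address is attached.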
Relationship to other networking components
The external gateway connects several networking components:
- VPC - The external gateway provides internet connectivity for the entire VPC
- Subnet - All VMs in the default subnet use the external gateway for internet access
- Public IPs - The gateway routes traffic between Public IPs and the associated VMs
- Security Groups - Work with the gateway to filter allowed traffic
Next steps
- Learn about Public IPs for inbound internet connectivity
- Understand the Default Networking Setup and how all components work together
- Configure Security Groups to control inbound and outbound traffic
- See Virtual Private Clouds for more about VPC isolation