Outbound Traffic – AWS vs Azure

To receive inbound traffic from the internet, a resource needs a public IP; that much is obvious. Both Azure and AWS have the concept. An Azure static public IP address is the equivalent of an AWS Elastic IP: a public address that stays with you until you release it.

The outbound side is where the two clouds differ, and the difference in concepts and terminology is worth understanding.

By default, Azure resources in a VNet have outbound internet connectivity. Every outbound packet needs a public source IP, so what happens when the VM has no public IP of its own? If the VM does have a public IP, the case is simple: Azure uses that address as the source IP of the outbound packets. If it does not, Azure performs source network address translation (SNAT): when the VM sends a packet, Azure rewrites the VM's private source IP to a platform-owned public IP. Because many VMs can share that public IP, Azure also rewrites the source port to an ephemeral port on the public IP (port address translation, PAT) so that individual flows stay distinguishable. When the remote side responds, the reply arrives at the public IP and port Azure chose, and Azure translates it back to the VM's private IP and port.

Two caveats a practitioner should know. The public IP used for this default outbound access is not one you chose and is not guaranteed to stay the same, so it should not be allow-listed on a remote firewall; if you need a predictable egress address, use an Azure NAT Gateway, a Load Balancer outbound rule, or an instance-level public IP. And Microsoft has announced that default outbound access is being retired for new VNets (30 September 2025), after which outbound connectivity has to be configured explicitly, much as it already is in AWS.
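The SNAT/PAT behaviour described above, as an added example that is not part of the original post or Azure's own code: a small translation table that maps (private IP, private port) flows onto ephemeral ports of one shared public IP, reverses the mapping for replies, drops unsolicited inbound packets, and shows what SNAT port exhaustion looks like. All addresses, ports and the four-port pool are constructed values.

```python
"""Toy model of source NAT with port address translation (SNAT/PAT).

This is an added example, not Azure's own code: it mimics what the text
describes, a platform NAT that maps (private IP, private port) flows onto
ephemeral ports of a single shared public IP and reverses the mapping for
replies. All IPs, ports and the tiny port budget are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str      # VM private IP
    src_port: int    # VM source port
    dst_ip: str      # remote host
    dst_port: int    # remote port


@dataclass
class SnatTable:
    public_ip: str
    port_lo: int = 1024
    port_hi: int = 1027   # constructed 4-port pool so exhaustion is easy to show
    # Flow -> allocated public port
    out_map: Dict[Flow, int] = field(default_factory=dict)
    # (public port, remote ip, remote port) -> Flow, consulted for replies
    in_map: Dict[Tuple[int, str, int], Flow] = field(default_factory=dict)

    def translate_out(self, flow: Flow) -> Tuple[str, int]:
        """Rewrite the source of an outbound packet to (public IP, public port).

        Ports are allocated per destination: the same public port may be
        reused towards a different remote (ip, port), because the reply's
        source address disambiguates it. This is how PAT stretches a pool.
        """
        if flow in self.out_map:                      # existing flow, same mapping
            return self.public_ip, self.out_map[flow]
        busy = {p for (p, r_ip, r_port) in self.in_map
                if (r_ip, r_port) == (flow.dst_ip, flow.dst_port)}
        for port in range(self.port_lo, self.port_hi + 1):
            if port not in busy:
                self.out_map[flow] = port
                self.in_map[(port, flow.dst_ip, flow.dst_port)] = flow
                return self.public_ip, port
        raise RuntimeError(
            f"SNAT port exhaustion towards {flow.dst_ip}:{flow.dst_port}")

    def translate_in(self, public_port: int, from_ip: str,
                     from_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply that hit (public IP, public_port) back to the private flow.

        Returns None when no flow matches: an unsolicited inbound packet has
        no NAT state, so it is dropped rather than forwarded to any VM.
        """
        flow = self.in_map.get((public_port, from_ip, from_port))
        if flow is None:
            return None
        return flow.src_ip, flow.src_port


def flows_until_exhausted(nat: SnatTable, dst_ip: str, dst_port: int,
                          first_src_port: int = 40000) -> int:
    """Open flows from one VM to one destination until the pool runs out.

    Returns how many flows were mapped before port exhaustion, the failure
    mode an operator sees when many connections share one SNAT IP.
    """
    opened = 0
    while True:
        flow = Flow("10.0.0.9", first_src_port + opened, dst_ip, dst_port)
        try:
            nat.translate_out(flow)
        except RuntimeError:
            return opened
        opened += 1


if __name__ == "__main__":
    nat = SnatTable(public_ip="203.0.113.10")
    a = Flow("10.0.0.4", 49152, "198.51.100.7", 443)
    b = Flow("10.0.0.5", 49152, "198.51.100.7", 443)   # same source port, other VM
    print(nat.translate_out(a), nat.translate_out(b))
    print(nat.translate_in(1024, "198.51.100.7", 443))
    print(nat.translate_in(1024, "192.0.2.1", 80))     # unsolicited -> None
    print(flows_until_exhausted(SnatTable("203.0.113.10"), "198.51.100.7", 443))
```

The per-destination port reuse is the reason a handful of public ports can serve far more flows than their count suggests, and the exhaustion path is the one to watch for in practice: a VM opening many short-lived connections to the same remote endpoint through a shared SNAT IP will eventually fail to get a port, and the symptom is connection timeouts rather than an error from the platform.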

AWS instead has the concept of public and private subnets. A subnet whose route table sends internet-bound traffic (0.0.0.0/0) to an internet gateway (IGW) is a public subnet. An EC2 instance in a public subnet that has a public or Elastic IP can send and receive internet traffic; the IGW performs a one-to-one translation between the instance's private IP and that public IP. What about an instance that has only a private IP and happens to sit in a public subnet? Will outbound internet work? No. Even in a public subnet, the IGW only forwards traffic for instances that have a public or Elastic IP; without one, the packets go nowhere. An instance without a public IP has to send its outbound traffic through a NAT instance or NAT gateway, which performs the SNAT.

So an instance that needs only outbound access goes in a private subnet. A private subnet is the opposite of a public one: its route table has no IGW entry, but it does have a 0.0.0.0/0 route to a NAT instance or NAT gateway, and that NAT instance or gateway itself sits in a public subnet with an Elastic IP. The NAT uses that Elastic IP as the source address for packets leaving the VPC, and on receiving the reply it translates the destination back to the instance's private IP. Functionally this is the same SNAT that Azure performs implicitly; the difference is that in AWS you have to know about the NAT instance/gateway and configure it, and the routes to it, yourself.
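The routing rules above, as an added example that is not part of the original post and is not AWS code: a longest-prefix route lookup over constructed route tables, a public/private subnet classifier, a function that says how (and with which source IP) an instance's packet leaves the VPC, and an audit for the failure mode the text warns about, an instance in a public subnet with no public IP. Every subnet name, route table, gateway ID, CIDR and address is constructed.

```python
"""Route-table walk deciding whether an EC2 instance has an internet path.

Added example, not AWS code. It encodes the rules from the text: a subnet
whose 0.0.0.0/0 route targets an igw-* is public; an instance there only
reaches the internet if it has a public/Elastic IP (the IGW does 1:1 NAT
to that address); a subnet whose default route targets a nat-* reaches the
internet through the NAT gateway's Elastic IP, and the NAT gateway itself
must live in a public subnet. Every ID, CIDR and address below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed VPC: three subnets, three route tables, one NAT gateway.
ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "rtb-public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")],
    "rtb-private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")],
    "rtb-isolated": [("10.0.0.0/16", "local")],          # no default route at all
}
SUBNET_RTB = {"public-a": "rtb-public", "private-a": "rtb-private",
              "isolated-a": "rtb-isolated"}
NAT_GATEWAYS = {"nat-0bbb": {"subnet": "public-a", "eip": "203.0.113.50"}}

# Constructed instances; "web-b" is the misplaced one.
INSTANCES = [
    {"name": "web-a", "subnet": "public-a",   "private_ip": "10.0.1.10", "public_ip": "203.0.113.5"},
    {"name": "web-b", "subnet": "public-a",   "private_ip": "10.0.1.11", "public_ip": None},
    {"name": "app-a", "subnet": "private-a",  "private_ip": "10.0.2.10", "public_ip": None},
    {"name": "db-a",  "subnet": "isolated-a", "private_ip": "10.0.3.10", "public_ip": None},
]


def lookup_route(rtb: str, dst: str) -> Optional[str]:
    """Longest-prefix match over a route table, as the VPC router does."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[rtb]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def default_route_target(subnet: str) -> Optional[str]:
    """Target of the subnet's 0.0.0.0/0 route, or None if it has none."""
    for cidr, target in ROUTE_TABLES[SUBNET_RTB[subnet]]:
        if cidr == "0.0.0.0/0":
            return target
    return None


def classify_subnet(subnet: str) -> str:
    """'public' when the default route goes to an internet gateway, else 'private'."""
    target = default_route_target(subnet)
    return "public" if target is not None and target.startswith("igw-") else "private"


def outbound_path(subnet: str, private_ip: str, public_ip: Optional[str],
                  dst: str) -> Tuple[str, Optional[str]]:
    """Return (how the packet leaves, the source IP the remote side sees)."""
    target = lookup_route(SUBNET_RTB[subnet], dst)
    if target == "local":
        return "local", private_ip           # stays in the VPC, no translation
    if target is None:
        return "blocked", None               # no matching route: dropped
    if target.startswith("igw-"):
        if public_ip:
            return "igw", public_ip          # IGW maps private IP <-> public IP
        return "blocked", None               # public subnet but no public IP
    if target.startswith("nat-"):
        nat = NAT_GATEWAYS[target]
        if classify_subnet(nat["subnet"]) != "public":
            return "blocked", None           # NAT gateway itself cannot reach an IGW
        return "nat", nat["eip"]             # SNAT to the NAT gateway's Elastic IP
    return "blocked", None


def silently_offline(instances) -> List[str]:
    """Audit: instances in a public subnet with no public IP.

    They look correctly placed, but have no outbound path: their subnet's
    default route is the IGW, so a NAT gateway elsewhere is never consulted.
    """
    return [i["name"] for i in instances
            if classify_subnet(i["subnet"]) == "public" and not i["public_ip"]]


if __name__ == "__main__":
    for i in INSTANCES:
        print(i["name"], outbound_path(i["subnet"], i["private_ip"], i["public_ip"], "198.51.100.7"))
    print("no outbound path:", silently_offline(INSTANCES))
```

The audit is the check worth running against a real account: an instance that was meant to be internet-facing but lost its public IP (for example, after a stop/start without an Elastic IP) fails in exactly the way the text describes, and neither the route table nor the security group will show anything wrong.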

Bottom line: an outbound packet needs a public source IP. Either it is a public IP you attached to the resource, or it is one Azure/AWS supplies and SNAT does the rest. Conceptually the two clouds work the same way; the differences are in implementation and terminology. Some people argue Azure is easier because outbound internet works by default. Others argue AWS is safer because you have to enable NAT yourself, and so only do it when there is a need. The Azure equivalent of "no NAT" is an explicit outbound deny rule in the subnet's or NIC's network security group, since the default NSG rules allow internet-bound traffic; if a VM should never talk to the internet, that rule has to be added rather than assumed.
