End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Check for Optimal Idle Timeout Configuration

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the TCP idle timeout is appropriately configured for your Microsoft Azure NAT gateways in order to prevent connection failures and to optimize resource utilization. The TCP idle timeout setting, configurable from 4 to 120 minutes (the default is 4), defines how long Azure NAT Gateway keeps an idle TCP flow before removing it from its flow table. If an endpoint sends on a connection after its flow has timed out, the NAT gateway answers with a TCP reset (RST) and the application has to reconnect. Every flow the gateway keeps alive also continues to occupy a SNAT port, so a timeout longer than the application needs shrinks the pool available for new outbound connections. Setting this timeout appropriately helps maintain stable connections for long-idle applications while efficiently releasing ports and flow-table capacity for applications with frequent, short-lived traffic.

Performance efficiency, Operational excellence

Configuring the TCP idle timeout to match an application's requirements is crucial because an incorrect setting can lead to connection failures and performance issues. If the timeout is too short, the NAT Gateway will prematurely remove flows that the application still needs; the next packet on such a connection is answered with a TCP reset, forcing the application to re-establish the connection. Conversely, if the timeout is too long, the NAT Gateway will hold SNAT ports and flow-table entries for connections that are no longer in use, which can lead to SNAT port exhaustion and failures for new outbound connections. Microsoft's guidance is to keep the timeout as close to the 4-minute default as the workload allows and to rely on client-side TCP keepalives for connections that must survive long idle periods, rather than raising the timeout for every flow through the gateway.


Audit

To determine if your Azure NAT gateways are using an appropriate TCP idle timeout configuration, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to examine.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration information available for the selected NAT gateway.

07 On the Configuration page, check the value available in the TCP idle timeout (minutes) box to determine the TCP idle timeout (in minutes) configured for the selected NAT gateway. If the TCP idle timeout (minutes) value does not match your application requirements, the selected Microsoft Azure NAT gateway is not using an appropriate TCP idle timeout configuration.

08 Repeat steps no. 5 - 7 for each Azure NAT gateway deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nat gateway list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure NAT gateway available in the selected subscription:

az network nat gateway list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested NAT gateway identifiers:

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-managed-gateway   cloud-shell-storage-westeurope
cc-prod-stack-nat-gateway     cloud-shell-storage-westeurope

06 Run network nat gateway show command (Windows/macOS/Linux) with the name of the Azure NAT gateway that you want to examine as the identifier parameter, to determine the TCP idle timeout configured for the selected NAT gateway:

az network nat gateway show \
	--name cc-project5-managed-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--query 'idleTimeoutInMinutes'

07 The command output should return the TCP idle timeout (in minutes) defined for the NAT gateway:

15

If the TCP idle timeout value (in minutes) returned by the network nat gateway show command output does not match your application requirements, the selected Microsoft Azure NAT gateway is not using an appropriate TCP idle timeout configuration.

08 Repeat steps no. 6 and 7 for each Azure NAT gateway deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure NAT gateways are using an appropriate TCP idle timeout configuration, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to configure.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration information available for the selected NAT gateway.

07 On the Configuration page, enter the appropriate TCP idle timeout value for the selected NAT gateway in the TCP idle timeout (minutes) box and choose Save to apply the configuration changes. TCP idle timeout is configurable from 4 to 120 minutes and determines when your NAT gateway removes idle flows. The following are recommended TCP idle timeout values:

  1. For web APIs and HTTP requests: 4 – 10 min (short-lived connections; 4 min is the Azure default).
  2. For database connections: 15 – 30 min (periodic but long-lived).
  3. For SSH and remote management: 30 – 60 min (interactive sessions with idle periods).
  4. For IoT device connections: 60 – 120 min (persistent low-traffic connections).

08 Repeat steps no. 5 – 7 for each Azure NAT gateway that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nat gateway update command (Windows/macOS/Linux) to set the appropriate TCP idle timeout value (in minutes) for the selected Azure NAT gateway:

az network nat gateway update \
	--name cc-project5-managed-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--idle-timeout 5

05 The command output should return the information available for the configured NAT gateway:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/natGateways/cc-project5-managed-gateway",
	"idleTimeoutInMinutes": 5,
	"location": "westeurope",
	"name": "cc-project5-managed-gateway",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Standard"
	},
	"subnets": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-vnet-subnet-001",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"tags": {},
	"type": "Microsoft.Network/natGateways"
}

06 Repeat steps no. 4 and 5 for each Azure NAT gateway that you want to configure, deployed in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created within your Microsoft Azure cloud account.
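The Azure CLI audit steps above and the Azure CLI remediation steps in this section can be driven from one script instead of being repeated by hand for every gateway and subscription. The following is an added example written for this page; it is not Conformity's own check logic and not part of Azure CLI. The expected range of 4 – 10 minutes is an assumption for a web/API workload and should be replaced with whatever the application actually needs; the two gateway names and their timeout values in the constructed sample rows are made up so the check can be exercised without an Azure session. Only the `live_audit` and `live_remediate` functions call `az`, and they require an authenticated CLI session.

```shell
#!/bin/sh
# Added example, not from the Conformity page or from Azure CLI itself.
# Flags Azure NAT gateways whose TCP idle timeout falls outside the range a
# workload is expected to use, and optionally resets the outliers.
# Azure accepts 4-120 minutes; the 4-10 range used in the demo at the bottom
# is an ASSUMPTION for a web/API workload.

# timeout_ok MINUTES MIN MAX: succeeds when MINUTES is a whole number, inside
# Azure's allowed 4-120 window, and inside the expected MIN..MAX range.
timeout_ok() {
    minutes=$1; lo=$2; hi=$3
    case "$minutes" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric (e.g. "null")
    esac
    [ "$minutes" -ge 4 ] && [ "$minutes" -le 120 ] &&
        [ "$minutes" -ge "$lo" ] && [ "$minutes" -le "$hi" ]
}

# audit_rows MIN MAX: reads "name<TAB>resourceGroup<TAB>idleTimeoutInMinutes"
# rows on stdin (the shape the az query in live_audit produces), prints one
# verdict per gateway, then a final "noncompliant=N total=M" summary line.
audit_rows() {
    lo=$1; hi=$2; bad=0; total=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name rg minutes; do
        [ -n "$name" ] || continue
        total=$((total + 1))
        if timeout_ok "$minutes" "$lo" "$hi"; then
            printf 'OK           %s/%s idle timeout %s min\n' "$rg" "$name" "$minutes"
        else
            printf 'NONCOMPLIANT %s/%s idle timeout %s min, expected %s-%s\n' \
                "$rg" "$name" "$minutes" "$lo" "$hi"
            bad=$((bad + 1))
        fi
    done
    printf 'noncompliant=%s total=%s\n' "$bad" "$total"
}

# noncompliant_count MIN MAX: same input as audit_rows, prints only the count
# of gateways outside the expected range (useful as a CI gate).
noncompliant_count() {
    audit_rows "$@" | tail -n 1 | sed 's/^noncompliant=\([0-9]*\).*/\1/'
}

# live_audit MIN MAX: runs the check across every subscription the signed-in
# identity can see. Mirrors steps 1-9 of the CLI audit procedure.
live_audit() {
    for sub in $(az account list --query '[*].id' -o tsv); do
        printf '== subscription %s\n' "$sub"
        az account set --subscription "$sub"
        az network nat gateway list \
            --query '[].[name, resourceGroup, idleTimeoutInMinutes]' -o tsv |
            audit_rows "$1" "$2"
    done
}

# live_remediate MIN MAX TARGET: in the active subscription, sets every
# non-compliant gateway to TARGET minutes. TARGET must itself be in range,
# so a typo cannot push a fleet to a value Azure rejects or the policy forbids.
live_remediate() {
    lo=$1; hi=$2; target=$3
    timeout_ok "$target" "$lo" "$hi" || {
        printf 'target %s is outside %s-%s\n' "$target" "$lo" "$hi" >&2
        return 1
    }
    tab=$(printf '\t')
    az network nat gateway list \
        --query '[].[name, resourceGroup, idleTimeoutInMinutes]' -o tsv |
    while IFS="$tab" read -r name rg minutes; do
        timeout_ok "$minutes" "$lo" "$hi" && continue
        az network nat gateway update --name "$name" --resource-group "$rg" \
            --idle-timeout "$target" --query idleTimeoutInMinutes -o tsv
    done
}

# Constructed sample rows standing in for az output so the check runs offline.
# Gateway names are the ones used in the walkthrough above; the timeout values
# are invented for the demonstration.
SAMPLE_ROWS=$(printf 'cc-project5-managed-gateway\tcloud-shell-storage-westeurope\t15\ncc-prod-stack-nat-gateway\tcloud-shell-storage-westeurope\t5\n')

printf '%s\n' "$SAMPLE_ROWS" | audit_rows 4 10
# Against a real tenant: live_audit 4 10   and then   live_remediate 4 10 5
```

`live_remediate` deliberately refuses to run if the target value is itself outside the expected range, and it only touches gateways that fail the check, so re-running it is idempotent. Raising the expected range (for example to 4 – 30 for the database tier) is a policy decision that belongs with the application owners, not a default to apply to every gateway.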


Publication date Aug 11, 2025