End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Check for Public IP Association

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure NAT gateways are using public IP addresses or public IP prefixes for outbound connectivity in order to provide consistent, routable outbound IPs for reliable Internet connectivity and proper SNAT handling.

Security
Operational excellence

An Azure NAT gateway needs at least one public IP address or public IP prefix to work. Until you add one, any subnet associated with the gateway won't be able to connect to the outside internet. To ensure reliable and scalable outbound Internet connectivity, Azure NAT gateways must use public IP addresses or public IP prefixes so that outbound traffic has valid, routable source IPs. This enables consistent egress IP identification, supports SNAT for multiple connections, and avoids connectivity issues with external services.


Audit

To determine if your Azure NAT gateways are using public IP addresses or public IP prefixes, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to examine.

06 In the resource navigation panel, under Settings, select Outbound IP to access the IP outbound configuration information available for the selected NAT gateway.

07 On the Outbound IP page, check for any public IP addresses and public IP prefixes listed in the Public IP addresses and Public IP prefixes sections. If no public IP addresses and/or public IP prefixes are listed on this page and the message No items found is displayed instead, the selected Microsoft Azure NAT gateway is not using public IP addresses or public IP prefixes for outbound connectivity.

08 Repeat steps no. 5 - 7 for each Azure NAT gateway deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nat gateway list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure NAT gateway available in the selected subscription:

az network nat gateway list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested NAT gateway identifiers:

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-managed-gateway   cloud-shell-storage-westeurope
cc-prod-stack-nat-gateway     cloud-shell-storage-westeurope

06 Run network nat gateway show command (Windows/macOS/Linux) with the name of the Azure NAT gateway that you want to examine as the identifier parameter, to list the IDs of the public IP addresses and public IP prefixes associated with the selected NAT gateway:

az network nat gateway show \
	--name cc-project5-managed-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--query "{PublicIpAddresses:publicIpAddresses[*].id,PublicIpPrefixes:publicIpPrefixes[*].id}"

07 The command output should return the associated public IP addresses and/or public IP prefixes:

{
	"PublicIpAddresses": null,
	"PublicIpPrefixes": null
}

If the network nat gateway show command output returns null for both "PublicIpAddresses" and "PublicIpPrefixes" attributes, as shown in the output example above, the selected Microsoft Azure NAT gateway is not using public IP addresses or public IP prefixes for outbound connectivity.

08 Repeat steps no. 6 and 7 for each Azure NAT gateway deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
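The CLI audit above can be run across every subscription and gateway in one pass. The following script is an added example, not part of the original page: the function names, the tab-separated row format and the sample rows are assumptions made for illustration, and the sample rows reuse the page's placeholder names with constructed counts.

```shell
#!/bin/sh
# Added example (not from the original page): flag NAT gateways that have
# neither a public IP address nor a public IP prefix associated.

# JMESPath projection: null and [] both count as zero attached resources.
QUERY='[].[name, resourceGroup, length(publicIpAddresses || `[]`), length(publicIpPrefixes || `[]`)]'

# Emit one tab-separated row per NAT gateway in every subscription:
#   subscription  name  resourceGroup  publicIpCount  publicIpPrefixCount
# --subscription is the global az argument, used here instead of "az account set".
list_gateways() {
  for sub in $(az account list --query '[].id' --output tsv); do
    az network nat gateway list --subscription "$sub" \
      --query "$QUERY" --output tsv |
      awk -v id="$sub" 'BEGIN { OFS = "\t" } { print id, $0 }'
  done
}

# Read rows on stdin and print subscription/resourceGroup/name for each gateway
# whose two counts are both zero. Exit status 1 if any gateway was flagged,
# so the function can gate a pipeline job.
flag_unassociated() {
  awk -F'\t' '
    $4 + $5 == 0 { print $1 "/" $3 "/" $2; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample rows (placeholder names from this page, invented counts)
# so the filter can be exercised without Azure access.
sample_rows() {
  printf 'abcdabcd-1234-abcd-1234-abcdabcdabcd\tcc-project5-managed-gateway\tcloud-shell-storage-westeurope\t0\t0\n'
  printf 'abcdabcd-1234-abcd-1234-abcdabcdabcd\tcc-prod-stack-nat-gateway\tcloud-shell-storage-westeurope\t1\t0\n'
}

# Offline demonstration; against a live tenant run:
#   list_gateways | flag_unassociated
sample_rows | flag_unassociated || echo "NAT gateways without a public IP or prefix are listed above"
```
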

Remediation / Resolution

To ensure that your Microsoft Azure NAT gateways are using public IP addresses or public IP prefixes for providing reliable and scalable outbound Internet connectivity, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to configure.

06 In the resource navigation panel, under Settings, select Outbound IP to access the IP outbound configuration settings available for the selected NAT gateway.

07 On the Outbound IP page, choose Edit and perform one of the following actions to assign a new public IP address or public IP prefix for the selected NAT gateway (at least one is required for outbound Internet connectivity):

  1. To add a public IP address, click inside the Public IP addresses dropdown box and select (New) nat-pip under Can be associated to create a new public IP address resource and assign it to your NAT gateway. Choose Save to apply the configuration changes.
  2. To add a public IP prefix, click inside the Public IP prefixes dropdown box and select (New) nat-prefix under Can be associated to create a new public IP prefix resource and assign it to your NAT gateway. Choose Save to apply the changes.

08 Repeat steps no. 5 – 7 for each Azure NAT gateway that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network public-ip create command (Windows/macOS/Linux) to create a new public IP address resource for your Azure NAT gateway:

az network public-ip create \
	--name cc-project5-nat-pip \
	--resource-group cloud-shell-storage-westeurope \
	--allocation-method Static \
	--sku Standard

05 The command output should return the information available for the new public IP address:

{
	"publicIp": {
		"ddosSettings": {
			"protectionMode": "VirtualNetworkInherited"
		},
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-pip",
		"idleTimeoutInMinutes": 4,
		"ipAddress": "xxx.xxx.xxx.xxx",
		"ipTags": [],
		"location": "westeurope",
		"name": "cc-project5-nat-pip",
		"provisioningState": "Succeeded",
		"publicIPAddressVersion": "IPv4",
		"publicIPAllocationMethod": "Static",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"sku": {
			"name": "Standard",
			"tier": "Regional"
		},
		"type": "Microsoft.Network/publicIPAddresses"
	}
}

06 Run network public-ip prefix create command (Windows/macOS/Linux) to create a new public IP prefix resource for your Azure NAT gateway:

az network public-ip prefix create \
	--name cc-project5-nat-ip-prefix \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope \
	--length 28

07 The command output should return the information available for the new public IP prefix:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPPrefixes/cc-project5-nat-ip-prefix",
	"ipPrefix": "xxx.xxx.xxx.xxx/28",
	"ipTags": [],
	"location": "westeurope",
	"name": "cc-project5-nat-ip-prefix",
	"prefixLength": 28,
	"provisioningState": "Succeeded",
	"publicIPAddressVersion": "IPv4",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Standard",
		"tier": "Regional"
	},
	"type": "Microsoft.Network/publicIPPrefixes"
}

08 Run network nat gateway update command (Windows/macOS/Linux) to assign the new public IP address/public IP prefix to the selected Azure NAT gateway. As an example, the following command is using the --public-ip-addresses parameter to assign a public IP address to the specified NAT gateway. You can use the --public-ip-prefixes parameter to assign an IP prefix instead of an IP address:

az network nat gateway update \
	--name cc-project5-managed-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--public-ip-addresses "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-pip"

09 The command output should return the information available for the configured NAT gateway:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/natGateways/cc-project5-managed-gateway",
	"idleTimeoutInMinutes": 4,
	"location": "westeurope",
	"name": "cc-project5-managed-gateway",
	"provisioningState": "Succeeded",
	"publicIpAddresses": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-pip",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sku": {
		"name": "Standard"
	},
	"tags": {},
	"type": "Microsoft.Network/natGateways"
}

10 Repeat steps no. 4 - 9 for each Azure NAT gateway that you want to configure, deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Publication date Aug 11, 2025