
Check for Private Network Integration

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

To maintain network isolation and ensure that only authorized Azure resources can utilize outbound connectivity, make sure that your Microsoft Azure NAT gateways are associated with designated private subnets within a virtual network (VNet).

Security

Proper subnet association is fundamental to a NAT gateway's security architecture. The NAT gateway operates on a zero-trust network security model and requires explicit subnet configuration to maintain network isolation. Incorrect subnet associations can lead to unauthorized network paths, expose sensitive workloads, or allow resources to bypass intended outbound connectivity controls.


Audit

To determine if your Azure NAT gateways are associated with private virtual network (VNet) subnets, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to examine.

06 In the resource navigation panel, under Settings, select Subnets to access the virtual network (VNet) integration information available for the selected NAT gateway.

07 If no VNet integration information is available on the Subnets page, the selected NAT gateway is not associated with a VNet subnet and the Audit process ends here. If VNet integration information is available (i.e., VNet and subnet name), click on the Manage subnets > link available under the list of associated VNet subnets.

08 Click on the name (link) of the associated subnet that you want to examine and verify the Enable private subnet (no default outbound access) setting checkbox available in the Private subnet section. If the setting checkbox is unchecked, the selected Microsoft Azure NAT gateway is associated with a public virtual network (VNet) subnet.

09 Repeat step no. 8 for each VNet subnet associated with the selected Azure NAT gateway.

10 Repeat steps no. 5 - 9 for each Azure NAT gateway deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nat gateway list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure NAT gateway available in the selected subscription:

az network nat gateway list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested NAT gateway identifiers:

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-managed-gateway   cloud-shell-storage-westeurope
cc-prod-stack-nat-gateway     cloud-shell-storage-westeurope

06 Run network nat gateway show command (Windows/macOS/Linux) with custom output filters to list the IDs of subnets configured for virtual network (VNet) integration with the selected Azure NAT gateway:

az network nat gateway show
	--name cc-project5-managed-gateway
	--resource-group cloud-shell-storage-westeurope
	--query 'subnets[*].id'

07 The command output should return the ID of the associated VNet subnet. If the command does not return an output, the selected NAT gateway is not associated with a VNet subnet and the Audit process ends here. Otherwise, you can continue the Audit process with the next step:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-vnet-subnet-001",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-vnet-subnet-002"
]

08 Run resource show command (Windows/macOS/Linux) to determine if the virtual network subnet associated with your NAT gateway, returned in the previous step, is public or private:

az resource show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-vnet-subnet-001"
	--query '{"defaultOutboundAccess":properties.defaultOutboundAccess}'

09 The command output should return the requested configuration information:

{
	"defaultOutboundAccess": null
}

Check the "defaultOutboundAccess" attribute value returned by the resource show command output to determine if the verified VNet subnet is public or private. If "defaultOutboundAccess" is set to true or null, as shown in the example above, the selected Microsoft Azure NAT gateway is associated with a public virtual network (VNet) subnet.

10 Repeat steps no. 8 and 9 for each VNet subnet associated with the selected Azure NAT gateway.

11 Repeat steps no. 6 - 10 for each Azure NAT gateway deployed in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each Azure subscription created in your Microsoft Azure cloud account.
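The CLI audit above can be automated. The following script is an added example (not Conformity's own tooling): it wraps the same `az network nat gateway list` and `az resource show` calls, and flags every associated subnet whose `defaultOutboundAccess` is `true` or `null` (null is the Azure default and means a public subnet). The `az` wrapper assumes a logged-in Azure CLI; the constructed sample responses let the script run offline.

```python
"""Audit Azure NAT gateways for public (non-private) subnet associations."""
import json
import subprocess

def run_az(args):
    """Run an Azure CLI command and parse its JSON output (requires a logged-in `az`)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None

def subnet_is_public(subnet):
    """A subnet is private only when defaultOutboundAccess is explicitly false.
    `az resource show` nests the attribute under "properties"; true or null means public."""
    props = subnet.get("properties", subnet)
    return props.get("defaultOutboundAccess") is not False

def audit_nat_gateways(az=run_az):
    """Return {gateway name: [public subnet IDs]}; an empty list means nothing to flag
    (either all subnets are private or the gateway has no subnet association)."""
    findings = {}
    for gw in az(["network", "nat", "gateway", "list"]):
        public = []
        for ref in gw.get("subnets") or []:
            subnet = az(["resource", "show", "--ids", ref["id"]])
            if subnet_is_public(subnet):
                public.append(ref["id"])
        findings[gw["name"]] = public
    return findings

# Constructed sample responses so the example runs offline; pass run_az (the default)
# instead of fake_az to audit the currently active subscription.
_SUB = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/"
        "cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/"
        "cc-project5-network/subnets/")
_FAKE = {
    ("network", "nat", "gateway", "list"): [
        {"name": "cc-project5-managed-gateway",
         "subnets": [{"id": _SUB + "cc-project5-private-subnet"},
                     {"id": _SUB + "cc-project5-public-subnet"}]},
        {"name": "cc-prod-stack-nat-gateway", "subnets": None},
    ],
    ("resource", "show", "--ids", _SUB + "cc-project5-private-subnet"):
        {"properties": {"defaultOutboundAccess": False}},
    ("resource", "show", "--ids", _SUB + "cc-project5-public-subnet"):
        {"properties": {"defaultOutboundAccess": None}},
}

def fake_az(args):
    return _FAKE[tuple(args)]

if __name__ == "__main__":
    for name, public in audit_nat_gateways(fake_az).items():
        print(("FAIL " if public else "PASS ") + name, public)
```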

Remediation / Resolution

To ensure that your Microsoft Azure NAT gateways are associated with private virtual network (VNet) subnets, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to configure.

06 In the resource navigation panel, under Settings, select Subnets to access the virtual network (VNet) integration information available for the selected NAT gateway.

07 Click on the Manage subnets > link available under the list of associated VNet subnets.

08 On the Subnets page, perform the following actions to change the subnet configuration for the selected NAT gateway:

  1. Click on the name (link) of the private subnet that you want to associate with your NAT gateway, ensure that Enable private subnet (no default outbound access) checkbox is selected under Private subnet, select the name of your NAT gateway from the NAT gateway dropdown list under Security, and choose Save to apply the changes.
  2. Click on the name (link) of the public subnet that you want to remove from your NAT gateway, ensure that Enable private subnet (no default outbound access) checkbox is not selected under Private subnet, select None from the NAT gateway dropdown list under Security, and choose Save to apply the changes.

09 Repeat steps no. 5 - 8 for each Azure NAT gateway that you want to configure, available in the selected Azure subscription.

10 Repeat steps no. 3 - 9 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network vnet subnet list command (Windows/macOS/Linux) to list the IDs of your virtual network (VNet) subnets:

az network vnet subnet list
	--vnet-name cc-project5-network
	--resource-group cloud-shell-storage-westeurope
	--query '[*].id'

05 The command output should return the full resource IDs for your VNet subnets:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-private-subnet",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-public-subnet"
]

06 Run network vnet subnet update command (Windows/macOS/Linux) to associate a private, compliant virtual network (VNet) subnet with your Azure NAT gateway:

az network vnet subnet update
	--name "cc-project5-private-subnet"
	--vnet-name "cc-project5-network"
	--resource-group "cloud-shell-storage-westeurope"
	--nat-gateway "cc-project5-managed-gateway"

07 The command output should return the configuration information available for the modified VNet subnet, now attached to the NAT gateway:

{
	"addressPrefix": "10.0.3.0/24",
	"defaultOutboundAccess": false,
	"delegations": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-private-subnet",
	"name": "cc-project5-private-subnet",
	"natGateway": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/natGateways/cc-project5-managed-gateway",
		"resourceGroup": "cloud-shell-storage-westeurope"
	},
	"privateEndpointNetworkPolicies": "Disabled",
	"privateLinkServiceNetworkPolicies": "Enabled",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Network/virtualNetworks/subnets"
}

08 Run network vnet subnet update command (Windows/macOS/Linux) to remove the public, non-compliant virtual network (VNet) subnet from your Azure NAT gateway configuration (a null value for the --nat-gateway parameter detaches the gateway):

az network vnet subnet update
	--name "cc-project5-public-subnet"
	--vnet-name "cc-project5-network"
	--resource-group "cloud-shell-storage-westeurope"
	--nat-gateway null

09 The command output should return the configuration information available for the modified VNet subnet, no longer attached to the NAT gateway:

{
	"addressPrefix": "10.0.0.0/24",
	"defaultOutboundAccess": true,
	"delegations": [],
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-network/subnets/cc-project5-public-subnet",
	"name": "cc-project5-public-subnet",
	"privateEndpointNetworkPolicies": "Disabled",
	"privateLinkServiceNetworkPolicies": "Enabled",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"type": "Microsoft.Network/virtualNetworks/subnets"
}

10 Repeat steps no. 6 - 9 for each Azure NAT gateway that you want to reconfigure, deployed in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created within your Microsoft Azure cloud account.

Publication date Aug 11, 2025