Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check for Availability Zone Configuration

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-028

To maintain service resilience and prevent single points of failure in network connectivity, ensure that your Microsoft Azure NAT gateways are configured with appropriate Availability Zone (AZ) settings. For optimal resilience, always align your NAT gateway's Availability Zone (AZ) with the cloud resources it serves.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability
Performance
efficiency
Operational
excellence

In Azure cloud, a NAT gateway is a zonal resource, meaning it can be deployed to and operate from an individual Availability Zone (AZ). To achieve zone resiliency against outages, you should align your zonal NAT gateway resources with zonally designated IP-based resources, such as virtual machines (VMs). This configuration prevents a single point of failure by ensuring that if one Availability Zone experiences an infrastructure event, outbound internet connectivity for critical applications is maintained through the NAT gateway instances in the other healthy zones. By properly configuring your resources in this manner, you ensure business continuity and a highly available architecture.

Audit

To determine if your Azure NAT gateways are using appropriate Availability Zone settings, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and NAT gateway for Value, then choose Apply to list the Microsoft Azure NAT gateways available in the selected subscription.

05 Click on the name (link) of the Azure NAT gateway that you want to examine.

06 In the NAT resource navigation panel, under Settings, select Properties, and check the Availability zone attribute value to identify the Availability Zone where the selected NAT gateway is deployed. If the Availability zone value is set to No Zone, the selected NAT gateway was placed in a unknown Availability Zone for you by Microsoft Azure.

07 In the resource navigation panel, under Settings, select Outbound IP, and click on the name (link) of the associated public IP address, listed in the Public IP addresses section.

08 In the IP resource navigation panel, under Settings, select Properties, and check the Availability zone attribute value to identify the Availability Zone configured for the selected public IP. If the NAT gateway's Availability Zone, identified in step no. 6, doesn't match the public IP address's zone, the selected Azure NAT gateway is not using compatible Availability Zone (AZ) settings."

09 Repeat steps no. 5 - 8 for each Azure NAT gateway deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network nat gateway list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure NAT gateway available in the selected subscription: 

az network nat gateway list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested NAT gateway identifiers: 

Name                          ResourceGroup
---------------------------   ------------------------------
cc-project5-managed-gateway   cloud-shell-storage-westeurope
cc-prod-stack-nat-gateway     cloud-shell-storage-westeurope

06 Run network nat gateway show command (Windows/macOS/Linux) with the name of the Azure NAT gateway that you want to examine as the identifier parameter, to identify the Availability Zone (AZ) where the selected NAT gateway is deployed: 

az network nat gateway show
	--name cc-project5-managed-gateway
	--resource-group cloud-shell-storage-westeurope
	--query 'zones'

07 The command output should return the number of the configured Availability Zone. If the network nat gateway show command does not return an output, the selected NAT gateway was placed in a unknown Availability Zone for you by Microsoft Azure: 

[
	"3"
]

08 Run network nat gateway show command (Windows/macOS/Linux) with the name of the Azure NAT gateway that you want to examine as the identifier parameter, to list the ID of the public IP address associated with the selected NAT gateway: 

az network nat gateway show
	--name cc-project5-managed-gateway
	--resource-group cloud-shell-storage-westeurope
	--query "publicIpAddresses[*].id"

09 The command output should return the associated public IP address: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-pip"
]

10 Run network public-ip show command (Windows/macOS/Linux) to describe the Availability Zone configured for the associated public IP address: 

az network public-ip show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-pip"
	--query 'zones'

11 The command output should return the number of the configured Availability Zone: 

[
	"1"
]

If the NAT gateway's Availability Zone, identified in step no. 7, doesn't match the public IP address's zone identified in step no. 11, the selected Azure NAT gateway is not using compatible Availability Zone (AZ) settings.

12 Repeat steps no. 6 - 11 for each Azure NAT gateway deployed in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure NAT gateways are using appropriate Availability Zone (AZ) settings, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to NAT gateways blade available at https://portal.azure.com/#view/HubsExtension/AssetMenuBlade/~/NATGateways/assetName/NetworkFoundation/extensionName/Microsoft_Azure_Network.

03 Choose Create and perform the following actions to create a new Azure NAT gateway:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the NAT gateway in the NAT gateway name box.
    4. For Region, choose the appropriate Azure cloud region.
    5. For Availability zone, select the name of the Availability Zone where the NAT gateway instance will be deployed. Must be in the same Availability Zone as your virtual network (VNet). Your NAT gateway's Availability Zone (AZ) must align with the Azure cloud resources it serves.
    6. For TCP idle timeout (minutes), provide the optimal TCP idle timeout value for the new NAT gateway resource. TCP idle timeout is configurable from 4 to 120 minutes and determines when your NAT gateway removes idle flows.
    7. Choose Next : Outbound IP > to continue the setup process.
  2. For Outbound IP, perform the following actions:
    1. For Public IP addresses, choose Create a new public IP address, enter a name for the new public IP in the Name box, and ensure that Availability zone value is correct. Choose OK to save the changes.
    2. Choose Next : Subnet > to continue the setup.
  3. For Subnet, select the virtual network (VNet) that contains your Azure cloud resources from the Virtual network dropdown list. The compatible VNet subnets should be listed on this page. Choose Next : Tags > to continue the setup.
  4. For Tags, use the Name and Value fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the NAT gateway setup.
  5. For Review + create, review the resource configuration details, then choose Create to create your new, compliant Azure NAT gateway.

04 Repeat steps no. 3 for each Azure NAT gateway that you want to re-create, available in the selected Azure subscription.

05 Repeat steps no. 3 and 4 for Azure each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network public-ip create command (Windows/macOS/Linux) to create a public IP address resource for your new Azure NAT gateway: 

az network public-ip create
	--name cc-project5-nat-ip
	--resource-group cloud-shell-storage-westeurope
	--allocation-method Static
	--sku Standard
	--location westeurope
	--zone 1

05 The command output should return the information available for the new public IP address: 

{
	"publicIp": {
		"ddosSettings": {
			"protectionMode": "VirtualNetworkInherited"
		},
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-ip",
		"idleTimeoutInMinutes": 4,
		"ipAddress": "xxx.xxx.xxx.xxx",
		"ipTags": [],
		"location": "westeurope",
		"name": "cc-project5-nat-ip",
		"provisioningState": "Succeeded",
		"publicIPAddressVersion": "IPv4",
		"publicIPAllocationMethod": "Static",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"resourceGuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"sku": {
			"name": "Standard",
			"tier": "Regional"
		},
		"type": "Microsoft.Network/publicIPAddresses",
		"zones": [
			"1"
		]
	}
}

06 Run network nat gateway create command (Windows/macOS/Linux) to create a new Azure NAT gateway in the appropriate Availability Zone (AZ): 

az network nat gateway create
	--name cc-project5-new-nat-gateway
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--public-ip-addresses  cc-project5-nat-ip
	--idle-timeout 4
	--zone 1

07 The command output should return the information available for the configured NAT gateway: 

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/natGateways/cc-project5-new-nat-gateway",
	"idleTimeoutInMinutes": 4,
	"location": "westeurope",
	"name": "cc-project5-new-nat-gateway",
	"provisioningState": "Succeeded",
	"publicIpAddresses": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-nat-ip",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"resourceGroup": "cloud-shell-storage-westeurope",
	"resourceGuid": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"sku": {
		"name": "Standard"
	},
	"type": "Microsoft.Network/natGateways",
	"zones": [
		"1"
	]
}

08 Repeat steps no. 4 - 7 for each Azure NAT gateway that you want to re-create, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Aug 11, 2025

Related Network rules