Azure Secure NAT Gateway Getting Started
This guide provides information to get you signed up for the Azure Secure NAT Gateway by Aviatrix. The NAT Gateway is part of the Platform-as-a-Service offering.
The Secure NAT Gateway provides security on outbound traffic for any Azure VNet-based workload, including Kubernetes.
For more information about how Aviatrix PaaS and the Secure NAT Gateway can help make your network more secure, see:
You can subscribe, onboard, and secure your cloud resources in four simple steps:

Subscribe to Azure Secure NAT Gateway
Subscribe to the Aviatrix Secure NAT Gateway offer on the Azure Marketplace.

- Go to the Aviatrix Secure NAT Gateway listing on Azure Marketplace and click Get it now.
- Accept the Azure terms of use and privacy policy and click Continue.
- On the Aviatrix Secure NAT Gateway page, do one of the following.
  Both options open a subscription page.
  - From the Plan field, select the plan suitable to your needs and click Subscribe.
  - Click Plans + Pricing, review the details of each plan, and then click Subscribe for the plan suitable to your needs.
    If you select the Developer Evaluation Trial plan, you can upgrade to a paid plan at any time.
- On the Subscribe to Aviatrix Secure NAT Gateway page, do the following:
  - Under Project details > Resource group, click Create New and enter a name for the group.
    Microsoft requires a resource group to contain the resource metadata.
  - Select a Resource group location.
  - Under SaaS details, enter a descriptive Name for the subscription.
    You can leave other fields with their defaults.
  - Click Review + Subscribe, and then click Subscribe on the next page.
- On the Subscription progress page, click Configure account now when the process completes.
  Alternatively, you can click the Configure Account button in the email you receive from Azure Marketplace.
- On the Sign Up screen that displays, enter your name.
  The email address you used for your Azure account is auto-populated.
- Agree to the Aviatrix Terms of Service and Privacy Policy and click Finish Sign Up.
  You are signed in to the Aviatrix Platform UI and a Welcome screen displays, from which you can onboard your Azure cloud account.
Only one account is permitted per company email domain.
If you subscribe to an Aviatrix PaaS offering when another user has already subscribed and set up Single Sign-on (SSO), you will be redirected to the Aviatrix PaaS Platform.
If you are subscribing without SSO and another account already exists for your email domain, you will receive an email acknowledgement, but your subscription will be denied.
To access an existing Aviatrix PaaS account, you must ask an administrator on that account to invite you as a user.
Next Steps
After subscribing to Aviatrix Secure NAT Gateway, onboard your cloud account and VNets.
Onboard Cloud Account
Onboarding connects your cloud account to Aviatrix Platform and allows the platform to discover your cloud resources, such as VNets, subnets, and VMs.

Onboard Your Azure Cloud Account
After signing up with Aviatrix PaaS, the Aviatrix Platform opens to a Welcome page. From this page you can connect your cloud accounts with the Aviatrix Platform. After you have onboarded a cloud account, the Welcome page no longer displays when you sign in.
The onboarding process creates the Azure roles and resources required for Aviatrix Platform to monitor and manage your Azure network. It also allows Aviatrix PaaS to discover the resources in your cloud account.
- On Welcome to Aviatrix PaaS, click Begin.
- In Begin Aviatrix Journey Step 1, click Onboard Cloud Account and select Azure.
- Select one of the following methods and complete the related tasks:
Use Azure CLI to Onboard Azure Cloud
The CLI method automates creation of and connection to an application in Azure, so it is easy and quick.
Prerequisite: The Azure CLI and the jq command-line processor must already be installed on your system.
Perform the following steps to onboard Azure.
- In a terminal window, log in to the Azure CLI.
  Example:
  az login
- Copy the command provided in the Onboard dialog, paste it into the terminal, and press Enter to run the script.
- When prompted, enter a unique name for the Aviatrix Service Principal.
  Example of the command and the command output:

    $ /bin/bash -c "$(curl -fsSL --compressed https://console.avx-cloud.com/assets/scripts/onboarding_azure/azure-cloud-account-onboarding.sh)"
    ###########################################################
    Starting Aviatrix PaaS Onboarding Configuration
    ###########################################################
    Please wait while we perform the necessary checks...
    Azure CLI and jq are installed.
    ###########################################################
    Setting up Azure Aviatrix Service Principal with Contributor Role
    ###########################################################
    Enter a user-friendly name for the Aviatrix Service Principal: <service-principal-name>
    You entered: <service-principal-name>
    This name will appear in the Azure Portal under:
    Home > Your Subscription > Access control (IAM) > Check Access > <service-principal-name>
    Subscription ID detected: <your-subscription-id>
    Creating Azure Service Principal...
    WARNING: Creating 'contributor' role assignment under scope '/subscriptions/<your-subscription-id>'
    WARNING: The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
    Azure Service Principal created successfully.
    ###########################################################
    Creating Bootstrap File: avx_tf_sp.env
    IMPORTANT: Keep this file and avx_tf_sp_20250410143127.json safe!
    ###########################################################
    Bootstrap file created: avx_tf_sp.env
    File contents:
    # Aviatrix PaaS SP created on 20250410143127
    Subscription ID <your-subscription-id>
    Directory ID <your-directory-id>
    Application ID <your-application-id>
    Client Secret <your-client-secret>
    The following is the decoded JSON output (pre-base64 encoding):
    {"subscription_id":"<subscription-id-value>","tenant_id":"<tenant-id-value>","client_id":"<client-id-value>","client_secret":"<client-secret-value>"}
    ###########################################################
    Paste the following base64-encoded value into the PaaS console to onboard your Azure account:
    <your base64-encoded value>
    ###########################################################
    $

- Copy the base64-encoded value from the terminal output and paste it into the Command Output field in the Onboard dialog box.
- Click Next.
  You will see a Discovering Cloud Resources message that changes to a success message after resources are discovered.
- Click Close.
- Verify that the new cloud account displays in the list on Cloud Accounts > Overview.
It can take a couple of minutes before your VNets display under Cloud Resources > Cloud Assets. These resources need to be onboarded to Aviatrix Platform.
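A pre-paste check for the value the script prints, added here as an example (it is not Aviatrix code): it confirms the blob decodes to exactly the four fields shown in the output above without echoing the secret, and flags bootstrap files that other local users can read. The function names and sample values are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile

# Field names as they appear in the decoded JSON in the script output above.
EXPECTED_KEYS = {"subscription_id", "tenant_id", "client_id", "client_secret"}

def inspect_onboarding_blob(blob):
    """Decode the base64 value; return a redacted view or raise ValueError."""
    try:
        data = json.loads(base64.b64decode(blob.strip(), validate=True))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError(f"not base64-encoded JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("decoded value is not a JSON object")
    missing = sorted(EXPECTED_KEYS - set(data))
    unexpected = sorted(set(data) - EXPECTED_KEYS)
    empty = sorted(k for k in EXPECTED_KEYS & set(data) if not str(data[k]).strip())
    if missing or unexpected or empty:
        raise ValueError(f"missing={missing} unexpected={unexpected} empty={empty}")
    # Never echo the secret; show only a prefix of each ID for matching in the portal.
    return {k: "<redacted>" if k == "client_secret" else str(data[k])[:8] + "..."
            for k in sorted(data)}

def loose_credential_files(paths):
    """Return paths whose mode grants any access to group or other (POSIX)."""
    return [p for p in paths if stat.S_IMODE(os.stat(p).st_mode) & 0o077]

def lock_down(paths):
    """Restrict each file to owner read/write only."""
    for p in paths:
        os.chmod(p, 0o600)

if __name__ == "__main__":
    # Constructed sample values, not real identifiers or credentials.
    sample = {"subscription_id": "11111111-aaaa", "tenant_id": "22222222-bbbb",
              "client_id": "33333333-cccc", "client_secret": "constructed-secret"}
    blob = base64.b64encode(json.dumps(sample).encode()).decode()
    print(inspect_onboarding_blob(blob))
    # Stand-in for avx_tf_sp.env, created world-readable to show the check.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(blob.encode())
    os.chmod(fh.name, 0o644)
    print("too permissive:", loose_credential_files([fh.name]))
    lock_down([fh.name])
    print("after chmod 600:", loose_credential_files([fh.name]))
    os.unlink(fh.name)
```

In practice, pass the paths of avx_tf_sp.env and the timestamped avx_tf_sp_*.json file from the directory where the onboarding script ran.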
Next Step:
Use Azure Portal to Onboard Azure Cloud
The Aviatrix Console method requires manually collecting several IDs from Azure Portal and entering them in Aviatrix Platform to create the connection.
Have the following information available for the Azure application you will associate with Aviatrix PaaS:
- Subscription ID
- Directory ID
- Application ID
- Client Secret
If you are uncertain how to collect this information, see Gather Information for Azure Onboarding.
Perform the following steps to onboard Azure.
- If you have not already created an Azure application and gathered the necessary IDs, click Launch Microsoft Azure Portal and create an application.
  See Create a New Application in Azure, if you need more information.
- Enter the following IDs from your Azure account.
  - Subscription ID
  - Directory ID
  - Application ID
  - Client Secret
- Click Next.
  As your account is onboarded, the cloud assets in your account are discovered. When the discovery process completes, a success message displays.
- Click Close.
Your onboarded account is named aviatrix-account and displays on the Cloud Resources pages and in the Dashboard.
It can take a couple of minutes before your VNets display under Cloud Resources > Cloud Assets.
Your onboarded regions will also display in the Dashboard geographic map.
If you want to onboard another cloud account, you can do so from Cloud Resources > Cloud Accounts.
Next Steps
Onboard VNets
Onboarding VNets allows Aviatrix Platform to manage the cloud resources you select.

Onboard VNets
After onboarding your cloud account in Aviatrix, the VPCs or VNets associated with the account display as unmanaged resources in Aviatrix Platform. You can see a list of VPCs and VNets, and associated VM resources, on the Cloud Assets page.
To bring the resources under Aviatrix management, you must onboard the VPCs or VNets. The recommended (default) performance size for VPCs and VNets is Medium.
It is recommended that you deploy each VPC or VNet with at least two subnets in two different zones to provide high availability.
For information about Kubernetes clusters, see "Onboard Kubernetes Clusters".
During onboarding, an Aviatrix Spoke Gateway is created on each subnet in the managed VPC or VNet. This gateway is displayed on the Topology map, along with other network resources.
You can onboard only one VPC or VNet at a time, but you can begin the onboarding process for multiple VPCs or VNets at one time. You do not have to wait until a VPC or VNet finishes onboarding to start onboarding another one.
You can also onboard VPCs and VNets from Security > Egress > Protected VPC/VNets.
To onboard your VPCs or VNets, do the following.
- Go to Cloud Resources > Cloud Assets > VPC/VNets & Subnets.
- Click the Onboard link for a VPC or VNet you want Aviatrix to manage.
  You can only onboard resources that have public IPs. By default, the 10.0.0.0/16 CIDRs are private.
- On Onboard a VPC/VNet you can do the following:
  - From Performance Size, select the instance size for your VPC or VNet.
    The recommended default size is Medium.
  - Remove a subnet from the onboarding list by clicking the "x" next to the subnet IP address.
    This action only removes the subnet from being managed; it does not remove the subnet from the VPC or VNet.
  - Add a subnet to the list by clicking the down arrow and selecting the subnet IP address.
  - Click Onboard.
    The Aviatrix Managed column changes status to In Progress. When onboarding of all subnets for the VPC or VNet is complete, status changes to Yes.
- Expand the VPC or VNet listing to see the status of individual subnets in the VPC or VNet.
- Click the Name of the VPC or VNet to display related route tables.
As subnets are onboarded, they also appear in the Cloud Fabric > Topology map as managed resources.
You can offboard a VPC or VNet from the Aviatrix Platform by using the Manage menu.
Secure Your Network
Use either the Distributed Cloud Firewall (DCF) or Egress Security workflow.

- Protect Your Traffic with Distributed Cloud Firewall
  DCF provides granular network security rules for distributed applications in the cloud.
- Protect Your Traffic with Egress Security
  Egress Security involves monitoring network traffic to the Internet and protecting the traffic using DCF Rules, SmartGroups, and WebGroups.