- The VNet's default outbound NAT is only provided to VMs
- Compute instances & compute clusters are not VMs
- But they still need outbound access to public endpoints (AAD, etc.)
- Thus, you need to provide them an outbound path through a public IP
- Options are Azure Firewall, VNET NAT, Gateway...
- In the example above, we chose Azure Firewall
- We use a UDR (user-defined route) to send outbound traffic to the Firewall
- In Azure Firewall, all allowed traffic is automatically SNATed (source NAT) to the firewall's public IP
- Since no inbound rules are defined, this environment only supports no-public-IP compute (compute with a public IP won't work)
- Make sure you are using an image builder cluster, as ACR can't build images when it is using a private endpoint. I've put one for you in this template.
- The destination VNet has a route more specific than 0.0.0.0/0, so by route priority (longest prefix match) the redirection to the Firewall does not apply to traffic whose destination is that VNet.
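To make the last point concrete, here is an added example (not part of this template) that models how Azure picks the effective route for a subnet: longest matching prefix first, and on a tie a user-defined route beats BGP, which beats a system route. All addresses, including the firewall private IP, are constructed placeholders.

```python
import ipaddress

# Azure route selection: longest matching prefix wins; when several routes
# share the same prefix, User (UDR) beats BGP, which beats System.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}

def make_route(prefix, next_hop, source, next_hop_ip=None):
    return {"prefix": ipaddress.ip_network(prefix), "next_hop": next_hop,
            "source": source, "next_hop_ip": next_hop_ip}

def effective_route(routes, destination):
    """Return the route Azure would apply to traffic for `destination`."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r["prefix"]]
    if not matches:
        return None
    # Longer prefix first; on a tie, the lower SOURCE_RANK (a UDR) wins.
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -SOURCE_RANK[r["source"]]))

# Constructed route table for the compute subnet (placeholder addresses).
FIREWALL_IP = "10.0.1.4"  # assumed Azure Firewall private IP in the hub VNet
SYSTEM_ROUTES = [
    make_route("10.0.0.0/16", "VirtualNetwork", "System"),  # this VNet
    make_route("10.1.0.0/16", "VNetPeering", "System"),     # peered destination VNet
    make_route("0.0.0.0/0", "Internet", "System"),
]
UDR_DEFAULT_TO_FIREWALL = make_route("0.0.0.0/0", "VirtualAppliance", "User", FIREWALL_IP)

def next_hop_for(destination, extra_udrs=()):
    routes = SYSTEM_ROUTES + [UDR_DEFAULT_TO_FIREWALL, *extra_udrs]
    route = effective_route(routes, destination)
    return (route["next_hop"], route["next_hop_ip"]) if route else None

if __name__ == "__main__":
    # Internet-bound traffic goes through the firewall: the 0.0.0.0/0 UDR
    # beats the system 0.0.0.0/0 route because User outranks System.
    print(next_hop_for("203.0.113.10"))       # ('VirtualAppliance', '10.0.1.4')
    # Traffic to the peered VNet keeps the /16 peering route, which is more
    # specific than 0.0.0.0/0, so the firewall is bypassed.
    print(next_hop_for("10.1.0.10"))          # ('VNetPeering', None)
    # Forcing that traffic through the firewall needs an equally specific UDR.
    fix = make_route("10.1.0.0/16", "VirtualAppliance", "User", FIREWALL_IP)
    print(next_hop_for("10.1.0.10", [fix]))   # ('VirtualAppliance', '10.0.1.4')
```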