Hey @Scott Herndon ,
Please see below for the answers to your questions. I have kept them in a Q & Ans format for clarity and ease of reference.
Q- If we are not sending traffic to the internet from the container as part of the application, does the NAT gateway requirement still apply?
Ans- Yes. When you deploy Azure Container Instances into a virtual network, Microsoft requires a NAT Gateway on that subnet. Even if your application doesn’t use the internet, ACI still depends on Azure-managed outbound connectivity. Without a NAT Gateway, the setup is not considered a supported configuration.
Q. Does the NAT Gateway come into play for traffic to ACR Container Repository, or is that traffic happening outside the container/VNET it's linked to?
Ans- Yes, it does work for ACR — unless you’re using ACR with a Private Endpoint.
- If ACR is public → traffic goes out through the NAT Gateway
- If ACR uses a Private Endpoint → traffic stays inside Azure’s private network
Even with Private Endpoints, Azure still requires the NAT Gateway to be present on the ACI subnet for supportability.
Q. What are the requirements around port 19390 when the default route for the container subnet is directed to Azure Firewall or an NVA (we are using an NVA)?
Ans- No. Microsoft documentation for Azure Container Instances does not mention port 19390.
If you’ve seen that port mentioned, it’s likely related to:
- A firewall product
- A network virtual appliance (NVA)
- Or another service
But ACI itself does not require port 19390.
Q. Is it supported to have a default route UDR pointing to an NVA for the ACI subnet for a private network container?
Ans- Yes, that is supported. Here’s how it works:
- Your user-defined routes (UDRs) decide where traffic goes
- NAT Gateway applies SNAT after routing
- NAT Gateway does not need a route pointing to it
Just make sure your firewall or NVA does not block required Azure service traffic (like ACR, Storage, etc.).
References:
- Deploy container group to Azure virtual network - Azure Container Instances | Microsoft Learn
- Configure Container Group Egress with NAT Gateway - Azure Container Instances | Microsoft Learn
- Set Up Private Endpoint with Private Link for ACR - Azure Container Registry | Microsoft Learn
Hope this helped to answer your queries. Please click on "Accept Answer" and "Yes" for "Was this answer helpful?".
If there are any follow-up queries, please do let me know in the comments.