Estimate NAT port usage, identify exhaustion risks, and plan SNAT capacity for cloud and enterprise networks. Essential for Azure, AWS, and on-premises NAT gateway sizing.
NAT port exhaustion occurs when all available SNAT (Source NAT) ports are in use, causing new outbound connections to fail. This is a common issue in cloud environments, VPN gateways, and enterprise networks with many hosts behind a single NAT. Our calculator helps you assess risk and plan capacity before problems occur.
When multiple internal hosts share a single public IP through NAT, each outbound connection requires a unique source port. With only 64,000 ports available per IP (65,535 minus reserved ports), high-traffic environments can exhaust this pool. Connections remain allocated during TCP TIME_WAIT (typically 120 seconds), further reducing available capacity.
Port Utilization Formula
Utilization = (Users × Connections/User) ÷ (NAT IPs × 64,000) × 100%
Port exhaustion causes mysterious connection timeouts and failures that are difficult to diagnose without proper monitoring.
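The utilization formula above, extended with the TIME_WAIT hold-down described earlier and a required-IP estimate, as an added Python example that is not the calculator's own code; the 80% planning target and the risk thresholds are assumptions.

```python
from math import ceil

# Usable SNAT ports per public IP, the figure the calculator uses.
PORTS_PER_NAT_IP = 64_000


def port_utilization(users: int, conns_per_user: float, nat_ips: int) -> float:
    """Utilization % = (Users × Connections/User) ÷ (NAT IPs × 64,000) × 100."""
    if nat_ips < 1:
        raise ValueError("at least one NAT IP is required")
    return users * conns_per_user / (nat_ips * PORTS_PER_NAT_IP) * 100


def ports_in_use(established: int, closes_per_sec: float, time_wait_s: float = 120) -> int:
    """Ports actually held = ESTABLISHED flows + ports parked in TIME_WAIT.

    Steady-state TIME_WAIT occupancy is close rate × TIME_WAIT duration
    (Little's law); the 120 s default is the page's figure.  Assumes each
    closed flow parks its SNAT port for time_wait_s seconds.
    """
    return established + ceil(closes_per_sec * time_wait_s)


def required_nat_ips(ports_needed: int, target_utilization_pct: float = 80.0) -> int:
    """Minimum public IPs that keep ports_needed at or below the target utilization."""
    capacity_per_ip = PORTS_PER_NAT_IP * target_utilization_pct / 100
    return max(1, ceil(ports_needed / capacity_per_ip))


def risk_level(utilization_pct: float) -> str:
    """Map a utilization figure to a planning verdict (thresholds are assumptions)."""
    if utilization_pct >= 100:
        return "exhausted"
    if utilization_pct >= 80:
        return "high"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: 500 hosts × 100 connections each behind one NAT IP,
    # plus 200 short-lived connections closing per second.
    util = port_utilization(500, 100, 1)       # 78.125 %, under the 80 % threshold
    held = ports_in_use(50_000, 200)            # 74,000 once TIME_WAIT is counted
    util_tw = held / PORTS_PER_NAT_IP * 100     # 115.6 %: exhausted in practice
    print(f"formula only: {util:.1f}% ({risk_level(util)})")
    print(f"with TIME_WAIT: {util_tw:.1f}% ({risk_level(util_tw)})")
    print(f"NAT IPs needed at 80% target: {required_nat_ips(held)}")
```

The headline formula alone can report a healthy figure while TIME_WAIT churn has already pushed the real port count past the pool, which is the case the sizing has to catch.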
Azure NAT Gateway, AWS NAT Gateway, and GCP Cloud NAT all have port limits. Proper sizing prevents expensive downtime.
Understand how many NAT IPs you need as your infrastructure scales, especially for microservices making many outbound calls.
Public IPs cost money. Calculate the minimum IPs needed rather than over-provisioning.
Identify when connection pooling, keepalives, or TIME_WAIT tuning would help more than adding IPs.
Each Azure NAT Gateway IP provides 64,000 ports. High-traffic AKS clusters or VM scale sets can exhaust ports quickly.
Pods making many external API calls (logging, metrics, external services) can cause node-level port exhaustion.
Service-to-service calls through NAT multiply port usage. Consider service mesh or private endpoints.
Remote users accessing cloud resources through VPN can exhaust NAT ports during peak hours.
Applications making many short-lived HTTP requests to external APIs are prone to port exhaustion.
Applications with large connection pools to external databases can consume significant port ranges.
The full range is 65,535, but ports 1-1024 are reserved for well-known services, and some are reserved for system use. The usable ephemeral port range is typically 64,000 or less depending on OS configuration.
After a TCP connection closes, the port remains in TIME_WAIT state (typically 120 seconds) to handle delayed packets. During this time, the port cannot be reused, effectively reducing available capacity during high-traffic periods.
On Linux: 'ss -tan | grep ESTABLISHED | wc -l'. On Azure: check NAT Gateway metrics for SNAT connection count. On AWS: CloudWatch metrics for NAT Gateway.
Yes, but with caution. Linux: net.ipv4.tcp_fin_timeout. Windows: TcpTimedWaitDelay registry. Reducing below 60s can cause issues with some applications. Consider tcp_tw_reuse instead.
Connection pooling is usually better as it reduces total connections and improves performance. Add IPs when pooling isn't feasible or you've already optimized connection patterns.
Azure NAT Gateway drops new connection requests when ports are exhausted, returning connection timeout errors. It automatically allocates up to 64,000 ports per IP address.