Open
Description
Context
The azure_natgateway_snat_connection_count_high alert rule in python-pulumi/src/ptd/grafana_alerts/azure_natgateway.yaml has a hardcoded threshold of 60000 SNAT connections. This assumes a single public IP (Azure NAT Gateway supports 64,512 SNAT ports per public IP).
Problem
Deployments with multiple public IPs have proportionally higher capacity and would need a higher threshold (e.g., 120,000 for two IPs). There is currently no per-deployment override mechanism — the threshold must be manually adjusted in the YAML.
What needs to be done
- Evaluate whether NAT gateway deployments in PTD ever use multiple public IPs.
- If yes, consider a mechanism to make the threshold configurable per deployment, or document the manual adjustment process clearly for operators.
- If a single public IP is always used, document this assumption as intentional.
Related file
python-pulumi/src/ptd/grafana_alerts/azure_natgateway.yaml, rule uid: azure_natgateway_snat_connection_count_high