Context
The azure_natgateway_snat_connection_count_high alert rule in python-pulumi/src/ptd/grafana_alerts/azure_natgateway.yaml has a hardcoded threshold of 60000 SNAT connections. This assumes a single public IP (Azure NAT Gateway supports 64,512 SNAT ports per public IP).
Problem
Deployments with multiple public IPs have proportionally higher capacity and would need a higher threshold (e.g., 120,000 for two IPs). There is currently no per-deployment override mechanism — the threshold must be manually adjusted in the YAML.
What needs to be done
- Evaluate whether NAT gateway deployments in PTD ever use multiple public IPs.
- If yes, consider a mechanism to make the threshold configurable per deployment, or document the manual adjustment process clearly for operators.
- If a single public IP is always used, document this assumption as intentional.
Related file
python-pulumi/src/ptd/grafana_alerts/azure_natgateway.yaml, rule uid: azure_natgateway_snat_connection_count_high
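One way the per-deployment override from "What needs to be done" could look, as an added example that is not code from the PTD repository: the threshold is scaled linearly by public IP count and patched into the alert rule, with a capacity check so the alert still fires before SNAT port exhaustion. The rule document below is constructed to follow Grafana's alert-rule provisioning schema; the real layout of azure_natgateway.yaml and the expression names (`scaled_threshold`, `set_snat_threshold`) are assumptions.

```python
# Added example (not from the PTD repo): scale the SNAT alert threshold by
# the number of public IPs and patch a Grafana-provisioned alert rule.
# SAMPLE_RULE_DOC is CONSTRUCTED to mirror Grafana's provisioning schema;
# the real azure_natgateway.yaml layout is assumed, not copied.
import copy

PORTS_PER_PUBLIC_IP = 64_512   # Azure NAT Gateway SNAT ports per public IP
BASE_THRESHOLD = 60_000        # current hardcoded value, sized for one IP
RULE_UID = "azure_natgateway_snat_connection_count_high"

SAMPLE_RULE_DOC = {  # constructed sample document
    "apiVersion": 1,
    "groups": [{
        "name": "azure_natgateway",
        "rules": [{
            "uid": RULE_UID,
            "title": "NAT gateway SNAT connection count high",
            "data": [
                {"refId": "A", "model": {"expr": "<metric query placeholder>"}},
                {"refId": "B", "model": {
                    "type": "threshold",
                    "conditions": [{"evaluator": {"type": "gt",
                                                  "params": [BASE_THRESHOLD]}}],
                }},
            ],
        }],
    }],
}

def scaled_threshold(num_public_ips: int, base: int = BASE_THRESHOLD) -> int:
    """Linear scaling as the issue proposes: 60000 for one IP, 120000 for two."""
    if num_public_ips < 1:
        raise ValueError("a NAT gateway needs at least one public IP")
    threshold = base * num_public_ips
    # The alert must trip before the gateway runs out of SNAT ports.
    if threshold >= PORTS_PER_PUBLIC_IP * num_public_ips:
        raise ValueError("threshold would exceed SNAT port capacity")
    return threshold

def set_snat_threshold(doc: dict, num_public_ips: int, uid: str = RULE_UID) -> dict:
    """Return a copy of the provisioning doc with the rule's threshold rescaled."""
    doc = copy.deepcopy(doc)
    for group in doc["groups"]:
        for rule in group["rules"]:
            if rule["uid"] != uid:
                continue
            for query in rule["data"]:
                if query["model"].get("type") == "threshold":
                    for cond in query["model"]["conditions"]:
                        cond["evaluator"]["params"] = [scaled_threshold(num_public_ips)]
                    return doc
    raise KeyError(f"rule {uid} or its threshold expression not found")
```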