I'm trying to add a NAT pool for port 8172 to an existing load balancer via Azure CLI.
I found what I believe is the correct command:
    az network lb inbound-nat-pool update --lb-name
                                          --name
                                          --resource-group
                                          [--add]
                                          [--backend-port]
                                          [--frontend-ip-name]
                                          [--frontend-port-range-end]
                                          [--frontend-port-range-start]
                                          [--protocol {All, Tcp, Udp}]
                                          [--remove]
                                          [--set]

and I suppose I need to use the --add option.
But what's next? How do I specify the frontend and backend settings in the add command?
> I'm trying to add a NAT pool for port 8172 to an existing load balancer via Azure CLI.
Unfortunately, adding or editing references between load balancers and scale set virtual machines is currently disabled for load balancers that contain an existing association with a scale set.
If you want to add NAT rules for VMSS, maybe we should re-create it.
If we use CLI 2.0 to add or update inbound rules, we will get this error message:
C:\Users>az network lb inbound-nat-rule create -g jasonvmss --lb-name jasonvmsslb --protocol TCP --frontend-port 8172 --backend-port 8172 -n nat1
Adding or updating NAT Rules when NAT pool is present on loadbalancer /subscriptions/5384xxxx-xxxx-xxxx-xxxx-xxxxe29a7b15/resourceGroups/jasonvmss/providers/Microsoft.Network/loadBalancers/jasonvmsslb is not supported. To modify the load balancer, pass in all NAT rules unchanged or remove the LoadBalancerInboundNatRules property from your PUT request.
Update:
We can use az network lb inbound-nat-pool create to create an inbound NAT pool; it works fine. The command looks like this:

    az network lb inbound-nat-pool create --backend-port
                                          --frontend-port-range-end
                                          --frontend-port-range-start
                                          --lb-name
                                          --name
                                          --protocol {All, Tcp, Udp}
                                          --resource-group

Scale sets use NAT Pools, not rules.
Example ARM template showing the config here: https://github.com/gatneil/mvss/blob/load-balancer/azuredeploy.json
I realized the solution is to create an additional nat-pool:
az network lb inbound-nat-pool create
You can actually modify Inbound NAT pools, you just have to make sure they are not in use by the VMSS when you do. I wrote a blog post on a related topic: removing NAT rules that were created by someone who attached a debugger to a Service Fabric cluster.
The disadvantage of this approach is possible downtime, because you temporarily disconnect the VMSS and the NAT pool(s).
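
One way to fill in the `az network lb inbound-nat-pool create` synopsis from the answers above for port 8172, as an added example that is not from any of the posters. The pool name `nat8172`, the frontend range 50000-50099 and the instance count are constructed, the resource group and load balancer names reuse the sample values from the error output, and the script only prints the command unless `RUN_AZ=1` is set.

```bash
#!/usr/bin/env bash
# Added example. Resource group and load balancer names reuse the sample
# values from the error output above; pool name, port range and instance
# count are constructed.

# Succeeds only for a decimal integer in 1..65535 (no leading zeros).
valid_port() {
  case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 65535 ]
}

# nat_pool_cmd RG LB POOL BACKEND_PORT RANGE_START RANGE_END INSTANCES
# Prints the az command (dry run) or runs it when RUN_AZ=1.
nat_pool_cmd() {
  rg=$1 lb=$2 pool=$3 backend=$4 start=$5 end=$6 instances=$7
  for p in "$backend" "$start" "$end"; do
    valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
  done
  case "$instances" in
    ''|0*|*[!0-9]*) echo "invalid instance count: $instances" >&2; return 1 ;;
  esac
  [ "$start" -le "$end" ] || { echo "range start is above range end" >&2; return 1; }
  # Each scale set instance takes one frontend port from the range, all
  # forwarded to the same backend port, so the range must cover every instance.
  size=$((end - start + 1))
  if [ "$size" -lt "$instances" ]; then
    echo "range has $size ports, need at least $instances" >&2
    return 1
  fi
  set -- az network lb inbound-nat-pool create \
    --resource-group "$rg" --lb-name "$lb" --name "$pool" \
    --protocol Tcp --backend-port "$backend" \
    --frontend-port-range-start "$start" --frontend-port-range-end "$end"
  if [ "${RUN_AZ:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Port 8172 on 100 instances, reachable on frontend ports 50000-50099.
nat_pool_cmd jasonvmss jasonvmsslb nat8172 8172 50000 50099 100
```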