diff --git a/main.tf b/main.tf
index bc2c669e..bfde731e 100644
--- a/main.tf
+++ b/main.tf
@@ -174,6 +174,20 @@ module "bastion" {
 tags = local.tags
 }
+# Creates a NAT gateway associated with GraphDB's subnet
+module "nat" {
+ source = "./modules/nat"
+
+ resource_name_prefix = var.resource_name_prefix
+ location = var.location
+ resource_group_name = azurerm_resource_group.graphdb.name
+ zones = var.zones
+
+ nat_subnet_id = azurerm_subnet.graphdb-vmss.id
+
+ tags = local.tags
+}
+
 # Creates a VM scale set for GraphDB and GraphDB cluster proxies
 module "vm" {
 source = "./modules/vm"
diff --git a/modules/nat/README.md b/modules/nat/README.md
new file mode 100644
index 00000000..d7ce7faa
--- /dev/null
+++ b/modules/nat/README.md
@@ -0,0 +1 @@
+# GraphDB NAT Module
diff --git a/modules/nat/main.tf b/modules/nat/main.tf
new file mode 100644
index 00000000..084e55dd
--- /dev/null
+++ b/modules/nat/main.tf
@@ -0,0 +1,38 @@
+locals {
+ # TODO: Is it okay to take the first one ?
+ nat_zone = var.zones[0]
+}
+
+resource "azurerm_public_ip" "graphdb-nat-ip-address" {
+ name = "${var.resource_name_prefix}-nat-gateway"
+ resource_group_name = var.resource_group_name
+ location = var.location
+
+ sku = "Standard"
+ allocation_method = "Static"
+ zones = [local.nat_zone]
+
+ tags = var.tags
+}
+
+resource "azurerm_nat_gateway" "graphdb" {
+ name = var.resource_name_prefix
+ resource_group_name = var.resource_group_name
+ location = var.location
+ zones = [local.nat_zone]
+
+ sku_name = "Standard"
+ idle_timeout_in_minutes = 10 # TODO: ???? 120 is the max in the portal
+
+ tags = var.tags
+}
+
+resource "azurerm_nat_gateway_public_ip_association" "graphdb-nat" {
+ nat_gateway_id = azurerm_nat_gateway.graphdb.id
+ public_ip_address_id = azurerm_public_ip.graphdb-nat-ip-address.id
+}
+
+resource "azurerm_subnet_nat_gateway_association" "graphdb-nat" {
+ nat_gateway_id = azurerm_nat_gateway.graphdb.id
+ subnet_id = var.nat_subnet_id
+}
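Review bot: `module "vm"` carries no dependency on the new `module "nat"`, so Terraform may create the scale set before the `azurerm_subnet_nat_gateway_association` in modules/nat/main.tf is applied; because this commit also drops the outbound-connectivity wait from entrypoint.sh.tpl, an instance that boots in that window runs `az login --identity` over whatever egress path exists at that moment, which may not yet be the NAT gateway. Adding `depends_on = [module.nat]` to `module "vm"` (its block continues below the hunk), or passing a NAT output into it, serialises the two. The header comment could also record what the gateway now is for the cluster after the per-instance public IPs are removed in modules/vm/main.tf, e.g. `# Creates a NAT gateway for outbound traffic from GraphDB's subnet; its public IP is the cluster's static egress address`.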
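Review bot: The NAT gateway and its public IP are pinned to one zone by `nat_zone = var.zones[0]`, while the scale set in modules/vm/main.tf spreads across all of `var.zones` with `zone_balance = true`, so instances in the other zones depend on that single zone for every outbound connection and lose egress if it fails; the `# TODO: Is it okay to take the first one ?` comment should be resolved before merge, either by documenting the accepted trade-off or by deploying one gateway per zone, each associated with a subnet of that zone. modules/nat/outputs.tf is added empty; exporting `azurerm_public_ip.graphdb-nat-ip-address.ip_address` would let operators allowlist the static egress address in downstream firewalls. `idle_timeout_in_minutes = 10 # TODO: ???? 120 is the max in the portal` should say why 10 was chosen rather than leave a question, e.g. `# Azure default is 4 min; raised for long-lived cluster connections (max 120)` if that is the reason. The naming is also inverted: the public IP is called `"${var.resource_name_prefix}-nat-gateway"` while the gateway itself is named just `var.resource_name_prefix`, so the gateway should take the `-nat-gateway` suffix and the IP something like `-nat-gateway-ip`.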
diff --git a/modules/nat/outputs.tf b/modules/nat/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/nat/variables.tf b/modules/nat/variables.tf
new file mode 100644
index 00000000..493b74b2
--- /dev/null
+++ b/modules/nat/variables.tf
@@ -0,0 +1,34 @@
+# General configurations
+
+variable "resource_name_prefix" {
+ description = "Resource name prefix used for tagging and naming Azure resources"
+ type = string
+}
+
+variable "location" {
+ description = "Azure geographical location where resources will be deployed"
+ type = string
+}
+
+variable "zones" {
+ description = "Availability zones to use for resource deployment and HA"
+ type = list(number)
+}
+
+variable "tags" {
+ description = "Common resource tags."
+ type = map(string)
+ default = {}
+}
+
+variable "resource_group_name" {
+ description = "Name of the resource group where GraphDB will be deployed."
+ type = string
+}
+
+# Networking
+
+variable "nat_subnet_id" {
+ description = "Identifier of the subnet to which the NAT will be associated"
+ type = string
+}
diff --git a/modules/nat/versions.tf b/modules/nat/versions.tf
new file mode 100644
index 00000000..4811298c
--- /dev/null
+++ b/modules/nat/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.1"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">=3.71.0"
+ }
+ }
+}
diff --git a/modules/vm/main.tf b/modules/vm/main.tf
index ae62fd43..5704589c 100644
--- a/modules/vm/main.tf
+++ b/modules/vm/main.tf
@@ -70,6 +70,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "graphdb" {
 zones = var.zones
 zone_balance = true
 upgrade_mode = "Manual"
+ overprovision = false
 computer_name_prefix = "${var.resource_name_prefix}-"
 admin_username = "graphdb"
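Review bot: `variable "zones"` is declared as `list(number)` with no validation, yet modules/nat/main.tf indexes it with `var.zones[0]`, so an empty list fails at plan time with an index error instead of a message naming the input. Add a `validation` block with `condition = length(var.zones) > 0` and an error message such as `"At least one availability zone is required for the NAT gateway."`. Its description should also state that this module uses only the first element, since the caller in main.tf passes the full list and the text "for resource deployment and HA" suggests otherwise.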
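Review bot: `overprovision = false` is added without a comment and the reason is not obvious from the neighbouring arguments. If the motivation is that overprovisioned instances would run the entrypoint (including `az login --identity` and the data-disk work granted by the custom role) and then be discarded, say so on the line, e.g. `overprovision = false # extra instances would run the entrypoint before being deleted`; confirm that reading against the rest of the resource, which continues outside the hunk.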
@@ -84,11 +85,6 @@ resource "azurerm_linux_virtual_machine_scale_set" "graphdb" {
 primary = true
 subnet_id = var.graphdb_subnet_id
 application_gateway_backend_address_pool_ids = var.application_gateway_backend_address_pool_ids
-
- # TODO: Temporary for testing. Remove after configuring the LB
- public_ip_address {
- name = "first"
- }
 }
 }
@@ -103,10 +99,12 @@ resource "azurerm_linux_virtual_machine_scale_set" "graphdb" {
 }
 tags = var.tags
+
+ depends_on = [azurerm_role_assignment.rg-contributor-role]
 }
 resource "azurerm_role_definition" "managed_disk_manager" {
- name = "ManagedDiskManager"
+ name = "ManagedDiskManager2"
 scope = var.resource_group_id
 description = "This is a custom role created via Terraform required for creating data disks for GraphDB"
@@ -132,6 +130,6 @@ resource "azurerm_role_definition" "managed_disk_manager" {
 resource "azurerm_role_assignment" "rg-contributor-role" {
 principal_id = var.identity_principal_id
 scope = var.resource_group_id
- role_definition_name = "ManagedDiskManager"
+ role_definition_name = "ManagedDiskManager2"
 depends_on = [azurerm_role_definition.managed_disk_manager]
 }
diff --git a/modules/vm/templates/entrypoint.sh.tpl b/modules/vm/templates/entrypoint.sh.tpl
index 17b70640..2c63708a 100644
--- a/modules/vm/templates/entrypoint.sh.tpl
+++ b/modules/vm/templates/entrypoint.sh.tpl
@@ -4,14 +4,9 @@ set -euxo pipefail
 echo "Configuring GraphDB instance"
+# Stop in order to override configurations
 systemctl stop graphdb
-# TODO: If GraphDB is behind closed network, this would break the whole initialization...
-until ping -c 1 google.com &> /dev/null; do
- echo "waiting for outbound connectivity"
- sleep 5
-done
-
 # Login in Azure CLI with managed identity (user or system assigned)
 az login --identity
diff --git a/output.tf b/output.tf
index 93fcc83b..983ec93e 100644
--- a/output.tf
+++ b/output.tf
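Review bot: The custom role is renamed to the literal `"ManagedDiskManager2"` in two places, the `azurerm_role_definition` in this hunk and the `azurerm_role_assignment` in the `@@ -132,6 +130,6 @@` hunk, which reads as a workaround for a name collision with an existing definition; custom role names are unique across the tenant, so a fixed name, with or without a numeric suffix, will collide again between deployments that share a tenant. Deriving the name from the prefix, `name = "${var.resource_name_prefix}-managed-disk-manager"`, and binding the assignment by id, `role_definition_id = azurerm_role_definition.managed_disk_manager.role_definition_resource_id`, removes both the duplicated literal and the need for the explicit `depends_on` in the assignment. The `depends_on = [azurerm_role_assignment.rg-contributor-role]` added to the scale set deserves a one-line comment, e.g. `# instances need the disk role before their entrypoint runs`, if that is the reason. The scale-set resource starts before the first hunk.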
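Review bot: With the wait loop gone, `az login --identity` is the first network-dependent command after `set -euxo pipefail`, so a transient failure while the instance is still booting (the identity endpoint or the NAT association not yet in place) aborts the whole script instead of being retried; the removed loop at least let the network settle, even though probing a third-party host was the wrong way to do it. A bounded retry around the login keeps fail-fast behaviour for persistent errors while tolerating start-up races, and its exhaustion message gives operators something concrete to find in the serial log. The script begins before the hunk.
```shell
# … unchanged: systemctl stop graphdb …

# Login in Azure CLI with managed identity (user or system assigned)
# Retried: the identity endpoint and the outbound path may not be ready right after boot
for attempt in $(seq 1 10); do
  if az login --identity; then
    break
  fi
  if [ "$attempt" -eq 10 ]; then
    echo "managed identity login failed after $attempt attempts" >&2
    exit 1
  fi
  echo "waiting for managed identity login (attempt $attempt)"
  sleep 10
done
```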
@@ -1,4 +1,4 @@
-output "public_address_fqdn" {
- description = "External FQDN address for GraphDB"
- value = module.address.public_ip_address_fqdn
-}
+#output "public_address_fqdn" {
+# description = "External FQDN address for GraphDB"
+# value = module.address.public_ip_address_fqdn
+#}
diff --git a/variables.tf b/variables.tf
index b600da02..0e7546ea 100644
--- a/variables.tf
+++ b/variables.tf
@@ -48,6 +48,12 @@ variable "graphdb_subnet_address_prefix" {
 default = ["10.0.2.0/24"]
 }
+variable "bastion_subnet_address_prefix" {
+ description = "Bastion subnet address prefix"
+ type = list(string)
+ default = ["10.0.4.0/27"]
+}
+
 # TLS
 variable "tls_certificate_path" {
@@ -158,9 +164,3 @@ variable "deploy_bastion" {
 type = bool
 default = false
 }
-
-variable "bastion_subnet_address_prefix" {
- description = "Bastion subnet address prefix"
- type = list(string)
- default = ["10.0.3.0/27"]
-}
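Review bot: The `public_address_fqdn` output is commented out with `#` rather than removed, leaving dead code in output.tf. If `module.address` is going away with the NAT change, delete the block (history keeps it); if the output is meant to come back, a single `# TODO: restore public_address_fqdn once the load balancer is configured` is clearer than four commented lines. Dropping an output is also a breaking change for anything reading it from remote state, which is worth a changelog line.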
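Review bot: The default of `bastion_subnet_address_prefix` changes from `["10.0.3.0/27"]` to `["10.0.4.0/27"]` with no comment on why 10.0.3.0/24 is now skipped; existing deployments that rely on the default will see their bastion subnet re-addressed, which Azure may refuse while the bastion host occupies it, so the reason (presumably a range reserved for another subnet) belongs next to the default, e.g. `# 10.0.3.0/24 is reserved for another subnet; see the subnet layout in main.tf`. The `@@ -158,9 +164,3 @@` hunk is the matching removal of the old definition and needs nothing further.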