Azure / azure-powershell

Microsoft Azure PowerShell

Set-AzVirtualNetworkSubnetConfig doesn't seem to be able to set a NAT Gateway to a subnet #23027

Open jbeeden-lumen opened 11 months ago

jbeeden-lumen commented 11 months ago

Description

In Az.Network 6.2.0, Set-AzVirtualNetworkSubnetConfig doesn't seem to be able to set a NAT Gateway on a subnet; it does not error, but the NAT Gateway is never set. The exact same command (replacing NatGateway with NSG) works as expected when applying an NSG to a subnet.

Issue script & Debug output

The returned data is too long, so I have pasted a subset; I have the full output if needed.
PS D:\Scripts> $DebugPreference='Continue'
PS D:\Scripts> Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name $Name -AddressPrefix $Prefix -InputObject $NatGW | Set-AzVirtualNetwork
DEBUG: 10:45:24 AM - SetAzureVirtualNetworkSubnetConfigCommand begin processing with ParameterSet 'SetByResource'.
DEBUG: 10:45:24 AM - using account id ''...
DEBUG: 10:45:24 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:45:24 AM - SetAzureVirtualNetworkCommand begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 10:45:24 AM - using account id '...
DEBUG: 10:45:24 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'j', environment: 'AzureCloud', tenant: 'f'
DEBUG: 10:45:24 AM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 10:45:24 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:''
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - bdaa1c9c-0a22-4a72-975d-65163fdcdf66] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z] Found 4 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z] Returning 4 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(5060335b-4389-4e5d-9bba-b0ce946aa9e3)
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 5060335b-4389-4e5d-9bba-b0ce946aa9e3
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] Access token is not expired. Returning the found cache entry. [Current time (10/19/2023 14:45:24) - Expiration Time (10/19/2023 16:01:00 +00:00) - Extended Expiration Time (10/19/2023 16:01:00 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 7.0.11 Microsoft Windows 10.0.22621 [2023-10-19 14:45:24Z - 5060335b-4389-4e5d-9bba-b0ce946aa9e3]  AT expiration time: 10/19/2023 4:01:00 PM +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-10-19T16:01:00.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'f93a8abd-5bb6-4d51-87d1-d660b57030ee', UserId: 'jbeeden@dev.beeden.net'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001?api-version=2023-05-01

Headers:
Accept-Language               : en-US
x-ms-client-request-id        : 13f8a06b-15c7-4194-aab4-cac65d9494f9

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
ETag                          : W/"57220700-7c35-4e66-be18-40938487f4ac"
x-ms-request-id               : 37038b34-4844-4250-aca0-946f1acaa400
x-ms-correlation-request-id   : 532a124f-1666-4a0e-b2de-bd1048c7c3c0
x-ms-arm-service-request-id   : 31161935-e7fb-4211-a967-5bf0c872987a
Strict-Transport-Security     : max-age=31536000; includeSubDomains
Server                        : Microsoft-HTTPAPI/2.0,Microsoft-HTTPAPI/2.0
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-routing-request-id       : CANADACENTRAL:20231019T144524Z:532a124f-1666-4a0e-b2de-bd1048c7c3c0
X-Content-Type-Options        : nosniff
Date                          : Thu, 19 Oct 2023 14:45:24 GMT

Body:
{
  "name": "vnet-ScriptTest-eus-001",
  "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001",
  "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
  "type": "Microsoft.Network/virtualNetworks",
  "location": "eastus",
  "properties": {
    "provisioningState": "Succeeded",
    "resourceGuid": "a5dc312f-7a7b-4f16-a924-c167d73d1716",
    "addressSpace": {
      "addressPrefixes": [
        "10.251.1.0/24"
      ]
    },
    "subnets": [
      {
        "name": "AzureFirewallSubnet",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/subnets/AzureFirewallSubnet",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "addressPrefix": "10.251.1.0/26",
          "serviceEndpoints": [],
          "delegations": [],
          "privateEndpointNetworkPolicies": "Disabled",
          "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
      },
      {
        "name": "GatewaySubnet",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/subnets/GatewaySubnet",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "addressPrefix": "10.251.1.160/27",
          "serviceEndpoints": [],
          "delegations": [],
          "privateEndpointNetworkPolicies": "Disabled",
          "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
      },
      {
        "name": "AzureBastionSubnet",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/subnets/AzureBastionSubnet",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "addressPrefix": "10.251.1.192/26",
          "serviceEndpoints": [],
          "delegations": [],
          "privateEndpointNetworkPolicies": "Disabled",
          "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
      },
      {
        "name": "snet-msad-eus-001",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/subnets/snet-msad-eus-001",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "addressPrefix": "10.251.1.128/28",
          "networkSecurityGroup": {
            "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-nsg-test-eus-001/providers/Microsoft.Network/networkSecurityGroups/nsg-adlockdown-eus-001"
          },
          "serviceEndpoints": [],
          "delegations": [],
          "privateEndpointNetworkPolicies": "Disabled",
          "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
      },
      {
        "name": "snet-prod-eus-001",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/subnets/snet-prod-eus-001",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "addressPrefix": "10.251.1.64/26",
          "ipConfigurations": [
            {
              "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/RG-VM-LINUX-001/providers/Microsoft.Network/networkInterfaces/NIC-LINUX-VM-001/ipConfigurations/IPCONFIG1"
            },
            {
              "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/RG-VM-LINUX-002/providers/Microsoft.Network/networkInterfaces/NIC-LINUX-VM-002/ipConfigurations/IPCONFIG1"
            }
          ],
          "serviceEndpoints": [],
          "delegations": [],
          "privateEndpointNetworkPolicies": "Disabled",
          "privateLinkServiceNetworkPolicies": "Enabled"
        },
        "type": "Microsoft.Network/virtualNetworks/subnets"
      }
    ],
    "virtualNetworkPeerings": [
      {
        "name": "Peer-East-West",
        "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-eus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-eus-001/virtualNetworkPeerings/Peer-East-West",
        "etag": "W/\"57220700-7c35-4e66-be18-40938487f4ac\"",
        "properties": {
          "provisioningState": "Succeeded",
          "resourceGuid": "ecef0abb-dfb3-0602-02a6-6ae01ba94c4f",
          "peeringState": "Connected",
          "peeringSyncLevel": "FullyInSync",
          "remoteVirtualNetwork": {
            "id": "/subscriptions/5f80d186-121e-4502-b608-b57079edf27d/resourceGroups/rg-ScriptTest-wus-001/providers/Microsoft.Network/virtualNetworks/vnet-ScriptTest-wus-001"
          },
          "allowVirtualNetworkAccess": true,
          "allowForwardedTraffic": false,
          "allowGatewayTransit": false,
          "useRemoteGateways": false,
          "doNotVerifyRemoteGateways": false,
          "peerCompleteVnets": true,
          "remoteAddressSpace": {
            "addressPrefixes": [
              "10.251.2.0/24"
            ]
          },
          "remoteVirtualNetworkAddressSpace": {
            "addressPrefixes": [
              "10.251.2.0/24"
            ]
          },
          "routeServiceVips": {}
        },
        "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
      }
    ],
    "enableDdosProtection": false
  }
}

DEBUG: AzureQoSEvent:  Module: Az.Network:6.2.0; CommandName: Set-AzVirtualNetworkSubnetConfig; PSVersion: 7.3.8; IsSuccess: True; Duration: 00:00:02.0257844
DEBUG: 10:45:26 AM - SetAzureVirtualNetworkSubnetConfigCommand end processing.
DEBUG: 10:45:26 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:45:26 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent:  Module: Az.Network:6.2.0; CommandName: Set-AzVirtualNetwork; PSVersion: 7.3.8; IsSuccess: True; Duration: 00:00:02.0761042
DEBUG: 10:45:26 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:45:26 AM - SetAzureVirtualNetworkCommand end processing.
ResourceGroupName     Name                    Location ProvisioningState EnableDdosProtection
-----------------     ----                    -------- ----------------- --------------------
rg-ScriptTest-eus-001 vnet-ScriptTest-eus-001 eastus   Succeeded         False

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.8
PSEdition                      Core
GitCommitId                    7.3.8
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.13.1                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     6.2.0                 Az.Network                          {Add-AzApplicationGatewayAuthenticationCertificat…

Error output

PS D:\Scripts> Resolve-AzError
DEBUG: 10:47:44 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 10:47:44 AM - using account id 'jbeeden@dev.beeden.net'...
DEBUG: 10:47:44 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

DEBUG: 10:47:44 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:47:44 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.13.1; CommandName: Resolve-AzError; PSVersion: 7.3.8; IsSuccess: True; Duration: 00:00:00.0013459
DEBUG: 10:47:44 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:47:44 AM - ResolveError end processing

microsoft-github-policy-service[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @vnetsuppgithub.

jbeeden-lumen commented 10 months ago

Anything? Still doesn't work with AZ 11.0

matkr265 commented 3 months ago

Bump, I am facing the same issue with AZ 12.0.0. Is a fix coming?
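
A read-back check for the silent no-op reported in this issue, as an added example that is not part of the original thread or of Az.Network: it parses a virtual network ARM body of the same shape as the GET response in the debug output and reports whether a subnet's `natGateway.id` matches the expected gateway. The function name `Test-SubnetNatGateway`, the sample JSON and the placeholder IDs are constructed for illustration.

```powershell
# Added example: verify from the ARM body of a virtual network that a subnet
# actually references the expected NAT gateway after Set-AzVirtualNetwork returns.
function Test-SubnetNatGateway {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VnetJson,             # ARM body of the vnet
        [Parameter(Mandatory)] [string] $SubnetName,
        [Parameter(Mandatory)] [string] $ExpectedNatGatewayId
    )

    $vnet   = $VnetJson | ConvertFrom-Json
    $subnet = $vnet.properties.subnets | Where-Object { $_.name -eq $SubnetName }
    if (-not $subnet) {
        throw "Subnet '$SubnetName' not found in virtual network '$($vnet.name)'."
    }

    # properties.natGateway is absent when no NAT gateway is associated,
    # as in every subnet of the GET response shown on this page.
    $actual = $null
    if ($subnet.properties.PSObject.Properties['natGateway']) {
        $actual = $subnet.properties.natGateway.id
    }

    [pscustomobject]@{
        Subnet       = $SubnetName
        NatGatewayId = $actual
        # -eq on strings is case-insensitive, matching ARM resource ID semantics.
        Attached     = ($null -ne $actual) -and ($actual -eq $ExpectedNatGatewayId)
    }
}

# Constructed sample input (placeholder subscription, hypothetical resource names).
$natId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/natGateways/ng-example'
$sampleJson = @"
{
  "name": "vnet-example",
  "properties": {
    "subnets": [
      { "name": "snet-a", "properties": { "addressPrefix": "10.0.0.0/26" } },
      { "name": "snet-b", "properties": { "addressPrefix": "10.0.0.64/26",
                                          "natGateway": { "id": "$natId" } } }
    ]
  }
}
"@

# Check both subnets of the constructed sample.
'snet-a', 'snet-b' | ForEach-Object {
    Test-SubnetNatGateway -VnetJson $sampleJson -SubnetName $_ -ExpectedNatGatewayId $natId
}
```

Against a live subscription, the JSON can come from `(Invoke-AzRestMethod -Method GET -Path '<vnet resource ID>?api-version=2023-05-01').Content`, run after the `Set-AzVirtualNetwork` pipeline completes, so that a `Succeeded` provisioning state is not taken as proof the association was written.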