I have a VPN but the other end requires a specific private IP to allow traffic throughout

Oliver Centeno 0

Hello,

I configured a site-to-site VPN with a client using a public IP, a virtual network gateway with its gateway subnet and the connection gets stablished.

Screenshot 2024-08-27 at 08.51.55

But the client has assigned an specific IP for the traffic from this VPN to be allowed. That IP belongs to the gateway subnet and I tried to get a private IP for the virtual network gateway, but it is assigned automatically and I get precisely the next IP from the one I shall get (.99). I tried many times and it is consistently giving me the same IP (.100).

Screenshot 2024-08-27 at 08.56.00

I also tried an Active-Active mode but that gives as the second private the IP .103

Is there any way to force the IP that I need to be assigned? Shall I proceed in a different way?

Thanks

Marcel van Eck 5 Reputation points

2024-08-27T11:44:45.1833333+00:00

The traffic that is sent to the VPN gateway on the other side will always originate from 172.31.3.100 PUBLIC IP address.
Since the VPN tunnel is establishing OK, it seems no problems there.

Am I right to assume there is a problem with the PRIVATE ip ranges not being allowed on the other side? You should make sure the firewall on the other side properly routes and allows the private (azure) subnet trough.
Oliver Centeno 0 Reputation points

2024-08-27T13:38:53.35+00:00

Thanks for your answer,

First and foremost 172.31.3.100 is not public but private and I need it to be 172.31.3.99 for the traffic to be allowed, but I cannot control such configuration.

The tunnel is stablished but no traffic goes through.

The other side is configured (and immutable) to allow only 99. That was the first thing I thought of but the IT at the other end cannot put me through 100 as it is used by another VPN. They basically have a 172.16.0.0/12 private subnet for VPNs and they want our traffic to NAT specifically through 172.31.3.99
Oliver Centeno 0 Reputation points

2024-08-28T11:33:03.5633333+00:00

Thanks for the answer Ganesh Patapati (Quadrant Resource LLC),

There is a missunderstanding here. The other end of the VPN is not mine and I cannot manage it, thus I cannot whitelist the whole GatewaySubnet. I can only manage the Azure end resources in my subscription.

I do not need it to be active-active, I just need a way to NAT the traffic from the Azure vitual network through 172.31.3.99.

Thanks
Ganesh Patapati (Quadrant Resource LLC) 175 Reputation points Microsoft Vendor

2024-08-29T19:05:02.5933333+00:00
Hi Oliver Centeno,

Thank you for providing further clarification. Based on the details you’ve shared, here’s a consolidated approach to address the NAT and VPN setup with Azure VPN Gateway:

Here are the few steps,

1)NAT Configuration:

Double-check your NAT configuration to ensure that the NAT range does not overlap with the gateway subnet.

Verify that the NAT range is different from the VPN address space.

Private IPs assigned to the VPN gateway are generally used for tunnel establishment and should not be directly involved in NAT.

Unfortunately, in this case the Private IP that needs to be Nated (172.31.3.99) is part of the gateway subnet, which makes it challenging to implement a NAT solution.

Azure VPN Gateway supports Dynamic NAT:

Configure Dynamic NAT in Azure VPN Gateway using the distinct NAT range.

The NAT range should be different from the VPN address space.

Every Dynamic NAT rule can be assigned to a single connection.

Refer: https://video2.skills-academy.com/en-us/azure/vpn-gateway/nat-overview#type

3)Contact the Other side:

Reach out to the other side and request that they whitelist the necessary IP Ranges. If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

Regards,

Ganesh
Ganesh Patapati (Quadrant Resource LLC) 175 Reputation points Microsoft Vendor

2024-08-30T17:15:17.3266667+00:00

Hello Oliver Centeno,

Hope you are doing well!

I would like to follow up with the thread.

Could you please go through the last comment and provide us the required information to drive the thread further.

If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

Regards

Ganesh Patapati
Oliver Centeno 0 Reputation points

2024-09-02T07:46:09.75+00:00
Thanks Ganesh,

I followed your explanation and we still experience issues.

Network is 10.0.0.0/16

GatewaySubnet 10.0.1.0/24

2 NAT are created on the VNG (valid generation and SKU, i disabled the private IP)

I apply the NAT to the connection (ingress or egress not both, otherwise it throws an error)

And the connection breaks and still no traffic.

:/I even tried to add the 172.31.3.0/24 network to the Local network gateway Address Space. Same results.
Ganesh Patapati (Quadrant Resource LLC) 175 Reputation points Microsoft Vendor

2024-09-02T19:01:37.9233333+00:00
Hi Oliver Centeno,

I hope you're having a great day!

From the details shared, it would be best to use an Egress SNAT rather than an Ingress SNAT for applying NAT to the connection.

Regards,

Ganesh
Ganesh Patapati (Quadrant Resource LLC) 175 Reputation points Microsoft Vendor

2024-09-04T20:03:20.2166667+00:00

Hi Oliver Centeno,

Greetings of the day!

I would like to follow up with the thread.

Just checking in to see if you have got a chance to see my previous comment to your question in resolving the issue.

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

Looking forward to your response and appreciate your time on this.

Regards,

Ganesh

1 answer

Ganesh Patapati (Quadrant Resource LLC) 175 Reputation points Microsoft Vendor

2024-08-27T15:44:46.9366667+00:00
Hi Oliver Centeno,

Thank you for reaching out to the Microsoft Q&A Platform.

We understand from your query that you are experiencing an issue while trying to allow traffic to VPN, but the other end requires a specific private IP for these queries,

here are the following major reasons to follows-

NOTE: Unfortunately, it's not possible to manually assign a specific IP address to a virtual network gateway in Azure. The IP address is automatically assigned by Azure from the gateway subnet, and it's not configurable.

For S2S connections with an active-active mode VPN gateway, ensure tunnels are established to each gateway VM instance. If you establish a tunnel to only one gateway VM instance, the connection will go down during maintenance. If your VPN device doesn't support this setup, configure your gateway for active-standby mode instead.

It would be best to use an Egress SNAT rather than an Ingress SNAT for applying NAT to the connection.

Refer: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub

As this something which is not supported. We encourage customers to create a feedback item for this request on the feedback forum

https://feedback.azure.com/d365community

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

If the above response helps to address your concern, please remember to "Accept Answer" so that others in the community experiencing similar problems can easily find a solution.

Your contribution is greatly appreciated.

Regards,

Ganesh Patapati
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

I have a VPN but the other end requires a specific private IP to allow traffic throughout

1 answer

Your answer