How to use public IP address NAT for VPN traffic

EddieB 20

We already have multiple VPN connections up and running in our Azure Virtual Network connecting to our on-prem locations.

Now we have an external 3rd party that we need to connect to via VPN as well.

For this new connection, they require that the the traffic going over the VPN is NATed via a PUBLIC IP address. They cannot accept private or shared IP subnet spaces. So this will be in addition to the public gateway IP address... If we can use the same address for the VPN gateway and NATing that would be fine, but not a requirement.

I am able to establish the IKEv2 S2S VPN connection without any problems, but on the other end, AFTER data goes through the VPN runnel, they are seeing the traffic coming from our internal subnets.

I have tried adding a public IP address to the VM on our end that needs to connect to them, but I am not sure how to route traffic, using the public IP address, through the VPN gateway, or if that is even an option.

I was also wondering if there is a setting within the Virtual Network Gateway to enforce this behavior, to force it to NAT the VPN traffic via a public IP address.

Thanks

Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-08-29T11:11:36.88+00:00
Hello EddieB,

Welcome to Microsoft Q&A and thank you for posting your questions here.

Yes, there is a way in Azure VPN Gateway can use NAT rules to translate private IP addresses to a public IP address.

Make sure that VPN Gateway supports NAT.

These are the NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.

You can configure an ingress NAT rule to translate incoming traffic from the public IP to the internal subnet, and an egress NAT rule to translate the traffic from the internal network to the public IP address when it goes out to the third-party.

Ensure that the routing tables (UDRs) are correctly set up so that the traffic from the internal subnets is directed through the VPN gateway, which now performs NAT to translate the IP addresses.

Additional information: Configure NAT for Azure VPN Gateway

If you have any further queries, do let us know.
Thank you,

Vinnakota Rohith

If the answer is helpful, please click "Accept Answer" and "Upvote it."
Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-09-09T01:40:55.35+00:00

Hi EddieB,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-09-10T01:39:30.8166667+00:00

Hi EddieB,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
EddieB 20 Reputation points

2024-09-10T11:14:36.81+00:00

The NAT options on the VPN Gateway only support using Private and Shared space addresses.

I need the traffic to be NATed through a single Public IP address, in this case, the same IP address as the VPN connection gateway, and I was not able to get this working with the NAT options on the VPN Gateway.

I WAS able to get this working in a test environment by using a third party network appliance as the VPN. I did this using "pfSense" running on an Azure VM.
Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-09-12T04:25:15.57+00:00

Hi EddieB,

Just checking in to see if you had a chance to see my response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.

Thanks,
Rohith
EddieB 20 Reputation points

2024-09-12T10:58:27.6133333+00:00

I set up a pfSense NVA (from the Azure Marketplace) and it appears to be working well, including NATing.

Thank you.
Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-09-12T13:04:35.6933333+00:00

Hi EddieB,

Greetings of the day!

I've turned my comment into an answer.

If the above response helps to address your concern, please remember to "Accept Answer" and "Upvote it" so that others in the community experiencing similar problems can easily find a solution.

Thanks,
Rohith

Accepted answer

Rohith Vinnakota 315 Reputation points Microsoft Vendor

2024-09-11T05:45:54.2633333+00:00

Hi EddieB,

Welcome to Microsoft Q&A and thank you for posting your questions here.

I recommend implementing a Network Virtual Appliance (NVA).

Azure VPN Gateway's NAT features don't support public IP addresses. To achieve NAT with a public IP, you'll need to use a separate tool, such as a Network Virtual Appliance.

If you have any further concerns, please do not hesitate to contact us. We are pleased to help you.

If the above response helps to address your concern, please remember to "Accept Answer" and "Upvote it" so that others in the community experiencing similar problems can easily find a solution.

Thank,
Rohith Vinnakota,
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to use public IP address NAT for VPN traffic

0 additional answers

Your answer