S2S VPN with Inside Public IP

Blane Bunderson 31 Reputation points
2021-07-16T19:39:12.24+00:00

I have an active support ticket open with Microsoft/Azure. I am posting in various places. We are trying to set up a S2S VPN in Azure where our resources in Azure are presented on the IPSEC tunnel as a public IP address instead of the normal IP. We have tried NVA, Azure Firewall, NAT Gateway, VPN Gateway, and even looking at Azure WAN. This is becoming a common request for exchanging healthcare data between sites that have conflicting addresses. In the past we just NAT one private IP to another private IP, but now we have some peers that require a public address on both the outside and the inside of the tunnel. (To my understanding, in AWS you can accomplish this via a transit gateway.)


Accepted answer
  1. SaiKishor-MSFT 17,216 Reputation points
    2021-07-20T19:40:21.167+00:00

    @Blane Bunderson Thank you for reaching out to Microsoft Q&A.

    I understand that you want to set up a S2S VPN in Azure with the resources in Azure presented as public IP addresses instead of regular private IP address ranges.

    This is possible if you deploy your virtual network with a public IP address range instead of a private range. As seen in the Creating a Virtual Network document:

    Address space: The address space for a virtual network is composed of one or more non-overlapping address ranges that are specified in CIDR notation. The address range you define can be public or private (RFC 1918). Whether you define the address range as public or private, the address range is reachable only from within the virtual network, from interconnected virtual networks, and from any on-premises networks that you have connected to the virtual network. You cannot add the following address ranges:
    224.0.0.0/4 (Multicast)
    255.255.255.255/32 (Broadcast)
    127.0.0.0/8 (Loopback)
    169.254.0.0/16 (Link-local)
    168.63.129.16/32 (Internal DNS, DHCP, and Azure Load Balancer health probe)

    With this setup, you will have public IP addresses for the resources in the VM, and when this is presented to your on-premises network via VPN, it will be presented with the public IP addresses themselves. This is the only way to have public IP addresses on both the inside and the outside of the tunnel, i.e., before and after encryption. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

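The address-space rules quoted in the accepted answer, turned into a pre-flight check for a candidate VNet range: it rejects the five ranges Azure refuses, overlapping prefixes within one address space, and any overlap with the peer's ranges on the far side of the tunnel (the "conflicting addresses" problem from the question), and it reports whether the space is actually public rather than RFC 1918. This is an added example, not code from the thread or from Microsoft; the prefixes used in the comments and test are constructed placeholders.

```python
import ipaddress

# Ranges Azure will not accept in a VNet address space (from the accepted answer).
DISALLOWED = {
    "224.0.0.0/4": "Multicast",
    "255.255.255.255/32": "Broadcast",
    "127.0.0.0/8": "Loopback",
    "169.254.0.0/16": "Link-local",
    "168.63.129.16/32": "Internal DNS, DHCP, and Azure Load Balancer health probe",
}

# RFC 1918 private ranges; anything outside these counts as "public" here.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vnet_address_space(prefixes, peer_prefixes=()):
    """Return a list of problems with a candidate VNet address space.

    An empty list means: every prefix parses, none overlaps a disallowed
    range, none overlaps another prefix in the same space, and none overlaps
    a range the VPN peer advertises (so no NAT is needed on the tunnel).
    """
    problems = []
    nets = []
    for p in prefixes:
        try:
            nets.append(ipaddress.ip_network(p, strict=True))
        except ValueError as exc:
            problems.append(f"{p}: not a valid CIDR prefix ({exc})")
    for net in nets:
        for bad, why in DISALLOWED.items():
            if net.overlaps(ipaddress.ip_network(bad)):
                problems.append(f"{net} overlaps disallowed {bad} ({why})")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b} in the same address space")
    for net in nets:
        for peer in (ipaddress.ip_network(p) for p in peer_prefixes):
            if net.overlaps(peer):
                problems.append(f"{net} conflicts with peer range {peer}")
    return problems


def is_rfc1918(prefixes):
    """True if any prefix falls inside RFC 1918 space (i.e. the space is not public)."""
    return any(ipaddress.ip_network(p).overlaps(r) for p in prefixes for r in RFC1918)


if __name__ == "__main__":
    # Constructed example: an owned public /24 presented to a peer that uses 10.0.0.0/8.
    print(check_vnet_address_space(["203.0.113.0/24"], ["10.0.0.0/8"]))  # []
    print(is_rfc1918(["203.0.113.0/24"]))  # False
```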


1 additional answer

  1. Shawn Morrissey 21 Reputation points
    2021-11-03T15:06:56.59+00:00

    @Blane Bunderson

    @SaiKishor-MSFT Kishor

    Hi Blane, I found your post from July 25th in Microsoft Q&A; I'm attempting to configure an S2S VPN similar to yours and have run into the same issues...Thanks for your advice about reserving the Public IP prefix...that makes a lot of sense!
    I have a question about setting up the virtual network gateway; did you use a Public IP address auto assigned by Azure, or did you somehow configure one of your reserved addresses and use that instead? If I try to assign an IP from the reserved range, I get a message that "The SKU type for the public IP address does not match the SKU type for the virtual network gateway". If I let it auto-assign one it looks like it will create it, but I wasn't sure if that was the method you used...

    I'd appreciate any help you can send my way !!

    Thanks,

    Shawn Morrissey
