Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,197 questions
IP subnet already in use on premise. Any way to NAT Azure Virtual Network addresses rather than On premise VPN address
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 70%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Joe Stravers
0
Reputation points
We have an Azure subscription which has 20 Site to Site VPN's connected to seperate customers, there is no public ip address access, all access is S2S VPN only.
In the Azure subscription there are 2 regions setup with failover from primary to secondary region with 3 App-Services, SQL server (2 databases), several VM's and file share.
There is a new customer with multiple internal subnets and 2 of their internal subnets are already used for their own Site to Site VPN tunnels to their other sites with the exact same IP addressing as the Virtual subnets containing the resources in Azure. As these subnets are in use at both the customer on-premise site and the in use in the Azure subscription there is no way to create a S2S VPN for them so we are looking for possible solutions to this problem.
There appears to be no way of NATing internal Azure subnets, only NATing customer inbound subnets. There also seems to be no way to add a second network interface to an app-service or file share on place it on a second Virtual network.
Azure application gateway looked like it might work by putting it on a new virtual network and then passing the traffic through to the app-service, but I don't know if it NATs or if it would pass Files through on port 445?
{count} votes
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee2023-12-11T11:33:41.3433333+00:00 Hello @Joe Stravers ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Did you take a look into NAT on Azure VPN Gateway?
Azure VPN Gateway NAT supports connecting on-premises networks or branch offices to an Azure virtual network with overlapping IP addresses.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview
https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-howto
Regards,
Gita
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
Joe Stravers 0 Reputation points
2023-12-11T11:52:16.2766667+00:00 Hi Gita,
That only works if the conflicting subnet is used to access Azure over the S2SVPN and It isn't.
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-12T11:05:30.45+00:00 Hello @Joe Stravers , I'm not sure I understand the existing setup and your requirement clearly.
As these subnets are in use at both the customer on-premise site and the in use in the Azure subscription there is no way to create a S2S VPN for them so we are looking for possible solutions to this problem.
Are you saying that the existing subnets on their on-premises side cannot be used to create S2S VPN to Azure as those subnets are already used in other S2S connections?
That only works if the conflicting subnet is used to access Azure over the S2SVPN and It isn't.
What are you trying to access with the conflicting subnet?
I would request you to provide more details on the existing setup for better clarity.
Regards,
Gita
-
Joe Stravers 0 Reputation points
2023-12-12T11:24:29.6966667+00:00 Ok, lets say the Azure app-service is on IP 10.0.1.4 in subnet 10.0.1.0/24 and an Azure file share is on 10.0.2.4 in subnet 10.0.2.0/24 (These are used by 20 individual customer sites over S2S VPN so can't be changed)
The new customer has internal Network in Office 1 of 192.168.0.0/23 and has VPN tunnels to office 1 on 10.0.1.0/24 to office 2 on 10.0.2.0/24, office 3 on 10.0.3.0/24. (These cannot be changed)
There is no way to create a tunnel into Azure as the Azure IP addresses and subnets are already in use in the on premise network firewall.
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-12T12:20:37.2733333+00:00 @Joe Stravers , okay but why do you think that Azure VPN NAT won't help in this case?
NAT on the VPN gateway translates the source and/or destination IP addresses, based on the NAT policies or rules to avoid address conflict.
- You need both Ingress and Egress rules on the same connection when the on-premises network address space overlaps with the virtual network address space.
- If the virtual network address space is unique among all connected networks, you don't need the EgressSNAT rule on those connections. You can use the Ingress rules to avoid address overlap among the on-premises networks.
- If the virtual network address space is overlapping with any connected network, then you need an EgressSNAT rule on those connections.
You've the point 3, where Azure Vnet and other connected network are overlapping but the on-premises network itself is unique. So, you can configure EgressSNAT mode on your VPN gateway.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview#mode
EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure Vnet's Site-to-site VPN gateway towards on-premises.
An EgressSNAT rule maps the Azure VNet address space to another translated address space.
An example of this would be Azure has a Vnet of 10.0.0.0/16 with a VM IP of 10.0.1.5. The OnpremServer1 with the IP 192.168.0.5 needs to connect to AzureVM1 (10.0.1.5). But the CX already has 10.0.0.0/16 in use elsewhere and wants to use 172.28.1.5/32 to connect to the AzureVM1. So, we create a EgressSNAT rule on the virtual network gateway when translates 10.0.1.5/32 to 172.28.1.5/32. So, when servers that are on-premises such as OnpremServer1 they use the IP address of 172.28.1.5 it will get translated at the VNG from 172.28.1.5 to 10.0.1.5. When the traffic returns to on-premises, they will see as the sender address 172.28.1.5.
For each NAT rule, the mapping fields specify the address spaces before and after the translation: Internal mapping for IP range that will be translated for example 10.0.1.5. External mapped is the result 172.28.1.5
Regards,
Gita
-
Joe Stravers 0 Reputation points
2023-12-12T13:24:48.3833333+00:00 That doesn't work, I have already tried that and the VPN download configuration file keeps the same Azure internal address space not the NAT'd address space (Also tried replacing with NAT subnet and the tunnel won't connect). The NAT only works to translate the on-premise address and not the Azure internal addreses.
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-13T08:29:49.44+00:00 @Joe Stravers , I've seen many customers using EgressSNAT mode on their VPN gateways to NAT Azure subnets.
So, if it didn't work for you, it could be related to misconfiguration or any other limitations or some ongoing platform bug. Without checking the setup & configuration, it is difficult to say why NAT didn't work in your case.
But like I mentioned above, it should work. And if you are interested in using S2S VPN with NAT, I would request you to open a support request for further assistance. If you don't have a support plan and need help with a one-time free technical support, do let us know.
Now coming back to your initial question:
Azure application gateway looked like it might work by putting it on a new virtual network and then passing the traffic through to the app-service, but I don't know if it NATs or if it would pass Files through on port 445?
Azure Application gateway is a reverse proxy or web traffic (OSI layer 7) load balancer that enables you to manage traffic to your web applications.
To understand how you should select load-balancing options in Azure, you can refer the below doc:
You can find more information about how Application gateway works in the below docs:
https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works
Now, if you would like to use Azure Application gateway, you would be using a Public IP address to access your web application over Internet. As private Application gateway would again need some type of connectivity between Azure and on-premises like VPN or ExR.
So, in case you are interested to use Application gateway, I would request you to share your exact requirements here. What will you be accessing from Azure? Is it a web application?
Regards,
Gita
-
Joe Stravers 0 Reputation points
2023-12-13T08:41:26.6+00:00 I have used NAT and I could only ever get it to NAT the On-premise IP addresses and not the Azure Virtual network addresses. The on premise NAT works well, but only for the subnet being used on to access the VPN.
If you google NAT for Azure virtual networks, every answer only ever shows NAT of the on premise subnet, all youtube videos also show this and all the evidence points to the NAT rules in Azure only working against on-premise subnets.
I did put all the details in the original post, but here are the main points:
No internet access, all access is via site-to-site VPN only.
3 x App services (Port 443) and a file share (port 445) are accessed by the customer using Site-site VPN
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-13T10:34:26.66+00:00 @Joe Stravers , I understand that Azure VPN NAT lacks documentation and this feedback has already been provided to the Azure VPN Product Group team for future improvements.
However, like I mentioned before, EgressSnat mode (also known as Egress Source NAT) which is applicable to traffic leaving the Azure Vnet's Site-to-site VPN gateway towards on-premises, should work in your case. In EgressSNAT, the Azure VNET IPs are translated with external mapping.
So, creating a support request would be the best option to check why it is not working in your case. Hence, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
In case you need help with a one-time free technical support, I would request you to send an email with subject line "ATTN gishar | IP subnet already in use on premise. Any way to NAT Azure Virtual Network addresses rather than On premise VPN address" to AzCommunity[at]Microsoft[dot]com with the following details, I will follow-up with you.
- Reference this Q&A thread
- Your Azure Subscription ID
Coming to Application gateway usage,
3 x App services (Port 443) and a file share (port 445) are accessed by the customer using Site-site VPN.
Application Gateway supports HTTP, HTTPS, HTTP/2, and WebSocket.
If the App services host some web applications and the file share is accessible over REST API or an Azure storage static website, then you can either access these directly over Internet using their public endpoint or add them behind an Application gateway to access them via a common hostname. But the access will be over Internet.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
Regards,
Gita
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-14T12:19:17.8866667+00:00 @Joe Stravers , could you please provide an update on this post? Please let me know how you would like to proceed further on this.
-
Joe Stravers 0 Reputation points
2023-12-14T12:25:52.9+00:00 Hi Gita,
Thanks for trying to help with this, but we are looking at the possibility of using a different access method to replace S2S VPN, so this can be marked as closed.
Thanks
Joe
-
GitaraniSharma-MSFT 48,011 Reputation points Microsoft Employee
2023-12-15T10:46:56.2366667+00:00 @Joe Stravers , thank you for the update.
You can add Azure App service and Azure Storage in the backend of an Application gateway and access the same over Internet via the Application gateway's Public IP or a custom DNS name.
I'm adding some articles as reference below:
App service:
https://learn.microsoft.com/en-us/azure/app-service/networking-features#use-cases-and-features
Azure File Shares:
Azure Application Gateway primarily works with HTTP/HTTPS traffic for web applications.
Azure Files is a fully managed file share service that supports the Server Message Block (SMB) protocol and Network File System (NFS) protocol, and it's commonly used for shared file storage in cloud scenarios. It's typically accessed directly by clients using SMB or NFS protocols.
If you need to expose file shares over HTTP/HTTPS and utilize the features provided by Azure Application Gateway, you might need to consider alternative solutions. One common approach is to create a web application or an API layer that interacts with Azure Files and exposes the necessary functionalities over HTTP. This web application or API layer can then be fronted by Azure Application Gateway.
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview
If you have any other questions or are still running into more issues, please let me know.
Thank you again for your time and patience throughout this issue.
Regards,
Gita
Sign in to comment