Edit

Configure NAT Rules for your Virtual WAN VPN gateway using PowerShell

  • Article

You can configure your Virtual WAN VPN gateway with static one-to-one NAT rules. A NAT rule provides a mechanism to set up one-to-one translation of IP addresses. NAT can be used to interconnect two IP networks that have incompatible or overlapping IP addresses. A typical scenario is branches with overlapping IPs that want to access Azure VNet resources.

This configuration uses a flow table to route traffic from an external (host) IP Address to an internal IP address associated with an endpoint inside a virtual network (virtual machine, computer, container, etc.). In order to use NAT, VPN devices need to use any-to-any (wildcard) traffic selectors. Policy Based (narrow) traffic selectors aren't supported in conjunction with NAT configuration.

Prerequisites

  • Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.
  • This tutorial creates a NAT rule on a VPN gateway that will be associated with a VPN site connection. The steps assume that you have an existing Virtual WAN VPN gateway connection to two branches with overlapping address spaces.

Azure PowerShell

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open Cloud Shell, just select Open Cloudshell from the upper-right corner of a code block. You can also open Cloud Shell on a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them.

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you haven't installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Sign in

If you're using Azure Cloud Shell you'll automatically be directed to sign into your account after you open Cloudshell. You don't need to run Connect-AzAccount. Once signed in, you can still change subscriptions if necessary by using Get-AzSubscription and Select-AzSubscription.

If you're running PowerShell locally, open the PowerShell console with elevated privileges and connect to your Azure account. The Connect-AzAccount cmdlet prompts you for credentials. After you authenticate, it downloads your account settings so that they're available to Azure PowerShell. You can change subscription by using Get-AzSubscription and Select-AzSubscription -SubscriptionName "Name of subscription".

Configure NAT rules

You can configure and view NAT rules on your VPN gateway settings at any time using Azure PowerShell.

Screenshot showing how to edit rules.

  1. Declare the variables for the existing resources.

    $resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" 
$virtualWan = Get-AzVirtualWan -ResourceGroupName "testRG" -Name "myVirtualWAN"
$virtualHub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
$vpnGateway = Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"

  2. Create the new NAT rule to ensure the site-to-site VPN gateway is able to distinguish between the two branches with overlapping address spaces.

    You can set the parameters for the following values:

    • Name: A unique name for your NAT rule.
    • Type: Static or Dynamic. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address. The subnet size for both internal and external mapping must be the same for static.
    • Mode: IngressSnat or EgressSnat.
      • IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub’s site-to-site VPN gateway.
      • EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub’s site-to-site VPN gateway.
    • Internal Mapping: An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.
    • External Mapping: An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.
    • Link Connection: Connection resource that virtually connects a VPN site to the Azure Virtual WAN hub's site-to-site VPN gateway.

    Syntax

    New-AzVpnGatewayNatRule 
-ResourceGroupName <String> 
-ParentResourceName <String> 
-Name <String>
[-Type <String>] 
[-Mode <String>] 
-InternalMapping <String[]> 
-ExternalMapping <String[]>
[-InternalPortRange <String[]>] 
[-ExternalPortRange <String[]>] 
[-IpConfigurationId <String>] 
[-AsJob]
[-DefaultProfile <IAzureContextContainer>] 
[-WhatIf] 
[-Confirm] [<CommonParameters>]

    $natrule = New-AzVpnGatewayNatRule -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -Name "testNatRule" -InternalMapping "10.0.0.0/24" -ExternalMapping "1.2.3.4/32" -IpConfigurationId "Instance0" -Type Dynamic -Mode EgressSnat

  3. Declare the variable to create a new object for the new NAT rule.

    $newruleobject = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$newruleobject.Id = $natrule.Id

  4. Declare the variable to get the existing VPN connection.

    $conn = Get-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw"

  5. Set the appropriate index for the NAT rule in the VPN connection.

    $conn.VpnLinkConnections
$conn.VpnLinkConnections[0].EgressNatRules = $newruleobject

  6. Update the existing VPN connection with the new NAT rule.

    Update-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -VpnSiteLinkConnection $conn.VpnLinkConnections

Next steps

For more information about site-to-site configurations, see Configure a Virtual WAN site-to-site connection.