NAT rules on VPN Gateway

Question

NAT rules on VPN Gateway

Javon Jackson 1

I'm trying to understand NAT rules according to the published Microsoft Article "About NAT on Azure VPN Gateway". In the FAQ section, there was a question that says "Do I need both Ingress and Egress rules on a NAT connection?". Can someone clarify the second sentence in the answer:

"You need both Ingress and Egress rules on the same connection when the on-premises network address space overlaps with the VNet address space. If the VNet address space is unique among all connected networks, you don't need the EgressSNAT rule on those connections. You can use the Ingress rules to avoid address overlap among the on-premises networks."

What exactly does it mean by "all connected networks"?

Also, I'm using all only Egress rules because when I try Ingress rules I can't ping an IP on the on-premise network to confirm connectivity for some reason. Ping works just fine with Egress rule, which is odd to me. I thought the IP would be translated both ways based on this statement:

It also handles the translation of the destination IP addresses leaving from the VNet to the same on-premises network.

Any advice would help. Thanks!

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-10-11T02:55:50.217+00:00

Hello @Javon Jackson , Welcome to the Microsoft Q&A forum.

What exactly does it mean by "all connected networks"?

These networks should be all the private networks including On-prem and Azure which can establish connectivity via your VPN Gateway, although I think if you can provide more context here about your network that will help better answer your question like if you have any overlapping Ip addresses and how many on-prem networks are currently connected to your VPN Gateway?
Javon Jackson 1 Reputation point

2022-10-11T13:42:38.85+00:00

Thanks for your reply! At the moment we have 7 S2S connections on this particular VPN gateway. At some point we'll reach the max (30 connections), so we're proactively trying to avoid internal IP conflicts by adding ingress NAT rules. Luckily, we haven't had any internal conflicts so far. However, most of our customer ask if we can NAT our internal IP's because it conflict their internal networks. So, that's why we currently have Egress NAT rules.

Also, we have another VPN gateway which is currently maxed out on connections. All customers will be communicating to the same networks and resources over their respective S2S tunnels. So, in total we have 37 connections altogether (30 on VPN Gateway #1 & 7 on VPN Gateway #2). I hope that helps to clarify
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-10-13T01:14:39.107+00:00

Hello @Javon Jackson , Thank you for providing additional details, I am working on this request and will provide a response soon.

1 answer

Your answer

ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-10-11T02:55:50.217+00:00

Hello @Javon Jackson , Welcome to the Microsoft Q&A forum.

What exactly does it mean by "all connected networks"?

These networks should be all the private networks including On-prem and Azure which can establish connectivity via your VPN Gateway, although I think if you can provide more context here about your network that will help better answer your question like if you have any overlapping Ip addresses and how many on-prem networks are currently connected to your VPN Gateway?
Javon Jackson 1 Reputation point

2022-10-11T13:42:38.85+00:00

Thanks for your reply! At the moment we have 7 S2S connections on this particular VPN gateway. At some point we'll reach the max (30 connections), so we're proactively trying to avoid internal IP conflicts by adding ingress NAT rules. Luckily, we haven't had any internal conflicts so far. However, most of our customer ask if we can NAT our internal IP's because it conflict their internal networks. So, that's why we currently have Egress NAT rules.

Also, we have another VPN gateway which is currently maxed out on connections. All customers will be communicating to the same networks and resources over their respective S2S tunnels. So, in total we have 37 connections altogether (30 on VPN Gateway #1 & 7 on VPN Gateway #2). I hope that helps to clarify
ChaitanyaNaykodi-MSFT 27,481 Reputation points Microsoft Employee Moderator

2022-10-13T01:14:39.107+00:00

Hello @Javon Jackson , Thank you for providing additional details, I am working on this request and will provide a response soon.

Answer 1

Hello @Javon Jackson , apologies for the delayed response and thank you for your patience here.

In Static-NAT there is a fixed address mapping relationship. For a given IP address, it will be mapped to the same address from the target pool

Ingress SNAT:

As mentioned in the documentation An IngressSNAT rule defines the translation of the source IP addresses coming into the Azure VPN gateway from the on-premises network. So basically, for communication from on-prem to Azure, in Ingress SNAT the on-prem's address is translated. As the document further states It also handles the translation of the destination IP addresses leaving from the VNet to the same on-premises network. For communication from Azure to On-prem the destination IP (this is also on-prem's IP) is translated.

For example, if a IngressSNAT rule has Internal Mapping of 10.0.1.0/24 (On-prem) address and External Mapping of 192.168.1.0/24. When an on-prem device with IP 10.0.1.5 initiates a communication with Azure the source IP '10.0.1.5' is translated to 192.168.1.5 and the Azure Device replies with destination IP of 192.168.1.5 which is translated to 10.0.1.5 at gateway and then sent back to on-prem.

In EgressSNAT the Azure VNET IPs are translated with external mapping.

From your question above

Also, I'm using all only Egress rules because when I try Ingress rules I can't ping an IP on the on-premise network to confirm connectivity for some reason. Ping works just fine with Egress rule, which is odd to me. I thought the IP would be translated both ways based on this statement:

I think the connectivity should work even if both IngressSNAT and EgressSNAT are present. To debug this issue you can do a packet capture at both clients and see if SNAT is working as expected and also validate if any firewall, NSG is not blocking this connectivity.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Share via

NAT rules on VPN Gateway

1 answer

Your answer