Configure Site to Site VPN with PAT

Sandro Alves 41 Reputation points


we have a locality that needs to establish a connection with our environment.

It does not use NAT, that is, only PAT as they have a public IP limit restriction.

How is it possible to make this connection to my environment in Azure?


Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,449 questions
{count} votes

1 answer

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,386 Reputation points Microsoft Employee

    Hello @Sandro Alves ,

    I understand that you would like to know if it is possible to configure Azure site to site VPN with Port Address Translation (PAT).

    With Port Address Translation (PAT), a single public IP address is used for all internal private IP addresses, but a different port is assigned to each private IP address.

    Azure VPN gateway does not support PAT (Port Address Translation) but it does support NAT (Network Address Translation), which defines the mechanisms to translate one IP address to another in an IP packet. And Azure VPN Gateway NAT supports connection to on-premises networks or branch offices from an Azure virtual network with overlapping IP addresses.

    There are 2 types of NAT translation rules supported by Azure VPN gateway:

    • Static NAT: Static rules define a fixed address mapping relationship.
    • Dynamic NAT: For dynamic NAT, an IP address can be translated to different target IP addresses based on availability, or with a different combination of IP address and TCP/UDP port. The latter is also called NAPT, Network Address and Port Translation. Dynamic rules will result in stateful translation mappings depending on the traffic flows at any given time.

    NOTE : When Dynamic NAT rules are used, traffic is unidirectional which means communication must be initiated from the site that is represented in the Internal Mapping field of the rule.
    NAT is supported on the following VPN gateway SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
    Refer :

    More Information:

    Azure VPN NAT with dynamic NAT rules may help in your case but I think we need more details on the on-premise site network architecture to understand what the actual requirement is and how we can implement it further. I would request you to get more details on the on-premise site setup for further discussion.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments