connecting to multiple clients dynamically in site to site VPN

Riyan Das 30 Reputation points
2023-03-30T08:08:40.33+00:00

I have a few questions regarding Site to site VPN.

  1. If I want to connect my Java web app running in an Azure VM to different client sites via site-to-site VPN dynamically, depending upon some parameter, is this possible?
  2. If multiple clients have the same CIDR on their side of the VPN, then how do I connect to different clients from the same Azure VM?
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

4 answers

Sort by: Most helpful
  1. GitaraniSharma-MSFT 48,016 Reputation points Microsoft Employee
    2023-03-31T04:27:11.2133333+00:00

    Hello @Anonymous,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a few questions regarding site-to-site VPN. I've answered them below:

    1. If I want to connect my java web app running in azure VM to different client sites via site-to-site VPN dynamically depending upon some parameter, is this possible?

    I'm not sure if I understand this ask correctly, but since you've mentioned "site-to-site VPN dynamically depending upon some parameter", I'm assuming you are referring to dynamic routing or what is called Route-based VPN in Azure.

    It is possible to connect to multiple client/on-prem sites via site-to-site VPN using route-based VPN type. The number of tunnels a VPN gateway can have differs according to the VPN gateway SKU that you use.

    You can use the default IPsec/IKE parameters of Azure VPN gateway, or you can also use Custom IPsec/IKE parameters with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets. Azure VPN gateways support per-connection, custom IPsec/IKE policy meaning you can create and apply different IPsec/IKE policies on different VPN connections.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-multi-site-to-site-resource-manager-portal

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

    You can also enable BGP, which is an optional feature available with Azure Route-Based VPN gateways to support automatic and flexible prefix updates.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

    https://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto

    2. If multiple clients have same CIDR in their side of VPN then how to connect to different client from same Azure VM?

    Azure VPN Gateway supports NAT (Network Address Translation) which allows you to connect on-premises networks or branch offices to an Azure virtual network with overlapping IP addresses. NAT defines the mechanisms to translate one IP address to another in an IP packet.

    To connect two or more networks with overlapping IP addresses, you can configure NAT on your Azure VPN gateway. NAT on the VPN gateway translates the source and/or destination IP addresses, based on the NAT policies or rules to avoid address conflict. There are different types of NAT translation rules which are used to define address mapping or translating relationship for the corresponding network address spaces. You can find more information in the below docs.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview

    https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-howto

    Make sure to take a look into the NAT limitations before you start.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nat-overview#nat-limitations

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Zeeshan Nasir Bajwa 661 Reputation points Student Ambassador
    2023-04-07T05:12:38.9066667+00:00

    Hi Riyan,

    Yes, it is possible to connect your Java web app running in an Azure VM to different client sites via site-to-site VPN dynamically. To achieve this, you can configure Azure VPN Gateway on your Azure Virtual Network to establish a connection with each of your clients' on-premises networks. You can use either a policy-based or a route-based VPN connection depending on your requirement. Once the VPN connection is established, you can configure your Java web app to use the Azure Virtual Network as the network gateway to reach the client's on-premises network. You may need to modify your Java web app's networking configuration to allow traffic to pass through the VPN tunnel.

    Regarding your second question, if multiple clients have the same CIDR on their side of the VPN, you can use network address translation (NAT) to differentiate between the clients. You can configure NAT rules on your Azure VPN Gateway to translate the source IP address of the traffic coming from your Java web app to a unique IP address range for each client before sending it over the VPN tunnel. This way, the traffic coming from your Java web app will have a unique IP address that can be used to differentiate between the clients.

    Here are some Azure documentation links that may provide additional information on site-to-site VPN and network address translation (NAT) in Azure:

    I hope you find these resources helpful! Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
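    Both answers above rely on the same idea for the overlapping-CIDR case: a static, one-to-one NAT rule per connection so that each client site is reachable from the Azure VNet through its own, non-overlapping translated range. The following Python simulation is an added example, not code from either answer, from the asker, or from the Azure VPN Gateway service; it models the translation semantics of such rules so the behaviour can be reasoned about before configuring the real gateway. All addresses, the VNet prefix `10.10.0.0/16`, the translated ranges `100.64.1.0/24` and `100.64.2.0/24`, and the connection names `to-client-a` / `to-client-b` are constructed for illustration.

```python
"""Static 1:1 NAT for overlapping site-to-site prefixes (constructed example).

Scenario (constructed, not from the thread): two client sites both use
10.1.0.0/24. The gateway holds one static NAT rule per connection, so the
Azure VM addresses site A via 100.64.1.0/24 and site B via 100.64.2.0/24.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNatRule:
    """One-to-one mapping between a site's real prefix and its translated prefix."""

    internal: ipaddress.IPv4Network  # prefix as the client site actually uses it
    external: ipaddress.IPv4Network  # prefix the Azure side uses to reach that site

    def __post_init__(self) -> None:
        # A static rule is a 1:1 mapping, so both prefixes must be the same size.
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("static NAT requires equal-sized prefixes")

    @classmethod
    def from_cidrs(cls, internal: str, external: str) -> "StaticNatRule":
        return cls(ipaddress.IPv4Network(internal), ipaddress.IPv4Network(external))

    def to_external(self, ip: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """Translate a real site address into its Azure-visible address."""
        if ip not in self.internal:
            raise ValueError(f"{ip} is outside {self.internal}")
        offset = int(ip) - int(self.internal.network_address)
        return self.external.network_address + offset

    def to_internal(self, ip: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """Translate an Azure-visible address back into the site's real address."""
        if ip not in self.external:
            raise ValueError(f"{ip} is outside {self.external}")
        offset = int(ip) - int(self.external.network_address)
        return self.internal.network_address + offset


def validate_rules(vnet: ipaddress.IPv4Network, rules: dict[str, StaticNatRule]) -> None:
    """Translated ranges must not overlap each other or the Azure VNet; otherwise a
    destination address could not be attributed to exactly one connection."""
    ranges = [("vnet", vnet)] + [(name, rule.external) for name, rule in rules.items()]
    for i, (name_a, net_a) in enumerate(ranges):
        for name_b, net_b in ranges[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{name_a} {net_a} overlaps {name_b} {net_b}")


def route_outbound(rules: dict[str, StaticNatRule], dst: str) -> tuple[str, str]:
    """Azure VM -> site: pick the connection whose translated range holds the
    destination and rewrite it to the site's real address."""
    dst_ip = ipaddress.IPv4Address(dst)
    for name, rule in rules.items():
        if dst_ip in rule.external:
            return name, str(rule.to_internal(dst_ip))
    raise LookupError(f"no NAT rule covers {dst}")


def translate_inbound(rules: dict[str, StaticNatRule], connection: str, src: str) -> str:
    """Site -> Azure: rewrite the real source address to the connection's
    translated range so the VM sees a unique address per client."""
    return str(rules[connection].to_external(ipaddress.IPv4Address(src)))


# Constructed gateway configuration: same on-premises prefix on both connections.
VNET = ipaddress.IPv4Network("10.10.0.0/16")
GATEWAY_RULES = {
    "to-client-a": StaticNatRule.from_cidrs("10.1.0.0/24", "100.64.1.0/24"),
    "to-client-b": StaticNatRule.from_cidrs("10.1.0.0/24", "100.64.2.0/24"),
}


if __name__ == "__main__":
    validate_rules(VNET, GATEWAY_RULES)
    conn, real_dst = route_outbound(GATEWAY_RULES, "100.64.1.5")
    print(f"VM -> 100.64.1.5 leaves via {conn} as 10.10.0.4 -> {real_dst}")
    print("reply from client B 10.1.0.7 appears as", translate_inbound(GATEWAY_RULES, "to-client-b", "10.1.0.7"))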



  3. Zeeshan Nasir Bajwa 661 Reputation points Student Ambassador
    2023-04-07T06:05:53.0666667+00:00

  4. Zeeshan Nasir Bajwa 661 Reputation points Student Ambassador
    2023-04-07T06:06:20.33+00:00

    Here are some Azure documentation links that may provide additional information on site-to-site VPN and network address translation (NAT) in Azure:

    Site-to-Site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

    NAT in Azure: https://docs.microsoft.com/en-us/azure/virtual-network/nat-overview

    Azure VPN Gateway: https://docs.microsoft.com/en-us/azure/vpn-gateway/

    Azure Networking Best Practices: https://docs.microsoft.com/en-us/azure/architecture/best-practices/network-security-best-practices

    I hope you find these resources helpful!
