Express Route - NAT traffic with Public IP Instead of Private IP

Muthukumar, Harinarayanan 6 Reputation points
2023-10-20T06:35:36.8333333+00:00

Hi,

We have a requirement where we have to peer to one of our customer's environments using Azure ExpressRoute Private Peering. The customer has also requested that we NAT traffic via this circuit to a Public IP Address, as there is a network overlap between our Azure VNET and the customer's network.

Is there a way to achieve this? And if yes, what's the easiest approach? How can we NAT traffic from a Private IP to a Public IP in Azure via an ExpressRoute? I was told that we can use a Virtual Network appliance like Palo Alto, but we wanted to see if this is something we can achieve by leveraging Azure native resources (Azure Firewall, NAT Gateway etc.).

The requirement in crux is for us to peer via ExpressRoute and not worry about IP address overlap with our customer's network, and hence the option of NAT / exposing via public IP addresses was put forward. We need ways to receive and also send traffic via this pipe (ExpressRoute private peering) while advertising public IPs to avoid potential IP overlap.

Any help would be highly appreciated.


1 answer

  1. ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee
    2023-10-21T05:08:56.8333333+00:00

    @Muthukumar, Harinarayanan

    Thank you for reaching out.

    I understand you are looking for a way to NAT traffic via Azure Express Route Private Peering using a public IP address to avoid IP overlap with your customer's network.

    If I have understood your question correctly and depending on your requirements, I think you can try configuring a Site-to-Site VPN connection over ExpressRoute private peering as described here.

    I am suggesting this approach because in this scenario you can utilize NAT on the Site-to-Site Azure VPN Gateway mentioned above, which will help with the overlapping IP address issue. The advantage of such an architecture is that the communication will happen over a private network and no public IP will be required.

    Based on your statement above

    I was told that we can use a Virtual Network appliance like Palo Alto, but we wanted to see if this is something we can achieve by leveraging Azure native resources (Azure Firewall, NAT Gateway etc.)

    Yes, you can use Azure Firewall to route your traffic over the internet, but the customer will also need to expose their services over a public IP for such communication to take place. You can use Azure Firewall Network and application rules to control such traffic flow.

    Reference:

    https://learn.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps

    If this does not help answer your question, it would help if you could provide a rough network diagram.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

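The answer above recommends Site-to-Site VPN over ExpressRoute private peering with static NAT rules on the VPN gateway. The script below is an added example, not code from the thread or from Microsoft's documentation: it sanity-checks a NAT plan for the overlapping-prefix case (static 1:1 NAT needs same-sized internal and external prefixes, and the two translated prefixes must not collide with each other or with the address space the other side routes to) and then emits the Azure CLI calls that create an egress SNAT rule, an ingress SNAT rule and a connection bound to both. All resource names, the subscription id and every prefix are constructed placeholders; the VPN gateway and the customer's local network gateway are assumed to already exist (created per the linked article, with the local network gateway's address space holding the customer's post-NAT prefix, which is what our VNet actually routes to). By default it only prints the commands (`DRY_RUN=1`); set `DRY_RUN=0` to execute them with a logged-in `az`.

```shell
#!/bin/sh
# Added example (not part of the Q&A thread): plan and apply static NAT rules
# on an Azure VPN gateway used for S2S VPN over ExpressRoute private peering.
set -eu

SUB="subscription-id-placeholder"   # constructed placeholder
RG="rg-placeholder"                  # constructed placeholder
GW="vpngw-placeholder"               # existing VPN gateway (constructed name)
LNG="lng-customer-placeholder"       # existing local network gateway (constructed name)
CONN="conn-customer-placeholder"     # constructed placeholder
SHARED_KEY="replace-with-a-strong-psk"

OUR_VNET="10.10.0.0/24"       # our real VNet prefix (constructed)
CUSTOMER_NET="10.10.0.0/24"   # customer's real prefix, overlaps ours (constructed)
OUR_NAT="100.64.10.0/24"      # how the customer will see us (constructed)
CUSTOMER_NAT="100.64.20.0/24" # how we will see the customer (constructed)

DRY_RUN="${DRY_RUN:-1}"       # 1 = print az commands, 0 = run them

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# "/nn" part of a CIDR block.
prefix_len() { echo "${1#*/}"; }

# True (0) when two CIDR blocks share at least one address: compare both
# network addresses under the mask of the larger (shorter-prefix) block.
prefixes_overlap() {
  la=$(prefix_len "$1"); lb=$(prefix_len "$2")
  if [ "$la" -lt "$lb" ]; then l=$la; else l=$lb; fi
  mask=$(( (0xFFFFFFFF << (32 - l)) & 0xFFFFFFFF ))
  na=$(( $(ip_to_int "${1%/*}") & mask ))
  nb=$(( $(ip_to_int "${2%/*}") & mask ))
  [ "$na" -eq "$nb" ]
}

# Static (1:1) NAT rules map prefix to prefix, so both sides must be the same size.
same_size() { [ "$(prefix_len "$1")" -eq "$(prefix_len "$2")" ]; }

# The real prefixes are allowed to overlap (that is the problem being solved);
# the translated prefixes must be unambiguous on both sides of the tunnel.
plan_is_valid() {
  same_size "$OUR_VNET" "$OUR_NAT" || return 1
  same_size "$CUSTOMER_NET" "$CUSTOMER_NAT" || return 1
  prefixes_overlap "$OUR_NAT" "$CUSTOMER_NAT" && return 1   # both seen on the tunnel
  prefixes_overlap "$OUR_VNET" "$CUSTOMER_NAT" && return 1  # we route to CUSTOMER_NAT
  prefixes_overlap "$CUSTOMER_NET" "$OUR_NAT" && return 1   # they route to OUR_NAT
  return 0
}

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

apply_plan() {
  plan_is_valid || { echo "NAT plan is invalid, refusing to apply" >&2; return 1; }
  nat_base="/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworkGateways/$GW/natRules"

  # Egress SNAT: packets leaving our VNet get their source rewritten OUR_VNET -> OUR_NAT.
  run az network vnet-gateway nat-rule add --resource-group "$RG" --gateway-name "$GW" \
    --name our-egress --type Static --mode EgressSnat \
    --internal-mappings "$OUR_VNET" --external-mappings "$OUR_NAT"

  # Ingress SNAT: packets arriving from the customer get CUSTOMER_NET -> CUSTOMER_NAT,
  # so our VNet never sees addresses that collide with its own range.
  run az network vnet-gateway nat-rule add --resource-group "$RG" --gateway-name "$GW" \
    --name customer-ingress --type Static --mode IngressSnat \
    --internal-mappings "$CUSTOMER_NET" --external-mappings "$CUSTOMER_NAT"

  # Bind both rules to the S2S connection towards the customer's local network gateway.
  run az network vpn-connection create --resource-group "$RG" --name "$CONN" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$SHARED_KEY" \
    --egress-nat-rule "$nat_base/our-egress" \
    --ingress-nat-rule "$nat_base/customer-ingress"
}

apply_plan
```

The overlap check is deliberately run before anything is created: a NAT rule whose external prefix still collides with a routed range is accepted by the gateway but silently breaks return traffic, which is far harder to diagnose than a refused plan.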