Private networks - Overlapping

Michelangelo Stillante 41 Reputation points
2021-03-15T19:53:35.097+00:00

Good evening. I have a question about private networks and Azure; it's quite long. From my networking knowledge I know that two private networks can connect to each other if they are connected via the internet or a VPN, as they are behind a public IP address, no matter if the private networks are matching or overlapping.

Hypothetical, not real: I have my laptop inside 10.10.10.0/24 behind the public IP 134.65.5.67, and I want to connect through the public IP address 45.56.65.3 to my friend's server in 10.10.10.0/24.

I have just learnt today that in Azure this is not possible: two private networks matching or overlapping can't connect to each other even if they are behind a PUBLIC IP ADDRESS. Do you know why? Could you please explain it to me or send me links that explain it? Thanks very much for your support.


Accepted answer
  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2021-03-18T13:23:17.89+00:00

    Hi @Michelangelo Stillante ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    When using a virtual network as part of a cross-premises architecture, you need to make sure to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way.

    Azure VPN Gateway will NOT perform any NAT-like functionality on the inner packets to/from the IPsec tunnels and hence you can't have overlapping IP address ranges between Azure & local sites.

    Please refer to: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#CreatVNet
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-use-nat-t-on-my-vpn-connections
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-there-be-overlapping-address-spaces-among-connected-virtual-networks-and-on-premises-local-sites

    So to answer your query in simple terms:

    Why this is possible between two customers NOT using Azure: 3rd-party VPN devices support NAT, hence this is possible.
    Why this is NOT possible between two customers using Azure: the Azure VPN gateway doesn't support NAT, hence this is not possible.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-03-15T20:25:34.563+00:00

    Hi @Michelangelo Stillante ,

    There is no NAT component involved in a Site-To-Site Azure VPN Gateway connection.
    If you connect your local network via a VPN Gateway Site-to-Site connection, it is almost like you connect 2 networks via a layer 3 router. If both networks are using the same subnet IP range, routing isn't possible.

    Basically that's the simple answer to your question.

    If you connect a local subnet with the Azure subnet using non-overlapping IP ranges, the following will happen:

    • In the local subnet (for instance 192.168.1.0/24) a route to the Azure subnet (10.0.0.0/24) will be added to send packets to the local VPN gateway device
    • In the Azure subnet (10.0.0.0/24) a route to the local subnet (192.168.0.0/24) will be added to send packets to the Azure VPN Gateway Site-to-Site connection
      This way network packets can be routed from Azure to local resources and vice versa.

    The VPN tunnel is using the public IP on both sides as the connection point. Once the VPN tunnel is established and connected between the 2 endpoints, this tunnel works like a "normal" layer 3 router between 2 subnets.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
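As an added illustration of the routing argument in both answers above (this is example code, not part of the thread and not Azure's implementation), the toy routing table below does a longest-prefix match over the routes each side installs once the tunnel is up. With the thread's non-overlapping subnets the remote prefix resolves to the tunnel; with 10.10.10.0/24 on both sides the on-link route wins the tie, so a packet for the remote server never enters the tunnel. The 172.16.10.0/24 translated range is a constructed value showing what a NAT-capable VPN device could do instead.

```python
import ipaddress

# Added example, not Azure's code: a minimal longest-prefix-match routing
# table modelling what a host on one side of a site-to-site tunnel sees.
# Subnets are the ones discussed in the thread; 172.16.10.0/24 is constructed.

def install_routes(local_net, remote_net):
    """Routes on the local side once the tunnel is up: own subnet is on-link,
    the remote subnet points at the VPN gateway, with no NAT in between."""
    return [
        (ipaddress.ip_network(local_net), "on-link"),
        (ipaddress.ip_network(remote_net), "vpn-gateway"),
    ]

def next_hop(routes, dst):
    """Longest-prefix match. On an exact tie the directly connected route
    wins, as on a real host, so the packet is ARPed for locally instead of
    being sent into the tunnel."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return "default"
    matches.sort(key=lambda m: (m[0].prefixlen, m[1] == "on-link"), reverse=True)
    return matches[0][1]

def nat_route_table(local_net, remote_net, translated_net):
    """What a NAT-capable VPN device can do: present the overlapping remote
    subnet under a distinct translated prefix. Returns the resulting routes
    and a function mapping a translated address back to the real remote one."""
    remote = ipaddress.ip_network(remote_net)
    translated = ipaddress.ip_network(translated_net)
    if remote.prefixlen != translated.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal size")
    routes = [
        (ipaddress.ip_network(local_net), "on-link"),
        (translated, "vpn-gateway"),
    ]
    def untranslate(dst):
        offset = int(ipaddress.ip_address(dst)) - int(translated.network_address)
        return str(remote.network_address + offset)
    return routes, untranslate

if __name__ == "__main__":
    ok = install_routes("192.168.1.0/24", "10.0.0.0/24")
    print("non-overlapping, 10.0.0.4 ->", next_hop(ok, "10.0.0.4"))
    bad = install_routes("10.10.10.0/24", "10.10.10.0/24")
    print("overlapping, 10.10.10.5 ->", next_hop(bad, "10.10.10.5"))
    nat, back = nat_route_table("10.10.10.0/24", "10.10.10.0/24", "172.16.10.0/24")
    print("with NAT, 172.16.10.5 ->", next_hop(nat, "172.16.10.5"), "=", back("172.16.10.5"))
```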

