How to implement Source NATing and conditional DNS forwarding in Azure VWAN for onpremis connections via ExpressRoute?

Question

How to implement Source NATing and conditional DNS forwarding in Azure VWAN for onpremis connections via ExpressRoute?

Schad, Reiner (096) 20

We have setup an Azure VWAN with 3 secure virtual hubs, one in region APAC, EU, NAFTA. We want to integrate our on-premis corporate Network for bi-directional communication via ExpressRoutes that requires:

Source NATing of private Azure IPs to IPs routable in our on-premis network for downstream traffice Azure --> on-premis
DNATing for upstream traffic on-premis --> Azure
conditional DNS forwarding to an on-premis DNS server for on-premis FQDN resolution
private DNS zones/resolution of our Azure private FQDNS for DNS requests from on-premis

Is there a reference architecture document for the above, especially regarding SNAT/DNAT?

How can the required DNS forwarding/resolution be implemented in Azure VWAN or how can we integrate e.g. Azure private DNS resolver into Azure VWAN?

Schad, Reiner (096) 20 Reputation points

2025-10-22T09:02:25.9733333+00:00

Thanks @Jeevan Shanigarapu for the explanations.
add 1 (the NATing topic):
Are you suggesting to stack Firewalls (the secure Hubs already have a firewall deployed) --> to launch an additional Hub with Premium Firewall for solving the NATing and ER integration there? This would mean the traffic would have to pass through like this : Spoke vnet --> Secure Hub (Firewall #1) --> "NATing HUB" (Firewall #2) --> ExpressRoute --> onpremis
add 2 (private DNS resolver):
I know well, how to deploy a private DNS resolver and use private DNS zones in a "normal" vnet based Hub & Spoke architecture. There the private DNS resolver gets deployed into the Hub vnet (create subnets for the in-/outbound endpoints, etc.). How do I connect the private DNS resolver in-/outbound endpoints in a VWAN Hub (I dd not find a way to create subnets in a VWAN Hub) or would I have to dploy these endpoints into every Spoke?
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator

2025-10-22T11:13:16.4533333+00:00

Hello @Schad, Reiner,
Thank you for your detailed follow-up. Addressed both the points below.

NATing with Secure Virtual Hubs: Secure Virtual Hubs come with Azure Firewall Standard, but they do not support SNAT/DNAT for ExpressRoute traffic or allow custom firewall setups inside the hub. For NATing, you should deploy Azure Firewall Premium in a connected spoke VNet and set it up for SNAT/DNAT between Azure and your on-premises networks. In this configuration, traffic flows as follows: Spoke VNet → Secure Hub → NAT Spoke (Firewall Premium) → ExpressRoute → On-prem. This is a supported and commonly used method for hybrid connectivity.

DNS Private Resolver in VWAN: VWAN hubs cannot host DNS Private Resolver endpoints because they do not support custom subnets. To address this, deploy the Private Resolver in a spoke VNet that is connected to each hub, set up inbound and outbound endpoints, and configure forwarding rulesets for on-premises DNS queries through ExpressRoute. Link Private DNS Zones to these VNets to enable Azure FQDN resolution. This setup allows hybrid DNS to function smoothly across both VWAN and ExpressRoute.

Kindly let us know if the above helps or you need further assistance on this issue.
Schad, Reiner (096) 20 Reputation points

2025-10-23T08:47:30.8466667+00:00
Thanks for the update and more detailed explanation. Got it now and understood how to set this up. This answered my questions.
Are there any plans in the future to support the above scenario directly in VWAN hubs:

Possibiity for upgrading Azure FW in secure VWAN hubs from Standard to Premium to support DNAT?

Possibility to integrate Azure private DNS resolver in (secure) VWAN hubs?

Assigning multiple CIDR ranges to a (secure) VWAN hub to support e.g. NAT to onpremis routable IP ranges?
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator

2025-10-23T10:40:20.3866667+00:00

Hello @Schad, Reiner,

Here’s the most recent update from the MS:

Upgrading Azure Firewall in Secure VWAN Hubs to Premium:
Currently, Secure Virtual Hubs only support Azure Firewall Standard and do not allow upgrades to Premium within the hub. For DNAT/SNAT requirements, deploying Azure Firewall Premium in a connected spoke VNet remains the recommended approach. Microsoft is aware of the demand for Premium Firewall capabilities in Secure VWAN Hubs and is tracking this feature for possible future updates.

Integrating Azure Private DNS Resolver in VWAN Hubs:
As VWAN hubs do not provide customizable subnets, Private DNS Resolver endpoints cannot be deployed directly in the hub. The supported solution is to deploy the resolver in a spoke VNet connected to the hub. Native integration of Private DNS Resolver within VWAN hubs is being reviewed by the product group, but there is no public ETA at this time.

Assigning Multiple CIDR Ranges to a Secure VWAN Hub:
At present, each Secure VWAN hub supports only a single address space. Assigning multiple CIDR ranges for NAT or custom routing is not supported yet. This feature has been requested and is under consideration for future updates.

Kindly let us know if the above helps or you need further assistance on this issue.

Answer accepted by question author

0 additional answers

Your answer

Schad, Reiner (096) 20 Reputation points

2025-10-22T09:02:25.9733333+00:00

Thanks @Jeevan Shanigarapu for the explanations.
add 1 (the NATing topic):
Are you suggesting to stack Firewalls (the secure Hubs already have a firewall deployed) --> to launch an additional Hub with Premium Firewall for solving the NATing and ER integration there? This would mean the traffic would have to pass through like this : Spoke vnet --> Secure Hub (Firewall #1) --> "NATing HUB" (Firewall #2) --> ExpressRoute --> onpremis
add 2 (private DNS resolver):
I know well, how to deploy a private DNS resolver and use private DNS zones in a "normal" vnet based Hub & Spoke architecture. There the private DNS resolver gets deployed into the Hub vnet (create subnets for the in-/outbound endpoints, etc.). How do I connect the private DNS resolver in-/outbound endpoints in a VWAN Hub (I dd not find a way to create subnets in a VWAN Hub) or would I have to dploy these endpoints into every Spoke?
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator

2025-10-22T11:13:16.4533333+00:00

Hello @Schad, Reiner,
Thank you for your detailed follow-up. Addressed both the points below.

NATing with Secure Virtual Hubs: Secure Virtual Hubs come with Azure Firewall Standard, but they do not support SNAT/DNAT for ExpressRoute traffic or allow custom firewall setups inside the hub. For NATing, you should deploy Azure Firewall Premium in a connected spoke VNet and set it up for SNAT/DNAT between Azure and your on-premises networks. In this configuration, traffic flows as follows: Spoke VNet → Secure Hub → NAT Spoke (Firewall Premium) → ExpressRoute → On-prem. This is a supported and commonly used method for hybrid connectivity.

DNS Private Resolver in VWAN: VWAN hubs cannot host DNS Private Resolver endpoints because they do not support custom subnets. To address this, deploy the Private Resolver in a spoke VNet that is connected to each hub, set up inbound and outbound endpoints, and configure forwarding rulesets for on-premises DNS queries through ExpressRoute. Link Private DNS Zones to these VNets to enable Azure FQDN resolution. This setup allows hybrid DNS to function smoothly across both VWAN and ExpressRoute.

Kindly let us know if the above helps or you need further assistance on this issue.
Schad, Reiner (096) 20 Reputation points

2025-10-23T08:47:30.8466667+00:00

Thanks for the update and more detailed explanation. Got it now and understood how to set this up. This answered my questions.
Are there any plans in the future to support the above scenario directly in VWAN hubs:

Possibiity for upgrading Azure FW in secure VWAN hubs from Standard to Premium to support DNAT?

Possibility to integrate Azure private DNS resolver in (secure) VWAN hubs?

Assigning multiple CIDR ranges to a (secure) VWAN hub to support e.g. NAT to onpremis routable IP ranges?
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator

2025-10-23T10:40:20.3866667+00:00

Hello @Schad, Reiner,

Here’s the most recent update from the MS:

Upgrading Azure Firewall in Secure VWAN Hubs to Premium:
Currently, Secure Virtual Hubs only support Azure Firewall Standard and do not allow upgrades to Premium within the hub. For DNAT/SNAT requirements, deploying Azure Firewall Premium in a connected spoke VNet remains the recommended approach. Microsoft is aware of the demand for Premium Firewall capabilities in Secure VWAN Hubs and is tracking this feature for possible future updates.

Integrating Azure Private DNS Resolver in VWAN Hubs:
As VWAN hubs do not provide customizable subnets, Private DNS Resolver endpoints cannot be deployed directly in the hub. The supported solution is to deploy the resolver in a spoke VNet connected to the hub. Native integration of Private DNS Resolver within VWAN hubs is being reviewed by the product group, but there is no public ETA at this time.

Assigning Multiple CIDR Ranges to a Secure VWAN Hub:
At present, each Secure VWAN hub supports only a single address space. Assigning multiple CIDR ranges for NAT or custom routing is not supported yet. This feature has been requested and is under consideration for future updates.

Kindly let us know if the above helps or you need further assistance on this issue.

Answer 1

Hello @Schad, Reiner,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand your question regarding the implementation of Source NATing and conditional DNS forwarding in Azure VWAN for on-premises connections through ExpressRoute.

Azure Virtual WAN Secure Hubs do not provide native SNAT/DNAT support for ExpressRoute traffic. To perform IP translation between Azure and on-premises networks, Here is the suggested approach:

Deploy Azure Firewall Premium in each Secure Hub or in a connected spoke VNet.
Use DNAT rules for inbound (on-prem → Azure) and SNAT rules for outbound (Azure → on-prem) traffic.
Integrate the Firewall with the Secure Hub routing table for traffic inspection and NAT.

For more information, please refer to the link below:

Azure Firewall rule processing logic | Microsoft Learn

What is a secured virtual hub? | Microsoft Learn

To handle both Azure and on-prem DNS resolution,

Conditional Forwarding for On-Premises DNS:

Deploy Azure DNS Private Resolver in each region.
Configure DNS Forwarding Rulesets to send on-prem FQDN queries to your on-prem DNS servers via ExpressRoute.
What is Azure DNS Private Resolver? | Microsoft Learn

Private DNS for Azure Resources:

Set up Azure Private DNS Zones for internal Azure FQDNs and associate them with VNets that are connected to your VWAN hubs.
On-premises DNS servers can resolve these Azure hostnames by forwarding requests to the Private Resolver endpoints.

Integration with VWAN:

Set up a DNS Private Resolver in each VNet that is connected to a Secure Hub.
Make sure that routes are propagated correctly to allow DNS queries to pass through ExpressRoute as needed.

Helpful References:

Azure Virtual WAN Overview | Microsoft Learn

Azure Firewall rule processing logic | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to "Accept the answer” and “up-vote it” wherever the information provided helps you, this can be beneficial to other community members__.__ It would be greatly appreciated and helpful to others.

Share via

How to implement Source NATing and conditional DNS forwarding in Azure VWAN for onpremis connections via ExpressRoute?

0 additional answers

Your answer