Use public IP of Azure VM over an IPSec VPN

Shawn Morrissey 21 Reputation points

I have an existing Azure VM webserver with a public IP, and have it connected to a customer's private network using Azure S2S VPN, with a Palo Alto device on their end. The Azure VNet uses 10.0.0.x range of addresses to connect to the customers range of reserved 10.0.252.x/24 addresses. Traffic passes the Azure S2S VPN. However, customer will not allow reserved address traffic to transit the VPN; I am only allowed to connect using my Azure webserver's public IP of 13.78.x.x. How can I NAT my webserver's IP to be able to access all the addresses in the customers range?

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
27,007 questions
0 comments No comments
{count} votes

Accepted answer
  1. SaiKishor-MSFT 16,776 Reputation points

    @Shawn Morrissey Thank you for reaching out to Microsoft Q&A.

    I understand that you want to NAT your Webserver IP to its Public IP when connecting to the on-premise over the S2S VPN. This is not possible to do over the S2S VPN as the S2S VPN will only advertise the Vnets IP range and it will not advertise the Public IP of the Web server to the on-premise VPN device. There is no other way to NAT the IP to its Public IP via the Azure S2S VPN.

    In order to achieve this, I would suggest you to use a NVA from the Azure Marketplace and setup a VPN between Azure and on-premise using the same. Using this NVA, you can NAT the outbound traffic from the web server to on-premise.

    Another option is to deploy your virtual network with a Public IP address range instead of a private range. As seen from - Creating a Virtual Network document -

    Address space: The address space for a virtual network is composed of one or more non-overlapping address ranges that are specified in CIDR notation. The address range you define can be public or private (RFC 1918). Whether you define the address range as public or private, the address range is reachable only from within the virtual network, from interconnected virtual networks, and from any on-premises networks that you have connected to the virtual network. You cannot add the following address ranges:
    224. 0.0.0/4 (Multicast)
    255. 255.255.255/32 (Broadcast)
    127. 0.0.0/8 (Loopback)
    169. 254.0.0/16 (Link-local)
    168. 63.129.16/32 (Internal DNS, DHCP, and Azure Load Balancer health probe)

    With this setup, you will have Public IP addresses for the resources in the VM and when this is presented to your on-premise via VPN, it will be presented with the Public IP addresses itself. This is the only way to have Public IP addresses on both inside and outside of the tunnel i.e., before and after encryption when using the Azure S2S VPN. Hope this helps.

    If you require any further assistance, please do let us know and we will be glad to assist. Thank you!


    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

2 additional answers

Sort by: Most helpful
  1. Shawn Morrissey 21 Reputation points


    Here is a PDF of the Azure config I have in place. I can provide any other details you need via PM so as not to disclose that info on a public forum. I created the webserver DDI-WS2016 first so that I would know the IP range I needed to use for my VPN; then I created the VNET and S2S VPN after that...

    Shawn Morrissey


  2. Shawn Morrissey 21 Reputation points

    OK, email request sent as directed...


    0 comments No comments