@Shawn Morrissey Thank you for reaching out to Microsoft Q&A.
I understand that you want to NAT your Webserver IP to its Public IP when connecting to the on-premise over the S2S VPN. This is not possible to do over the S2S VPN, as the S2S VPN will only advertise the VNet's IP range and it will not advertise the Public IP of the Web server to the on-premise VPN device. There is no other way to NAT the IP to its Public IP via the Azure S2S VPN.
In order to achieve this, I would suggest that you use an NVA from the Azure Marketplace and set up a VPN between Azure and on-premise using the same. Using this NVA, you can NAT the outbound traffic from the web server to on-premise.
Another option is to deploy your virtual network with a Public IP address range instead of a private range. As stated in the Creating a Virtual Network document:
Address space: The address space for a virtual network is composed of one or more non-overlapping address ranges that are specified in CIDR notation. The address range you define can be public or private (RFC 1918). Whether you define the address range as public or private, the address range is reachable only from within the virtual network, from interconnected virtual networks, and from any on-premises networks that you have connected to the virtual network. You cannot add the following address ranges:
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS, DHCP, and Azure Load Balancer health probe)
With this setup, you will have Public IP addresses for the resources in the VM and when this is presented to your on-premise via VPN, it will be presented with the Public IP addresses itself. This is the only way to have Public IP addresses on both the inside and the outside of the tunnel, i.e., before and after encryption, when using the Azure S2S VPN. Hope this helps.
If you require any further assistance, please do let us know and we will be glad to assist. Thank you!
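The address-space rules quoted in the answer above can be checked before a public range is deployed. The following is an added example, not part of the original answer or of Microsoft's documentation. The function name `check_address_space` is hypothetical, the sample prefixes are constructed, and treating any overlap with a disallowed range as a conflict is a conservative assumption.

```python
import ipaddress

# Ranges the quoted documentation says cannot be added to a VNet address space.
DISALLOWED = {
    "224.0.0.0/4": "Multicast",
    "255.255.255.255/32": "Broadcast",
    "127.0.0.0/8": "Loopback",
    "169.254.0.0/16": "Link-local",
    "168.63.129.16/32": "Internal DNS, DHCP, and Azure Load Balancer health probe",
}
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_address_space(prefixes):
    """Return (errors, notes) for a proposed list of IPv4 VNet prefixes."""
    errors, notes, accepted = [], [], []
    for p in prefixes:
        try:
            # strict=True rejects prefixes with host bits set (e.g. 192.168.1.5/24)
            net = ipaddress.IPv4Network(p, strict=True)
        except ValueError as exc:
            errors.append(f"{p}: not a valid CIDR prefix ({exc})")
            continue
        # Assumption: any overlap with a disallowed range counts as a conflict.
        for bad, why in DISALLOWED.items():
            if net.overlaps(ipaddress.IPv4Network(bad)):
                errors.append(f"{p}: overlaps {bad} ({why})")
        # The address space must consist of non-overlapping ranges.
        for other in accepted:
            if net.overlaps(other):
                errors.append(f"{p}: overlaps {other} in the same address space")
        accepted.append(net)
        # Flag public ranges: on-premises peers will see these addresses as-is.
        if not any(net.subnet_of(r) for r in RFC1918):
            notes.append(f"{p}: public (non-RFC 1918) range")
    return errors, notes


if __name__ == "__main__":
    # Constructed sample input.
    sample = ["203.0.113.0/24", "10.1.0.0/16", "10.1.2.0/24",
              "168.63.128.0/17", "192.168.1.5/24"]
    errs, info = check_address_space(sample)
    for line in errs + info:
        print(line)
```

Prefixes flagged as public are the ones the on-premises side will see unchanged through the tunnel, so they need to be ranges you are entitled to use.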