ShawnMorrissey-5257 asked:

Use public IP of Azure VM over an IPSec VPN

I have an existing Azure VM webserver with a public IP, and have it connected to a customer's private network using Azure S2S VPN, with a Palo Alto device on their end. The Azure VNet uses the 10.0.0.x range of addresses to connect to the customer's range of reserved 10.0.252.x/24 addresses. Traffic passes the Azure S2S VPN. However, the customer will not allow reserved address traffic to transit the VPN; I am only allowed to connect using my Azure webserver's public IP of 13.78.x.x. How can I NAT my webserver's IP to be able to access all the addresses in the customer's range?

azure-vpn-gateway

SaiKishor-MSFT answered:

@ShawnMorrissey-5257 Thank you for reaching out to Microsoft Q&A.

I understand that you want to NAT your webserver IP to its public IP when connecting to on-premises over the S2S VPN. This is not possible to do over the S2S VPN, as the S2S VPN will only advertise the VNet's IP range and will not advertise the public IP of the webserver to the on-premises VPN device. There is no other way to NAT the IP to its public IP via the Azure S2S VPN.

In order to achieve this, I would suggest you use an NVA from the Azure Marketplace and set up a VPN between Azure and on-premises using it. Using this NVA, you can NAT the outbound traffic from the webserver to on-premises.

Another option is to deploy your virtual network with a public IP address range instead of a private range. As described in the Creating a Virtual Network document:

Address space: The address space for a virtual network is composed of one or more non-overlapping address ranges that are specified in CIDR notation. The address range you define can be public or private (RFC 1918). Whether you define the address range as public or private, the address range is reachable only from within the virtual network, from interconnected virtual networks, and from any on-premises networks that you have connected to the virtual network. You cannot add the following address ranges:
224.0.0.0/4 (Multicast)
255.255.255.255/32 (Broadcast)
127.0.0.0/8 (Loopback)
169.254.0.0/16 (Link-local)
168.63.129.16/32 (Internal DNS, DHCP, and Azure Load Balancer health probe)

With this setup, you will have public IP addresses for the resources in the VM, and when this is presented to your on-premises side via VPN, it will be presented with the public IP addresses themselves. This is the only way to have public IP addresses both inside and outside of the tunnel, i.e., before and after encryption, when using the Azure S2S VPN. Hope this helps.

If you require any further assistance, please do let us know and we will be glad to assist. Thank you!

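As an added example (not part of the answer above, and not Microsoft's tooling): a small Python check of a proposed VNet address space against the rules quoted in the answer, plus overlap with the on-premises range the S2S VPN is meant to carry. All prefixes are constructed: 203.0.113.0/28 is a documentation range standing in for whichever public range you control, and 10.0.252.0/24 is the customer range from the question. One caveat on the public-range option that a practitioner will want before trying it: whatever prefix you put in a VNet address space is routed inside the VNet by the system route, so real Internet hosts in that prefix become unreachable from the VNet. Use a range you control, and never one that overlaps the customer's, which is the third check below.

```python
import ipaddress

# Ranges that cannot be added to a VNet address space (as listed in the answer above).
AZURE_FORBIDDEN = [
    ipaddress.ip_network("224.0.0.0/4"),         # multicast
    ipaddress.ip_network("255.255.255.255/32"),  # broadcast
    ipaddress.ip_network("127.0.0.0/8"),         # loopback
    ipaddress.ip_network("169.254.0.0/16"),      # link-local
    ipaddress.ip_network("168.63.129.16/32"),    # internal DNS, DHCP, LB health probe
]

# RFC 1918 private ranges; anything outside these is treated as public.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(prefix):
    """Return 'private' for an RFC 1918 prefix, otherwise 'public'."""
    net = ipaddress.ip_network(prefix)
    return "private" if any(net.subnet_of(r) for r in RFC1918) else "public"


def check_vnet_address_space(vnet_prefixes, onprem_prefixes):
    """Return a list of problems with a proposed VNet address space.

    Problems reported:
      * a VNet range overlaps one of the ranges Azure refuses,
      * two VNet ranges overlap each other (address space must be non-overlapping),
      * a VNet range overlaps an on-premises range the S2S VPN is meant to carry
        (the VNet system route would then swallow traffic for that range).
    An empty list means the address space passes these checks.
    """
    vnet = [ipaddress.ip_network(p) for p in vnet_prefixes]
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    problems = []
    for net in vnet:
        for bad in AZURE_FORBIDDEN:
            if net.overlaps(bad):
                problems.append(f"{net} overlaps forbidden range {bad}")
        for remote in onprem:
            if net.overlaps(remote):
                problems.append(f"{net} overlaps on-premises range {remote}")
    for i, a in enumerate(vnet):
        for b in vnet[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VNet ranges {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    # Constructed prefixes: 203.0.113.0/28 is a documentation range standing in for a
    # public range you control; 10.0.252.0/24 is the customer range from the question.
    for candidate in (["10.0.0.0/24"], ["10.0.0.0/16"], ["203.0.113.0/28"]):
        print(candidate, [classify(p) for p in candidate],
              check_vnet_address_space(candidate, ["10.0.252.0/24"]) or "OK")
```

The second candidate is the one to watch for in this thread: a VNet of 10.0.0.0/16 would contain the customer's 10.0.252.0/24, and packets for the customer would never be handed to the gateway at all.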

@SaiKishor-MSFT

If I create the new VNET using the public IP range, do I have to deallocate and move the existing webserver to the new VNET, or can I just use peering to connect the two vnets together?

Thanks,
Shawn Morrissey


@ShawnMorrissey-5257 Thank you for accepting the answer. Regarding the public IP range: if you create a new VNet, then you have to de-allocate and move the webserver to the new VNet, as you want that webserver's traffic to use the public IP to reach on-premises.


Hello @SaiKishor-MSFT,

I created a new VNET using a public IP range as per your suggestion, and moved my webserver to that range. I also created a new S2S VPN; however, I am still not getting transport over the VPN from my webserver. The webserver is able to access existing clients outside of the VPN, but no traffic is flowing over the VPN to the private IP range. Routing tests from within Azure show that the flow setup is correct... Can I possibly share a system diagram with you to see if you can find what I might have configured wrong?

Thanks in advance,

Shawn Morrissey

ShawnMorrissey-5257 answered:

@SaiKishor-MSFT

Here is a PDF of the Azure config I have in place. I can provide any other details you need via PM so as not to disclose that info on a public forum. I created the webserver DDI-WS2016 first so that I would know the IP range I needed to use for my VPN; then I created the VNET and S2S VPN after that...

Thanks,
Shawn Morrissey

Attachment: uofu-azure.pdf (88.3 KiB)

@ShawnMorrissey-5257

  1. Is the VPN in connected state?

  2. Is it a Route based or policy based VPN?

  3. What routes are being shared over the VPN?

  4. Can you do a packet capture on both sides, i.e., the Azure and on-premises side, while trying to connect, and share the captures if possible?

  1. Yes, VPN shows connected state

  2. Route Based

  3. List of routes attached

  4. I will try to capture from our side; the other side is customer owned and I don't have access

Shawn
Attachment: vng-routes.txt (2.6 KiB)
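As an added example (not the poster's attached route list, and not Microsoft's tooling): a Python check over the gateway's learned routes, in the shape of the GatewayRoute objects that `az network vnet-gateway list-learned-routes -o json` returns, against the VNet and on-premises prefixes. It answers the third question above mechanically and separates the three ways "VPN connected but no traffic" usually shows up in that table. The sample routes, addresses and ASN are constructed (documentation ranges); replace `SAMPLE_LEARNED_ROUTES` with your own JSON.

```python
import ipaddress
import json

# Constructed sample in the shape of the GatewayRoute objects returned by
#   az network vnet-gateway list-learned-routes -g <rg> -n <gw> -o json
# Addresses are documentation ranges and the ASN is made up; the real attachment
# from the thread is not reproduced here.
SAMPLE_LEARNED_ROUTES = json.loads("""
{"value": [
  {"localAddress": "203.0.113.4", "network": "203.0.113.0/28", "nextHop": "",
   "sourcePeer": "203.0.113.4", "origin": "Network", "asPath": "", "weight": 32768},
  {"localAddress": "203.0.113.4", "network": "10.0.252.0/24", "nextHop": "192.0.2.10",
   "sourcePeer": "192.0.2.10", "origin": "EBgp", "asPath": "65010", "weight": 32768}
]}
""")


def _routes(learned):
    """Accept either the {'value': [...]} envelope or a bare list of route dicts."""
    return learned["value"] if isinstance(learned, dict) else learned


def route_for(learned, destination):
    """Longest-prefix match of a host or prefix against the gateway's route table.

    Returns the matching route dict, or None if nothing covers the destination.
    """
    dst = ipaddress.ip_network(destination, strict=False)
    matches = [r for r in _routes(learned)
               if ipaddress.ip_network(r["network"]).supernet_of(dst)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["network"]).prefixlen)


def check_s2s_routing(learned, vnet_prefixes, onprem_prefixes):
    """Explain why traffic from the VNet may not be reaching the on-premises range.

    Checks made:
      * each VNet prefix is a local route (origin 'Network'); otherwise this gateway
        is not in that VNet and will not present the prefix to the peer,
      * each on-premises prefix is covered by some gateway route; if not, the local
        network gateway address prefixes (or the BGP advertisement) are missing it,
      * the route covering an on-premises prefix must not be the VNet's own range;
        if it is, the address spaces overlap and traffic stays inside the VNet.
    """
    findings = []
    for p in vnet_prefixes:
        r = route_for(learned, p)
        if r is None or r["origin"] != "Network":
            findings.append(f"VNet prefix {p} is not a local (origin=Network) route on this gateway")
    for p in onprem_prefixes:
        r = route_for(learned, p)
        if r is None:
            findings.append(f"no gateway route covers on-premises prefix {p}: "
                            "check the local network gateway address prefixes or the BGP advertisement")
        elif r["origin"] == "Network":
            findings.append(f"on-premises prefix {p} is inside the VNet's own range {r['network']}: "
                            "overlapping address space, traffic never leaves the VNet")
    return findings


if __name__ == "__main__":
    print(route_for(SAMPLE_LEARNED_ROUTES, "10.0.252.7"))
    print(check_s2s_routing(SAMPLE_LEARNED_ROUTES, ["203.0.113.0/28"], ["10.0.252.0/24"])
          or "routing looks consistent")
    print(check_s2s_routing(SAMPLE_LEARNED_ROUTES, ["203.0.113.0/28"], ["10.0.253.0/24"]))
```

If the on-premises prefix is missing entirely, the fix is on the local network gateway (its address prefixes) for a static connection, or on the Palo Alto's BGP advertisement; if it is present and points at the tunnel and you still see no traffic, the next stops are the effective routes on the webserver's NIC and the customer's side of the tunnel, which is what the second and fourth questions above are getting at.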
ShawnMorrissey-5257 answered:

OK, email request sent as directed...

thanks!
