How to configure NAT for Azure VPN Gateway
This article helps you configure NAT (Network Address Translation) for Azure VPN Gateway using the Azure portal.
NAT defines the mechanisms to translate one IP address to another in an IP packet. It's commonly used to connect networks with overlapping IP address ranges. NAT rules or policies on the gateway devices connecting the networks specify the address mappings for the address translation on the networks.
For more information about NAT support for Azure VPN Gateway, see About NAT and Azure VPN Gateway.
- NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
Each part of this article helps you form a basic building block for configuring NAT in your network connectivity. If you complete all three parts, you build the topology as shown in Diagram 1.
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.
Part 1: Create VNet and gateways
In this section, you create a virtual network, a VPN gateway, and the local network gateway resources to correspond to the resources shown in Diagram 1.
To create these resources, use the steps in the Site-to-Site Tutorial article. Complete the following sections of the article, but don't create any connections.
When using the steps in the following articles, do not create the connection resources in the articles. The operation will fail because the IP address spaces are the same between the VNet, Branch 1, and Branch 2. Use the steps in the following section to create the NAT rules, then create the connections with the NAT rules.
The following screenshots show examples of the resources to create.
Part 2: Create NAT rules
Before you create connections, you must create and save NAT rules on the VPN gateway. The following table shows the required NAT rules. Refer to Diagram 1 for the topology.
NAT rules table
|Branch_1||Static||IngressSNAT||10.0.1.0/24||188.8.131.52/24||Branch 1 connection|
|Branch_2||Static||IngressSNAT||10.0.1.0/24||184.108.40.206/24||Branch 2 connection|
Use the following steps to create all the NAT rules on the VPN gateway.
In the Azure portal, navigate to the Virtual Network Gateway resource page and select NAT Rules.
Using the NAT rules table, fill in the values.
Click Save to save the NAT rules to the VPN gateway resource. This operation can take up to 10 minutes to complete.
Part 3: Create connections and link NAT rules
In this section, you create the connections, and then associate the NAT rules with the connections to implement the sample topology in Diagram 1.
1. Create connections
Follow the steps in Create a site-to-site connection article to create the two connections as shown in the following screenshot:
2. Associate NAT rules with the connections
In this step, you associate the NAT rules with each connection resource.
In the Azure portal, navigate to the connection resources, and select Configuration.
Under Ingress NAT Rules, select the NAT rules created previously.
Click Save to apply the configurations to the connection resource.
Repeat the steps to apply the NAT rules for other connection resources.
If BGP is used, select Enable BGP Route Translation in the NAT rules page and click Save. Notice that the table now shows the connections linked with each NAT rule.
After completing these steps, you'll have a setup that matches the topology shown in Diagram 1.
There are a few constraints for the NAT feature.
- NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
- NAT is supported for IPsec/IKE cross-premises connections only. VNet-to-VNet connections or P2S connections aren't supported.
- NAT rules can't be associated with connection resources during the create connection process. Create the connection resource first, then associate the NAT rules in the Connection Configuration page.
- Address spaces for different local network gateways (on-premises networks or branches) can be the same with IngressSNAT rules to map to nonoverlapping prefixes as shown in the configuration for Diagram 1 in the NAT configuration article.
- NAT rules aren't supported on connections that have Use Policy Based Traffic Selectors enabled.
- The maximum supported external mapping subnet size for Dynamic NAT is /26.
- NAT configuration isn't available for Dynamic NAT.
- Port ranges can't be entered at this time. Individual ports need to be entered. Port ranges can be configured with Static NAT types only. This can be configured for Static NAT type only.
- Port mappings can be used for both TCP and UDP protocols.
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.
Submit and view feedback for