How to configure NAT for Azure VPN Gateway

This article helps you configure NAT (Network Address Translation) for Azure VPN Gateway using the Azure portal.

About NAT

NAT defines the mechanisms to translate one IP address to another in an IP packet. It's commonly used to connect networks with overlapping IP address ranges. NAT rules or policies on the gateway devices connecting the networks specify the address mappings for the address translation on the networks.

For more information about NAT support for Azure VPN Gateway, see About NAT and Azure VPN Gateway.


  • NAT is supported on the the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.

Getting started

Each part of this article helps you form a basic building block for configuring NAT in your network connectivity. If you complete all three parts, you build the topology as shown in Diagram 1.

Diagram 1

Screenshot of diagram 1.


Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

Part 1: Create VNet and gateways

In this section, you create a virtual network, a VPN gateway, and the local network gateway resources to correspond to the resources shown in Diagram 1.

To create these resources, use the steps in the Site-to-Site Tutorial article. Complete the following sections of the article, but don't create any connections.


When using the steps in the following articles, do not create the connection resources in the articles. The operation will fail because the IP address spaces are the same between the VNet, Branch 1, and Branch 2. Use the steps in the following section to create the NAT rules, then create the connections with the NAT rules.

The following screenshots show examples of the resources to create.

  • VNet

    Screenshot showing VNet address space.

  • VPN gateway

    Screenshot showing the gateway.

  • Branch 1 local network gateway

    Screenshot showing Branch 1 local network gateway.

  • Branch 2 local network gateway

    Screenshot showing Branch 2 local network gateway.

Part 2: Create NAT rules

Before you create connections, you must create and save NAT rules on the VPN gateway. The following table shows the required NAT rules. Refer to Diagram 1 for the topology.

NAT rules table

Name Type Mode Internal External Connection
VNet Static EgressSNAT Both connections
Branch_1 Static IngressSNAT Branch 1 connection
Branch_2 Static IngressSNAT Branch 2 connection

Use the following steps to create all the NAT rules on the VPN gateway.

  1. In the Azure portal, navigate to the Virtual Network Gateway resource page and select NAT Rules.

  2. Using the NAT rules table, fill in the values.

    Screenshot showing NAT rules.

  3. Click Save to save the NAT rules to the VPN gateway resource. This operation can take up to 10 minutes to complete.

In this section, you create the connections, and then associate the NAT rules with the connections to implement the sample topology in Diagram 1.

1. Create connections

Follow the steps in Create a site-to-site connection article to create the two connections as shown in the following screenshot:

Screenshot showing the Connections page.

2. Associate NAT rules with the connections

In this step, you associate the NAT rules with each connection resource.

  1. In the Azure portal, navigate to the connection resources, and select Configuration.

  2. Under Ingress NAT Rules, select the NAT rules created previously.

    Screenshot showing the configured NAT rules.

  3. Click Save to apply the configurations to the connection resource.

  4. Repeat the steps to apply the NAT rules for other connection resources.

  5. If BGP is used, select Enable BGP Route Translation in the NAT rules page and click Save. Notice that the table now shows the connections linked with each NAT rule.

    Screenshot showing Enable BGP.

After completing these steps, you'll have a setup that matches the topology shown in Diagram 1.

NAT limitations


There are a few constraints for the NAT feature.

  • NAT is supported on the following SKUs: VpnGw2~5, VpnGw2AZ~5AZ.
  • NAT is supported for IPsec/IKE cross-premises connections only. VNet-to-VNet connections or P2S connections aren't supported.
  • NAT rules can't be associated with connection resources during the create connection process. Create the connection resource first, then associate the NAT rules in the Connection Configuration page.
  • Address spaces for different local network gateways (on-premises networks or branches) can be the same with IngressSNAT rules to map to nonoverlapping prefixes as shown in the configuration for Diagram 1 in the NAT configuration article.
  • NAT rules aren't supported on connections that have Use Policy Based Traffic Selectors enabled.
  • The maximum supported external mapping subnet size for Dynamic NAT is /26.
  • NAT configuration isn't available for Dynamic NAT.
  • Port ranges can't be entered at this time. Individual ports need to be entered. Port ranges can be configured with Static NAT types only. This can be configured for Static NAT type only.
  • Port mappings can be used for both TCP and UDP protocols.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.