How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN?

Faisal Kabeer 20

I have established a Site-to-Site VPN connection with my client, and it is active. However, when using my VM in the default subnet, I am unable to access the client's system because the client has permitted only one IP address. Therefore, I need to configure NAT on my VM subnets to route traffic through the allowed IP address to reach the client.

How can I NAT my source address in Azure?

Deepanshu katara 12,965 Reputation points

2025-01-21T13:29:53.76+00:00
Hello, Welcome to MS Q&A

To configure NAT on VM subnets in Azure to route traffic through a specific IP address, you can follow these general steps:

Create a NAT Gateway Service: Set up a NAT gateway in your Azure environment. This will allow you to manage outbound connectivity for your VM subnets.

Associate the NAT Gateway with Subnets: Once the NAT gateway is created, associate it with the specific subnets where your VMs are located. This will enable the VMs in those subnets to use the NAT gateway for outbound traffic.

Configure IP Forwarding: For the virtual machines that need to route traffic through a specific IP address, ensure that IP forwarding is enabled on the network interface of the VM. This allows the VM to send traffic through the NAT gateway.

Set Up Routing: If necessary, configure the routing on the VM to ensure that traffic is directed through the NAT gateway. This may involve setting up appropriate routes in the VM's operating system.

Testing Connectivity: After configuration, test the outbound connectivity from the VM to ensure that traffic is being routed correctly through the specified IP address.

For detailed steps and examples, you can refer to the Azure documentation on configuring NAT gateways and managing IP configurations.

References:

Tutorial: Use a NAT gateway with a hub and spoke network

Assign private IP address prefixes to virtual machines using the Azure portal - Preview

Assign multiple IP addresses to virtual machines using the Azure portal

Please let us know if any questions

Kindly accept answer if it helps

Thanks

Deepanshu
Faisal Kabeer 20 Reputation points

2025-01-21T16:09:53.1366667+00:00

@Deepanshu katara

So will it be a 2 way communication?

Because my requirement is my VM's in the default subnet is acting as a jumpserver, where engineer's will access access my VM's from which they will take RDP to client system. So will this be possible after configuring NAT Gateway?
Faisal Kabeer 20 Reputation points

2025-01-21T16:12:26.4033333+00:00

Okay so is it a 02 way communication?

My requirement is the VM's on my default subnet will be acting as a Jumpserver, where our engineer's log into it and take RDP to client systems. So does configuring NAT Gateway make it possible?
Rohith Vinnakota 2,090 Reputation points Microsoft Vendor

2025-01-21T16:58:02.4933333+00:00

Hi @Faisal Kabeer,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Okay so is it a 02 way communication? My requirement is the VM's on my default subnet will be acting as a Jumpserver, where our engineer's log into it and take RDP to client systems. So does configuring NAT Gateway make it possible?

It not possible.

Refer this doc:

https://learn.microsoft.com/en-us/azure/nat-gateway/faq#can-a-nat-gateway-be-used-to-connect-inbound

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith
Rohith Vinnakota 2,090 Reputation points Microsoft Vendor

2025-01-22T15:14:51.7033333+00:00

Hi @Faisal Kabeer ,

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards,

Rohith.
Faisal Kabeer 20 Reputation points

2025-01-23T05:02:32.43+00:00

Rohith Vinnakota

So my requirement is have the VPN connected with the Client network and then the subnet where my VM's are in (Default subnet) to be able to connect with the clients system (engineer log into our server and from our server they RDP to client system). So I need my VM subnet to be translated to a single IP which will be allowed in there ACL. So can you suggest me a solution for this or does NAT Gateway fix this issue?
Faisal Kabeer 20 Reputation points

2025-01-24T04:49:21.23+00:00

@Rohith Vinnakota @Deepanshu katara

So my requirement is have the VPN connected with the Client network and then the subnet where my VM's are in (Default subnet) to be able to connect with the clients system (engineer log into our server and from our server they RDP to client system). So I need my VM subnet to be translated to a single IP which will be allowed in there ACL. So can you suggest me a solution for this or does NAT Gateway fix this issue?

1 answer

Rohith Vinnakota 2,090 Reputation points Microsoft Vendor

2025-01-24T10:20:47.9066667+00:00
Hi @Faisal Kabeer,

Sorry for delay.

You can achieve this using Azure Firewall. First, create the firewall and the route table to direct all on-premises traffic through the firewall. Then, create a DNAT rule in the firewall.

How to create firewall refer this doc: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy#deploy-the-firewall-and-policy

How to create the route table: https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

Please associate this route table with the default VM subnet.

In the firewall we have to create the DNAT rule.

Configure a NAT rule

Select Add NAT rule collection.

For Name, type RC-DNAT-01.

For Priority, type 200.

Under Rules, for Name, type RL-01.

For Protocol, select TCP.

For Source type, select IP address.

For Source, type your default subnet ip.

For Destination Addresses, type the firewall's public or private IP address.

For Destination ports, type 3389.

For Translated Address type the private IP address for the Srv-Workload virtual machine.

For Translated port, type 3389.

Select Add.

Refer this doc: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

Using the private of the firewall you can connect the client system.

Note: If use firewall you have to allow necessary traffic.

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN?

1 answer

Your answer