How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN?

Faisal Kabeer 40

I have established a Site-to-Site VPN connection with my client, and it is active. However, when using my VM in the default subnet, I am unable to access the client's system because the client has permitted only one IP address. Therefore, I need to configure NAT on my VM subnets to route traffic through the allowed IP address to reach the client.

How can I NAT my source address in Azure?

Deepanshu katara 12,965 Reputation points

2025-01-21T13:29:53.76+00:00
Hello, Welcome to MS Q&A

To configure NAT on VM subnets in Azure to route traffic through a specific IP address, you can follow these general steps:

Create a NAT Gateway Service: Set up a NAT gateway in your Azure environment. This will allow you to manage outbound connectivity for your VM subnets.

Associate the NAT Gateway with Subnets: Once the NAT gateway is created, associate it with the specific subnets where your VMs are located. This will enable the VMs in those subnets to use the NAT gateway for outbound traffic.

Configure IP Forwarding: For the virtual machines that need to route traffic through a specific IP address, ensure that IP forwarding is enabled on the network interface of the VM. This allows the VM to send traffic through the NAT gateway.

Set Up Routing: If necessary, configure the routing on the VM to ensure that traffic is directed through the NAT gateway. This may involve setting up appropriate routes in the VM's operating system.

Testing Connectivity: After configuration, test the outbound connectivity from the VM to ensure that traffic is being routed correctly through the specified IP address.

For detailed steps and examples, you can refer to the Azure documentation on configuring NAT gateways and managing IP configurations.

References:

Tutorial: Use a NAT gateway with a hub and spoke network

Assign private IP address prefixes to virtual machines using the Azure portal - Preview

Assign multiple IP addresses to virtual machines using the Azure portal

Please let us know if any questions

Kindly accept answer if it helps

Thanks

Deepanshu
Faisal Kabeer 40 Reputation points

2025-01-21T16:09:53.1366667+00:00

@Deepanshu katara

So will it be a 2 way communication?

Because my requirement is my VM's in the default subnet is acting as a jumpserver, where engineer's will access access my VM's from which they will take RDP to client system. So will this be possible after configuring NAT Gateway?
Faisal Kabeer 40 Reputation points

2025-01-21T16:12:26.4033333+00:00

Okay so is it a 02 way communication?

My requirement is the VM's on my default subnet will be acting as a Jumpserver, where our engineer's log into it and take RDP to client systems. So does configuring NAT Gateway make it possible?
Rohith Vinnakota 2,180 Reputation points Microsoft Vendor

2025-01-21T16:58:02.4933333+00:00

Hi @Faisal Kabeer,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Okay so is it a 02 way communication? My requirement is the VM's on my default subnet will be acting as a Jumpserver, where our engineer's log into it and take RDP to client systems. So does configuring NAT Gateway make it possible?

It not possible.

Refer this doc:

https://learn.microsoft.com/en-us/azure/nat-gateway/faq#can-a-nat-gateway-be-used-to-connect-inbound

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith
Rohith Vinnakota 2,180 Reputation points Microsoft Vendor

2025-01-22T15:14:51.7033333+00:00

Hi @Faisal Kabeer ,

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Regards,

Rohith.
Faisal Kabeer 40 Reputation points

2025-01-23T05:02:32.43+00:00

Rohith Vinnakota

So my requirement is have the VPN connected with the Client network and then the subnet where my VM's are in (Default subnet) to be able to connect with the clients system (engineer log into our server and from our server they RDP to client system). So I need my VM subnet to be translated to a single IP which will be allowed in there ACL. So can you suggest me a solution for this or does NAT Gateway fix this issue?
Faisal Kabeer 40 Reputation points

2025-01-24T04:49:21.23+00:00

@Rohith Vinnakota @Deepanshu katara

So my requirement is have the VPN connected with the Client network and then the subnet where my VM's are in (Default subnet) to be able to connect with the clients system (engineer log into our server and from our server they RDP to client system). So I need my VM subnet to be translated to a single IP which will be allowed in there ACL. So can you suggest me a solution for this or does NAT Gateway fix this issue?
Rohith Vinnakota 2,180 Reputation points Microsoft Vendor

2025-01-24T10:20:47.9066667+00:00
Hi @Faisal Kabeer,

Sorry for delay.

You can achieve this using Azure Firewall. First, create the firewall and the route table to direct all on-premises traffic through the firewall. Then, create a DNAT rule in the firewall.

How to create firewall refer this doc: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy#deploy-the-firewall-and-policy

How to create the route table: https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

Please associate this route table with the default VM subnet.

In the firewall we have to create the DNAT rule.

Configure a NAT rule

Select Add NAT rule collection.

For Name, type RC-DNAT-01.

For Priority, type 200.

Under Rules, for Name, type RL-01.

For Protocol, select TCP.

For Source type, select IP address.

For Source, type your default subnet ip.

For Destination Addresses, type the firewall's public or private IP address.

For Destination ports, type 3389.

For Translated Address type the private IP address for the Srv-Workload virtual machine.

For Translated port, type 3389.

Select Add.

Refer this doc: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat

Using the private of the firewall you can connect the client system.

Note: If use firewall you have to allow necessary traffic.

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Regards,

Rohith
Rohith Vinnakota 2,180 Reputation points Microsoft Vendor

2025-01-27T16:39:21.57+00:00

Hi @Faisal Kabeer ,

Greetings!

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Regards,

Rohith.
Faisal Kabeer 40 Reputation points

2025-01-27T16:55:39.66+00:00

Hi @Rohith Vinnakota

So as per your solution using Azure Firewall and creating a DNAT Policy translates Inbound Traffic to a Translated Address. My Requirement is I need my Outbound Traffic's of my VM Subnet to NAT so then I only have to provide my On Prem Client the NAT Address.

So Example lets says my Default Subnet (Where my VM's sit) is - 10.0.0.0/26

I need the outbound traffic of my VM to go as a NAT Address - 172.15.16.0/30 instead of using the subnet address 10.0.0.0/26. So then I only have to provide my client 172.15.16.0/30 so they can allow this address on their network.
Faisal Kabeer 40 Reputation points

2025-01-27T16:56:32.65+00:00

Hi @Rohith Vinnakota So as per your solution using Azure Firewall and creating a DNAT Policy translates Inbound Traffic to a Translated Address. My Requirement is I need my Outbound Traffic's of my VM Subnet to NAT so then I only have to provide my On Prem Client the NAT Address. So Example lets says my Default Subnet (Where my VM's sit) is - 10.0.0.0/26 I need the outbound traffic of my VM to go as a NAT Address - 172.15.16.0/30 instead of using the subnet address 10.0.0.0/26. So then I only have to provide my client 172.15.16.0/30 so they can allow this address on their network.
Faisal Kabeer 40 Reputation points

2025-01-28T12:53:39.7566667+00:00

@Rohith Vinnakota Any sugestions?

Accepted answer

KapilAnanth-MSFT 48,571 Reputation points Microsoft Employee

2025-01-29T12:04:28.24+00:00
Faisal Kabeer,

Greetings.

Points to Note:

Azure does not have an out of the box Private Traffic NAT Solution as of today.

Azure NAT Gateway is used for Internet Bound communications, not for S2S traffic

There are 2 options you can consider,

1.

You can consider using Dynamic NAT on Azure VPN Gateway

When Dynamic NAT rules are used, traffic is unidirectional which means communication must be initiated from the site that is represented in the Internal Mapping field of the rule. If traffic is initiated from the External Mapping, the connection will not be established.

You should use an EgressSNAT Rule

If you require bidirectional traffic initiation, then use a static NAT rule to define a 1:1 mapping. (But static NAT would have a wider Address range)

You can also use the Azure Firewall SNAT ***with private IP address ranges *and not DNAT

Again, this requires that the OnPrem (Destination) whitelist the entire AzureFirewallSubnet range

As Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet range

The AzureFirewallSubnet should be a minimum of /26 - meaning, you should whitelist the 62 IP Addresses that are part of the /26 AzureFirewallSubnet

Hope this is clear.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Faisal Kabeer 40 Reputation points

2025-01-29T12:27:16.4133333+00:00

Thank you this was clear enough

KapilAnanth-MSFT 48,571 Reputation points Microsoft Employee

2025-01-29T12:38:29.4+00:00

@KapilAnanth-MSFT ,

You're welcome. Glad we could be of assistance.

Please Accept an answer if it helps, as original posters help the community find answers faster by identifying the correct answer.

And, if you have any further query do let us know.

Thanks,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN?

0 additional answers

Your answer