How to do NAT on Azure VPN Gateway
What is NAT
NAT is method to translate the one IP address to another IP address in an IP packet. There are multiple Scenarios for NAT, that we use in Enterprise Network.
- To Connect Multiple Network with overlapping IP address
- To Connect from Network with Private IP address to Internet
- Connect IPV6 address network to IPv4 network via NAT64 method.
Azure VPN gateway can be used to support the first scenario to connect the On-Premises network or branch offices to Azure Virtual network with Overlapping Ip address. In this Gateway NAT64 and Internet breakout are NOT supported.
There are two types of NAT rules.
Static NAT: This rule defines one to one mapping relationship between IP addresses. For a Given IP address it will be mapped to same IP address in target pool. Static NAT is stateless because mapping is fixed.
Dynamic NAT: In this rule, an IP address can be translated to different IP address based on availability or with different combination of IP address and TCP/UDP port (this is also called as NAPT: network address and Port translation).
When Dynamic NAT is used, traffic is unidirectional, but if you require both side (bidirectional traffic initiation), use Static NAT to define 1:1 mapping.
If the target pool size is same as original address pool, use Static NAT rule to define 1:1 mapping in sequential order. But in case if target pool is smaller than original address Pool, use Dynamic NAT rule to accommodate the IP shortage.
- NAT is supported on below SKUs: VpnGW2~5, VpnGW2AZ~5AZ.
- NAT is supported on IPSec Cross-Premises connection only. Vnet-to-Vnet connection or P2S connection are not supported.
NAT Mode: Ingress & Egress:
Ingress: An Ingress SNAT rule maps an On-premises network address space to a translated address space to avoid address Overlap.
Egress: An Egress SNAT rule maps the Azure address space to another translated address space.
For Each NAT rule, following two fields specify the address spaces before and after the translation.
Internal Mapping: This is the address space before the translation. For an Ingress rule, this field corresponds to the original address space of the On-premises network. For an egress Rule, this is the original Vnet address Space.
External Mapping: This is the address space after the translation for On-premises network (ingress) or Vnet (egress). For Different networks connected to an Azure VPN Gateway, the address spaces for all External Mapping must not overlap with each other and with the network connected without NAT.
NAT & Routing:
Once a Nat rule is defined for a connection, the effective address space for the connection will change with the rule. If BGP is enabled on the Azure VPN Gateway, Select the "Enable BGP Route Translation" to automatically convert the routes learned and advertised on connections with NAT rules:
- Learned routes: The destination prefixes of the routes learned over a connection with the Ingress SNAT rules will be translated from the Internal Mapping prefixes (pre-NAT) to the External Mapping prefixes (post-NAT) of those rules.
- Advertised routes: Azure VPN gateway will advertise the External Mapping (post-NAT) prefixes of the Egress SNAT rules for the VNet address space, and the learned routes with post-NAT address prefixes from other connections.
- BGP peer IP address consideration for a NAT ‘ed on-premises network:
- APIPA (169.254.0.1 to 169.254.255.254) address: NAT isn't supported with BGP APIPA addresses.
- Non-APIPA address: Exclude the BGP Peer IP addresses from the NAT range.
The Learned routes on connection without Ingress SNAT rule will not ne converted. The VNet route advertised to connection without Egress SNAT rule will also not be converted.