I have several VMs within the same virtual network on Microsoft Azure and I plan to connect to a vendor's on-premise site. I have set up a site-to-site IPsec VPN with a public IP and am about to send out the configuration to my vendor.

The issue is, I plan to fire up multiple VMs depending on demand and they all need to connect through the VPN to the vendor. The issue is that the vendor wants a single public IP and host IP and won't accept a range of IPs.

I'm thinking I should be able to NAT all the VM's internal IPs to the public IP so that the on-premise client sees only one IP and respond to the same. Is this the normal behavior or do I have to apply some more configuration?


1 Answer

The issue is that the vendor wants a single public IP and host IP and won't accept a range of IPs.

To establish the site-to-site VPN, the on-premises VPN device needs to allow the inbound traffic from the public IP address of the Azure VPN gateway.

When the S2S VPN is established, VMs on the VNET communicate with the on-premises computers through their private IP addresses. The public IP addresses of these VMs are only used to access the internet.

Is this the normal behavior or do I have to apply some more configuration?

Normally, we won't NAT a subnet if there is no necessary reason to do this. S2S VPN is used to connect subnets which are separated by internet, so that all computers on these subnets can communicate with each other just like they are connected directly.

===========================================================================

Update:

As I have mentioned in the comment below, the public IP address is transparent when the computers communicate through the VPN. The computer on the local network is only able to see the private IP address of the source computer.

VPN works as a bridge across the internet which connects subnets separated by internet. When the VPN has been established, you can think of these subnets as being connected directly.

So, the answer to your question is quite simple, use NAT.

You can build a VM on Azure to perform NAT, so that the source IP address of every outbound packet from these VMs is changed to the private IP address of the NAT VM.

  • Thanks. It seems however that my on-premise host wants to know the private IPs (1 actually) of the VMs and whitelist only this IP address on-premise (and allow same to connect to their downstream servers). I, on the other hand, plan to start multiple VMs (or containers) which can pick any IP in a subnet and let them connect through the VPN. That's why I'm wondering if I could make all the private IPs "appear" as the public IP to the on-premise. Is this possible? – keni Dec 14 '16 at 08:37
  • @Keni The VPN is used to let computers communicate with each other through their private IP addresses. So there are no public addresses involved. The only public IP address is the one used by the Azure VPN gateway, which is used to establish the VPN tunnel. If you want to let all of your VMs use the same IP address as source, you need to perform a NAT on Azure. I'll update my answer later. – Steven Lee - MSFT Dec 14 '16 at 09:48
  • Building a VM to perform NAT seems to be the solution to my issue then. – keni Dec 14 '16 at 11:44
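The NAT VM the answer recommends, worked through as an added example (this is not code from the answer or from Microsoft). It assumes a Linux VM in its own subnet acting as the NAT box, the workload VMs in a separate subnet, and that the vendor prefix is reachable through the S2S tunnel. All addresses, resource-group and resource names are constructed placeholders. The Linux side uses iptables SNAT scoped to the vendor prefix only, so the vendor sees exactly one private source IP and the translation does not touch any other traffic; the FORWARD policy is DROP, and the vendor side can only answer existing connections, which matches the one-way whitelist the vendor asked for. The Azure side needs IP forwarding enabled on the NAT VM's NIC and a route on the workload subnet (never on the NAT VM's own subnet, or the packets loop) that sends vendor-bound traffic to the NAT VM:

```shell
#!/bin/sh
# Added example, not the original answer's code. Makes a Linux VM in the Azure VNet a NAT box
# so every VM-to-vendor packet leaves the tunnel with the NAT VM's single private IP.
# All values below are constructed placeholders.
#
# Usage:  sh nat-vm.sh          # dry run: print the commands for both sides
#         sh nat-vm.sh apply    # run the sysctl/iptables part on the NAT VM itself (as root)

VNET_CIDR="${VNET_CIDR:-10.1.0.0/24}"          # subnet where the workload VMs live (assumed)
VENDOR_CIDR="${VENDOR_CIDR:-192.168.50.0/24}"  # vendor's on-premises range behind the S2S tunnel (assumed)
NAT_IFACE="${NAT_IFACE:-eth0}"                 # NAT VM's NIC towards the VNet / VPN gateway
NAT_IP="${NAT_IP:-10.1.1.4}"                   # NAT VM's private IP: the one address the vendor whitelists

# Linux side. Prints the commands rather than running them so they can be reviewed first.
# Only workload-subnet -> vendor-prefix traffic is translated; the vendor can reply to
# established flows but cannot open new connections into the VNet.
nat_iptables_rules() {
    vnet="$1"; vendor="$2"; iface="$3"; natip="$4"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -s $vnet -d $vendor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $vendor -d $vnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vnet -d $vendor -o $iface -j SNAT --to-source $natip
EOF
}

# Azure side (run from a workstation with the Azure CLI, not on the NAT VM).
# 1. allow the NAT VM's NIC to forward packets it does not own
# 2. user-defined route on the WORKLOAD subnet: vendor prefix -> next hop NAT VM
azure_route_commands() {
    rg="$1"; vnet_name="$2"; workload_subnet="$3"; nat_nic="$4"; vendor="$5"; natip="$6"
    cat <<EOF
az network nic update -g $rg -n $nat_nic --ip-forwarding true
az network route-table create -g $rg -n rt-to-vendor
az network route-table route create -g $rg --route-table-name rt-to-vendor -n vendor-via-nat --address-prefix $vendor --next-hop-type VirtualAppliance --next-hop-ip-address $natip
az network vnet subnet update -g $rg --vnet-name $vnet_name -n $workload_subnet --route-table rt-to-vendor
EOF
}

case "${1:-}" in
    apply)
        # Execute the Linux-side commands on this machine; stop at the first failure.
        nat_iptables_rules "$VNET_CIDR" "$VENDOR_CIDR" "$NAT_IFACE" "$NAT_IP" | sh -e
        ;;
    *)
        echo "# On the NAT VM (as root):"
        nat_iptables_rules "$VNET_CIDR" "$VENDOR_CIDR" "$NAT_IFACE" "$NAT_IP"
        echo
        echo "# From a workstation with the Azure CLI (placeholder resource names):"
        azure_route_commands my-rg my-vnet workload-subnet nat-vm-nic "$VENDOR_CIDR" "$NAT_IP"
        ;;
esac
```

Two things to check after applying it: the address space you give the vendor (and configure in the Azure local network gateway's counterpart on their side) should be just the NAT VM's address, since that is now the only source they will ever see, and the workload VMs' other traffic (internet, other subnets) must still follow the normal system routes, which it does here because the route and the SNAT rule are both limited to the vendor prefix. Because the vendor's devices only see one address, any abuse from one workload VM is indistinguishable at their end from the others, so keep per-VM logging (for example the conntrack table on the NAT VM) if you need to attribute connections later.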