Hi All,
Currently have a requirement to set up a VPN connection from our Azure subscription to a 3rd party, but they require all traffic from Azure to be NAT'ed through one private IP.
The requests will be coming only from Azure, over the VPN to the 3rd party.
I'm not fully versed in all the options on Azure and I can't see an obvious way to do this currently.
I've looked at the VPNs; the w2-5 ones appear to offer NAT translation of IP ranges rather than all through one IP.
NAT Gateway requires a public IP, presumably because it goes onto the internet rather than through a VPN.
Are there other options that can handle this?
Thanks
CentOS or Debian VM with masquerading. A cheap, simple and reliable solution. Set your default route to route through it.
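A worked version of the Linux NAT-VM suggestion above, added here as an example; it is not code from the thread or from any Azure project. Every address, interface and resource name in it is an assumed value for illustration. It emits the iptables rules that pin the source of all VNet-to-partner traffic to one private IP (SNAT --to-source rather than MASQUERADE, so the exact whitelisted address is used instead of whatever primary address the interface happens to have), plus the Azure-side steps the VM needs: IP forwarding enabled on its NIC, and a user-defined route on the source subnet pointing the partner prefix at the VM. The rules are scoped to the partner prefix rather than a default route, so only that traffic transits the VM.

```shell
#!/bin/sh
# Added example, not code from the thread. All values are assumptions:
#   vnet_cidr   10.120.0.0/16    address space whose traffic must be NATed
#   partner_net 192.168.50.0/24  partner prefix reachable over the VPN
#   vpn_if      eth0             VM NIC facing the gateway subnet
#   nat_ip      10.120.2.4       the single IP the partner expects; it must be an
#                                address configured on the VM's NIC (primary or a
#                                secondary IP configuration), or SNAT will emit
#                                packets the fabric has no return path for

# Emit the kernel/iptables commands for the NAT VM.
# SNAT --to-source pins the rewritten source; MASQUERADE would pick the
# outgoing interface's primary address, which is not necessarily the one
# the partner whitelisted. conntrack handles the reverse translation and
# also tracks ICMP echo, so ping from VNet hosts is translated too.
nat_rules() {
  vnet_cidr=$1 partner_net=$2 vpn_if=$3 nat_ip=$4
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s ${vnet_cidr} -d ${partner_net} -o ${vpn_if} -j SNAT --to-source ${nat_ip}
iptables -P FORWARD DROP
iptables -A FORWARD -s ${vnet_cidr} -d ${partner_net} -o ${vpn_if} -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the source IP the generated rule set will stamp on outbound packets,
# so a reviewer can confirm it matches what the partner expects.
snat_source() {
  nat_rules "$@" | sed -n 's/.*--to-source \([0-9.]*\).*/\1/p'
}

# Emit the Azure-side steps (az CLI; resource names are assumed):
#  - IP forwarding on the VM NIC, otherwise the fabric drops packets whose
#    addresses are not the NIC's own;
#  - a UDR on the source subnet's route table sending the partner prefix
#    to the VM as a virtual appliance. nat_vm_ip is the VM's primary IP.
azure_steering_cmds() {
  rg=$1 nic=$2 route_table=$3 partner_net=$4 nat_vm_ip=$5
  cat <<EOF
az network nic update --resource-group ${rg} --name ${nic} --ip-forwarding true
az network route-table route create --resource-group ${rg} --route-table-name ${route_table} --name to-partner --address-prefix ${partner_net} --next-hop-type VirtualAppliance --next-hop-ip-address ${nat_vm_ip}
EOF
}

# Usage on the VM (review the output first, then apply as root):
#   nat_rules 10.120.0.0/16 192.168.50.0/24 eth0 10.120.2.4 | sudo sh
# From a workstation with az logged in:
#   azure_steering_cmds rg-vpn nic-natvm rt-webapp 192.168.50.0/24 10.120.2.4 | sh
```

The iptables rules and the sysctl are not persistent across reboots on their own; save them with the distribution's mechanism (iptables-persistent / iptables-services, and a sysctl.d drop-in). The VM is a single point of failure for all partner traffic, so monitor it and decide early whether a second VM behind an internal load balancer is needed.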
So the requirements are:
- Source NAT from private IP to private IP
- Forward the traffic to the VPN gateway
I would suggest Azure Firewall in this case; it can source NAT internal IPs depending on your requirement.
For routing the traffic, if the Firewall VNet is the same as the VPN Gateway VNet it will have the VPN in its default route table; other options would be to peer the VNets and make the FW VNet use the remote gateway VNet, or manually with UDRs.
If your traffic source is a web app it makes no difference; you need to use VNet integration to make sure the traffic originates from within your VNet and then treat it just like any other connection.
Implement an internal load balancer, give it a private IP and configure your VMs behind it.
Have to setup rules for the different apps on the VMs, but this could be an option??
What's the restriction by them for a single private IP rather than a range? Are they doing it to try and avoid address conflicts with other clients? Using BGP?
You could use a forward proxy server.
Yep, looks like this is significantly cheaper than even the basic Azure Firewall.
Will have to explore how, as I've only ever dabbled when needed on Linux.
Thanks for the suggestion
Thanks, I'll have a look at putting an Azure Firewall in the same VNet as the Web App & VPN.
Currently the VPN gateway is in 10.120.0.0/24 and the web app in 10.120.1.0/24.
Guessing I can drop the firewall in either subnet and use a route table to route through it.
Does a load balancer work on egress?
The requests will be coming from an Azure web app, not a VM in this case, sent out to the 3rd party application.
Not using BGP currently.
Yes, I think it's to avoid address conflicts on their side, as we already have an onsite VPN connection to them and they were stubborn/resistant when adding our local subnets to the connection.
Using BGP
You could use a range with an IP mask of /32 bits, which would be a single IP.
This is what I have had to use for several environments, as the Azure NAT solution was unreasonably expensive or wouldn't NAT things like ICMP, which I found annoying. However, keep your monitoring and redundancy in mind. This could easily turn into a bad SPOF.
Except it's not scalable or resilient. Do you need redundancy or the ability to scale horizontally? Then at the very least you need 2 VMs, and an Azure load balancer is required to sit in front of them.
Damn, doesn't seem to; apologies for bad recommendations based on the Web App use.
Unsure what else? Maybe a Private Link setup?? I have seen configs used for services to access on-prem resources over a VPN??
No problem, I'll explore Private Link.
Thanks