I'm trying to establish a site-to-site VPN connection between my Azure VNet and an on-premises network. The company I'm connecting with only accepts one private IP address from me to add to their traffic selectors configuration.
In the image below, I have two VMs that need to communicate with the on-premises services through the VPN gateway. Given the limitation of a single IP address, what would be the best way to set this up? Should I use the VPN Gateway's private IP address and add it to the traffic selectors?
Here are the details:
Azure VNet: Configured with two VMs that need to communicate. On-premises VNet: Accepts only one private IP to configure for traffic selectors. How can I make this setup work with just one private IP, and is using the VPN Gateway's private IP address a valid approach?
Any help or suggestions would be greatly appreciated!
asked Jan 31 at 11:02 by Holy semicolon
- You can use the VPN Gateway's private IP address for traffic selectors. The VPN Gateway has a private IP address assigned to it in your Azure Virtual Network (VNet). When you set up the site-to-site VPN, you will configure the on-premises firewall or VPN appliance to use this private IP as the traffic selector for inbound and outbound communication over the VPN. – Venkat V Commented Jan 31 at 12:58
- If you have a requirement for more complex traffic selectors or need to use multiple IPs, you could set up a NAT Gateway or a similar solution that can translate traffic from multiple VMs to a single IP address. – Venkat V Commented Jan 31 at 13:02
- @VenkatV thank you for your valuable information, but by doing the first approach, is it going to allow the two VMs to communicate with on-premises without any added configurations, like editing their inbound and outbound rules? – Holy semicolon Commented Jan 31 at 15:28
1 Answer
How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
If you want to use a single IP address for on-premises connectivity, you can use Dynamic NAT on Azure VPN Gateway. This will route traffic to the on-premises network using a single IP address within the private network.
When dynamic NAT rules are used in Azure VPN Gateway, the traffic is unidirectional, which means that communication must be initiated from the site that is represented in the internal mapping field of the rule. If traffic is initiated from the external mapping, the connection will not be established.
If you require bidirectional communication, then you can use a static NAT rule to define a 1:1 mapping.
Note: static NAT would have a wider address range.
Reference: How can I configure NAT on my VM subnets to route traffic through a single allowed IP address for accessing the client's system via the Site-to-Site VPN? by KapilAnanth-MSFT
(Image: NAT mode: ingress & egress)
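To make the dynamic-versus-static distinction in the answer concrete, here is an added example (not part of the original answer or of any Azure tooling) that models how the two NAT rule types on the VPN Gateway translate addresses for the two VMs in the question. The subnet 10.1.1.0/24, the VM addresses 10.1.1.4 and 10.1.1.5, and the external prefixes 192.168.50.10/32 and 192.168.50.0/24 are constructed for illustration. The dynamic rule hides both VMs behind the single address the on-premises side has in its traffic selector, but no session can be started from on-premises; the static rule is a 1:1 mapping and therefore needs an external prefix as large as the internal one, which is the "wider address range" the answer mentions.

```python
"""Toy model of Azure VPN Gateway NAT rule semantics (added example, not from
the original post). All addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    rule_type: str                    # "Dynamic" or "Static"
    internal: ipaddress.IPv4Network   # VNet-side prefix (what the VMs really use)
    external: ipaddress.IPv4Network   # prefix the on-premises peer puts in its traffic selector

    def __post_init__(self) -> None:
        if self.rule_type not in ("Dynamic", "Static"):
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        # A static rule is a 1:1 mapping, so both prefixes must be the same size.
        if self.rule_type == "Static" and self.internal.num_addresses != self.external.num_addresses:
            raise ValueError("static NAT needs equally sized internal and external prefixes")


def snat_egress(rule: NatRule, src: str) -> Optional[ipaddress.IPv4Address]:
    """VNet VM -> on-premises: the source address the peer sees, or None if the rule does not apply."""
    src_ip = ipaddress.IPv4Address(src)
    if src_ip not in rule.internal:
        return None
    if rule.rule_type == "Static":
        # 1:1 translation that preserves the host offset within the prefix.
        offset = int(src_ip) - int(rule.internal.network_address)
        return rule.external[offset]
    # Dynamic: every internal host is hidden behind the (single) external address;
    # the gateway keeps sessions apart by port translation.
    return rule.external[0]


def dnat_ingress(rule: NatRule, dst: str) -> Optional[ipaddress.IPv4Address]:
    """On-premises -> VNet: the VM a packet sent to `dst` reaches, or None if no session can be built."""
    dst_ip = ipaddress.IPv4Address(dst)
    if dst_ip not in rule.external:
        return None
    if rule.rule_type == "Dynamic":
        # Dynamic NAT is unidirectional: a translation entry exists only after a VM
        # initiates, so a connection started from on-premises is dropped.
        return None
    offset = int(dst_ip) - int(rule.external.network_address)
    return rule.internal[offset]


# Constructed sample topology: two VMs in one VNet subnet.
VNET_VMS = ["10.1.1.4", "10.1.1.5"]

# Single allowed address on the on-premises side -> dynamic rule.
DYNAMIC_RULE = NatRule("egress-single-ip", "Dynamic",
                       ipaddress.ip_network("10.1.1.0/24"),
                       ipaddress.ip_network("192.168.50.10/32"))

# Bidirectional requirement -> static rule with an equally sized external prefix.
STATIC_RULE = NatRule("bidir-one-to-one", "Static",
                      ipaddress.ip_network("10.1.1.0/24"),
                      ipaddress.ip_network("192.168.50.0/24"))


def flows(rule: NatRule) -> dict:
    """Summarise, per VM, what the peer sees and whether the peer can initiate a connection back."""
    summary = {}
    for vm in VNET_VMS:
        seen_as = snat_egress(rule, vm)
        callback = dnat_ingress(rule, str(seen_as)) if seen_as is not None else None
        summary[vm] = {
            "peer_sees": str(seen_as) if seen_as is not None else None,
            "peer_can_initiate_to_vm": callback is not None,
        }
    return summary


if __name__ == "__main__":
    for rule in (DYNAMIC_RULE, STATIC_RULE):
        print(rule.name, rule.rule_type, flows(rule))
```

On a real gateway the equivalent objects are created with the Azure CLI (`az network vnet-gateway nat-rule add` with `--type Dynamic` or `--type Static`, `--mode EgressSnat` or `--mode IngressSnat`, `--internal-mappings` and `--external-mappings`) and then attached to the connection with the `--egress-nat-rule` / `--ingress-nat-rule` options of `az network vpn-connection create`; the model above only reproduces the resulting address behaviour, not the provisioning.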