Azure VPN connection and public IP


On Azure, http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/

the following is stated in relation to site to site connectivity.

A VPN device with a public IPv4 address. You'll need the IP address in order to complete the wizard.

The VPN device cannot be located behind a network address translator (NAT) and must meet the minimum device standards.

I'm assuming this is accurate, but could anyone confirm? It seems very limiting, since my peer VPN device can support NAT-T. Does the Azure VPN g/w device support IPsec NAT-T?

Is the same restriction applicable to point to site, where my peer is the point and I want to connect/be connected to by the Azure VPN gateway device with the VNet behind the Azure VPN g/w device?

Thank you.

2

There are 2 answers

4
astaykov On

I don't see it to be limiting at all. And yes, this is the case. It is in the official documentation before all.

When talking about Point-to-Site, I believe you misunderstand the service a bit. Azure Point-to-Site connectivity allows a single computer or laptop (named Point) to connect to the Azure VPN Gateway (Site). In that case, the client only has to be connected to the internet.

When you connect to Azure VPN Gateway, you will be part of the whole Azure Virtual Network that Gateway connects.

1
ShieldOfSalvation On

To tell you the truth I am not sure that the Azure VPN gateway device supports IPSec NAT of any kind at all, whether Point-to-Site or Site-to-Site. Below are my findings. My best lead so far is finding #4.

  1. In all my research over the past week, it seems like it’s presently impossible to achieve this with Azure. See https://social.msdn.microsoft.com/Forums/en-US/19eb5ac0-5fb1-4afa-8081-5afc32cb04fd/is-nat-supported-within-an-ipsec-vpn-connection?forum=WAVirtualMachinesVirtualNetwork. According to this, “At the moment there cannot be a IPSec VPN connection established when either of the devices involve NAT. . .you cannot have an on premise VPN device behind a NAT and this cannot be applied on a VNet gateway since customers will not have access to configuring such rules for a VPN gateway.” That was April 2017.

  2. In fact, in February 2017, Microsoft seemed to discard any chances we have of applying NAT over VPN. On their feedback forum at https://feedback.azure.com/forums/217313-networking/suggestions/5525129-please-make-site-to-site-vpn-avaiable-for-devices, an Azure Networking Team member declines the possibility of Site-to-Site VPN for devices behind a NAT. So Site-to-Site is not expected, which is where it makes the most sense because it would help resolve common subnet overlap issues between a cloud virtual network and an on-premises hardware network. I'm not so sure how NAT over VPN would benefit a Point-to-Site situation (what's the application?).

  3. Then, contradictorily as of December 2017 (later that year), Microsoft seems to announce they’re just now in the planning stages to implement this for Azure (see https://feedback.azure.com/forums/217313-networking/suggestions/15488244-offer-nat-as-a-service).

  4. Only on http://nullsession.com/2015/02/02/connecting-to-your-azure-site-to-site-vpn-over-nat/, I found a method from 2017 that is, “unsupported by Microsoft – but works according to RFC.” I’m still processing this but I’m not convinced I should try it because it’s unsupported.

Let me know what you think because I am personally trying to get a satisfactory solution for this too.
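The NAT-T question in the original post turns on how two IKE peers discover a NAT between them in the first place. As an added example, not code from any poster or from Azure, the following Python models the IKEv2 NAT discovery step (RFC 7296 section 2.23) using constructed SPIs and documentation-range addresses: the initiator hashes the addresses it believes are in use, and the responder recomputes the hashes over what it actually sees on the wire.

```python
"""Model the IKEv2 NAT-T discovery step (RFC 7296 section 2.23) to show how a
responder learns whether either side sits behind a NAT. SPIs and addresses are constructed."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | Port), port big-endian."""
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def initiator_payloads(spi_i, spi_r, local_ip, local_port, remote_ip, remote_port):
    """What the initiator sends: hashes over the addresses *it* believes are in use."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, local_ip, local_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, remote_ip, remote_port),
    }


def responder_classify(spi_i, spi_r, payloads, observed_src_ip, observed_src_port,
                       own_ip, own_port):
    """Responder recomputes both hashes over what it actually observes.
    A SOURCE mismatch means the initiator is behind NAT; a DESTINATION
    mismatch means the responder itself is behind NAT."""
    src_ok = payloads["NAT_DETECTION_SOURCE_IP"] == nat_detection_hash(
        spi_i, spi_r, observed_src_ip, observed_src_port)
    dst_ok = payloads["NAT_DETECTION_DESTINATION_IP"] == nat_detection_hash(
        spi_i, spi_r, own_ip, own_port)
    return {"initiator_behind_nat": not src_ok, "responder_behind_nat": not dst_ok}


# Constructed scenario: on-premises device on 192.168.1.10 behind a NAT that rewrites
# its source to 203.0.113.5; the gateway is directly reachable on 198.51.100.7.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
ON_PREM_PRIVATE, NAT_PUBLIC, GATEWAY_PUBLIC = "192.168.1.10", "203.0.113.5", "198.51.100.7"


def demo():
    sent = initiator_payloads(SPI_I, SPI_R, ON_PREM_PRIVATE, 500, GATEWAY_PUBLIC, 500)
    return responder_classify(SPI_I, SPI_R, sent, NAT_PUBLIC, 500, GATEWAY_PUBLIC, 500)


if __name__ == "__main__":
    print(demo())  # {'initiator_behind_nat': True, 'responder_behind_nat': False}
```

A peer that does not support NAT-T simply omits these payloads, so a gateway that requires an un-NATed peer will see the mismatch above and refuse the negotiation.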