Files

.github
.whatsnew
articles
- active-directory-b2c
- active-directory-domain-services
- active-directory
- advisor
- aks
- analysis-services
- api-management
- app-service
- application-gateway
- applied-ai-services
- attestation
- automanage
- automation
- availability-zones
- avere-vfxt
- azure-app-configuration
- azure-arc
- azure-cache-for-redis
- azure-edge-hardware-center
- azure-fluid-relay
- azure-functions
- azure-government
- azure-maps
- azure-monitor
- azure-netapp-files
- azure-percept
- azure-portal
- azure-relay
- azure-resource-manager
- azure-signalr
- azure-sql-edge
- azure-video-analyzer
- azure-video-indexer
- azure-vmware
- azure-web-pubsub
- backup
- baremetal-infrastructure
- bastion
- batch
- blockchain
- cdn
- certification
- chaos-studio
- cloud-services-extended-support
- cloud-services
- cloud-shell
- cloudfoundry
- cognitive-services
- communication-services
- compliance
- confidential-computing
- confidential-ledger
- connectors
- container-apps
- container-instances
- container-registry
- containers
- cosmos-db
- cost-management-billing
- data-catalog
- data-factory
- data-lake-analytics
- data-lake-store
- data-share
- databox-gateway
- databox-online
- databox
- ddos-protection
- dedicated-hsm
- defender-for-cloud
- defender-for-iot
- devops-project
- devtest-labs
- devtest
- digital-twins
- dms
- dns
- docker
- education-hub
- event-grid
- event-hubs
- expressroute
- firewall-manager
- firewall
- frontdoor
- fxt-edge-filer
- genomics
- germany
- governance
- guides
- hdinsight
- healthcare-apis
- hpc-cache
- import-export
- industrial-iot
- industry
- internet-analyzer
- internet-peering
- iot-accelerators
- iot-central
- iot-develop
- iot-dps
- iot-edge
- iot-fundamentals
- iot-hub-device-update
- iot-hub
- key-vault
- kinect-dk
- lab-services
- lighthouse
- load-balancer
- load-testing
- logic-apps
- machine-learning
- managed-grafana
- managed-instance-apache-cassandra
- mariadb
- marketplace
- media
- messaging-services
- migrate
- monitoring
- mysql
- network-function-manager
- network-watcher
- networking
- notification-hubs
- object-anchors
- open-datasets
- openshift
- orbital
- partner-solutions
- payment-hsm
- peering-service
- postgresql
- private-5g-core
- private-link
- private-multi-access-edge-compute-mec
- public-multi-access-edge-compute-mec
- purview
- pytorch-enterprise
- remote-rendering
- resource-mover
- role-based-access-control
- route-server
- scheduler
- search
- security
- sentinel
- service-bus-messaging
- service-connector
- service-fabric
- service-health
- site-recovery
- site-reliability-engineering
- spatial-anchors
- spring-cloud
- sql-database
- sql-server-stretch-database
- static-web-apps
- storage
- storsimple
- stream-analytics
- synapse-analytics
- time-series-insights
- traffic-manager
- virtual-desktop
- virtual-machine-scale-sets
- virtual-machines
- virtual-network-manager
- virtual-network
- virtual-wan
  - media
  - TOC.yml
  - about-client-address-pools.md
  - about-nva-hub.md
  - about-virtual-hub-routing-preference.md
  - about-virtual-hub-routing.md
  - about-vpn-profile-download.md
  - azure-monitor-insights.md
  - certificates-point-to-site.md
  - connect-virtual-network-gateway-vwan.md
  - create-bgp-peering-hub-portal.md
  - cross-tenant-vnet.md
  - disaster-recovery-design.md
  - effective-routes-virtual-hub.md
  - gateway-settings.md
  - global-hub-profile.md
  - how-to-forced-tunnel.md
  - how-to-nva-hub.md
  - how-to-routing-policies.md
  - how-to-virtual-hub-routing.md
  - howto-always-on-device-tunnel.md
  - howto-always-on-user-tunnel.md
  - howto-connect-vnet-hub-powershell.md
  - howto-connect-vnet-hub.md
  - howto-firewall.md
  - howto-openvpn-clients.md
  - howto-private-link.md
  - howto-virtual-hub-routing-preference.md
  - hub-settings.md
  - index.yml
  - interconnect-china.md
  - manage-secure-access-resources-spoke-p2s.md
  - migrate-from-hub-spoke-topology.md
  - monitor-point-to-site-connections.md
  - monitor-virtual-wan.md
  - nat-rules-vpn-gateway-powershell.md
  - nat-rules-vpn-gateway.md
  - openvpn-azure-ad-client-mac.md
  - openvpn-azure-ad-client.md
  - openvpn-azure-ad-mfa.md
  - openvpn-azure-ad-tenant-multi-app.md
  - openvpn-azure-ad-tenant.md
  - packet-capture-site-to-site-portal.md
  - packet-capture-site-to-site-powershell.md
  - path-selection-multiple-links.md
  - point-to-site-ipsec.md
  - pricing-concepts.md
  - quickstart-any-to-any-template.md
  - quickstart-route-shared-services-vnet-template.md
  - scenario-365-expressroute-private.md
  - scenario-any-to-any.md
  - scenario-bgp-peering-hub.md
  - scenario-isolate-virtual-networks-branches.md
  - scenario-isolate-vnets-custom.md
  - scenario-isolate-vnets.md
  - scenario-route-between-vnets-firewall.md
  - scenario-route-through-nva.md
  - scenario-route-through-nvas-custom.md
  - scenario-secured-hub-app-gateway.md
  - scenario-shared-services-vnet.md
  - sd-wan-connectivity-architecture.md
  - site-to-site-powershell.md
  - upgrade-virtual-wan.md
  - virtual-wan-about.md
  - virtual-wan-configure-automation-providers.md
  - virtual-wan-custom-ipsec-portal.md
  - virtual-wan-expressroute-portal.md
  - virtual-wan-faq.md
  - virtual-wan-global-transit-network-architecture.md
  - virtual-wan-ipsec.md
  - virtual-wan-locations-partners.md
  - virtual-wan-point-to-site-azure-ad.md
  - virtual-wan-point-to-site-portal.md
  - virtual-wan-point-to-site-powershell.md
  - virtual-wan-route-table-nva-portal.md
  - virtual-wan-route-table-nva.md
  - virtual-wan-site-to-site-portal.md
  - vpn-over-expressroute.md
  - vpn-profile-intune.md
  - work-remotely-support.md
- visual-studio
- vmware-cloudsimple
- vpn-gateway
- web-application-firewall
- azure-glossary-cloud-terminology.md
- cloud-services-php-create-web-role.md
- dotnet-develop-multitenant-applications.md
- index.yml
- nodejs-use-node-modules-azure-apps.md
- third-party-notices.md
- vs-azure-tools-storage-explorer-accessibility.md
- vs-azure-tools-storage-explorer-blobs.md
- vs-azure-tools-storage-explorer-files.md
- vs-azure-tools-storage-manage-with-storage-explorer.md
- zone-pivot-groups.yml
bread
includes
markdown templates
media
.acrolinx-config.edn
.gitattributes
.gitignore
.markdownlint.json
.openpublishing.build.ps1
.openpublishing.publish.config.json
.openpublishing.redirection.active-directory.json
.openpublishing.redirection.azure-australia.json
.openpublishing.redirection.azure-blob.json
.openpublishing.redirection.azure-monitor.json
.openpublishing.redirection.azure-percept.json
.openpublishing.redirection.azure-productivity.json
.openpublishing.redirection.azure-web-pubsub.json
.openpublishing.redirection.defender-for-cloud.json
.openpublishing.redirection.defender-for-iot.json
.openpublishing.redirection.healthcare-apis.json
.openpublishing.redirection.iot-hub.json
.openpublishing.redirection.json
.openpublishing.redirection.key-vault.json
.openpublishing.redirection.security-benchmark.json
.openpublishing.redirection.sql-database.json
CODEOWNERS
CODE_OF_CONDUCT.md
CONTRIBUTING.md
ISSUE_TEMPLATE
LICENSE
LICENSE-CODE
README.md
ThirdPartyNotices.md
azure-pipelines.yml
docfx.json
service-limits.md

nat-rules-vpn-gateway-powershell.md

Apr 12, 2022

84a25cd · Apr 12, 2022

title	titleSuffix	description	services	author	ms.service	ms.topic	ms.date	ms.author
Configure VPN NAT rules for your gateway using PowerShell	Azure Virtual WAN	Learn how to configure NAT rules for your VWAN VPN gateway using PowerShell.	virtual-wan	cherylmc	virtual-wan	how-to	04/11/2022	cherylmc

Configure NAT Rules for your Virtual WAN VPN gateway using PowerShell

You can configure your Virtual WAN VPN gateway with static one-to-one NAT rules. A NAT rule provides a mechanism to set up one-to-one translation of IP addresses. NAT can be used to interconnect two IP networks that have incompatible or overlapping IP addresses. A typical scenario is branches with overlapping IPs that want to access Azure VNet resources.

This configuration uses a flow table to route traffic from an external (host) IP Address to an internal IP address associated with an endpoint inside a virtual network (virtual machine, computer, container, etc.). In order to use NAT, VPN devices need to use any-to-any (wildcard) traffic selectors. Policy Based (narrow) traffic selectors are not supported in conjunction with NAT configuration.

Prerequisites

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.
This tutorial creates a NAT rule on a VPN gateway that will be associated with a VPN site connection. The steps assume that you have an existing Virtual WAN VPN gateway connection to two branches with overlapping address spaces.

Azure PowerShell

[!INCLUDE PowerShell]

Sign in

[!INCLUDE sign in]

Configure NAT rules

You can configure and view NAT rules on your VPN gateway settings at any time using Azure PowerShell.

:::image type="content" source="./media/nat-rules-vpn-gateway/edit-rules.png" alt-text="Screenshot showing how to edit rules."lightbox="./media/nat-rules-vpn-gateway/edit-rules.png":::

Declare the variables for the existing resources.

$resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" 
$virtualWan = Get-AzVirtualWan -ResourceGroupName "testRG" -Name "myVirtualWAN"
$virtualHub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
$vpnGateway = Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"

Create the new NAT rule to ensure the site-to-site VPN gateway is able to distinguish between the two branches with overlapping address spaces.

You can set the parameters for the following values:
- Name: A unique name for your NAT rule.
- Type: Static or Dynamic. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address. The subnet size for both internal and external mapping must be the same for static.
- Mode: IngressSnat or EgressSnat.
  - IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub’s site-to-site VPN gateway.
  - EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub’s site-to-site VPN gateway.
- Internal Mapping: An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.
- External Mapping: An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.
- Link Connection: Connection resource that virtually connects a VPN site to the Azure Virtual WAN hub's site-to-site VPN gateway.
Syntax
```
New-AzVpnGatewayNatRule 
-ResourceGroupName <String> 
-ParentResourceName <String> 
-Name <String>
[-Type <String>] 
[-Mode <String>] 
-InternalMapping <String[]> 
-ExternalMapping <String[]>
[-InternalPortRange <String[]>] 
[-ExternalPortRange <String[]>] 
[-IpConfigurationId <String>] 
[-AsJob]
[-DefaultProfile <IAzureContextContainer>] 
[-WhatIf] 
[-Confirm] [<CommonParameters>]
```
```
$natrule = New-AzVpnGatewayNatRule -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -Name "testNatRule" -InternalMapping "10.0.0.0/24" -ExternalMapping "1.2.3.4/32" -IpConfigurationId "Instance0" -Type Dynamic -Mode EgressSnat 
```

Declare the variable to create a new object for the new NAT rule.

$newruleobject = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$newruleobject.Id = $natrule.Id

Declare the variable to get the existing VPN connection.

$conn = Get-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw"

Set the appropriate index for the NAT rule in the VPN connection.

$conn.VpnLinkConnections
$conn.VpnLinkConnections[0].EgressNatRules = $newruleobject

Update the existing VPN connection with the new NAT rule.

Update-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -VpnSiteLinkConnection $conn.VpnLinkConnections

Next steps

For more information about site-to-site configurations, see Configure a Virtual WAN site-to-site connection.