First of all, I am fairly new to network topics and Azure itself, so I might be overlooking a trivial solution here.
We have a production system in Azure and some of our customers want to connect via S2S VPN to our network.
To achieve this we have a Hub-VNet with an Azure VPN Gateway that is peered to the production VNet to allow communication between the two VNets.
We have the following setup:
- Production-IP: 10.1.0.0/32 = Network A
- Hub-Network: 172.1.0.0/28 = Network B
- Customer-Target-IPs: 10.3.0.96/28 = Network C
We want to communicate only from our production system to the on-premises machine (A => C only).
From this, everything looks fine, but our customer already has the same IPs that Network A allocates in use and therefore cannot accept incoming traffic from the same range; hence we can only communicate between B and C, but not between A and C.
Additionally, they claim that they are not able to NAT the traffic on their VPN device, so we need to find a solution on our side.
The Azure VPN Gateway currently has a preview NAT feature. We tried it as described in the documentation, but unfortunately the VPN tunnel always collapsed after turning on the ingress/egress NAT rules. So this feature is of no help here. If anyone knows what causes this problem, feel free to enlighten me. I think it's caused by some configuration errors on both VPN devices, but debugging this would be time consuming.
Is it possible to do address translation in our internal network? Like translating the source IP from our production cluster to another one? I know that it is possible to do a private-to-public IP translation, as is usually done with SNAT, but for this solution we would need another VPN device, I assume.
Is there any way to solve this problem on our side without moving our production system to a new address space?