Migrate site-to-site VPN from VPN Gateway to Virtual WAN and retain public IP address

Blair, Robert 0 Reputation points
2025-10-16T13:43:36.66+00:00

I am trying to migrate our site-to-site VPN from VPN Gateway to Virtual WAN. I have been doing some research on the re-use of the public IP address used for the VPN. What I found is that the only way we can do this is to set up a NAT on the firewall for the current public address to the Virtual WAN.

Has anybody used this setup and/or have any other recommendations?

Thanks.

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.

2 answers

  1. Priya ranjan Jena 1,990 Reputation points Microsoft External Staff Moderator
    2025-10-17T13:57:31.6733333+00:00

    Hi Blair,

    Thanks for the reply.

    Does this setup require our on-prem to support NAT-T?

    • NAT-T (NAT Traversal) is generally required when IPsec VPN traffic needs to traverse a NAT device. In your scenario, since you plan to reuse the existing public IP by setting up NAT on your firewall, the VPN traffic will indeed pass through a NAT device.
    • Azure Virtual WAN supports IPsec/IKE (IKEv1 and IKEv2) for site-to-site VPNs, and NAT-T is part of the IPsec standard for handling NAT scenarios.
    • Therefore, your on-prem VPN device must support NAT-T if you are doing NAT on the firewall for the public IP reuse. Without NAT-T, IPsec tunnels typically fail when NAT is present.

    Reference link: https://learn.microsoft.com/en-us/azure/virtual-wan/nat-rules-vpn-gateway

    Is BGP routing supported?

    • Yes, BGP is supported with Azure Virtual WAN site-to-site VPN connections.
    • You can enable BGP on the VPN gateway and configure BGP peering with your on-premises device.

    Hope you find this comment helpful. Please “up-vote” for the information provided; this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks

    1 person found this answer helpful.

  2. Priya ranjan Jena 1,990 Reputation points Microsoft External Staff Moderator
    2025-10-16T16:58:43.7066667+00:00

    Hi Blair, Robert,

    Welcome to Microsoft Q&A forum.

    Yes, you are correct that setting up a NAT on the firewall can allow you to reuse your public IP address as you switch to Virtual WAN.

    This essentially allows traffic to be redirected from the old public IP address to the new Virtual WAN setup.

    Below you can follow some of the specific steps to understand the setup:

    1. Set up the NAT Rules: You can configure your on-premises firewall to perform NAT. This means any traffic directed to your existing public IP address should be rerouted to the new WAN configuration.
    2. Create VPN Sites in Virtual WAN: Make sure to create the necessary VPN sites in your Virtual WAN before configuring the new connections. This process typically involves:
      • Navigating to your Virtual WAN.
      • Selecting 'VPN sites' and then '+Create site'.
      • Filling out the required information such as region, name, etc.
    3. Link Your On-Premises Device: Ensure that the public IP address you plan to keep is correctly linked to your on-premises device in the new Virtual WAN setup.
    4. Monitor Connectivity: As you switch over, it's crucial to monitor the connectivity carefully. You might need to perform packet captures or consult the diagnostics available in Azure to ensure everything is functioning properly.
    5. Test the Setup: Before fully transitioning, we recommend testing the setup with a dedicated environment to validate that all configurations, including connectivity and NAT, are performing as expected.

    Some reference links to follow:

    https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal

    https://learn.microsoft.com/en-us/azure/virtual-wan/nat-rules-vpn-gateway

    https://learn.microsoft.com/en-us/azure/virtual-wan/migrate-from-hub-spoke-topology

    Hope you find this comment helpful. If yes, please “up-vote” for the information provided; this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks
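
An added example, not part of either answer above: a small classifier for the packet captures mentioned in the monitoring step, showing how to tell from the firewall's outside interface whether the tunnel actually negotiated NAT-T. It relies on the standard framing (IKE on UDP 500, NAT-T on UDP 4500 with a 4-byte zero marker before IKE and a 1-byte `0xFF` keepalive, native ESP as IP protocol 50); the tuple layout, verdict labels and sample packets are assumptions constructed for illustration.

```python
from collections import Counter

IKE_PORT, NATT_PORT = 500, 4500   # UDP ports for IKE and NAT-T (RFC 3947/3948)
ESP, UDP = 50, 17                 # IP protocol numbers

def classify(proto, sport, dport, payload):
    """Label one packet seen on the firewall's outside interface."""
    if proto == ESP:
        return "esp-native"              # raw ESP has no ports for a NAT to rewrite
    if proto != UDP:
        return "other"
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"      # 1-byte keepalive holds the NAT mapping open
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"            # 4 zero bytes = non-ESP marker, IKE follows
        if len(payload) >= 8:
            return "esp-in-udp"          # non-zero SPI first: UDP-encapsulated ESP
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike"
    return "other"

def assess(packets):
    """Return (verdict, counts) for a list of (proto, sport, dport, payload)."""
    counts = Counter(classify(*p) for p in packets)
    if counts["esp-in-udp"]:
        verdict = "natt-active"
    elif counts["esp-native"]:
        verdict = "native-esp"           # expect failure if a NAT sits in the path
    elif counts["ike"] or counts["ike-natt"]:
        verdict = "ike-only"             # negotiation seen, no tunnel data yet
    else:
        verdict = "no-ipsec"
    return verdict, counts

# Constructed sample captures (payload bytes are made up, not real traffic).
SPI = bytes.fromhex("c0ffee01")
WITH_NATT = [
    (UDP, 500, 500, b"\x11" * 28),                      # initial IKE exchange on 500
    (UDP, 4500, 4500, b"\x00" * 4 + b"\x11" * 28),      # IKE floated to 4500
    (UDP, 4500, 4500, SPI + b"\x00\x00\x00\x01" + b"\xaa" * 32),
    (UDP, 4500, 4500, b"\xff"),
]
WITHOUT_NATT = [
    (UDP, 500, 500, b"\x11" * 28),
    (ESP, 0, 0, SPI + b"\x00\x00\x00\x01" + b"\xaa" * 32),
]

if __name__ == "__main__":
    for name, cap in (("with NAT-T", WITH_NATT), ("without NAT-T", WITHOUT_NATT)):
        print(name, *assess(cap))
```

A `native-esp` or long-lived `ike-only` verdict on a path that includes the firewall NAT points at the on-premises device not negotiating NAT-T.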

