ExpressRoute Private peering and Configure S2S VPN over ExpressRoute as well as configure the NAT for VPN gatewa

Question

ExpressRoute Private peering and Configure S2S VPN over ExpressRoute as well as configure the NAT for VPN gatewa

John Emil Billones 60

Can we Configure a site-to-site VPN over ExpressRoute private peering and Configure NAT for Azure VPN Gateway inside ExpressRoute

Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-09T09:54:26.92+00:00
Hi John Emil Billones,

Welcome to Microsoft Q&A and thank you for posting your query here!

Yes, it is possible to configure a Site-to-Site (S2S) VPN over ExpressRoute private peering, and you can also enable NAT (Network Address Translation) on the Azure VPN Gateway as part of this configuration. However, there are a few key considerations around routing, gateway SKU, and supported scenarios.

Step-by-Step Explanation:

Site-to-Site VPN Over ExpressRoute Private Peering

Azure allows S2S VPN tunnels to run over private peering of an ExpressRoute connection. This is useful when:

You want end-to-end encryption over ExpressRoute.

You require an IPsec tunnel for compliance reasons.

Official Guide: https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

Key Points:

The Azure VPN Gateway must be route-based.

You must enable the gateway's private IP address.

The on-premises VPN device should use the private IP of the Azure VPN gateway as its tunnel peer IP.

NAT Support on Azure VPN Gateway

Azure supports NAT rules (SNAT/DNAT) on VPN Gateway to help translate IP addresses — especially useful if:

You have overlapping address spaces between on-prem and Azure.

You need to present different IP ranges to/from your networks.

Official Guide: https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/nat-howto and

https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/nat-overview

Key Requirements:

Use VpnGw2 SKU or higher (NAT is not supported on Basic).

Only route-based VPNs are supported.

NAT applies only to cross-premises S2S VPNs (not VNet-to-VNet or P2S).

Gateway Configuration Considerations

If you're using both ExpressRoute and VPN:

Make sure the GatewaySubnet is at least /27 to support both gateways.

Refer: https://v4.hkg1.meaqua.org/en-us/azure/expressroute/how-to-configure-coexisting-gateway-portal

You must carefully manage routing:

Azure prefers ExpressRoute routes by default.

If you want VPN traffic to take priority, advertise more specific prefixes via VPN.

Refer: https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering#routing-preferen

I hope this helps you set up a secure and reliable connection over ExpressRoute and VPN Gateway.

Please do let me know if you have any questions on this.

Thanks,

Harish.
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-10T08:15:28.12+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-10T08:22:02.41+00:00

Hi @Harish Peddapally ,Thank you for your inputs, and sending the links for documentation which I also read, I al so do think that this is technically and theoretically possible but I we’re still wandering what are the things we should taken account for before setting up this, and we might face challenges in this set up specifically the routings and the Address space that overlaps.
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-13T09:18:48.4466667+00:00
Hi John Emil Billones,

Greetings for the day!

Thanks for your follow-up! You're absolutely right, while it is technically possible to run a Site-to-Site VPN over ExpressRoute private peering and use NAT on Azure VPN Gateway, careful planning is key, especially when it comes to routing and overlapping address spaces.

Let’s walk through some of the key things to consider before implementation, and challenges you may encounter:

1.Routing Preferences Between ER and VPN:

Azure will always prefer ExpressRoute over VPN for the same prefix.

If you want to route specific traffic over VPN (e.g., for encryption or NAT), you need to:

Advertise more specific prefixes over VPN, or

Use custom BGP weights on your on-prem edge device to prefer VPN for certain routes.

Routing preferences explained here

2.GatewaySubnet Size:

If you're deploying both ExpressRoute and VPN gateways in the same VNet (coexistence), your GatewaySubnet must be /27 or larger.

This allows Azure to deploy both gateways side-by-side.

Refer: Coexistence gateway subnet sizing

3.Overlapping Address Spaces:

If you have overlapping IP ranges between on-prem and Azure, NAT is essential — but comes with challenges:

Use SNAT/DNAT on the Azure VPN Gateway to translate IPs in a way that avoids conflicts.

Plan your NAT mappings carefully:

For example, map overlapping on-prem 10.0.0.0/16 to a different non-overlapping range like 172.16.0.0/24 when entering Azure.

You may need to update your on-prem firewall policies to accept the translated IPs.

Refer: NAT rule planning guide

4.NAT Rule Scope:

NAT on VPN Gateway only applies to S2S VPN connections — not to ExpressRoute.

You can define per-connection NAT rules (useful if you connect to multiple sites).

DNAT + SNAT is supported, but not dynamic NAT — so you'll need to manage the translation mappings explicitly.

Please do let me know if you need anything on this.

Thanks,

Harish.
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-15T03:04:19.1+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-15T03:13:20.7033333+00:00

Hi @Harish Peddapally , Appreciate your detailed response. I have follow up question, is this going to work if that there's two disjoint CIDR of network advertised separately,
let say for example we advertise via BGP in ExpressRoute is the CIDR of 192.168.0.0/16 on-premise network routing to Azure, And in S2S over ExpressRoute connection we don't use BGP but we advertise to that IPsec tunnel is the 10.100.0.0/16 address space on-prem network to Azure, and that 10.100.0.0/ have overlapped one VNet in Azure and we're going to use the NAT of the S2S
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-15T08:10:13.2033333+00:00
Hi John Emil Billones,

Thanks for the detailed follow-up and great question.

Yes, your scenario of advertising two disjoint CIDR blocks over ExpressRoute and S2S VPN with NAT can work effectively, given some important considerations:

1.Advertising Disjoint CIDRs

You can advertise one CIDR (e.g., 192.168.0.0/16) over ExpressRoute private peering using BGP.

Separately, advertise a different CIDR (e.g., 10.100.0.0/16) over the IPsec S2S VPN connection (without BGP).

As long as these CIDRs are disjoint, Azure will route traffic appropriately based on prefix matches.

Azure supports this approach to let you encrypt specific traffic via VPN while other traffic flows over ExpressRoute.

2.Handling the Overlapping VNet Address Space with NAT

Since your Azure VNet has an overlapping address space with the 10.100.0.0/16 on-prem range, you will need to use Azure VPN Gateway NAT capability on the S2S VPN connection.

This NAT translates IP addresses for traffic on the VPN tunnel, allowing the overlapping on-prem 10.100.0.0/16 to map to a non-conflicting IP range in Azure, preventing conflicts.

NAT rules must be carefully planned — for example, mapping on-prem 10.100.0.0/16 to a different range like 172.16.x.x when traffic enters Azure.

Remember that NAT only applies to the VPN connection, not ExpressRoute.

3.Routing and Preference

The ExpressRoute path has routing priority by default. So, if there is any overlap or more specific prefixes advertised on VPN, Azure routes traffic accordingly based on prefix specificity.

Since your CIDRs are disjoint, routing should split correctly with ExpressRoute handling 192.168.0.0/16 range and VPN (with NAT) handling 10.100.0.0/16.

Ensuring no overlapping or conflicting advertisements in routes to avoid routing issues.

4.Additional Recommendations

Ensure GatewaySubnet is sized properly (/27 or larger) if VPN and ExpressRoute gateways coexist.

Test connectivity carefully, especially encrypted traffic flows and NAT translations.

Update firewall and NSG rules to accommodate NAT translated IPs.

5.Relevant official docs you might want to review again:

Site-to-Site VPN over ExpressRoute Private Peering: https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering

NAT configuration on VPN Gateway: https://v4.hkg1.meaqua.org/en-us/azure/vpn-gateway/nat-howto

Configure ExpressRoute and VPN coexistence: https://v4.hkg1.meaqua.org/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

Feel free to reach out if you want assistance on this.

Thanks,

Harish
John Emil Billones 60 Reputation points

2025-10-15T08:27:29.69+00:00

Your explanation is very helpful. But there's another thing that makes the set-up more complex.
We are also having Azure Firewall in the VNet, and our plan is to create a UDR and with GatewaySubnet is attached, and we want to route that traffic through Azure firewall(NVA) to spoke(conflicted IP).
Does the set-up will still work and Do you have any inputs or suggestion on that set-up?

should we remove the associated route in GatewaySubnet? if yes, how can we route the traffics from on-prem to spoke (conflicted IP) through azure firewall?
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-16T07:20:25.24+00:00
Hi John Emil Billones,

Good day, i hope you are doing great!

Thanks again for your great follow-up! You’re absolutely right, introducing Azure Firewall into the mix adds another layer of complexity, but it’s a perfectly valid and achievable setup when done correctly. Let’s walk through how this architecture can work, and clarify your questions around GatewaySubnet UDRs, traffic flow, and routing on-prem to a conflicting spoke via Azure Firewall.

1. High-Level Architecture Flow:

Here’s the simplified traffic pattern based on your topology:

On-prem (10.100.0.0/16, NAT’d)

→ Azure VPN Gateway (S2S with NAT)

→ Azure Firewall (in Hub VNet)

→ Spoke VNet (overlapping range)

This ensures encrypted on-prem traffic traverses through the firewall before reaching the destination spoke network.

2. Should You Associate a UDR with the GatewaySubnet?

Microsoft strongly recommends not associating any UDRs to the GatewaySubnet. The VPN Gateway manages its own system routes, and attaching UDRs can disrupt VPN or ExpressRoute connectivity or cause unexpected behaviors.

Instead of applying a route table directly on the GatewaySubnet, manage routing using UDRs on the spoke and hub subnets to steer traffic through Azure Firewall.

Reference: Azure virtual network traffic routing

3. How to Route On-Prem Traffic Through Azure Firewall to a Conflicted Spoke:

Step 1 – Enable NAT on the VPN Gateway:

Translate your on-prem 10.100.0.0/16 to a non-overlapping address range (for example, 172.16.100.0/24) using SNAT on the S2S connection. This allows traffic to enter Azure safely without conflicting with your spoke VNet.

Reference: Configure NAT on Azure VPN Gateway

Step 2 – Use UDRs on Spoke Subnets:

On the spoke network, create a UDR sending traffic bound for the translated on-prem range (e.g., 172.16.100.0/24) to the Azure Firewall private IP. This ensures return traffic flows through the firewall for inspection and logging.

Step 3 – Configure Routes on AzureFirewallSubnet (Hub):

On the subnet hosting Azure Firewall, create a route to send traffic destined for the spoke’s IP range (e.g., 10.100.0.0/16) directly to the spoke VNet via VNet peering. Double-check that route propagation doesn’t create loops or override system routes.

Step 4 – Firewall Policy Rules

Add appropriate DNAT/SNAT or network rules to:

Accept traffic from the NAT’d on-prem range (e.g., 172.16.100.0/24)

Forward it to the target spoke IPs This setup ensures symmetric two-way communication through the firewall.

4. Important Considerations:

Avoid placing UDRs on the GatewaySubnet; rely on UDRs in the spoke and hub subnets for route control.

Ensure VNet peering between hub and spoke allows both directions of traffic flow.

Add proper allow rules on Azure Firewall for both inbound (from NAT’d on-prem range) and outbound (to spoke networks).

Disable route propagation on spoke route tables to avoid on-prem BGP routes overriding your custom paths.

Confirm GatewaySubnet is at least /27 to support coexistence of ExpressRoute and VPN gateways. Reference: Hub-spoke network topology in Azure

By following this model, your Azure Firewall will correctly handle NAT’d VPN traffic between on-prem and Azure spokes, maintaining a secure, inspected path even when overlapping address spaces exist.

i hope this helps, please do let me know if you have any questions on this.

Thanks,

Harish.
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-22T02:58:21.1833333+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-22T03:17:36.6633333+00:00

Hi @Harish Peddapally I don't have any additional questions for now, I appreciate your response to my queries. I will reach out to this QnA thread if I have more question related to this, your inputs helped clear things for this topic!

Answer accepted by question author

0 additional answers

Your answer

Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-10T08:15:28.12+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-10T08:22:02.41+00:00

Hi @Harish Peddapally ,Thank you for your inputs, and sending the links for documentation which I also read, I al so do think that this is technically and theoretically possible but I we’re still wandering what are the things we should taken account for before setting up this, and we might face challenges in this set up specifically the routings and the Address space that overlaps.
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-15T03:04:19.1+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-15T03:13:20.7033333+00:00

Hi @Harish Peddapally , Appreciate your detailed response. I have follow up question, is this going to work if that there's two disjoint CIDR of network advertised separately,
let say for example we advertise via BGP in ExpressRoute is the CIDR of 192.168.0.0/16 on-premise network routing to Azure, And in S2S over ExpressRoute connection we don't use BGP but we advertise to that IPsec tunnel is the 10.100.0.0/16 address space on-prem network to Azure, and that 10.100.0.0/ have overlapped one VNet in Azure and we're going to use the NAT of the S2S
John Emil Billones 60 Reputation points

2025-10-15T08:27:29.69+00:00

Your explanation is very helpful. But there's another thing that makes the set-up more complex.
We are also having Azure Firewall in the VNet, and our plan is to create a UDR and with GatewaySubnet is attached, and we want to route that traffic through Azure firewall(NVA) to spoke(conflicted IP).
Does the set-up will still work and Do you have any inputs or suggestion on that set-up?

should we remove the associated route in GatewaySubnet? if yes, how can we route the traffics from on-prem to spoke (conflicted IP) through azure firewall?
Harish Peddapally 1,745 Reputation points Microsoft External Staff Moderator

2025-10-22T02:58:21.1833333+00:00

Hi John Emil Billones,

Greetings for the day!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
John Emil Billones 60 Reputation points

2025-10-22T03:17:36.6633333+00:00

Hi @Harish Peddapally I don't have any additional questions for now, I appreciate your response to my queries. I will reach out to this QnA thread if I have more question related to this, your inputs helped clear things for this topic!

Answer 1

Hi John Emil Billones,

Greetings for the day!

Welcome to Microsoft Q&A and Thanks for the consistent follow-ups and for providing detailed context throughout our discussion! Let’s consolidate and close this thread with a full summary of the supported configuration, best practices, and key references for setting up Site-to-Site (S2S) VPN over ExpressRoute private peering with NAT and an Azure Firewall hub integration.

Overview:

Yes, it is technically and practically possible to configure a Site-to-Site (S2S) VPN tunnel over ExpressRoute Private Peering, and you can also enable NAT on an Azure VPN Gateway for resolving overlapping address spaces — even when using an Azure Firewall in a hub-spoke topology.

This approach is useful when:

You require IPsec encryption over ExpressRoute for compliance.

You need NAT to handle overlapping address ranges.

You plan to pass all on-prem traffic through an Azure Firewall before reaching spokes.

Step-by-Step Breakdown:

1. Configure S2S VPN over ExpressRoute Private Peering:

Azure supports building an IPsec tunnel between your on-premises VPN device and the Azure VPN Gateway over the ExpressRoute private peering. Key prerequisites:

VPN Gateway must be route-based.

Use the private IP of the VPN Gateway for the IPsec tunnel.

ExpressRoute circuit must have private peering configured. Reference: Site-to-Site VPN over ExpressRoute Private Peering

2. Enable NAT on Azure VPN Gateway:

NAT resolves overlapping or conflicting IP address spaces between Azure VNets and on-premises networks. Key points:

Supported on VpnGw2 and higher SKUs.

Only available for S2S VPNs, not ExpressRoute.

Supports both SNAT and DNAT; static NAT mappings are required.
Reference: VPN Gateway NAT overview

Configure NAT on VPN Gateway

Example mapping: If the on-premises network is 10.100.0.0/16 and overlaps with Azure, SNAT translate it to 172.16.100.0/24 when routing into Azure.

3. Coexistence of ExpressRoute and VPN Gateways:

When both gateways exist in the same VNet:

The GatewaySubnet must be /27 or larger.

ExpressRoute routes take precedence by default.

To prefer VPN tunnels for specific prefixes, advertise more specific routes via VPN. Reference: Configure ExpressRoute and VPN Coexistence

4. Handling Disjoint and Overlapping CIDRs:

When advertising multiple CIDRs (e.g., 192.168.0.0/16 over ExpressRoute and 10.100.0.0/16 via S2S VPN):

Traffic segmentation works as long as address spaces are disjoint.

Overlapping ranges (like Azure VNets sharing 10.100.0.0/16) must rely on NAT for translation.

ExpressRoute handles standard traffic, and VPN (with NAT) carries encrypted or remapped flows.

5. Integrating Azure Firewall in the Hub:

Including an Azure Firewall adds inspection and control between on-prem and spoke networks. Recommended design:

Traffic flow: On-prem (10.100.0.0/16 NAT’d) → VPN Gateway (S2S with NAT) → Azure Firewall → Spoke VNet

Implementation guidance:

Do not associate UDRs with the GatewaySubnet — it can disrupt gateway operations.

Apply custom routes only on hub and spoke subnets to steer traffic through Firewall.

Create a UDR on the spoke subnet directing NAT’d on-prem ranges (e.g. 172.16.100.0/24) to the Firewall’s private IP.

On AzureFirewallSubnet, set routes to forward spoke-bound traffic via VNet peering.

Add corresponding firewall network rules for NAT’d ranges.

References:

Azure virtual network traffic routing

Hub-spoke network topology in Azure

Key Considerations:

NAT is applied only on the VPN Gateway (not ExpressRoute).

Maintain symmetric routing by updating firewall UDRs and NAT translation rules.

Ensure appropriate GatewaySubnet sizing and Firewall policies to prevent routing loops.

Disable route propagation in spoke VNets when using custom UDRs.

Additional Microsoft Resources

Configure ExpressRoute Private Peering – Azure Portal

ExpressRoute Overview

This combination of ExpressRoute, VPN (with NAT), and Azure Firewall provides both secure encrypted connectivity and flexible route control, even across overlapping or segmented address spaces.

Glad to hear your setup is clearer now! Feel free to revisit this thread anytime if you have additional questions during implementation.

If the provided information answers your query, do click "Upvote" and "Accept Answer", it will help others who might be facing similar challenges.

Thanks,

Harish.

John Emil Billones 60 Reputation points

2025-10-27T03:47:44.2166667+00:00

Hi @Harish Peddapally ,

I Have follow-up question for this items:

How can I achieve this "Traffic flow: On-prem (10.100.0.0/16 NAT’d) → VPN Gateway (S2S with NAT) → Azure Firewall → Spoke VNet" if I am not going to associate GatewaySubnet to a UDR that is next hop is Azure firewall to Spoke?

In Azure Firewall from on-prem traffic, the source will be the NAT'd IP address and what would be the destination? is it the Internal mappings(original overlapped IP) or External mappings (NAT'd egressIP)?

How about the spoke to on-premises traffic what IP address as source I should allow? the Internal mappings (original overlapped IP) or the External mappings(NAT'd IP) as Source? and I understand that the destination of the rule will be NAT'd IP of on-premise.

Looking forward for your response! thank you.

Share via

ExpressRoute Private peering and Configure S2S VPN over ExpressRoute as well as configure the NAT for VPN gatewa

0 additional answers

Your answer