S2S Connection

Question

S2S Connection

Mushtaq Ahmad 0

Hello Community,

I am configuring an Azure VPN Gateway connection and need to meet the following requirements:

Enable custom IPsec policy with partner-required parameters (e.g., IKEv2, AES-256, SHA-256, DH Group 14, PFS enabled).
Attach an Egress NAT rule so that outbound traffic appears from a specific static IP address.

The issue arises only when I enable Use Custom Traffic Selector. After enabling this option and saving the configuration, I receive the following error:

Failed to update the configuration for connection 'Tunnel'. 
Error: Policy-Based Traffic Selectors cannot be used while NAT rule associations are defined on 
RG/providers/Microsoft.Network/connections/Tunnel

Questions:

Is it possible to use custom traffic selectors and NAT rules together on Azure VPN Gateway?
If not, what is the recommended approach to achieve:
- Custom IPsec parameters (e.g., DH Group 14, PFS)
  - Static IP visibility for outbound traffic?

Any expert guidance or best practices would be greatly appreciated.

Thank you!Hello Community,

I am configuring an Azure VPN Gateway connection and need to meet the following requirements:

Enable custom IPsec policy with partner-required parameters (e.g., IKEv2, AES-256, SHA-256, DH Group 14, PFS enabled).
Attach an Egress NAT rule so that outbound traffic appears from a specific static IP address.

The issue arises only when I enable Use Custom Traffic Selector. After enabling this option and saving the configuration, I receive the following error:

Failed to update the configuration for connection 'Tunnel error: Policy-Based Traffic Selectors cannot be used while NAT rule associations are defined on 
RG-/providers/Microsoft.Network/connections/Tunnel

Questions:

Is it possible to use custom traffic selectors and NAT rules together on Azure VPN Gateway?
If not, what is the recommended approach to achieve:
- Custom IPsec parameters (e.g., DH Group 14, PFS)
  - Static IP visibility for outbound traffic?

Any expert guidance or best practices would be greatly appreciated.

Thank you! msedge_UvZJpmP4FL

Mushtaq Ahmad 0 Reputation points

2025-12-01T12:58:42.2633333+00:00
@Vallepu Venkateswarlu

Following up on the previous discussion about custom IPsec policies and NAT rules on Azure VPN Gateway, I now have another challenge:

The client requires all outbound traffic to appear from a specific IP address (provided by them) for whitelisting purposes. We explored the suggestion of using an Azure Load Balancer or a Public IP resource to achieve static IP visibility. However, we found that:

The IP provided by the client (e.g., 172.18.x.x) is a private IP address, which cannot be used as a public IP in Azure.

When creating a Public IP in Azure, we cannot manually assign a specific number. Azure only allocates IPs from its own pool.

The client insists on using their exact IP address, not an Azure-assigned one.

Questions:

Is there any way to configure Azure so that outbound traffic uses a client-provided IP address?

Does Azure support Bring Your Own IP (BYOIP) for this scenario, and what are the prerequisites?

If BYOIP is not feasible, what is the recommended approach to meet this requirement?

Context: The client needs this for strict security whitelisting. We already know NAT rules cannot coexist with custom traffic selectors, so we are exploring alternatives. The main blocker is that Azure does not allow us to manually input the client’s IP when creating a Public IP resource.

Any guidance or best practices would be greatly appreciated.

Thank you!Following up on the previous discussion about custom IPsec policies and NAT rules on Azure VPN Gateway, I now have another challenge:

The client requires all outbound traffic to appear from a specific IP address (provided by them) for whitelisting purposes. We explored the suggestion of using an Azure Load Balancer or a Public IP resource to achieve static IP visibility. However, we found that:

The IP provided by the client (e.g., 172.18.x.x) is a private IP address, which cannot be used as a public IP in Azure.

When creating a Public IP in Azure, we cannot manually assign a specific number. Azure only allocates IPs from its own pool.

The client insists on using their exact IP address, not an Azure-assigned one.

Questions:

Is there any way to configure Azure so that outbound traffic uses a client-provided IP address?

Does Azure support Bring Your Own IP (BYOIP) for this scenario, and what are the prerequisites?

If BYOIP is not feasible, what is the recommended approach to meet this requirement?

Context:
The client needs this for strict security whitelisting. We already know NAT rules cannot coexist with custom traffic selectors, so we are exploring alternatives. The main blocker is that Azure does not allow us to manually input the client’s IP when creating a Public IP resource.

Any guidance or best practices would be greatly appreciated.

Thank you!
Vallepu Venkateswarlu 1,235 Reputation points Microsoft External Staff Moderator

2025-12-01T16:47:04.1633333+00:00
Hi @Mushtaq Ahmad

Thanks for your response.

Can outbound traffic from Azure use a client-provided IP address (like 172.18.x.x)? The IP address your client provided (for example, 172.18.x.x) is a private RFC1918 IP, not a public routable IP and Outbound Internet traffic in Azure must use a public IP from Azure, unless you bring your own public IP range.

Does Azure support Bring Your Own IP (BYOIP) for this scenario? What are the prerequisites?

Azure does support BYOIP, but only for public IP prefixes that you own, which must meet the following requirements:

BYOIP Requirements

The IP range must be publicly routable, owned by you, and registered to your organization with a Regional Internet Registry (RIR) like ARIN/APNIC/RIPE.

You must be able to update Route Origin Authorizations (ROA) and IRR route objects to allow Microsoft to advertise those IPs.

The prefix must be /24 or larger.

After validation, Microsoft will advertise the prefix from Azure, and you can use it for Public IPs and outbound SNAT.

Since the client’s IP (172.18.x.x) is private, it cannot be used with BYOIP. BYOIP works only for public IP ranges, not private IPs.

Ref: Bring your own IP addresses (BYOIP) to Azure with Custom IP Prefix

If BYOIP is not feasible, what is the recommended approach to meet this requirement?

Option 1: Use an Azure Public IP,
You can create a Standard Public IP or NAT Gateway and share it for outbound connections
This is the most recommended and simplest solution.

Option 2:
Ask the client to provide a publicly routable IP range they own (then use Azure BYOIP)

If the client truly requires their own IP for compliance reasons, they must provide a publicly owned prefix.

After onboarding via BYOIP, you can use it as your outbound IP in Azure.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Answer 1

Hi @ Mushtaq Ahmad,

It sounds like you're facing some challenges trying to set up your Azure VPN Gateway connection with custom IPsec policies and NAT rules. Let's break down your questions and address your concerns.

Custom Traffic Selectors and NAT Rules

Can you use custom traffic selectors and NAT rules together? Unfortunately, Azure VPN Gateway does not support using custom traffic selectors in conjunction with NAT rules. You are specifically encountering that error because the gateway can't handle both configurations at the same time.

Recommended Approaches

To meet your requirements for both custom IPsec parameters and static IP visibility for outbound traffic, you'll need to take a different approach since you can't combine the two directly. Here's how you can achieve each one:

Custom IPsec parameters (e.g., DH Group 14, PFS):
- You can configure the custom IPsec/IKE policy by leveraging PowerShell or the Azure CLI to set the parameters you need. Check out this documentation on configuring IPsec/IKE policies for specific commands and options.
Static IP visibility for outbound traffic:
- For outbound traffic to have a static IP, you might need to use a different method, like associating a Public IP address directly with your Azure resources or configuring Azure Load Balancer in front of your service. This way, your outbound traffic can have a stable, known IP address that you can control.

Ref:

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Share via

S2S Connection

1 answer

Custom Traffic Selectors and NAT Rules

Recommended Approaches

Ref:

Your answer