How to Configure Azure VPN Gateway for IPsec Tunnel with Custom Policy and Whitelisted Private IP Requirement?

Mushtaq Ahmad 0 Reputation points
2025-12-01T13:27:39.72+00:00

Hello Community,

We are designing a solution to integrate with a third-party API that can only be accessed from a whitelisted private IP on their firewall. Additionally, all traffic must pass through an IPsec VPN tunnel using custom encryption parameters provided by the partner (e.g., IKEv2, AES-256, SHA-256, DH Group 14, PFS enabled).

Our intended design is:

  • Enable custom IPsec policy with the required parameters.
  • Attach an Egress NAT rule so that outbound traffic appears from a specific static IP (the whitelisted private IP).
  • Enable Use Custom Traffic Selector to match the partner’s requirements.

However, when we enable custom traffic selectors and try to save the configuration, we receive this error:

Failed to update the configuration for connection 'Tunnel'. 
Error: Policy-Based Traffic Selectors cannot be used while NAT rule associations are defined on 
RG/providers/Microsoft.Network/connections/Tunnel

Questions:

  1. Is it possible to use custom traffic selectors and NAT rules together on Azure VPN Gateway? (This is our designed solution, but we are not sure if it’s supported.)
  2. If not, what is the recommended approach to achieve:
     • Custom IPsec parameters (DH Group 14, PFS)
     • Static IP visibility for outbound traffic that matches the whitelisted private IP requirement?
  3. Does Azure support Bring Your Own IP (BYOIP) for this scenario, and what are the prerequisites?
  4. If BYOIP is not feasible, what alternative design would you recommend for this integration?

Context: The whitelisted private IP requirement is critical because the partner’s firewall only allows traffic from that IP. We need a solution that satisfies both the custom IPsec policy and the source IP requirement.

Any expert guidance or best practices would be greatly appreciated.

Thank you!

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. Q&A Assist
    2025-12-01T13:28:00.1233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Using Custom Traffic Selectors and NAT Rules Together: It is not possible to use custom traffic selectors and NAT rules together on Azure VPN Gateway. The error message you received indicates that policy-based traffic selectors cannot be used when NAT rule associations are defined on the connection. This limitation means you will need to choose between using custom traffic selectors or NAT rules, but not both simultaneously.
    2. Recommended Approach:
      • Custom IPsec Parameters: You can configure custom IPsec parameters such as DH Group 14 and PFS by following the guidelines for creating a custom IPsec/IKE policy on your Azure VPN Gateway. Ensure that the parameters match those required by your third-party API partner.
      • Static IP Visibility: To achieve static IP visibility for outbound traffic that matches the whitelisted private IP requirement, you can consider the following options:
        • Bring Your Own IP (BYOIP): Azure does support BYOIP, which allows you to use your own public IP addresses in Azure. However, this is generally for public IPs rather than private IPs. You will need to check the prerequisites for BYOIP, which typically include having ownership of the IP address range and ensuring it is registered with a regional Internet registry.
        • Alternative Design: If BYOIP is not feasible, you might consider setting up a dedicated virtual network (VNet) with a VPN gateway that connects to your on-premises network. From there, you can route traffic through your on-premises firewall, which can then handle the NAT and ensure that the outbound traffic appears from the whitelisted private IP. This way, you can maintain the custom IPsec parameters while achieving the required source IP visibility.

    In summary, due to the limitations of Azure VPN Gateway, you will need to carefully design your solution by either utilizing BYOIP if applicable or routing traffic through an on-premises solution to meet the whitelisted IP requirement while maintaining the necessary IPsec configurations.


  2. Vallepu Venkateswarlu 1,235 Reputation points Microsoft External Staff Moderator
    2025-12-01T13:57:45.1833333+00:00

    Hey Mushtaq,

    Welcome to Microsoft Q&A Platform.

    Custom Traffic Selectors with NAT Rules: Unfortunately, you cannot use policy-based traffic selectors alongside NAT rules in Azure VPN Gateway, as indicated by the error message you’re receiving. The configuration requires either one or the other.

    Below is the recommended approach for your scenario.

    Custom IPsec Parameters: You can create a custom IPsec/IKE policy, which allows you to define specific encryption protocols and parameters such as IKEv2, AES-256, SHA-256, DH Group 14, and PFS (Perfect Forward Secrecy).

    Instead of using NAT rules, consider alternative methods to route outbound traffic through a static IP. This can be achieved using networking services like Azure Firewall or Application Gateway, which can manage outbound connections and ensure traffic originates from a fixed IP.

    Azure supports BYOIP, enabling you to bring your own IP address space into Azure. However, this requires ownership of the IP range and proper registration with Azure. This option is useful if your solution depends on using a specific, owned static IP.

    If BYOIP is not feasible, you can configure a NAT Gateway to manage outbound traffic. Pairing a NAT Gateway with your VPN Gateway allows you to maintain your encryption and security requirements while ensuring outbound traffic uses a consistent, whitelisted IP address.

    Kindly let us know if the above helps or you need further assistance on this issue.

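The custom IPsec/IKE policy both answers recommend, together with a pre-check for the NAT rule conflict the question hit, as an added Azure CLI example that is not part of either answer. It assumes the resource group and connection names from the error message (RG, Tunnel), Azure's default SA lifetime values, and constructed JSON samples standing in for real `az` output.

```shell
#!/bin/sh
# Added example (not from this thread). Applies the partner's custom IPsec/IKE policy to an
# Azure VPN Gateway connection with Azure CLI, after checking the limitation from the question:
# a connection that still has NAT rule associations rejects policy-based (custom) traffic
# selectors. RG/Tunnel come from the question's error message; JSON samples are constructed.
set -eu

RG="RG"; CONN="Tunnel"

# pbts_allowed JSON -> returns 0 when the connection (as printed by
# `az network vpn-connection show -o json`) has no ingress or egress NAT rule
# associations, so policy-based traffic selectors can be enabled; 1 otherwise.
# Whitespace is stripped first so pretty-printed and compact JSON both match.
pbts_allowed() {
  if printf '%s' "$1" | tr -d ' \n\r\t' \
       | grep -Eq '"(egress|ingress)NatRules":\[[{]'; then
    return 1
  fi
  return 0
}

# The partner's parameters: IKEv2 with AES-256/SHA-256 and DH group 14 for IKE,
# AES-256/SHA-256 for the IPsec SA, PFS over the 2048-bit MODP group (group 14).
# SA lifetime/size are Azure's documented defaults; replace with the partner's values.
apply_custom_policy() {
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000
}

# Enable custom traffic selectors only when no NAT rule is attached; otherwise fail
# early with a clear message instead of the generic update error seen in the portal.
enable_traffic_selectors() {
  conn_json="$(az network vpn-connection show -g "$RG" -n "$CONN" -o json)"
  if ! pbts_allowed "$conn_json"; then
    echo "$CONN has NAT rule associations; detach them before enabling traffic selectors" >&2
    return 1
  fi
  az network vpn-connection update -g "$RG" -n "$CONN" --use-policy-based-traffic-selectors true
}

# Constructed samples: the state behind the error in the question (egress NAT rule attached)
# and a connection with no NAT associations. Angle-bracket values are placeholders, not real IDs.
SAMPLE_WITH_NAT='{"name":"Tunnel","egressNatRules":[{"id":"/subscriptions/<sub>/resourceGroups/RG/providers/Microsoft.Network/virtualNetworkGateways/<gw>/natRules/egress-snat"}],"ingressNatRules":[],"usePolicyBasedTrafficSelectors":false}'
SAMPLE_CLEAN='{"name":"Tunnel","egressNatRules":[],"ingressNatRules":[],"usePolicyBasedTrafficSelectors":false}'

if pbts_allowed "$SAMPLE_WITH_NAT"; then echo "with NAT: ok"; else echo "with NAT: conflict"; fi
if pbts_allowed "$SAMPLE_CLEAN";    then echo "clean: ok";    else echo "clean: conflict";    fi
```

Run `apply_custom_policy` and then `enable_traffic_selectors` from a shell that is logged in with `az login`; the check functions themselves need no Azure access.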
