Skip to content

How MCR Performs NAT

Network address translation (NAT) conserves IPv4 address space by translating the unregistered private IP addresses used for an organization’s private inner network into a single registered public IP address. This single public IP address is then used to connect to external networks, like the internet.

This topic describes how NAT on the MCR is designed to specifically support public peering types to Cloud Service Providers.

Many-to-one NAT using different ports

NAT is performed by the MCR at the boundary where two networks are connected. Before forwarding packets from the inner network to the outer network, MCR translates the private, non-unique IP addresses to a single, globally unique public IP address. This many-to-one translation allows the MCR to advertise only one IP address to the outside world, while hiding multiple private source IP addresses behind the IP address of the MCR interface. To create a unique session, MCR assigns a different TCP or UDP source port number to the public IP address.

To map multiple IP addresses to a single IP address, MCR NAT uses a combination of source NAT (SNAT) and port address translation (PAT).


NAT on the MCR is similar to Cisco’s NAT overload or Checkpoint’s Hide NAT functionality.

MCR keeps track of each IP address translation and port assignment in a NAT table that can handle thousands of concurrent translations. When a port is no longer in use, MCR releases it and returns it to the pool of available ports.

This image shows an MCR at the edge of the data center, privately connecting to the Azure Platform as a Service (PaaS) with a Virtual Cross Connect (VXC) into Azure public peering, known as Microsoft Peering. Because Microsoft will only accept public IPv4 addresses through Microsoft Peering, the MCR translates the private IP addresses to public addresses using NAT. The MCR provides the added benefit of using Megaport’s autonomous system number (ASN) and publicly registered IP space for this connection.


MCR NAT example

In this example, MCR is logically sitting between a customer’s data center ( and Azure (West US Packets destined for are sent from the data center to the MCR.

  1. The data center sends a packet with a source IP of and a destination IP of toward the MCR.
    NAT example

  2. MCR receives the packet on its inside interface. Upon egress, MCR performs a SNAT to translate the source IP address ( to the local IP address of its outside interface ( To create a unique session, MCR also performs a port address translation (PAT) and assigns the session a unique TCP or UDP source port. The destination IP and port are left intact.
    NAT example

  3. When Azure receives the packet, it has a source IP of Azure forwards the packet to the destination and replies back to the source at

  4. Assume that Azure receives another packet from MCR with a source IP of and a destination IP of MCR performs a SNAT to the same IP address of The only difference is the TCP/UDP source port that has been automatically assigned by MCR.

Verifying the NAT assignment

MCR automatically configures the VLAN IDs used for private and public peering after you configure the peering type. When provisioning VXCs from the MCR to a service provider, MCR configures the private peering with VLAN 100 and the public peering with VLAN 200, by default.

This image shows MCR with a VXC connecting to Azure. During the initial VXC configuration, both Private and Public Microsoft peering types were selected. For this configuration, MCR automatically configured VLAN 100 to support private peering and VLAN 200 to support the public Microsoft peering.
NAT verification

The NAT IP Address field appears to the right of the Interface IP Addresses. The NAT Source IP address is the IP address of the MCR’s outside interface, to which any packets will be translated.


When multiple Azure VXCs on an MCR populate the same VLAN 100 tag (private peering) and the same VLAN 200 tag (public peering), MCR manages the 802.1Q tunnel, also known as a Q-in-Q tunnel, for each Azure VXC that terminates on the MCR. Each Azure VLAN will still be a separate logical interface. For more information, see Configuring Q-in-Q.

This table summarizes the supported MCR NAT configurations and use cases, indicated by a . It also includes configurations that aren’t a good fit, indicated by an X.

NAT Overload Connectivity to Cloud Service Providers public services
Hide NAT Connectivity to SaaS and PaaS services
Source NAT X Connectivity to Megaport Marketplace partners
Destination NAT X Preserve the IP address space for outbound traffic
Static NAT Pool X Allow for inbound access from the internet X
Dynamic NAT Pool X Routing between overlapping networks X


A single MCR is limited to 131,072 NAT translations and is configured with a TCP established timeout of 24 hours.

Last update: 2024-04-15