Azure vMX Configuration Considerations
Hi, we have a client with 50 sites with an MX67 at each site in routed mode. There are two vMX-M appliances located in their Azure hub, configured in VPN concentrator mode, sitting behind firewall NVAs in the Azure hub.
The vMX-M appliances are the Hub and the 50 sites are configured as spokes. All servers are located in Azure so considered as the Data Center in the design. AutoVPN is configured and sites do not full tunnel to allow for local break-out at the 50 sites.
Now, if we introduce Secure Connect, I understand all site traffic now routes via Secure Connect.
What happens at the current Hub in the design above?
- Will we have to change anything on the vMX-M appliances?
- Do the vMX have to change to Routed mode?
- Will the vMX appliances now be seen as a spoke?
- What sort of latency will be introduced on top of the current latency seen in the AutoVPN config?
- Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security)
Thanks in advance.
>I understand all site traffic now routes via Secure Connect.
If you are talking about Meraki AnyConnect support using the SecureConnect client, you can use split tunnel mode, so only traffic for the Azure network (and branches if you like) will go over the VPN.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
(you can search for "split" in the above page).
>Will we have to change anything on the vMX-M appliances?
You'll need to configure AnyConnect, and make sure TCP and UDP 443 are forwarded to the VMX.
>Do the vMX have to change to Routed mode?
No.
>Will the vMX appliances now be seen as a spoke?
Not really.
>What sort of latency will be introduced on top of the current latency seen in the AutoVPN config?
Pretty much nothing.
>Does the Essentials licensing
I would normally use AnyConnect APEX licences. A sample ordering code is L-AC-APX-3Y-S1. This is for a 3 year licence. I usually use 3Y or 5Y to match the Meraki licences, so everything comes up for renewal at the same time.
Thanks for your response. Sorry, no, I'm not referring to AnyConnect.
I am not 100% sure of these answers in this scenario.
- Will we have to change anything on the vMX-M appliances? No. They are already hubs and will automatically form AutoVPN connections to the virtual Cisco+ SecureConnect Hubs.
- Do the vMX have to change to Routed mode? No.
- Will the vMX appliances now be seen as a spoke? No. It will remain as a hub, and traffic for subnets behind it will go directly to it. Cisco+ SecureConnect shows up as additional AutoVPN hubs.
- What sort of latency will be introduced on top of the current latency seen in the AutoVPN config? Don't know.
- Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security) Don't know.
OK, thanks for your input... I'll run a trial and see how it pans out.
- Will we have to change anything on the vMX-M appliances? Currently all Meraki sites connected to Secure Connect will be configured as spokes with Secure Connect seen as a hub. Hub to hub connectivity to Secure Connect will come in the future.
- Do the vMX have to change to Routed mode? Yes.
- Will the vMX appliances now be seen as a spoke? Yes.
- What sort of latency will be introduced on top of the current latency seen in the AutoVPN config? If you are asking about site to site connectivity there will be some latency added. We are introducing another hop and a policy evaluation. The latency added will depend on multiple factors, there is no stated number.
- Does the Essentials licensing allow for traffic steering at the remote sites? For example, to exclude certain traffic from being routed via Secure Connect? (Meraki licensing is Advanced Security) Secure Connect is not dependent on a specific MX license. VPN exclusion rules can be done for IP/CIDR for any MX license and application based VPN exclusion rules require the SD-WAN Plus license.
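Since IP/CIDR VPN exclusion rules are available on any MX license, the practical risk at 50 sites is an exclusion that accidentally pulls Azure data-centre traffic out of the tunnel and past the hub. The following is an added example, not code from this thread or from Meraki, that audits a proposed exclusion list against the hub prefixes before anyone applies it; the hub prefixes, the candidate exclusions and the three finding categories are constructed assumptions.

```python
"""Audit proposed AutoVPN exclusion (local break-out) prefixes against the
hub-side prefixes that must stay inside the tunnel.

Added example, not Meraki code. All prefixes below are constructed samples.
"""
import ipaddress
from typing import Dict, List

# Constructed: prefixes behind the Azure vMX hubs (the "data centre").
HUB_PREFIXES = ["10.100.0.0/16", "10.101.0.0/16"]

# Constructed: exclusion candidates proposed for local break-out at a branch.
PROPOSED_EXCLUSIONS = [
    "13.107.6.0/24",      # SaaS range intended to break out locally
    "10.100.50.0/24",     # overlaps an Azure server subnet: would bypass the hub
    "0.0.0.0/0",          # catch-all: would pull everything out of the tunnel
    "13.107.6.128/25",    # already covered by the first rule
]


def audit_exclusions(exclusions: List[str], hub_prefixes: List[str]) -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty dict means the set is clean."""
    hubs = [ipaddress.ip_network(p, strict=False) for p in hub_prefixes]
    findings: Dict[str, List[str]] = {"bypasses_hub": [], "catch_all": [], "shadowed": []}
    seen = []  # networks already accepted, in rule order
    for text in exclusions:
        net = ipaddress.ip_network(text, strict=False)
        # A default route as an exclusion defeats the purpose of the hub entirely.
        if net.prefixlen == 0:
            findings["catch_all"].append(text)
        # Any overlap with a hub prefix sends data-centre traffic straight out the
        # local WAN, bypassing the vMX hubs and any Secure Connect policy.
        if any(net.version == h.version and net.overlaps(h) for h in hubs):
            findings["bypasses_hub"].append(text)
        # A rule fully contained in an earlier rule adds nothing but confusion.
        if any(net.version == s.version and net.subnet_of(s) for s in seen):
            findings["shadowed"].append(text)
        seen.append(net)
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for category, prefixes in audit_exclusions(PROPOSED_EXCLUSIONS, HUB_PREFIXES).items():
        print(f"{category}: {', '.join(prefixes)}")
```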
Hi Gary.
This documentation states you can set the Umbrella "MX" as an exit hub. Is this not possible when doing Secure Connect? I thought it was essentially the same.
https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide
Why does the vMX need to be in routed mode?
Hi Gary,
I'm also curious to understand why the vMX needs to be in Routed Mode.
Correction to myself, we do not need the vMX in routed mode. There are some routing considerations on the upstream gateway in order to use the vMX in passthrough mode.
Hi Gary,
Could the vMX in passthrough mode still use BGP to propagate Azure routes?
