Meraki

Community

Azure vMX VNETs for Internet and LAN Port - Segmentation

Solved
Mloraditch
Kind of a big deal
Kind of a big deal
‎Apr 30 2025 8:44 AM
‎Apr 30 2025 8:44 AM

Azure vMX VNETs for Internet and LAN Port - Segmentation

So we have started to Deploy vMXs in Azure in Routed mode with an Internet and LAN Port. 

One drawback I've identified is that you must use the same VNET for both ports. The Wizard doesn't allow different ones. I wanted to put the MX internet on a completely separate un-peered VNET for security reasons. 

I think my primary option is to develop rules via NSGs to block LAN subnets from the WAN subnet and vice versa.

Has anyone else noticed this? Am I missing something obvious? Seems like it would be a simple fix for Meraki to update the templates to allow this.

Do other public clouds have the same issue? We aren't going to be changing but curious.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Labels:
0 Kudos
1 Accepted Solution
ShaunB93
Here to help
‎Jun 2 2025 5:22 AM
‎Jun 2 2025 5:22 AM

This is an Azure constraint:
"You can connect network interfaces in the same VM to different subnets within a virtual network. However, the network interfaces must all be connected to the same virtual network"


Add network interfaces to or remove from Azure VMs | Microsoft Learn

View solution in original post

3 Replies 3
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 30 2025 9:20 AM
‎Apr 30 2025 9:20 AM

As you mentioned, using NSGs to create rules that block traffic between the LAN and WAN subnets is a viable approach.
Another option would be to implement UDRs to further control the flow of traffic between the subnets, ensuring that only allowed traffic passes through them.

 

Other public clouds, like AWS and Google Cloud, also have similar constraints when it comes to VNET/VPC configurations.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ShaunB93
Here to help
‎Jun 2 2025 5:22 AM
‎Jun 2 2025 5:22 AM

This is an Azure constraint:
"You can connect network interfaces in the same VM to different subnets within a virtual network. However, the network interfaces must all be connected to the same virtual network"


Add network interfaces to or remove from Azure VMs | Microsoft Learn

In response to ShaunB93
Mloraditch
Kind of a big deal
Kind of a big deal
‎Jun 2 2025 7:01 AM
‎Jun 2 2025 7:01 AM

TIL! Thanks. 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.