A customer using a Meraki vMX has now introduced an Azure Premium Firewall (APF) between the vMX and the internet, which is creating issues, as they say they can find no way to open the port through it to the vMX; so my question is whether it's possible to use the vMX as the Internet edge device and position the APF behind it (which our customer hasn't figured out how to do either). Looking to see if anyone has noticed any hurdles using the APF in combination with a vMX and how they were resolved.
The Meraki vMX will work in one-armed concentrator mode only! No NAT mode available. The vMX can only play the role of VPN concentrator on Azure.
You cannot use the Meraki vMX as a gateway into Azure.
Full-tunnel site-to-site VPN mode is not possible. Your branch or remote offices need to use split-tunnel VPN: Internet traffic goes out the branch/remote office's local Internet access, and only Azure remote networks are routed through the VPN. This is the default on Meraki AutoVPN.
Client VPN is supported on the vMX, but you must use split tunneling for a connected client to access the Internet.
Referencing this Meraki vMX setup guide for Azure (https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure), it says that:
"All new vMXs deployed post October 31, 2022 will be deployed in Routed/NAT Mode Concentrator by default, existing vMX deployments will not be affected. If you wish to use the vMX in passthrough mode, please change the deployment settings to Passthrough or VPN Concentrator mode from the Security & SD-WAN > Configure > Addressing & VLANs page."
So this suggests that we can use the vMX as a gateway to Azure. Is this incorrect?
As far as I know, the vMX is for SD-WAN purposes.
Recommended use cases: Extend secure SD-WAN connectivity from branch sites to resources in public and private cloud environments.
The article I referenced points to a further article, "Concentrator Modes": https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs
This says:
"This is the default selection. Choose this option if you want to use the MX appliance as a layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN)."
So that makes me think that the vMX is deployed in "Routed/NAT Mode Concentrator" by default, and routed mode uses the appliance as a layer 7 firewall.
Check it out:
https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ#Common_Use_Cases
https://community.meraki.com/t5/Security-SD-WAN/vMX100-what-s-the-benefit/m-p/113717
This link may help you to understand:
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure
I expect (never tried this myself) the vMX should work in its standard VPN concentrator mode for AutoVPN. I expect you'll find the reliability reduced a little. There will be some cases when AutoVPN will go down, and it won't be able to rebuild it in a timely manner, as spokes won't be able to communicate with the vMX to tell it a rebuild is needed.
You won't be able to use the TLS inspection feature of Azure premium firewall.
I would get them to create a rule to allow all outbound UDP traffic to any destination IP address from the vMX (to get AutoVPN working). It will also need to allow outbound traffic to the Meraki cloud.
It won't be able to be used as a client VPN concentrator.
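As an added example (not part of the reply above, and not taken from Meraki or Microsoft documentation), the following Bicep fragment expresses the two allowances that reply asks for on an Azure Firewall Premium policy: any outbound UDP from the vMX, and outbound traffic from the vMX to the Meraki cloud. The policy name `apf-policy`, the vMX NIC private IP `10.0.1.4`, and the `*.meraki.com` / TCP 443 destination for the dashboard connection are assumptions for illustration; the actual cloud destinations the appliance needs are listed in the Meraki dashboard under Help > Firewall info and should replace the placeholder.

```bicep
// Added example: rule collection group on an existing Azure Firewall policy
// that lets a one-armed vMX build AutoVPN tunnels and reach the Meraki cloud.
// Assumed names/addresses (not from the thread): apf-policy, 10.0.1.4, *.meraki.com.

param vmxPrivateIp string = '10.0.1.4'   // assumed: private IP of the vMX NIC

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'apf-policy'                      // assumed: the APF's existing policy
}

resource vmxOutbound 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'vmx-outbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Network rule: all outbound UDP from the vMX to any destination,
        // which is what the reply above recommends for AutoVPN.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'vmx-autovpn-udp'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-vmx-udp-any'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ vmxPrivateIp ]   // only the vMX, not the whole subnet
            destinationAddresses: [ '*' ]
            destinationPorts: [ '*' ]
          }
        ]
      }
      {
        // Application rule: outbound from the vMX to the Meraki cloud.
        // FQDN and port are placeholders; use the dashboard's Firewall info list.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'vmx-meraki-cloud'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-vmx-meraki-cloud'
            sourceAddresses: [ vmxPrivateIp ]
            protocols: [
              { protocolType: 'Https', port: 443 }   // assumed destination port
            ]
            targetFqdns: [ '*.meraki.com' ]          // assumed FQDN pattern
            // terminateTLS deliberately left unset: the reply above notes that
            // TLS inspection cannot be used for the vMX's traffic.
          }
        ]
      }
    ]
  }
}
```

The source is pinned to the vMX's own address rather than its subnet so that the broad "UDP to anywhere" allowance does not leak to other workloads behind the firewall. Deploy it into the resource group that holds the policy with `az deployment group create --template-file vmx-outbound.bicep`, then confirm in the Meraki dashboard that the vMX reports online and that spokes show the AutoVPN tunnel to it as up.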