Can a VMX be placed between an Azure Premium Firewall?

ShawSAQuestions
New here

Can a VMX be placed between an Azure Premium Firewall?

A customer using a Meraki VmX has now introduced an Azure Premium Firewall (APF) between the VmX and the internet which is creating issues as they say they can find no way to open the port through it to the VmX; so my question is to see if its possible to use the VmX as the Internet edge device and position the APF behind it (which our customer hasn't figured out how to do either)? Looking to see if anyone has noticed any hurdles using the APF in combination with a VmX and how they were resolved.

8 Replies 8
alemabrahao
Kind of a big deal
Kind of a big deal

The Meraki vMX will work in one-armed concentrator mode only! No NAT mode available. The vMX can only play the role of VPN concentrator on Azure.
You cannot use the Meraki vMX as a gateway into Azure.
Full-tunnel site-to-site VPN mode is not possible. Your branch or remote offices need to make split-tunneling VPN: Internet traffic go to the branch/remote office local Internet access, and only Azure remote networks are routed through the VPN. This is the default on Meraki auto-VPN.
Client VPN is supported on the vMX, but you must use split-tunneling to access to the Internet with a connected client.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Referencing this Meraki vMX setup guide for Azure https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

..it says that:

 

"All new vMXens deployed post October, 31, 2022 will be deployed in Routed/NAT Mode Concentrator by default, existing vMX deployments will not be effectedIf you wish to use the vMX in passthrough mode, please change the deployment settings to Passthrough or VPN Concentrator mode from the Security& SD-WAN > Configure > Addressing & VLANs page. "

 

So this suggests that we can use the vMX as a gateway to Azure. Is this incorrect?

 

As far as I know vMX is for SD-WAN purposes.

 

Recommended use cases Extend secure SD-WAN connectivity from branch sites to resources in public and private cloud environments

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The article I referenced references a further article "Concentrator Modes": https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs

 

This says:

Routed Mode

This is the default selection. Choose this option if you want to use the MX appliance as a layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN)"

 

 

So that makes me think that the vMX is deployed in "Routed/NAT Mode Concentrator by default" and routed mode makes use of the appliance as a layer 7 firewall

 

As far as I know vMX is for SD-WAN purposes.

 

Recommended use cases Extend secure SD-WAN connectivity from branch sites to resources in public and private cloud environments

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Check it out:

 

https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ#Common_Use_Cases

 

 

https://community.meraki.com/t5/Security-SD-WAN/vMX100-what-s-the-benefit/m-p/113717

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Inderdeep
Kind of a big deal
Kind of a big deal

This link may help you to understand 
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal
Kind of a big deal

I expect (never tried this myself) the VMX should work in its standard VPN concentrator mode for AutoVPN.  I expect you'll find the reliability reduced a little.  There will be some cases when AutoVPN will go down, and it won't be able to rebuild it in a timely manner, as spokes won't be able to communicate with the VMX to tell it a rebuild is needed.

You won't be able to use the TLS inspection feature of Azure premium firewall.

 

I would get them to create a rule to allow all outbound UDP traffic to any destination IP address from the VMX (to get AutoVPN working).  It will also need to allow outbound traffic to the Meraki cloud.

 

It won't be able to be used as a client VPN concentrator.

Get notified when there are additional replies to this discussion.