Hello,

We are currently operating a Cisco Meraki vMX in Azure, deployed in VPN Concentrator mode, acting as the HUB for all our on-premise Meraki SD-WAN spokes.
We are evaluating a potential change to run the vMX in Routed/NAT mode so that Azure VNet outbound traffic could be forwarded directly through the vMX instead of Azure Firewall.

Before proceeding, we need clarification on the following points:

1. If we switch the vMX from Concentrator Mode to Routed Mode, how will this affect SD-WAN traffic from the spoke sites?

• Will the spoke sites automatically shift to full-tunnel behavior through the vMX?

• Or will they continue using split-tunnel for their internet-bound traffic?

2. When the vMX performs NAT in Routed Mode, is NAT applied on the Azure-facing WAN interface or on the internal LAN interface?

We need to confirm where source NAT occurs for Azure-hosted workloads.

3. After enabling Routed Mode, will on-prem spokes still be able to communicate with Azure VMs without NAT complications?

• Will NAT cause asymmetric routing or session breaks?

• Do we need additional routes or exceptions to maintain hub–spoke Azure ↔ on-prem connectivity?

4. Is Routed Mode for vMX fully supported and recommended in Microsoft Azure environments?

We need to understand any platform limitations, unsupported features, or known caveats before planning a migration.

Any guidance or best practices from Meraki on production use of vMX Routed Mode in Azure would be greatly appreciated.