Meraki

Community

Meraki vMX: Switching from VPN Concentrator to Routed Mode

Rajasekar-Cis
New here
yesterday
yesterday

Meraki vMX: Switching from VPN Concentrator to Routed Mode

Hello,

 

We are currently operating a Cisco Meraki vMX in Azure, deployed in VPN Concentrator mode, acting as the HUB for all our on-premise Meraki SD-WAN spokes.
We are evaluating a potential change to run the vMX in Routed/NAT mode so that Azure VNet outbound traffic could be forwarded directly through the vMX instead of Azure Firewall.

Before proceeding, we need clarification on the following points:

1. If we switch the vMX from Concentrator Mode to Routed Mode, how will this affect SD-WAN traffic from the spoke sites?

  • Will the spoke sites automatically shift to full-tunnel behavior through the vMX?

  • Or will they continue using split-tunnel for their internet-bound traffic?

2. When the vMX performs NAT in Routed Mode, is NAT applied on the Azure-facing WAN interface or on the internal LAN interface?

We need to confirm where source NAT occurs for Azure-hosted workloads.

3. After enabling Routed Mode, will on-prem spokes still be able to communicate with Azure VMs without NAT complications?

  • Will NAT cause asymmetric routing or session breaks?

  • Do we need additional routes or exceptions to maintain hub–spoke Azure ↔ on-prem connectivity?

4. Is Routed Mode for vMX fully supported and recommended in Microsoft Azure environments?

We need to understand any platform limitations, unsupported features, or known caveats before planning a migration.

 

Any guidance or best practices from Meraki on production use of vMX Routed Mode in Azure would be greatly appreciated.

0 Kudos
2 Replies 2
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Virtua...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
7 hours ago
7 hours ago

Hey there,

 

1) The way spokes route will not change at all when you change your vMX.  It is also not recommended to try to move all your branch traffic over an Azure connection to the internet.  Usually you have DIA (direct internet access) at the branches or you use a SASE solution where you send nearly all your internet bound traffic for inspection.  However the routing for the Azure resources can be done directly.

2) NAT will be applied on the traffic at the WAN interface and will be NAT'ed again leaving the Azure cloud.

3) NAT does not occur when sending traffic through the VPN tunnels unless you explicitely configure it.  This is usually in cases of overlapping subnets.

4) Since a recent version it is fully supported.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.