Hello,
Trying to figure out the best way to deploy our vMX in Azure. We have 20 sites, all Meraki MX’s. Each currently in Routed mode, and Hub (mesh). And each site has their subnet (192.168.1-20.0/24, with a few other subnets) in the VPN. Pretty simple, works great. Want to extend our network into Azure (192.168.50.0/23), setup some VMs for AD server, SQL, etc.
So, we setup the vMX in Routed Mode and things weren’t working, thinking it would just be another Hub, connected to all the other Hubs. Talked with support and they said hardly anyone uses that mode, and you’d have to setup all other 20 MX’s to be Spokes, and do full tunnels to the Azure site. i.e. send everything to Azure, since the vMX doesn’t let you advertise the Azure subnets in Routed Mode(WTF?). I’m no Azure expert(very new actually), but wouldn’t that run up costs for data ingress/egress? And wouldn’t that create a single point of failure for all other sites (If Azure is down you’re down too!)?
Switched it to Passthrough, and got things configured and working. But, in this mode the vMX is not a Firewall/NAT device. It’s a layer 2 bridge. And there’s this warning in the documentation:
Placing a WAN appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode WAN appliances should always be deployed behind an edge firewall.
So, what are people doing for their firewall in Azure? As mentioned, new to Azure, and want to make sure we’re secure in setting thing up.
Thanks,
Mike
