Questions on vMX setup in Azure

Duke_Nukem
Getting noticed

Questions on vMX setup in Azure

Hello,

 

Trying to figure out the best way to deploy our vMX in Azure.  We have 20 sites, all Meraki MX’s.  Each currently in Routed mode, and Hub (mesh). And each site has their subnet (192.168.1-20.0/24, with a few other subnets) in the VPN.  Pretty simple, works great.  Want to extend our network into Azure (192.168.50.0/23), setup some VMs for AD server, SQL, etc. 

 

So, we setup the vMX in Routed Mode and things weren’t working, thinking it would just be another Hub, connected to all the other Hubs.  Talked with support and they said hardly anyone uses that mode, and you’d have to setup all other 20 MX’s to be Spokes, and do full tunnels to the Azure site.  i.e. send everything to Azure, since the vMX doesn’t let you advertise the Azure subnets in Routed Mode(WTF?).  I’m no Azure expert(very new actually), but wouldn’t that run up costs for data ingress/egress?  And wouldn’t that create a single point of failure for all other sites (If Azure is down you’re down too!)?

 

Switched it to Passthrough, and got things configured and working.  But, in this mode the vMX is not a Firewall/NAT device.  It’s a layer 2 bridge.  And there’s this warning in the documentation:

Placing a WAN appliance in Passthrough mode at the perimeter of your network with a publicly routable IP address is not recommended and can present security risks. As a best practice, Passthrough mode WAN appliances should always be deployed behind an edge firewall.

 

So, what are people doing for their firewall in Azure?  As mentioned, new to Azure, and want to make sure we’re secure in setting thing up.

 

Thanks,

 

Mike

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

I only use VMX in VPN concentrator mode in Azure because of the limitations.

 

I rely on network security groups to limit traffic to the VMX.

Thanks, Phillip.  Does the vMX in Passthrough require a NSG for security? Or if it's public IP address is using the Standard SKU, it should be good (pic below)?

 

Thanks,

 

Mike

Azure public IP.JPG

That is a problem.  You need a "Basic IP SKU" to have full functionality and for the best reliability.

 

If you use a NSG, make sure you define a static port to be used for AutoVPN.  I also normally disable the local status page via the Meraki Dashboard.

Duke_Nukem
Getting noticed

If you don't use an NSG with the Basic IP SKU, then everything is open. And that is a security risk. Thus Microsoft telling people to move to the Standard IP SKU by 9/30/25, which blocks everything.  

With the Standard SKU, and an NSG allowing 443, we can hit AnyConnect in mesh/Passthrough mode, but the NSG blocks all site-to-site tunnel access, and we can’t reach a VM in Azure from another site.  Do we need to allow port 500 and 4500 in our NSG?

 

Not sure what other functionality/reliability there is by changing the IP SKU.

If you use a NSG then I would configure a manual NAT for AutoVPN and add then add whatever UDP port you choose to the NSG.  This allows AutoVPN to recover from a lot more failure cases.

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

 

PhilipDAth_0-1716150024205.png

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.