VMX - Azure, firewall?

New here

VMX - Azure, firewall?

We have deployed vMX in Azure in VPN concentrator mode. We have two subnets on vmx virtual network. vMX has its own static public IP. The Windows VMs are connected behind vmx virtual network. When we checked the "What is my IP" on the Windows VM, it does not show the public IP of vMX. It shows completely different public IPs and it changes over time. I assume the internet traffic from the Windows VM is going through some Azure gateway.


Also, that means, windows WM is not going through vMX firewall ( I learned that vmx in concentrator mode does not act as firewall).


My question is, why is internet traffic on windows vm not going through vmx public IP?

Also, if I want a firewall on vmx virtual network, what are my options, and how to configure it?

3 Replies 3
Kind of a big deal
Kind of a big deal

Before You Begin

You must have the following before you begin:

  • An Azure virtual network (vNET, also known as a VPC) where you will deploy the vMX.  This vNET and its corresponding resource group can be the same one as the resources you plan to access across the Meraki VPN or a different one.  Refer to this Azure document for creating these resources. 

  • You MUST have an "SD-WAN" subnet inside the vNET where the vMX will be deployed which is separate from the subnet(s) where the resources you plan to access through the VPN are hosted.  Ex. If your apps and resources are located in the "production" subnet, you will deploy a second subnet in the same vNET called "SD-WAN" in which the vMX will be deployed.  DO NOT deploy the vMX inside the production subnet alongside the other resources as this can result in a routing loop and packet loss within the Azure environment.


Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet.


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

thank you for your reply. Do you suggest using peering between vNET (vMX) and vNET (Azure firewall)?

Kind of a big deal
Kind of a big deal

> I assume the internet traffic from the Windows VM is going through some Azure gateway.



Get notified when there are additional replies to this discussion.