How to peer vMX to AWS transit gateway (TG)
Written by @Fran_Tello
- Keep the existing TGW-based architecture and introduce an intermediate C8Kv router that peers via eBGP with your vMX and with eBGP over GRE with the TGW
- Use the TGW-vMX quickstart which uses Lambda functions to maintain routing information in your TGWs based on the availability of your vMXs: https://aws-quickstart.github.io/quickstart-cisco-meraki-sd-wan-vmx/
- Transition the customer to CloudWAN tunnel-less connect, which does not require GRE encapsulation in BGP. Think of Cloud WAN as a natively multi-region TGW construct, similar to vWAN Hubs in Azure.
- We have this documentation article on how to set this up: https://documentation.meraki.com/MX/Deployment_Guides/Deploying_Meraki_vMX_in_a_Transit_VPC_with_AWS...
- I also made a yet unpublished migration guide to move from TGW to Cloud WAN: https://cisco.box.com/s/96hn1fquaep6pf36bstkckqn2ytxzju0
- Untested: It may be possible to use the MX19 BGP in IPsec capability to peer a vMX to a TGW, as TGWs also support IPsec encapsulation, but we have not tested this use case.
That is very interesting. I think I'll give that a try.
I think I am more interested in option (4), simply because it is lower cost.
I've spent quite a bit of time trying to get BGP over IPsec working to both an Amazon AWS VPN Gateway and a transit gateway. Both fail. IKEv2 comes up nicely. I can ping the tunnel at the AWS end from the MX, so I know all the crypto and the tunnel are working.
I opened a support case with Meraki, 12506739. But this new feature is beyond what they can diagnose. I don't suppose we could get development to look at getting this feature to work with Amazon AWS?
I would guess there would be 100,000 Meraki customers with Amazon AWS to every 1 customer using Catalyst SD-WAN.
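When the IPsec tunnel is up but the BGP session never establishes, as described in the post above, the next thing to check is what the two sides actually put in their BGP OPEN messages (peer ASN, version, hold time, router ID, 4-byte ASN capability), since a mismatch in any of these makes the receiver reject the session with a NOTIFICATION. The following is an added example, not Meraki or AWS code: a small RFC 4271 OPEN encoder/decoder plus a mismatch check you can run over a captured OPEN; the ASNs and addresses in it are constructed.

```python
import struct

MARKER = b"\xff" * 16
AS_TRANS = 23456  # 2-byte stand-in when the real ASN needs 4 bytes (RFC 6793)

def build_open(asn, hold_time, router_id, four_byte_asn=True):
    """Build an OPEN; a 4-byte ASN goes in capability 65 with AS_TRANS in the header."""
    my_as = asn if asn < 65536 else AS_TRANS
    bgp_id = bytes(int(o) for o in router_id.split("."))
    opt_params = b""
    if four_byte_asn:
        cap = struct.pack("!BBI", 65, 4, asn)               # capability 65, length 4, ASN
        opt_params = struct.pack("!BB", 2, len(cap)) + cap   # optional param type 2 = capabilities
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, bgp_id, len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body   # message type 1 = OPEN

def parse_open(msg):
    """Decode an OPEN into the fields both peers must agree on; raises ValueError otherwise."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("not a BGP message: bad marker or too short")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != 1 or length != len(msg):
        raise ValueError(f"expected OPEN (type 1), got type {msg_type}, length {length}")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    info = {"version": version, "asn": my_as, "hold_time": hold_time,
            "router_id": ".".join(str(b) for b in bgp_id), "capabilities": []}
    params, pos = msg[29:29 + opt_len], 0
    while pos + 2 <= len(params):                           # optional parameter TLVs
        ptype, plen = params[pos], params[pos + 1]
        caps, cpos = params[pos + 2:pos + 2 + plen], 0
        while ptype == 2 and cpos + 2 <= len(caps):         # capability TLVs (param type 2)
            code, clen = caps[cpos], caps[cpos + 1]
            info["capabilities"].append(code)
            if code == 65 and clen == 4:                     # 4-octet ASN overrides AS_TRANS
                info["asn"] = struct.unpack("!I", caps[cpos + 2:cpos + 6])[0]
            cpos += 2 + clen
        pos += 2 + plen
    return info

def open_problems(remote, expected_remote_asn):
    """Reasons an OPEN would be refused with a NOTIFICATION: bad peer ASN, version or hold time."""
    problems = []
    if remote["asn"] != expected_remote_asn:
        problems.append(f"peer ASN {remote['asn']} != configured {expected_remote_asn}")
    if remote["version"] != 4:
        problems.append(f"unsupported BGP version {remote['version']}")
    if 0 < remote["hold_time"] < 3:                          # RFC 4271: must be 0 or >= 3 seconds
        problems.append(f"hold time {remote['hold_time']} s is below the 3 s minimum")
    return problems

# Constructed sample: an OPEN a private-ASN peer on a link-local tunnel address might send.
SAMPLE_OPEN = build_open(64512, 30, "169.254.10.1")
```

To inspect a real session, feed `parse_open` the TCP payload of the OPEN packet from a capture taken inside the tunnel and compare the result against the ASN and hold time configured on the other side.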
I've tried again with 19.1.6 to AWS. BGP portion still fails to come up. Meraki thinks it is sending a BGP hello but doesn't get a response.
