vMX + AWS

mmeck
Here to help

Hi,

I have inherited an AWS environment that's in transition from on-premises to cloud-based infrastructure.

Looking to see if there is any reference architecture for how the vMX should be deployed. Has everyone just placed it within their public subnet?

Also curious whether having the vMX negates the need for a NAT gateway / NAT instance.

Thanks.

M

PhilipDAth
Kind of a big deal

The vMX only does AutoVPN, so you cannot use it as a NAT gateway.

I would place it into the public segment so it can have its own NATed IP address.

This is the deployment guide for setting it up in Amazon AWS.

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

MerakiDave
Meraki Employee

Yes @mmeck the vMX is basically a virtual MX100 in AWS (or Azure) to act as the AutoVPN concentrator for any of your various physical MX appliances in your Dashboard Org, such as in lots of branch locations, and these would be the two key reference guides for vMX deployment in AWS:  

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

and

https://documentation.meraki.com/MX/Site-to-site_VPN/One-Armed_VPN_Concentrator_Deployment_Guide

Sorry if I misunderstood the question or if you already read through those and weren't sure about your deployment options, let us know.

MerakiDave
Meraki Employee

And what @PhilipDAth said, we answered around the same time... I just talk too much so my answer came 2 minutes after his, LOL

PhilipDAth
Kind of a big deal

@MerakiDave was busy doing this job.  I was looking for a distraction not to do mine.

mmeck
Here to help

Thanks @PhilipDAth and @MerakiDave

So, essentially something like this:

meraki-aws.png

PhilipDAth
Kind of a big deal

Looks good to me.

MerakiDave
Meraki Employee

Yes, that's a correct diagram.  All you need is a vMX license and you'll have an "Add vMX" button in Dashboard and then you go to the Appliance Status page and generate a token to copy over to AWS, and then proceed to set up the vMX as a one-armed VPN Concentrator as per the support guide.  The install guide also shows the steps to set up your VPN in AWS and configure the vMX to communicate with your Meraki Dashboard.  

Stephan_W
Conversationalist

Set up the vMX without issue, just migrated the DB to a MySQL database (Aurora) and set it up in the same security group but under a private subnet (almost the same setup as the diagram I now see here).

However, on the vMX side I added the CIDR for the subnets in VPN but can't ping from the vMX to the DB. I set up the inbound/outbound rules for the DB private subnet (on the AWS side) and made sure the application port (3307 instead of 3306) was set up as well.

Any insight from someone who's done this would be awesome. 

PhilipDAth
Kind of a big deal

What about the security group that the AWS is in?

Stephan_W
Conversationalist

Just have the inbound/outbound rules for the port. Does the Source need to be changed to the exact IP of the vMX or the CIDR?

Again, appreciate any help/insight!

PhilipDAth
Kind of a big deal

The security group rules need to allow both devices to talk to each other. You can have VPC security rules as well.

Also, MySQL can be restricted to only allowing accounts to be accessible from specific IPs. I imagine Aurora is similar.

https://dba.stackexchange.com/questions/80701/how-to-allow-remote-connections-to-mysql-from-specific... 

It could be so many things.
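The checks PhilipDAth lists above, as an added example that is not part of this thread nor Meraki or AWS code: a small Python model of how a security group (stateful, allow-only, matched by CIDR or by referenced group id) and a subnet network ACL (stateless, first match by rule number, implicit final deny) gate a TCP flow from the vMX to the Aurora endpoint on 3307, plus a TCP connect probe to run from an EC2 host placed in the vMX's security group, since Aurora/RDS endpoints do not answer ICMP and a failed ping proves nothing. The addresses, group ids and rule sets are constructed for illustration; they show the two ways this setup usually fails, the DB group's inbound rule not matching the vMX, and a tightened NACL with no outbound ephemeral-port entry so the reply never leaves the private subnet.

```python
"""Offline model of the AWS checks a vMX -> Aurora TCP flow has to pass.

Added example, not Meraki or AWS code. Addresses, group ids and rule
dictionaries below are constructed; they are not from the thread.
"""
import ipaddress
import socket

# Constructed topology (assumption): vMX in the public subnet, Aurora in a
# private subnet, application port 3307 as in the thread.
VMX_IP = "10.0.1.10"
VMX_SG = "sg-0vmx"
AURORA_IP = "10.0.2.20"
AURORA_SG = "sg-0db"
DB_PORT = 3307


def _port_match(rule, port):
    """from_port == -1 models an 'all traffic' rule."""
    return rule["from_port"] == -1 or rule["from_port"] <= port <= rule["to_port"]


def sg_allows(rules, peer_ip, peer_sg, port):
    """Security groups are stateful and allow-only: one matching rule permits
    the flow and the reply is tracked automatically. A rule matches the peer
    either by CIDR or by referencing the peer's own group id."""
    for r in rules:
        if not _port_match(r, port):
            continue
        if r.get("source_sg") and r["source_sg"] == peer_sg:
            return True
        if r.get("cidr") and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r["cidr"]):
            return True
    return False


def nacl_allows(entries, peer_ip, port):
    """Network ACLs are stateless and ordered by rule number; the first entry
    matching address and port decides, unmatched packets hit the implicit deny."""
    for e in sorted(entries, key=lambda e: e["rule_no"]):
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(e["cidr"]):
            continue
        if not _port_match(e, port):
            continue
        return e["action"] == "allow"
    return False


def path_open(vmx_sg_outbound, db_sg_inbound, db_nacl, port=DB_PORT, ephemeral=40000):
    """Walk the four checks a SYN from the vMX to Aurora must pass and report
    every one that fails. Returns (ok, list_of_failures)."""
    failed = []
    if not sg_allows(vmx_sg_outbound, AURORA_IP, AURORA_SG, port):
        failed.append("vMX security group: no outbound rule to Aurora on port %d" % port)
    if not sg_allows(db_sg_inbound, VMX_IP, VMX_SG, port):
        failed.append("Aurora security group: no inbound rule from vMX on port %d" % port)
    if not nacl_allows(db_nacl["inbound"], VMX_IP, port):
        failed.append("private subnet NACL: inbound port %d denied" % port)
    if not nacl_allows(db_nacl["outbound"], VMX_IP, ephemeral):
        failed.append("private subnet NACL: outbound ephemeral port %d denied, reply never leaves" % ephemeral)
    return (not failed, failed)


def tcp_probe(host, port, timeout=3.0):
    """Aurora/RDS endpoints do not answer ICMP, so test the application port
    with a TCP connect from a host in the vMX's security group instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed rule sets. vMX outbound is the AWS default (all traffic).
VMX_SG_OUTBOUND = [{"from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"}]
# Typical mistake: the DB group only allows 3307 from the DB's own subnet.
DB_SG_INBOUND_BAD = [{"from_port": 3307, "to_port": 3307, "cidr": "10.0.2.0/24"}]
# Fix: reference the vMX's security group (or its /32) as the source.
DB_SG_INBOUND_GOOD = [{"from_port": 3307, "to_port": 3307, "source_sg": "sg-0vmx"}]
_ALLOW_ALL = [{"rule_no": 100, "action": "allow", "cidr": "0.0.0.0/0", "from_port": -1, "to_port": -1}]
DEFAULT_NACL = {"inbound": _ALLOW_ALL, "outbound": _ALLOW_ALL}
# A tightened NACL that forgot the stateless return path on ephemeral ports.
_ONLY_3307 = [{"rule_no": 100, "action": "allow", "cidr": "10.0.1.0/24", "from_port": 3307, "to_port": 3307}]
TIGHT_NACL = {"inbound": _ONLY_3307, "outbound": _ONLY_3307}

if __name__ == "__main__":
    for label, sg, nacl in (("bad SG", DB_SG_INBOUND_BAD, DEFAULT_NACL),
                            ("good SG", DB_SG_INBOUND_GOOD, DEFAULT_NACL),
                            ("good SG, tight NACL", DB_SG_INBOUND_GOOD, TIGHT_NACL)):
        print(label, path_open(VMX_SG_OUTBOUND, sg, nacl))
```

Two practical notes on the model. A security-group reference (`source_sg`) only matches packets whose source is an ENI in that group, which covers connections the vMX itself initiates; traffic that originates in a branch and arrives through the one-armed vMX keeps the branch LAN source address, so the DB rule for that traffic has to match the branch CIDRs instead. The MySQL-side restriction PhilipDAth mentions is the host part of the account name (for example `'app'@'10.0.1.%'`), which Aurora MySQL honours in the same way, so a connection that passes the AWS checks can still be refused there.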