And what @PhilipDAth said, we answered around the same time... I just talk too much so my answer came 2 minutes after his, LOL

@MerakiDave was busy doing this job.  I was looking for a distraction not to do mine.

Thanks @PhilipDAth and @MerakiDave 

So, essentially something like this:

Looks good to me.

Yes, that's a correct diagram.  All you need is a vMX license and you'll have an "Add vMX" button in Dashboard and then you go to the Appliance Status page and generate a token to copy over to AWS, and then proceed to set up the vMX as a one-armed VPN Concentrator as per the support guide.  The install guide also shows the steps to set up your VPN in AWS and configure the vMX to communicate with your Meraki Dashboard.  

Setup the vMX without issue, just migrated DB to MySQL database (Aurora) and setup in same Security Group but under private subnet (almost same setup as diagram I now see here).

However, on the vMX side I added the CIDR for the subnets in VPN but can't ping from the vMX to the DB. I setup the inbound/outbound rules for the DB Private subnet (on AWS side) and made sure application port (3307 instead of 3306) was setup as well. 

Any insight from someone who's done this would be awesome. 

What about the security group that the AWS is in?

Just have the Inbound/Outbound rules for the Port. Does the Source need to be changed to the exact IP of the vMX or the CIDR?

Again, appreciate any help/insight!

The security group rules need to allow both devices to talk to each other.  Also you can have VPC security rules as well.

Also MySQL can be restricted to only allowing accounts to be accessible from specific IP's.  I imagine Aurora is similar.

https://dba.stackexchange.com/questions/80701/how-to-allow-remote-connections-to-mysql-from-specific... 

It could be so many things.