Here to help




I have inherited an AWS environment that's in transition from an on-premise to cloud base infrastructure.


Looking to see if there is any reference architecture to see how the vMX should be deployed. Has everyone just placed it within their public subnet?


Also curious whether having the vMX negates the need for a NAT gateway / NAT instance.




11 Replies 11
Kind of a big deal
Kind of a big deal

The vMX only does AutoVPN - so you can not use it as a NAT gateway.


I would place it into the public segment so it can have its own NATed IP address.


This is the deployment guide for setting it up in Amazon AWS.


Meraki Employee
Meraki Employee

Yes @mmeck the vMX is basically a virtual MX100 in AWS (or Azure) to act as the AutoVPN concentrator for any of your various physical MX appliances in your Dashboard Org, such as in lots of branch locations, and these would be the two key reference guides for vMX deployment in AWS:  




Sorry if I misunderstood the question or if you already read through those and weren't sure about your deployment options, let us know.


And what @PhilipDAth said, we answered around the same time... I just talk too much so my answer came 2 minutes after his, LOL

@MerakiDave was busy doing this job.  I was looking for a distraction not to do mine.

Thanks @PhilipDAth and @MerakiDave 


So, essentially something like this:


Kind of a big deal
Kind of a big deal

Looks good to me.

Yes, that's a correct diagram.  All you need is a vMX license and you'll have an "Add vMX" button in Dashboard and then you go to the Appliance Status page and generate a token to copy over to AWS, and then proceed to set up the vMX as a one-armed VPN Concentrator as per the support guide.  The install guide also shows the steps to set up your VPN in AWS and configure the vMX to communicate with your Meraki Dashboard.  


Setup the vMX without issue, just migrated DB to MySQL database (Aurora) and setup in same Security Group but under private subnet (almost same setup as diagram I now see here).


However, on the vMX side I added the CIDR for the subnets in VPN but can't ping from the vMX to the DB. I setup the inbound/outbound rules for the DB Private subnet (on AWS side) and made sure application port (3307 instead of 3306) was setup as well. 


Any insight from someone who's done this would be awesome. 

What about the security group that the AWS is in?

Just have the Inbound/Outbound rules for the Port. Does the Source need to be changed to the exact IP of the vMX or the CIDR?


Again, appreciate any help/insight!

The security group rules need to allow both devices to talk to each other.  Also you can have VPC security rules as well.


Also MySQL can be restricted to only allowing accounts to be accessible from specific IP's.  I imagine Aurora is similar.



It could be so many things.

Get notified when there are additional replies to this discussion.