I have deployed a vMX into MS Azure. Following the deployment guide, the vMX sits in its own Resource Group, in a dedicated VNET and Subnet.
The vMX is configured to be a VPN Hub.
Within the Dashboard, the vMX looks healthy.
I have a test branch acting as a spoke, which has an AutoVPN tunnel formed to the vMX.
Within Azure, I have a separate server Resource Group, VNET, Subnet with a VM. I want the spoke site to be able to connect to this VM.
In the vMX, I have defined this server subnet under the "VPN settings" "Local networks".
Now for the problem - the vMX VNET and server VNET are not peered, and I'm unable to peer them due to the following error:
"Failed to add virtual network peering 'vMX-to-Server' to subscription ... The client <my-email-address> with object id <abc-123> has permission to perform action .... write on RG-vMX; however the access is denied because of the deny assignment created by the managed application"
Essentially, the Azure RG I created acts as a container for the vMX and its objects (including the VNET). This RG is very restrictive and doesn't allow me to set up peering to existing VNETs within Azure.
I have a support case open with Meraki, but I believe they're struggling to understand the problem.
MS Azure support have confirmed the permissions are due to the managed application (the vMX).
Does anyone have any pointers to assist with the VNET peering setup?
Thanks
Chris
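The error quoted above comes from an Azure deny assignment, which is evaluated before any RBAC role grant and therefore cannot be overridden by giving the user more rights. The following added example (not part of the original post, and not Meraki or Microsoft code) models that evaluation over a constructed deny assignment in the shape the ARM `denyAssignments` API returns; the subscription id, object ids and assignment name are placeholders.

```python
"""Model how an Azure deny assignment blocks an action, independent of RBAC grants.

Constructed data only; the real list for a resource group can be fetched with
GET https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>
    /providers/Microsoft.Authorization/denyAssignments?api-version=2018-07-01
"""
import fnmatch

# SystemDefined principal id that Azure uses to mean "all principals".
EVERYONE = "00000000-0000-0000-0000-000000000000"

# Constructed deny assignment resembling the one a managed application places on
# its managed resource group: everything except reads is denied for everyone,
# with only the application's own identity excluded.
DENY_ASSIGNMENTS = [{
    "name": "constructed-deny-assignment-id",
    "properties": {
        "denyAssignmentName": "Managed application deny assignment (constructed)",
        "scope": "/subscriptions/<sub>/resourceGroups/RG-vMX",
        "doNotApplyToChildScopes": False,
        "isSystemProtected": True,
        "permissions": [{"actions": ["*"], "notActions": ["*/read"]}],
        "principals": [{"id": EVERYONE, "type": "SystemDefined"}],
        "excludePrincipals": [{"id": "<managed-app-identity>", "type": "ServicePrincipal"}],
    },
}]


def _matches(patterns, action):
    """Case-insensitive wildcard match of an action against a list of patterns."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_denied(principal_id, action, resource_scope, deny_assignments):
    """Return the name of the deny assignment blocking the action, or None."""
    target = resource_scope.lower()
    for da in deny_assignments:
        props = da["properties"]
        da_scope = props["scope"].lower()
        at_scope = target == da_scope
        below_scope = target.startswith(da_scope + "/") and not props["doNotApplyToChildScopes"]
        if not (at_scope or below_scope):
            continue
        covered = {p["id"] for p in props["principals"]}
        if principal_id not in covered and EVERYONE not in covered:
            continue
        if principal_id in {p["id"] for p in props["excludePrincipals"]}:
            continue
        for perm in props["permissions"]:
            if _matches(perm["actions"], action) and not _matches(perm.get("notActions", []), action):
                return props["denyAssignmentName"]
    return None
```

A deny assignment that covers the caller for a write action cannot be lifted by role assignments on RG-vMX; only an excluded principal, such as the managed application's own identity, can perform that write.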