vMX and firewalling in Azure

Solved
Henrik_DK

As far as I understand we will NOT be able to use our vMX as a firewall between Azure and the Internet; it's only good for VPN. Can you confirm? 🙂

alemabrahao

In fact, it has firewall functionality because it is a firewall. However, you won't have the full functionality of a physical device due to licensing limitations.

What exactly do you need? The idea of vMX is to be more like a hub to make it easier to access your resources within Azure or AWS, but it would be nice if you gave an overview of what you need.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Henrik_DK

Thanks. We were recommended a vMX setup that should offer the same firewall capabilities as the MX (configurable in- and outgoing firewalling), which it does not do if I am not mistaken? 🙂

alemabrahao

Again, what is the purpose of vMX? I see it more as a transit gateway to access your resources within Azure, AWS, etc.

Do you want to expose your applications to the internet and use vMX to do some type of filtering? Or is it to limit what your machines within Azure can access?

It can act like a firewall, but it would be good to understand its purpose first.

Henrik_DK

My goal was to clarify whether or not it could do the same firewalling as an MX, which I think it cannot? 🙂

alemabrahao

Not 100%; some features are not supported.

vMX Comparison Datasheet - Cisco Meraki Documentation

Henrik_DK

As far as our test shows, we cannot get traffic through the vMX directly to the internet. Is it something you have experience with?

MartinLL (accepted solution)

No, you cannot. Traffic will be routed to the subnet gateway and forwarded according to Azure routing. The vMX can do NAT, but only for its private interface IP, not public.

My recommendation: break internet access out locally. If that is not possible, look into adding Umbrella SIG or Secure Connect Plus.

MLL
PhilipDAth

Correct. You won't be able to use your vMX like a traditional firewall in Azure. Use network security groups for that.

Check out this document and jump down to the "Unsupported Features" section.
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Comparison_Datasheet

cookiejc

Hi, I appreciate this thread is a bit old. Can I just clarify the answer on this one, which suggests the vMX can only really be used as a VPN concentrator in Azure and not act as a firewall in an Azure hub-and-spoke architecture?

The linked comparison sheet here (vMX Comparison Datasheet - Cisco Meraki Documentation) mentions that L3-7 firewall capabilities are supported.

If we deployed one of these in an Azure hub network, could it not both provide connectivity to sites as well as firewalling between spoke virtual networks and outbound internet from the Azure environment?

Thanks in advance

MartinLL

Hi,

When this post was created that was indeed the case. But now you can deploy it in routed mode and use L4-L7 features with the Advanced Security license, as long as you run 19.1 or later.

If you deploy in routed mode, internet access should work since the vMX will do NAT.

You can also use it as a firewall-on-a-stick for VNets in this setup. You just need to add a route table to the spoke subnets pinning all traffic to the vMX LAN interface in the hub VNet.

Check out this FAQ for more info. I think it will give you most of the answers you seek 🙂

vMX NAT Mode Use Cases and FAQ - Cisco Meraki Documentation

MLL
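The route-table step MartinLL describes, written out as Azure CLI commands. This is an added example, not code from the thread or from Cisco Meraki: the resource group, VNet, subnet and NIC names, the vMX LAN IP (10.0.1.4) and the second spoke prefix (10.2.0.0/16) are placeholders I assumed, overridable through the environment. Two points the post leaves implicit are built in: Azure drops packets not addressed to a NIC's own IP unless IP forwarding is enabled on that NIC (a general Azure NVA requirement, in case the vMX deployment did not already set it), and Azure selects routes by longest prefix before route type, so a spoke that is directly peered with another spoke needs an explicit route for that spoke's prefix or the traffic bypasses the vMX.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco Meraki: Azure CLI steps
# for the "firewall on a stick" layout, i.e. a user-defined route table on a
# spoke subnet sending all traffic to the vMX LAN interface in the hub VNet.
# All names and addresses below are assumed placeholders; override via the env.
set -eu

RG="${RG:-rg-hub}"
LOCATION="${LOCATION:-westeurope}"
VMX_NIC="${VMX_NIC:-vmx-lan-nic}"          # assumed: NIC of the vMX LAN interface
VMX_LAN_IP="${VMX_LAN_IP:-10.0.1.4}"       # assumed: its private IP in the hub VNet
SPOKE_VNET="${SPOKE_VNET:-vnet-spoke1}"
SPOKE_SUBNET="${SPOKE_SUBNET:-snet-workload}"
ROUTE_TABLE="rt-${SPOKE_VNET}-via-vmx"

# With AZ_DRY_RUN set, print each command instead of executing it, so the plan
# can be reviewed (or tested) before anything in the subscription changes.
run() {
  if [ -n "${AZ_DRY_RUN:-}" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Azure only delivers packets addressed to a NIC's own IP unless IP forwarding
# is enabled on that NIC; without it the vMX never sees the spoke traffic.
enable_vmx_forwarding() {
  run az network nic update --resource-group "$RG" --name "$VMX_NIC" \
    --ip-forwarding true
}

# Route table with a default route whose next hop is the vMX LAN IP.
# Attach it only to spoke subnets, never to the vMX's own subnet, or the
# appliance's outbound traffic would be routed straight back to itself.
create_spoke_route_table() {
  run az network route-table create --resource-group "$RG" \
    --location "$LOCATION" --name "$ROUTE_TABLE"
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "$ROUTE_TABLE" --name default-via-vmx \
    --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$VMX_LAN_IP"
}

# Azure matches the longest prefix before it looks at route type, so if two
# spokes are peered directly, the peering's system route for the other spoke's
# prefix beats 0.0.0.0/0 and that traffic would skip the vMX. Pin such
# prefixes explicitly; $1 is the other spoke's address space.
add_spoke_to_spoke_route() {
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "$ROUTE_TABLE" \
    --name "spoke-$(echo "$1" | tr './' '-_')" \
    --address-prefix "$1" \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$VMX_LAN_IP"
}

associate_spoke_subnet() {
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$SPOKE_VNET" --name "$SPOKE_SUBNET" --route-table "$ROUTE_TABLE"
}

# Usage: AZ_DRY_RUN=1 sh vmx-spoke-udr.sh apply  (review the plan),
# then the same command without AZ_DRY_RUN to apply it.
if [ "${1:-}" = "apply" ]; then
  enable_vmx_forwarding
  create_spoke_route_table
  add_spoke_to_spoke_route 10.2.0.0/16   # assumed address space of a second, peered spoke
  associate_spoke_subnet
fi
```

Run it once with AZ_DRY_RUN set to see every command it would issue, check the next-hop IP really is the vMX LAN interface (not its WAN interface), and confirm the vMX subnet itself keeps a route table whose default goes to Internet before applying. The route table says nothing about what is permitted; the actual L3-L7 filtering still happens in the vMX firewall rules once the traffic is steered through it.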