it's used only as a HUB for SD-WAN. All the traffic then is sent to the Gateway VPN (same vnet)

I'm not clear on what you are trying to achieve.

You have a number of AutoVPN branches and that is it the traffic you are wanting to protect?

In the spoke sites, (split tunnel configured) users going in Internet will need to get to Umbrella and i need protection. So the vMX (where the Umbrella configuration should be configured) need to provide that security.

So ,getting back to the beginning:

1) What license is required for the vMX to integrate with Umbrella, considering I need advanced features like threat analysis and content control? I assume the Advanced Security license is needed.

2) Should I use Umbrella DNS Security Advantage for this?

3) Is the Umbrella license based on a "per user" or "per VLAN" ?

Hope is clear now.M

What you are describing is "Cloud Onramp".  The configuration is done on the spokes, not the VMX.

https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide

You need Umbrella SIG Essentials or SIG Advantage.

https://umbrella.cisco.com/products/umbrella-enterprise-security-packages

It is licenced per user.

On the Meraki side - it works with all MX licence types.

ok but you telling me i cannot rich Umbrella via a local brekout form a Spoke? MUST I pass through SD_WAN?

With Cloud OnRamp, it goes via Umbrella to SD-WAN.

If you want to reduce your requirements to just DNS filtering then then you can Umbrella DNS Essentials, and use DNS integration.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_...

Hi Philip,

first of all thanks for your time to answer to my questions. The only thing im have to understand is if i can use a local internet connection from my spoke networks to go to umbrella or not. Cause you are telling me that i need to use SD_WAN (passing though the HUB) and i dont want to go through it to get to the Umbrella network.

Can you kidnly clarify that to me?

Thanks.