vMX routing towards an exit hub for security

Solved
GIdenJoe
Kind of a big deal

I got a question from a client who wants to secure his cloud-based servers in Azure.

Is it possible to have an on-prem HQ MX as an exit hub for the vMX, to filter traffic at the vMX and have it exit out the local MX towards the internet, or is this a complete pipe dream?

If not, where should I steer the customer to secure his servers?

At this time we have an SD-WAN where a bunch of branches connect to an HQ MX and an Azure vMX to reach the servers.

Thanks in advance!

1 Accepted Solution
MartinLL
Building a reputation

Hey!

From a Meraki perspective that should work just fine. But in Azure you will need to do a lot of weird routing operations with UDRs. If the customer uses a hub-and-spoke topology you are basically forced into deploying a Virtual Network Gateway or Azure Firewall to route traffic towards your vMX from your Azure spoke networks.

I think the better solution would be to add the Azure Firewall in the Azure hub VNET along with the vMX, then force all Azure-bound traffic coming from the SD-WAN through the Azure Firewall. This way you can secure your Azure workloads internally in the vPC and from your SD-WAN by pinning it through the Azure Firewall.

MLL
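The UDR placement MartinLL describes, written out as an added example that is not part of the original thread: an Azure CLI script that creates three route tables so that spoke subnets send everything to the Azure Firewall, the firewall subnet hands branch-bound traffic to the vMX, and the vMX subnet sends spoke-bound traffic back through the firewall before it reaches the servers. Every resource name, address prefix and IP below is an assumption made for the example; the `az` commands and flags are real. Set `AZ=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post. Pins SD-WAN <-> spoke
# traffic through an Azure Firewall that sits in the hub VNet next to the vMX.
# Names, prefixes and IPs are assumptions; replace them with the customer's values.
set -eu

RG="rg-sdwan-hub"            # assumed resource group
LOCATION="westeurope"        # assumed region
HUB_VNET="vnet-hub"          # hub VNet holding AzureFirewallSubnet and the vMX subnet
SPOKE_VNET="vnet-spoke-app"  # spoke VNet with the servers (peered to the hub)
SPOKE_SUBNET="snet-app"
VMX_SUBNET="snet-vmx"
SPOKE_PREFIX="10.1.0.0/16"   # assumed spoke address space
AZFW_IP="10.0.1.4"           # assumed Azure Firewall private IP
VMX_IP="10.0.2.4"            # assumed vMX NIC private IP (the SD-WAN next hop inside Azure)
BRANCH_PREFIXES="10.100.0.0/16 10.101.0.0/16"  # assumed SD-WAN branch/HQ LANs

AZ="${AZ:-az}"   # AZ=echo for a dry run

# Route table with BGP propagation disabled, so a gateway-learned route cannot bypass the UDRs.
create_rt() {
  $AZ network route-table create -g "$RG" -n "$1" -l "$LOCATION" \
    --disable-bgp-route-propagation true --output none
}

# add_route <table> <route-name> <prefix> <next-hop-ip>: next hop is always a VirtualAppliance.
add_route() {
  $AZ network route-table route create -g "$RG" --route-table-name "$1" -n "$2" \
    --address-prefix "$3" --next-hop-type VirtualAppliance --next-hop-ip-address "$4" \
    --output none
}

# attach <vnet> <subnet> <table>
attach() {
  $AZ network vnet subnet update -g "$RG" --vnet-name "$1" -n "$2" --route-table "$3" --output none
}

deploy() {
  # 1. Spoke subnet: everything, including traffic for the SD-WAN, goes to the firewall first.
  create_rt rt-spoke
  add_route rt-spoke default 0.0.0.0/0 "$AZFW_IP"
  attach "$SPOKE_VNET" "$SPOKE_SUBNET" rt-spoke

  # 2. Firewall subnet: inspected traffic for the branches is handed to the vMX.
  #    No 0.0.0.0/0 here, so the firewall keeps Azure's system route to the Internet.
  create_rt rt-azfw
  i=0
  for p in $BRANCH_PREFIXES; do
    i=$((i + 1))
    add_route rt-azfw "branch-$i" "$p" "$VMX_IP"
  done
  attach "$HUB_VNET" AzureFirewallSubnet rt-azfw

  # 3. vMX subnet: traffic arriving over AutoVPN for the spoke is forced through the firewall,
  #    so nothing from the SD-WAN reaches a server without passing an Azure Firewall rule.
  create_rt rt-vmx
  add_route rt-vmx spoke "$SPOKE_PREFIX" "$AZFW_IP"
  attach "$HUB_VNET" "$VMX_SUBNET" rt-vmx
}

# Only runs when asked, e.g.:  RUN_DEPLOY=1 AZ=echo sh udr.sh   (dry run)
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy
fi
```

Two things the script deliberately does not do: it places no 0.0.0.0/0 route on the firewall or vMX subnets (both need Azure's default Internet route, the vMX for its AutoVPN and Dashboard connectivity), and it creates no Azure Firewall network rules, so until branch-to-spoke rules are added the firewall drops that traffic, which is a useful way to confirm the pinning actually works. Hub-to-spoke peering must also allow forwarded traffic for the spoke's default route to be honoured.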