On Ramp for public Cloud?

Solved
N0body
Conversationalist

On Ramp for public Cloud?

hi Guys

 

Whats the best way to connect to IaaS resources on Azure or AWS?

Is there an OnRamp functionality where I dont have to deploy vMX's on the Azure/AWS side?

Could you point me to some documentation?

 

Many thanks!

1 Accepted Solution
GreenMan
Meraki Employee
Meraki Employee

I'd go for this instead: 

https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server

A lot will depend on how important the service is to you - a single IPsec tunnel to a single IPSec terminator is pretty simple on a drawing - less easy to set up as it's cross-vendor.   And if any point of it fails, you might be wishing you'd invested a bit more time in a resilient solution up-front...?

View solution in original post

7 Replies 7
GreenMan
Meraki Employee
Meraki Employee

What's the objection to deploying vMX?   It really is the best way to do this, if you're an MX SD-WAN user.

N0body
Conversationalist

no objection 🙂  , I am looking for the Cisco recommended way of doing it.

Using a pair vMX's would mean 2 additional appliances i'd need to pay for/manage. Using an OnRamp type functionality (if it exists) might connect me via a VPN Gateway. i was interested to see if there was an OnRamp and how it would work.

GreenMan
Meraki Employee
Meraki Employee

Nope - vMX is what you need!

Gary_Geihsler1
Meraki Employee
Meraki Employee

Depending on the public cloud platform you could use an IPsec tunnel. We can use the native IPsec capabilities of Azure and GCP, probably others I have not tested OCI for instance. AWS is the outlier, we can not do IPsec to the AWS native site to site infrastructure. In AWS you would need either a virtual router/firewall of your choice and use IPsec or use a vMX(preferred) to make the connection to Cisco+ Secure Connect. 

GreenMan
Meraki Employee
Meraki Employee

No question that @Gary_Geihsler1 's solution would work, but you did ask for 'the best way' and I suspect he'd agree with me that vMX (with simpler setup, failover & loadbalancing, policy and performance based routing etc) is much better than a non-Meraki VPN tunnel to ANOther IPSec terminator running in your cloud platform.

N0body
Conversationalist

Yep , im looking for the best way!

If i have 2 x vMX deployed on Azure , i'd need to set up failover using Azure functions

https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX_in_Azure 

 

creating an ipsec tunnel between secure connect and an Azure VPN gateway looks like the less complicated option. On the Azure side , routes would point to the VPN gateway and i wouldnt have to mess around with functions.

Policy/performance based routing outbound from Azure isnt too important to me.

 

thanks for your input so far , this is all very useful!

GreenMan
Meraki Employee
Meraki Employee

I'd go for this instead: 

https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server

A lot will depend on how important the service is to you - a single IPsec tunnel to a single IPSec terminator is pretty simple on a drawing - less easy to set up as it's cross-vendor.   And if any point of it fails, you might be wishing you'd invested a bit more time in a resilient solution up-front...?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.