3rd Party VPN Hub

Netwow
Building a reputation

While I understand that a VMX is the preferred method as a hub in the public cloud, it is not a feasible option for a deployment I am working on. We have over 100 sites that all have an MX. We want to use a 3rd party (Azure) as the VPN hub. Only 1 branch needs connectivity to all of the other sites, but that traffic needs to traverse Azure (3rd party hub). Due to the limitation of VPN enablement on a spoke having to be connected to at least 1 hub, I am going to choose 1 of the spoke locations to be a hub and then block the traffic from other sites to the Meraki hub.

Now, for the site that actually needs to connect to the spokes (call it hub2, 192.168.1.0/24), how can I advertise its subnet in the 3rd party VPN so that it traverses Azure first before it reaches its destination (spoke 192.168.2.0/24)? I don't think I could add 192.168.1.0/24 as a remote subnet, as it would conflict with the on-prem hub2 network, which has a connection to Azure.

I know it is not ideal, but there has to be a way to have a non-Meraki 3rd party VPN peer whose role is the hub.

cmr
Kind of a big deal

If one branch needs connectivity to all of the other sites, why not make that the hub?

Netwow
Building a reputation

In Azure we have a FW that needs to inspect the traffic. 

PhilipDAth
Kind of a big deal

Use the MX firewall?

Netwow
Building a reputation

We have needs (NAT) that MX Firewall cannot provide. 

PhilipDAth
Kind of a big deal

I think you are going to need to put that one special site into a separate Meraki org. Then you can turn it into a hub, but nothing else will talk to it. You can build your non-Meraki VPN to Azure, have it do the firewall magic, and then talk to all your other sites.

Netwow
Building a reputation

I was thinking: if I DNAT hub2 to the VWAN, what, if any, would be the implications of advertising that DNAT subnet in the 3rd party remote subnets?
