Advertising an internet route from a vMX100 in AWS

RyanJunk
Conversationalist

Hi,

 

I would like to use a vMX in AWS as an AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned, public-facing IP address using an elastic IP in AWS.

 

I can configure the vMX fine and have it up and working in Dashboard but I can’t get my head round how to advertise an internet router back to clients on Spoke sites.

6 REPLIES
DarrenOC
Kind of a big deal

Hi @RyanJunk ,

 

Have you configured your Local subnets on the vMX?  These automatically get advertised in the auto-vpn. So would you not advertise your Internet routers here to make them reachable from other sites?

 

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RyanJunk
Conversationalist

Hi Darren,

 

Thanks for the quick response. I've added both AWS VPC subnets to the vMX but still no joy.

Not sure if I need to add 0.0.0.0/0 as a local network to the vMX, but that throws up a heap of warnings in Dashboard.

DarrenOC
Kind of a big deal

Hey Ryan

 

On your edge MX that you’re connecting back to the vMX, do you see the AWS routes being advertised back and are they showing Green?

 

Look at your Route Table on the Network.

RyanJunk
Conversationalist

Darren,

 

The routes to both AWS subnets are there but one is red and the other is pending 🤦‍♂️

DarrenOC
Kind of a big deal

Which clearly isn’t a good sign.

 

From the AWS MX can you reach anything on the internal network?  Are there devices behind it that you should be able to reach?

PhilipDAth
Kind of a big deal

>I would like to use a vMX in AWS as an AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned public facing IP address using elastic IP in AWS.

 

AWS does not allow this.  The AWS gateway will only NAT traffic for AWS subnets - not for remote subnets.

 

HOWEVER, you can actually make this work, by putting the VMX behind another virtual device that does NAT (like a virtual router or firewall).  Your remote subnets will then come into the VMX, and then pass through the next virtual NAT device which will NAT your remote subnets to the IP address of the NAT gateway - which is from a subnet in AWS - and now that IP address can pass through the Amazon NAT gateway and get to the Internet.

You will need a medium AWS skill level to do this kind of deployment.

 

A simpler solution would be to deploy an old school proxy server and have the clients use that.

 

Personally, I would explore a better model - moving to a zero-trust approach - where security is not dependent on what IP address things on the Internet are accessed from.  Instead, use things like MFA.  But I appreciate this may not be trivial.
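Added example (not part of Philip's reply or any Meraki/AWS documentation): a small Python model of the two behaviours the reply describes. It encodes the rule that the AWS NAT gateway only translates packets whose source is inside the VPC CIDR, walks a spoke client's packet through the hub with and without the extra NAT hop, checks that spoke subnets do not overlap the VPC CIDR (an overlap would break the return path), and emits the iptables rules a Linux NAT instance would need. Linux/iptables is my assumed choice for the "virtual device that does NAT"; every address below is a constructed sample, and the VPC route-table entries pointing the spoke subnets back at the vMX interface are assumed to exist.

```python
"""Model of a spoke client's internet egress through a vMX hub in AWS.

The AWS NAT gateway only translates sources that belong to the VPC CIDR, so
traffic arriving over AutoVPN from a remote spoke subnet is not translated
unless something inside the VPC first rewrites it to a VPC address.  This
script models that check, the extra NAT hop, and the NAT instance rules.
All addresses are constructed sample values, not a real deployment.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")           # constructed VPC range
NAT_INSTANCE_IP = ipaddress.ip_address("10.20.1.10")      # constructed, inside the VPC
ELASTIC_IP = ipaddress.ip_address("203.0.113.7")          # constructed (TEST-NET-3 range)
SPOKE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]    # constructed spoke LANs


def nat_gateway_translates(src):
    """AWS NAT gateway behaviour: only VPC-internal source addresses are NATed."""
    return ipaddress.ip_address(src) in VPC_CIDR


def check_address_plan(spokes, vpc):
    """Return spoke subnets that overlap the VPC CIDR.

    An overlap means replies from the NAT instance would be delivered inside
    the VPC instead of routed back over AutoVPN to the spoke, so the plan
    should be fixed before anything is deployed.
    """
    vpc_net = ipaddress.ip_network(vpc)
    return [s for s in spokes if ipaddress.ip_network(s).overlaps(vpc_net)]


def nat_instance_rules(spokes, vpc, egress_if="eth0"):
    """iptables rules for an assumed Linux NAT instance (not a Meraki feature).

    Each spoke subnet is masqueraded to the instance's VPC address on the way
    out, except for VPC-internal destinations, which stay untranslated so that
    spoke clients can still reach hosts inside the VPC by their real address.
    The instance ENI also needs AWS source/destination checking disabled.
    """
    rules = ["sysctl -w net.ipv4.ip_forward=1"]
    for s in spokes:
        rules.append(
            f"iptables -t nat -A POSTROUTING -s {s} ! -d {vpc} "
            f"-o {egress_if} -j MASQUERADE"
        )
    return rules


def egress_path(src, nat_instance=True):
    """Walk one packet from a spoke host towards the internet.

    Returns (hops, public_source): the list of (hop, source-as-seen) pairs and
    the address the internet sees, or None if the NAT gateway does not
    translate the packet.
    """
    src = ipaddress.ip_address(src)
    hops = [("vmx-hub", str(src))]
    if nat_instance:
        src = NAT_INSTANCE_IP                      # SNAT to a VPC address
        hops.append(("nat-instance", str(src)))
    if not nat_gateway_translates(src):
        hops.append(("nat-gateway", "not translated: source outside VPC CIDR"))
        return hops, None
    hops.append(("nat-gateway", str(ELASTIC_IP)))  # now eligible for the EIP
    return hops, str(ELASTIC_IP)


if __name__ == "__main__":
    print("overlaps:", check_address_plan(SPOKE_SUBNETS, str(VPC_CIDR)))
    print("direct  :", egress_path("192.168.10.25", nat_instance=False))
    print("via NAT :", egress_path("192.168.10.25"))
    for rule in nat_instance_rules(SPOKE_SUBNETS, str(VPC_CIDR)):
        print(rule)
```

Running it shows the spoke packet stopping at the NAT gateway on the direct path and leaving with the elastic IP once the NAT instance has rewritten its source, which is the difference the reply is describing. Before this is worth building, confirm the address plan is clean and that you genuinely need a fixed egress address; the zero-trust route Philip mentions removes the dependency altogether.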
