Meraki

Community

Advertising a internet route from a vMX100 in AWS

RyanJunk
Conversationalist
‎Jan 8 2021 10:23 PM
‎Jan 8 2021 10:23 PM

Advertising a internet route from a vMX100 in AWS

Hi,

 

I would like to be use a vMX in AWS as a AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned public facing IP address using elastic IP in AWS.

 

I can configure the vMX fine and have it up and working in Dashboard but I can’t get my head round how to advertise an internet router back to clients on Spoke sites.

0 Kudos
6 Replies 6
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jan 9 2021 12:46 AM
‎Jan 9 2021 12:46 AM

Hi @RyanJunk ,

 

Have you configured your Local subnets on the vMX?  These automatically get advertised in the auto-vpn. So would you not advertise your Internet routers here to make them reachable from other sites?

 

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
In response to DarrenOC
RyanJunk
Conversationalist
‎Jan 9 2021 2:00 AM
‎Jan 9 2021 2:00 AM

Hi Darren,

 

thanks for the quick response, I’ve added both AWS VPC subnets to the vMX but still no joy. 

Not sure if I need to add 0.0.0.0/0 as a local network to the vMX but that throw’s up a heap of warnings in dashboard.

0 Kudos
In response to RyanJunk
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jan 9 2021 2:16 AM
‎Jan 9 2021 2:16 AM

Hey Ryan

 

On your edge MX that you’re connecting back to the vMX, do you see the AWS routes being advertised back and are they showing Green?

 

Look at your Route Table on the Network.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
RyanJunk
Conversationalist
‎Jan 9 2021 2:42 AM
‎Jan 9 2021 2:42 AM

Darren,

 

The routes to both AWS subnets are there but one is red and the other is pending 🤦‍♂️

0 Kudos
In response to RyanJunk
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jan 9 2021 2:58 AM
‎Jan 9 2021 2:58 AM

Which clearly isn’t a good sign.

 

From the AWS MX can you reach anything on the internal network?  Are there devices behind it that you should be able to reach?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 9 2021 9:45 PM
‎Jan 9 2021 9:45 PM

>I would like to use a vMX in AWS as a AutoVPN Hub to provide (amongst other things) access to the internet for clients at Spoke sites that appears from a single, statically assigned public facing IP address using elastic IP in AWS.

 

AWS does not allow this.  The AWS gateway will only NAT traffic for AWS subnets - not for remote subnets.

 

HOWEVER, you can actually make this work, by putting the VMX behind another virtual device that does NAT (like a virtual router or firewall).  Your remote subnets will then come into the VMX, and then pass through the next virtual NAT device which will NAT your remote subnets to the IP address of the NAT gateway - which is from a subnet in AWS - and now that IP address can pass through the Amazon NAT gateway and get to the Internet.

You will need a medium AWS skill level to do this kind of deployment.

 

A simpler solution would be to deploy an old school proxy server and have the clients use that.

 

Personally, I would explore a better model - moving to a zero-trust approach - where security is not dependent on what IP address things on the Internet are accessed from.  Instead, use things like MFA.  But I appreciate this may not be trivial.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.