Azure vmx not connecting to AWS vmx.

chesterweirdo
Comes here often


We have a vMX in AWS in a private subnet behind a NAT gateway. It's reporting that the NAT type is unfriendly.

We have spun up a vMX in Azure and we are trying to get the AutoVPN to connect.

The NAT type on the Azure box says friendly, so that looks okay.

What does not make sense is that our remote sites that have direct IP setup are connecting to the AWS vMX.

If it was an issue with NAT, would they not connect?


I cannot find any docs on how to set up the vMX in a private subnet behind a NAT gateway.

Can anyone help?

PhilipDAth
Kind of a big deal

Don't put the vMX in AWS behind a NAT gateway. Assign it an Elastic IP directly.

But that would mean it would have to be in the public subnet. How would it then be able to see anything in the private?

Normal VPC routing. The NAT gateway is only required for the private subnet to be able to talk to the Internet.

Why would remote sites be able to AutoVPN in its current setup? They all are direct IP devices at the remote site.

My guess is both your Azure and AWS configurations are blocking inbound connections, so AutoVPN can only be established by making an outbound connection. So if neither can accept an inbound connection, then they won't be able to connect to each other, only to spokes.


For Azure, I would make sure you are using manual NAT traversal (aka port forwarding in the document below), and make sure your inbound rules will allow the traffic.

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_... 


If you aren't doing this, it will probably be enough to make it work, but it won't be rock-solid reliable.


To make it rock-solid reliable you need to do exactly the same thing in AWS. You need to assign it an Elastic IP and set a similar port forward (can be a different port, makes no difference).
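As an added example (not from this thread, and not Meraki or AWS code), the three conditions PhilipDAth describes for the AWS side can be turned into a readiness check: the vMX subnet's default route must go to an Internet gateway rather than a NAT gateway, the instance must carry an Elastic IP, and the security group must admit inbound UDP on the manual NAT traversal port. The input dictionaries are constructed here in the field-name shape of the EC2 describe-route-tables, describe-instances, describe-addresses and describe-security-groups responses (an assumption; in practice you would pass the real API output), and the port number 32768 is only a placeholder for whatever port you configure in Dashboard.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Placeholder value: the UDP port you choose for manual NAT traversal in Dashboard.
NAT_TRAVERSAL_UDP_PORT = 32768


@dataclass
class Finding:
    """Result of the reachability assessment for one vMX."""
    ok: bool = True
    checks: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)


def default_route_target(route_table: dict) -> str | None:
    """Return the target of the 0.0.0.0/0 route ('igw-...', 'nat-...') or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def allows_inbound_udp_from_anywhere(security_group: dict, port: int) -> bool:
    """True if an ingress rule lets any IPv4 source reach the given UDP port."""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule, no port fields present
            in_range = True
        elif proto == "udp":
            in_range = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            continue
        open_to_all = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if in_range and open_to_all:
            return True
    return False


def assess_vmx(instance: dict, route_table: dict, security_group: dict,
               elastic_ips: set[str], port: int = NAT_TRAVERSAL_UDP_PORT) -> Finding:
    """Check whether peers can initiate AutoVPN to this vMX (hub role)."""
    f = Finding()
    target = default_route_target(route_table)
    if target and target.startswith("igw-"):
        f.checks.append(f"public subnet: default route via {target}")
    else:
        f.ok = False
        f.problems.append(
            f"default route via {target or 'nothing'}: the vMX can only make outbound "
            "connections, so peers cannot initiate to it (NAT type shows unfriendly)")
    public_ip = instance.get("PublicIpAddress")
    if not public_ip:
        f.ok = False
        f.problems.append("no public IP on the instance")
    elif public_ip in elastic_ips:
        f.checks.append(f"Elastic IP {public_ip} attached (stable peer address)")
    else:
        f.ok = False
        f.problems.append(f"public IP {public_ip} is auto-assigned, not Elastic; it changes on stop/start")
    if allows_inbound_udp_from_anywhere(security_group, port):
        f.checks.append(f"security group admits inbound UDP/{port}")
    else:
        f.ok = False
        f.problems.append(f"security group has no ingress rule for UDP/{port} from 0.0.0.0/0")
    return f


# Constructed sample data (not real resources) in the shape of EC2 describe-* output.
BEHIND_NAT = dict(
    instance={"InstanceId": "i-0000example", "PrivateIpAddress": "10.0.2.10"},
    route_table={"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000example"}]},
    security_group={"IpPermissions": []},
    elastic_ips=set(),
)
PUBLIC_WITH_EIP = dict(
    instance={"InstanceId": "i-0000example", "PrivateIpAddress": "10.0.1.10",
              "PublicIpAddress": "203.0.113.10"},
    route_table={"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000example"}]},
    security_group={"IpPermissions": [{"IpProtocol": "udp", "FromPort": NAT_TRAVERSAL_UDP_PORT,
                                       "ToPort": NAT_TRAVERSAL_UDP_PORT,
                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    elastic_ips={"203.0.113.10"},
)

if __name__ == "__main__":
    for name, scenario in (("behind NAT gateway", BEHIND_NAT), ("public subnet + EIP", PUBLIC_WITH_EIP)):
        result = assess_vmx(**scenario)
        print(f"{name}: {'OK' if result.ok else 'NOT READY'}")
        for line in result.checks + result.problems:
            print("  -", line)
```

The check deliberately fails on the "default route via nat-" case, which is the symptom in the original post: a NAT gateway only ever lets the vMX initiate outbound, so every peer that itself cannot accept inbound (the Azure vMX here) has no way to reach it, while spokes with direct IPs still connect because the AWS vMX can dial out to them. The ingress test looks for 0.0.0.0/0 because that is what an arbitrary peer needs; if the peer addresses are fixed, narrowing the rule to those addresses is the tighter configuration.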
