Best way to connect to Azure Server

matt20dion
Comes here often


I see 4 options to be able to communicate from On Prem to Azure. 

 

  1. VPN Tunnel from On Prem to Azure
    1. Convoluted and not actually supported by Azure
  2. Startup Script on Azure VM that logs into Client VPN, with new user credentials
    1. Works well, but depends on startup script to automatically connect to VPN
  3. Setup a vMX100 in Azure and use it as a Spoke VPN with On Prem MX.
    1. Cost implications of running the vMX.
  4. Port forward outside ports on both sides to allow communication
    1. Don't like this method at all, but could be an option. 

 

What would be the best option to have network connectivity from On Prem to Azure servers?

 

Thanks 

8 Replies
MacuserJim
A model citizen

I would lean toward the vMX in Azure. I think that will be the easiest to set up and maintain. The troubleshooting will be a lot easier should you have any communication issues and being able to easily see uptime and VPN connectivity will make your life a lot easier.

PhilipDAth
Kind of a big deal

We tend to use Strongswan on Ubuntu in Azure for this (when there are only a small number of MXs and they have static IP addresses). It is rock solid reliable.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

wey2go
Getting noticed

We want Meraki MX to have IKE V2.

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

 

Meraki still listed as "Not compatible".

Mateen
Getting noticed

IKEv2 can be activated on MX via support and it works fine.

JimmyPhelan
Getting noticed

I would be careful with the "works fine" as I have seen stability on the tunnel being an issue, and you need to put Beta firmware on your MX, which can be a major issue for end users with Compliance requirements.

 

What services are on the server that you want to access? That is a key consideration of this.

 

1. The vMX is the most reliable method, but remember it is only a VPN concentrator, not a firewall

2. IKEv1 VPN Gateway in Azure, costs ~€120 per month.

3. Beta Mode, Support Request for IKEv2, and same VPN Gateway

4. Give the server a public IP in Azure, and lock down the NSG rules to your external IP?

Mateen
Getting noticed

Agreed. vMX is ideal.
JimmyPhelan
Getting noticed

I don't want to hijack this thread, but another option that I would like to try and bottom out is a BGP Route from Azure VPN Gateway.

 

Here in Ireland getting a circuit AS is not trivial, we typically have PPPoE WAN or similar. 

 

However, we recently took on some people from South Africa who were asking why we don't use BGP more, and I recalled that we looked at having redundant failover connectivity from an Azure VPN Gateway to an MX using BGP. We never proceeded, as the vMX was cheaper.

 

I have been told that enabling BGP on Meraki is as simple as asking.

 

Has anyone ever performed this?

E_to_tha_D
New here

Hi matt20dion

 

Any luck on this issue?

 

I have the same problem using the same instructions as well as others I found. I have reviewed my setup like 4 times with no luck.

 

The documentation seems to be missing something or be incorrect as the other walkthroughs I found said I needed to use a policy based gateway and the Meraki instructions said routed.

 

Issue I found though is that policy based only allowed me to use a basic gen1 VPN which is not compatible with IKEv2.

 

Stuck on this one.
