Block all internet but allow some cloud services

Solved
Adrian4
Head in the Cloud


Hello,

We have multiple sites using Meraki MX security appliances, we also use Umbrella secure DNS with Virtual Appliance servers.


I have been asked to totally cut off domain controllers from open internet access; however, certain cloud security services still need to function, such as Qualys, senson, etc.

As far as I can tell these services don't rely on hard IP addresses, but domains and API endpoints.

If I...
- allow DNS traffic at layer 3 only to our VA servers
- block all other outbound at layer 3
- then block all domains except the allowed ones in Umbrella

I think I would still need to allow HTTPS at layer 3 in order for the services to work, but I can't see a way to limit it to only allowed domains. I thought maybe block everything at layer 7 and just allow the services' domains, but you can't create allow rules at layer 7 😞


Not really sure how to go about this - I assume other people must have done something similar? How can you do it with Meraki equipment?

thanks


1 Accepted Solution
alemabrahao
Kind of a big deal

Force Domain Controllers to use ONLY Umbrella for DNS and block all outbound traffic from Domain Controllers except HTTPS and any internal networks.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


6 Replies
Adrian4
Head in the Cloud

But if I allow all HTTPS, that's basically the whole internet?

alemabrahao
Kind of a big deal

You must block any other DNS servers, allowing only Umbrella VAs, and then let Umbrella decide which domains are allowed or blocked.

Even if you allow any port 443, Umbrella will control that; you just need to create a policy in Umbrella allowing what you want.

Adrian4
Head in the Cloud

Cheers, seems like this is the best we can do. Only works if DNS is used; any direct-to-IP traffic on 443 will get through 😕
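The design the thread converges on (DNS only to the Umbrella VAs, internal networks allowed, TCP/443 open to any destination, everything else denied, with Umbrella enforcing the domain allow list at resolution time) and the gap Adrian4 points out (a connection to a literal IP on 443 never generates a DNS query, so Umbrella never sees it) can both be shown in a small model. The following is an added example written for this thread; it is not Meraki, Umbrella or anyone's production code. The addresses, domain names, VLAN, and log formats are constructed, the rule evaluator is a simplified stand-in for MX layer 3 outbound processing (top-down, first match wins, and the final deny is written explicitly because the MX rule set otherwise ends in a default allow), and `audit_flows` is a hypothetical compensating check that flags DC-VLAN 443 flows whose destination was never returned by a VA.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the thread).
DC_VLAN = ip_network("10.10.50.0/24")
UMBRELLA_VAS = (ip_network("10.10.1.10/32"), ip_network("10.10.1.11/32"))
INTERNAL = (ip_network("10.0.0.0/8"),)


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    proto: str        # "tcp", "udp" or "any"
    dst_nets: tuple   # ip_network objects; empty tuple means any destination
    dst_ports: tuple  # ints; empty tuple means any port


# Layer 3 outbound rules for the DC VLAN, evaluated top-down, first match wins.
L3_RULES = (
    Rule("allow", "udp", UMBRELLA_VAS, (53,)),
    Rule("allow", "tcp", UMBRELLA_VAS, (53,)),
    Rule("allow", "any", INTERNAL, ()),
    Rule("allow", "tcp", (), (443,)),  # must stay open to any IP: L3 cannot see hostnames
    Rule("deny", "any", (), ()),       # explicit final deny (MX default rule is allow-any)
)


def l3_decision(proto, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one outbound flow from the DC VLAN."""
    dst = ip_address(dst_ip)
    for rule in L3_RULES:
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_nets and not any(dst in net for net in rule.dst_nets):
            continue
        if rule.dst_ports and dst_port not in rule.dst_ports:
            continue
        return rule.action
    return "allow"  # what the MX default rule would do if nothing above matched


# Umbrella-style destination allow list, enforced when a name is resolved (constructed).
UMBRELLA_ALLOW = {"agent.qualys.example", "sensor.edr.example"}
DNS_ZONE = {
    "agent.qualys.example": "203.0.113.10",
    "sensor.edr.example": "203.0.113.20",
    "cdn.unwanted.example": "198.51.100.7",
}


def umbrella_resolve(domain):
    """Return the answer only for allowed domains; None models the block action."""
    if domain not in UMBRELLA_ALLOW:
        return None
    return DNS_ZONE.get(domain)


def audit_flows(dns_log, flow_log):
    """Flag TCP/443 flows from the DC VLAN to an IP that no VA ever answered with.

    Such a flow passed the allow-443 rule without Umbrella ever seeing a name,
    which is exactly the direct-to-IP case the L3 rules cannot distinguish.
    """
    resolved = set()
    for line in dns_log:
        # constructed format: "<client> <resolver> <qname> <answer_ip>"
        _client, resolver, _qname, answer = line.split()
        if any(ip_address(resolver) in net for net in UMBRELLA_VAS):
            resolved.add(answer)
    flagged = []
    for line in flow_log:
        # constructed format: "<src> <dst> <proto> <dport>"
        src, dst, proto, dport = line.split()
        if (ip_address(src) in DC_VLAN and proto == "tcp"
                and dport == "443" and dst not in resolved):
            flagged.append((src, dst))
    return flagged


# Constructed sample logs: one name resolved through a VA, one direct-to-IP connection.
SAMPLE_DNS_LOG = [
    "10.10.50.5 10.10.1.10 agent.qualys.example 203.0.113.10",
]
SAMPLE_FLOW_LOG = [
    "10.10.50.5 203.0.113.10 tcp 443",  # preceded by a VA answer: expected
    "10.10.50.5 198.51.100.7 tcp 443",  # no VA answer: Umbrella never saw it
    "10.10.50.5 10.20.0.5 tcp 445",     # internal traffic, out of scope for the audit
]

if __name__ == "__main__":
    print(l3_decision("udp", "8.8.8.8", 53), l3_decision("tcp", "203.0.113.10", 443))
    print(umbrella_resolve("cdn.unwanted.example"))
    print(audit_flows(SAMPLE_DNS_LOG, SAMPLE_FLOW_LOG))
```

The audit is a heuristic rather than a control: it needs the VA query logs and the MX flow records on a shared time window, and cached answers (a name resolved hours earlier and reused within TTL) will only correlate if the lookback covers the TTL. It does, however, turn the "direct to IP on 443 gets through" gap into something that shows up in a report instead of going unnoticed.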

alemabrahao
Kind of a big deal

Another option is to place a Firepower or a Palo Alto between DC VLAN and WAN.

These support true domain-based allow rules via SSL inspection and URL filtering.

Adrian4
Head in the Cloud

Yeah, that was a consideration we faced when we decided to go full Meraki; we made the decision that we didn't really need overly complex options. Guess we are eating that decision now 😛
