Can a VMX be placed between an Azure Premium Firewall?

ShawSAQuestions
New here


A customer using a Meraki VmX has now introduced an Azure Premium Firewall (APF) between the VmX and the internet which is creating issues as they say they can find no way to open the port through it to the VmX; so my question is to see if its possible to use the VmX as the Internet edge device and position the APF behind it (which our customer hasn't figured out how to do either)? Looking to see if anyone has noticed any hurdles using the APF in combination with a VmX and how they were resolved.

8 Replies
alemabrahao
Kind of a big deal

The Meraki vMX will work in one-armed concentrator mode only! No NAT mode available. The vMX can only play the role of VPN concentrator on Azure.
You cannot use the Meraki vMX as a gateway into Azure.
Full-tunnel site-to-site VPN mode is not possible. Your branch or remote offices need to make split-tunneling VPN: Internet traffic go to the branch/remote office local Internet access, and only Azure remote networks are routed through the VPN. This is the default on Meraki auto-VPN.
Client VPN is supported on the vMX, but you must use split-tunneling to access to the Internet with a connected client.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Referencing this Meraki vMX setup guide for Azure https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

It says that:


"All new vMXens deployed post October 31, 2022 will be deployed in Routed/NAT Mode Concentrator by default, existing vMX deployments will not be affected. If you wish to use the vMX in passthrough mode, please change the deployment settings to Passthrough or VPN Concentrator mode from the Security & SD-WAN > Configure > Addressing & VLANs page."


So this suggests that we can use the vMX as a gateway to Azure. Is this incorrect?


As far as I know vMX is for SD-WAN purposes.


Recommended use cases: Extend secure SD-WAN connectivity from branch sites to resources in public and private cloud environments


The article I referenced references a further article "Concentrator Modes": https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs


This says:

Routed Mode

"This is the default selection. Choose this option if you want to use the MX appliance as a layer 7 firewall to isolate and protect LAN traffic from the Internet (WAN)"


So that makes me think that the vMX is deployed in "Routed/NAT Mode Concentrator by default" and that routed mode makes use of the appliance as a layer 7 firewall.


As far as I know vMX is for SD-WAN purposes.


Recommended use cases: Extend secure SD-WAN connectivity from branch sites to resources in public and private cloud environments


Check it out:


https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ#Common_Use_Cases


https://community.meraki.com/t5/Security-SD-WAN/vMX100-what-s-the-benefit/m-p/113717

Inderdeep
Kind of a big deal

This link may help you to understand:
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

I expect (never tried this myself) the VMX should work in its standard VPN concentrator mode for AutoVPN.  I expect you'll find the reliability reduced a little.  There will be some cases when AutoVPN will go down, and it won't be able to rebuild it in a timely manner, as spokes won't be able to communicate with the VMX to tell it a rebuild is needed.

You won't be able to use the TLS inspection feature of Azure premium firewall.


I would get them to create a rule to allow all outbound UDP traffic to any destination IP address from the VMX (to get AutoVPN working).  It will also need to allow outbound traffic to the Meraki cloud.


It won't be able to be used as a client VPN concentrator.
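To make the two allowances in the reply above concrete, here is an added Azure Firewall Premium policy fragment (example code, not from this thread, from Meraki, or from Microsoft): one network rule that permits outbound UDP from the vMX only, and one application rule that permits HTTPS from the vMX to the Meraki cloud. The policy name, the vMX private IP `10.10.1.4`, the rule names and the FQDN list are assumptions; the real dashboard FQDNs are not in this thread, so they are placeholders to be replaced with the list shown in the customer's own Meraki dashboard.

```bicep
// Added example: Azure Firewall (policy-based, as used by the Premium SKU) rule
// collection group for a Meraki vMX sitting behind the firewall.
// Assumptions (not from the thread): policy name, vMX NIC IP, FQDN placeholders.
param firewallPolicyName string = 'fw-policy-hub'   // assumed existing policy
param vmxPrivateIp string = '10.10.1.4'             // assumed vMX private NIC IP
param merakiCloudFqdns array = [                    // PLACEHOLDERS, replace with the dashboard's list
  'meraki-cloud-placeholder-1.example'
  'meraki-cloud-placeholder-2.example'
]

// Reference the existing firewall policy rather than redefining it.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: firewallPolicyName
}

resource vmxRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'rcg-meraki-vmx'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // AutoVPN: allow outbound UDP from the vMX to any destination.
        // Source is pinned to the single vMX address so nothing else in the
        // VNet inherits a "UDP to anywhere" allowance.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'rc-vmx-autovpn'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'allow-vmx-outbound-udp'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ vmxPrivateIp ]
            destinationAddresses: [ '*' ]
            destinationPorts: [ '*' ]
          }
        ]
      }
      {
        // Dashboard/cloud management: allow HTTPS from the vMX to the Meraki
        // cloud FQDNs only. TLS inspection is deliberately not enabled here
        // (the reply above notes it cannot be used with the vMX tunnel).
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'rc-vmx-meraki-cloud'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-vmx-meraki-cloud-https'
            sourceAddresses: [ vmxPrivateIp ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: merakiCloudFqdns
          }
        ]
      }
    ]
  }
}
```

Once deployed, the firewall's network and application rule logs show which of the two rules each vMX flow matched, which is the quickest way to confirm whether an AutoVPN outage is caused by the firewall dropping the UDP traffic or by something else.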
