Hello everyone!
I'd like to comment on a problem that we need to resolve in our organization.
Currently, the internet is resolved locally in each of our Spokes.
The requirement we have is that we need to resolve some URLs centrally through one of our central sites (HUB).
The problem is that the site to be resolved does not have a fixed IP address, since we resolve it through Cloudflare Workers and the address rotates.
Can you think of how I could resolve this point?
Thanks!
There are no simple easy solutions.
If you get an SDWAN Plus licence, you could use a full tunnel back to your main site, and then use the Local Internet Breakout option to override the full tunnel for major traffic types.
You could consider deploying a proxy at your main site (I like using HAProxy for this), and create an internal DNS entry for the domain pointing to the HAProxy.
Another option would be to consider going SASE with Cisco SecureConnect Plus. This will send your Internet traffic via Cisco Umbrella (for all sites), and you can have the Umbrella IP address ranges whitelisted.
https://documentation.meraki.com/CiscoPlusSecureConnect
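As an added illustration (not part of any reply in this thread, and not Meraki or Cisco material), here is what the HAProxy approach above can look like in configuration. Everything concrete in it is an assumption chosen for the example: the worker hostname `app.example.workers.dev`, the hub-side resolver `10.0.0.53`, and the backend names. The two points it demonstrates are (a) TLS passthrough selected by SNI, so HAProxy never terminates TLS or needs a certificate for the Cloudflare domain, and (b) a `resolvers` section attached to the backend server, so HAProxy re-resolves the worker's FQDN at runtime and follows the rotating IP address instead of pinning whatever it resolved at start-up.

```haproxy
# Hub-site HAProxy: TLS passthrough for one Cloudflare Worker hostname.
# Spokes' internal DNS returns this HAProxy's address for the hostname,
# so traffic rides the existing AutoVPN to the hub; everything else at
# the spoke still uses its local Internet breakout.

global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Runtime DNS for the backend. The nameserver here (10.0.0.53, an
# assumed address) must return Cloudflare's real records, NOT the
# internal view that points the hostname at this proxy, or the
# proxy would loop back to itself.
resolvers cloudflare_dns
    nameserver ns1 10.0.0.53:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

frontend tls_in
    bind *:443
    # Wait for the TLS ClientHello so the SNI is available for routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Only the one hostname we want centralised is forwarded.
    use_backend be_worker if { req_ssl_sni -i app.example.workers.dev }
    default_backend be_reject

backend be_worker
    # Hostname, not IP: re-resolved via the resolvers section above.
    # init-addr none lets HAProxy start even if DNS is briefly unavailable.
    server worker app.example.workers.dev:443 resolvers cloudflare_dns resolve-prefer ipv4 init-addr none check inter 10s

backend be_reject
    # Anything arriving with a different or missing SNI is dropped.
    tcp-request content reject
```

Because this is passthrough, the client's own certificate validation is unchanged and the SNI/Host the worker expects is preserved. The spoke side needs only a DNS override for the single hostname, which is why this avoids the problem in the thread of the shared Cloudflare address range pulling unrelated sites through the hub.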
Hey @JpAlvesCroce22
Do you know if the URL at least uses the same subnet for its IP address? Assuming it uses something like 50.0.0.0/28 you could set that subnet as a local network on the hub and then traffic destined to that IP range will always flow through the hub instead of out of the WAN. This is also assuming the hub is in VPN Concentrator mode.
It is possible to obtain the Cloudflare Worker segment, the problem is that these same Workers resolve many URLs, which we do not want to be consumed in a centralized way.
It would have to be a solution like the internet breakout in reverse, since we do not have Full-tunnel in our Auto-VPNs
Would it be possible to route through FQDN?
Hey @PhilipDAth
Thanks for the reply.
It is clear that I am not going to get a simple solution.
From what I have been looking at, the SD-Wan Plus license is not a requirement, only for exclusions based on applications.
Likewise, taking this path would imply making a design change to the Networking architecture and we have to evaluate that with more time.
The other alternatives would have to be seen together with our cybersecurity team, since we are using Umbrella (Roaming-Client).
Ultimately, I understand that there is no current capability in the MX devices that can solve this problem.
Thanks!