Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)


We recently moved a client to Azure and set up a Site-to-Site VPN.  I chose the Hub configuration.  Now our client is expanding to another geographical location and we will need to connect that site to the Azure VPN.  

 

What VPN configuration should be chosen - Hub or Spoke, and should the original site be changed to Spoke?  

 

From what I am gathering, the Hub or Spoke configuration is only for Meraki devices... Also, I am assuming that in order to have a Spoke, a Hub must exist. If this is the case, should I choose Hub as the site-to-site configuration?  

 

If I do not want my Meraki MX's to "talk" via the VPN Mesh, I would then configure the outbound Firewall Rules for the VPN to deny all traffic to the other Meraki VPN networks while allowing traffic to the non-meraki Azure VPN device?


Re: Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)

I'm trying to read your question correctly:

Do you mean you now have 1 site that has a non-Meraki VPN to Azure and you want to add a second site that also talks to Azure but not to each other?

If it is true, allow me to explain below:

The hub and spoke settings indeed apply to AutoVPN only (that means Meraki to Meraki in the same org).
You always need at least one hub in your network and I believe if you set the new site to spoke you'll need to select at least one hub.  So indeed they will connect via AutoVPN.  Or if you configure them both as hub then it will yield the same result.

So you have two ways to block communications between the two sites:

1) You configure both sites in their own org.  Do know this will also split your licensing, so you'll need separate orders if you do a renewal or something.

2) You can keep them in a hub/spoke config, but you'll need to add some rules to the site-to-site VPN outbound firewall ruleset.  Just put denies between both networks (maybe use a supernet if the network design is solid) and make sure you have an allow any below it so you can reach all the rest.  Or only allow the Azure subnets as destination.  These rules will apply to both networks.
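The following is an added example, not code posted in this thread or shipped by Meraki. It builds the organization-wide site-to-site VPN outbound firewall ruleset described in option 2 above (explicit denies between the two sites followed by an allow-any, or alternatively allow-Azure-only), dry-runs it with a first-match evaluator so you can see which flows are blocked before touching production, and shows the payload shape for the Dashboard API endpoint `PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules`. The site and Azure prefixes, organization ID and API key are placeholders I made up for illustration.

```python
"""
Added example: build and dry-run a Meraki org-wide site-to-site VPN outbound
firewall ruleset that stops Site A <-> Site B over AutoVPN while still
allowing both sites to reach Azure over the non-Meraki peer.
Addressing below is constructed for illustration, not taken from the thread.
"""
import ipaddress
import json
import urllib.request

# Constructed sample addressing (assumptions, not from the thread)
SITE_A = "10.10.0.0/16"                               # original site behind MX-A
SITE_B = "10.20.0.0/16"                               # new site behind MX-B
AZURE_SUBNETS = ["172.16.0.0/16", "172.17.0.0/24"]    # reached via the non-Meraki peer


def _rule(comment, policy, src, dst, syslog=True):
    # Field names match the Meraki Dashboard API v1 VPN firewall rule object.
    return {"comment": comment, "policy": policy, "protocol": "any",
            "srcCidr": src, "srcPort": "Any", "destCidr": dst, "destPort": "Any",
            "syslogEnabled": syslog}


def build_vpn_firewall_rules(site_a, site_b, azure_subnets, azure_only=False):
    """Return the ordered 'rules' list.

    azure_only=False: explicit denies between the two sites, then allow any,
                      so everything else (including Azure) still works.
    azure_only=True : allow only the Azure subnets as destination, deny the rest.
    The ruleset is organization-wide and enforced on every MX in the org, so
    the deny is symmetric and applies to both sites at once.
    """
    if azure_only:
        rules = [_rule(f"Allow VPN traffic to Azure {net}", "allow", "Any", net)
                 for net in azure_subnets]
        rules.append(_rule("Deny all other VPN traffic", "deny", "Any", "Any"))
        return rules
    return [
        _rule("Block Site A -> Site B over AutoVPN", "deny", site_a, site_b),
        _rule("Block Site B -> Site A over AutoVPN", "deny", site_b, site_a),
        _rule("Allow everything else (Azure etc.)", "allow", "Any", "Any", syslog=False),
    ]


def _cidr_match(field, ip):
    # A rule field is either "Any" or a comma-separated list of CIDRs.
    if field.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def evaluate(rules, src_ip, dst_ip):
    """First-match, top-down evaluation of the ruleset for one flow.
    Returns 'allow' or 'deny'; unmatched traffic falls through to the
    dashboard's implicit default allow."""
    for rule in rules:
        if _cidr_match(rule["srcCidr"], src_ip) and _cidr_match(rule["destCidr"], dst_ip):
            return rule["policy"]
    return "allow"


def api_payload(rules):
    """Body for PUT /organizations/{organizationId}/appliance/vpn/vpnFirewallRules."""
    return {"rules": rules, "syslogDefaultRule": False}


def push_rules(org_id, api_key, rules):
    """Push the ruleset to the Dashboard API (not executed here: needs network
    access and a real key; org_id/api_key are placeholders)."""
    url = f"https://api.meraki.com/api/v1/organizations/{org_id}/appliance/vpn/vpnFirewallRules"
    req = urllib.request.Request(url, method="PUT",
                                 data=json.dumps(api_payload(rules)).encode(),
                                 headers={"X-Cisco-Meraki-API-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = build_vpn_firewall_rules(SITE_A, SITE_B, AZURE_SUBNETS)
    for src, dst in [("10.10.1.5", "10.20.1.5"),    # site A -> site B
                     ("10.20.1.5", "10.10.1.5"),    # site B -> site A
                     ("10.10.1.5", "172.16.1.5")]:  # site A -> Azure
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    print(json.dumps(api_payload(rules), indent=2))
```

Run the dry-run first and confirm that the inter-site flows come back as `deny` and the site-to-Azure flows as `allow` before calling `push_rules`. Keep in mind what these rules do and do not achieve: they drop every packet between the two sites that rides the AutoVPN tunnel (management, AD replication, file shares, all of it), and they do not redirect that traffic through Azure. If the two sites must never be able to reach each other at all, this is the right tool; if you only want to avoid a mesh for routing reasons, leaving both as spokes of a single hub or keeping the allow-any default is usually the better choice.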


Re: Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)

Each site will need to build its own non-Meraki VPN to Azure.  One site cannot share another site's VPN connection.

 

The other option is to deploy a small VMX (VMX-S).

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 


Re: Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)

The information provided by everyone else is all relevant and worth understanding. A couple of points to add...

 

  1. The third party site-to-site configuration is organisation-wide, so when you add the new MX it will try and build a VPN to Azure (unless you stop it with tags). So you’ll just need to configure the Azure end for the new site.
  2. Why do you want to stop traffic directly between the sites over VPN? Using the VPN firewall rules will stop this traffic, but it will stop all communications between the sites - it won’t force it through the Azure site or anything ‘clever’ like that.