Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)

Building a reputation

Connecting Multiple Sites to Azure VPN (Hub or Spoke configuration?)

We currently moved a client to Azure and setup a Site-to-Site VPN.  I chose the Hub configuration.  Now our client is expanding to another geographical location and we will need to connect that site to the Azure VPN.  


What VPN configuration should be chosen - Hub or Spoke, and should the original site be changed to Spoke?  


From what I am gathering, the Hub or Spoke configuration is only for Meraki devices... Also, I am assuming in order to have a Spoke, a hub must exist.If this is the case, I should choose Hub as the site-to-site configuration?  


If I do not want my Meraki MX's to "talk" via the VPN Mesh, I would then configure the outbound Firewall Rules for the VPN to deny all traffic to the other Meraki VPN networks while allowing traffic to the non-meraki Azure VPN device?

8 Replies 8
Kind of a big deal
Kind of a big deal

I'm trying to read your question correctly:

Do you mean you now have 1 site that has a non-Meraki VPN to Azure and you want to add a second site that also talks to Azure but not to each other?

If it is true, allow me to explain below:

The hub and spoke settings indeed apply to AutoVPN only (that means Meraki to Meraki in the same org).
You always need at least one hub in your network and I believe if you set the new site to spoke you'll need to select at least one hub.  So indeed they will connect via AutoVPN.  Or if you configure them both as hub then it will yield the same result.

So you have two ways to block communications between the two sites:

1) You configure both sites in their own org.  Do know this will also split your licensing, so you'll need separate orders if you do a renewal or something.

2) You can keep them in a hub/spoke config but you'll need to add some rules to the site-to-site VPN outbound firewall ruleset.  Just put denies between both networks ( maybe use a supernet if the network design is solid ) and make sure you have an allow any below it so you can reach all the rest.  Or only allow the Azure subnets as destination.  These rules will apply to both networks.

Kind of a big deal
Kind of a big deal

Each site will need to build its own non-Meraki VPN to Azure.  One site can not share another site's VPN connection.


The other option is to deploy a small VMX (VMX-S). 

Kind of a big deal

The information provided by everyone else is all relevant and worth understanding. A couple of points to add...


  1. The third party site-to-site configuration is organisation-wide, so when you add the new MX it will try and build a VPN to Azure (unless you stop it with tags). So you’ll just need to configure the Azure end for the new site.
  2. Why do you want to stop traffic directly between the sites over VPN? Using the VPN firewall rules, will stop this traffic, but it will stop all communications between the sites - it won’t force it through the Azure site or anything ‘clever’ like that.
Here to help

I hope it’s okay to piggy back off this question, but I have a similar situation. 

We have two separate meraki ORGs with a VPN connection to azure. However, we are trying to to get traffic to travel end to end through azure. Is this possible? 

I have site to site connections up and running successfully, but can’t seem to make the jump to the opposing ORG. I’m thinking I need a 1:1 NAT, I’m missing a subnet, or it’s just not doable. 

The VPNs to Azure need to include the subnets in the remote org in their encryption domain.


You could consider getting a pair of VMXs (one for each org), as this would make the routing so much easier.  You could also consider Azure WAN services with this approach. 

Edit: It seems to be working successfully. I was missing a subnet in one side. Thank you again. 

Thanks Phil, I’ll double check my subnets. The whole purpose of this is to give on org access to a printer in the other, that’s it. Which I wish was a joke LOL. It doesn’t yet merit someone with my minimal experience pulling the rug out…yet. 


One thing I failed to mention is Org 2 is not on prem. All those users are going through client vpn. I did saw you touch in that topic in another thread regarding Client VPN routing through non meraki vpn. Though the answers on that question seemed to vary. 

Here to help

Oh Gosh!  I never came back to this post since 2021.  I have set up the VPNs - since then the organization now has 3 sites across the US - ATL, DC, LA.  Since I wanted each site to be a stand-alone site I configured each as a HUB (mesh)... I also did not want the other sites to connected to each other via Azure, I simply used different IP Subnets for each location (for example: 10.10.x.x, 10.11.x.x, 10.12.x.x).  


Since they automatically configure Remote VPN Participants, I added Outbound Firewall Rules for the Site-to-Site VPN configurations for each location to deny all traffic to remote subnets... 


Deny 10.10.x.x any 10.11.x.x, 10.12.x.x any 

Deny 10.11.x.x any 10.10.x.x, 10.12.x.x any 

Deny 10.12.x.x any 10.10.x.x, 10.11.x.x any 

Get notified when there are additional replies to this discussion.