Meraki Community

I'm trying to read your question correctly:

Do you mean you now have 1 site that has a non-Meraki VPN to Azure and you want to add a second site that also talks to Azure but not to each other?

If it is true, allow me to explain below:

The hub and spoke settings indeed apply to AutoVPN only (that means Meraki to Meraki in the same org).
You always need at least one hub in your network and I believe if you set the new site to spoke you'll need to select at least one hub.  So indeed they will connect via AutoVPN.  Or if you configure them both as hub then it will yield the same result.

So you have two ways to block communications between the two sites:

1) You configure both sites in their own org.  Do know this will also split your licensing, so you'll need separate orders if you do a renewal or something.

2) You can keep them in a hub/spoke config but you'll need to add some rules to the site-to-site VPN outbound firewall ruleset.  Just put denies between both networks ( maybe use a supernet if the network design is solid ) and make sure you have an allow any below it so you can reach all the rest.  Or only allow the Azure subnets as destination.  These rules will apply to both networks.

Each site will need to build its own non-Meraki VPN to Azure.  One site can not share another site's VPN connection.

The other option is to deploy a small VMX (VMX-S).

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 

The information provided by everyone else is all relevant and worth understanding. A couple of points to add...

1. The third party site-to-site configuration is organisation-wide, so when you add the new MX it will try and build a VPN to Azure (unless you stop it with tags). So you’ll just need to configure the Azure end for the new site.
2. Why do you want to stop traffic directly between the sites over VPN? Using the VPN firewall rules, will stop this traffic, but it will stop all communications between the sites - it won’t force it through the Azure site or anything ‘clever’ like that.

I hope it’s okay to piggy back off this question, but I have a similar situation. 

We have two separate meraki ORGs with a VPN connection to azure. However, we are trying to to get traffic to travel end to end through azure. Is this possible? 

I have site to site connections up and running successfully, but can’t seem to make the jump to the opposing ORG. I’m thinking I need a 1:1 NAT, I’m missing a subnet, or it’s just not doable. 

Oh Gosh!  I never came back to this post since 2021.  I have set up the VPNs - since then the organization now has 3 sites across the US - ATL, DC, LA.  Since I wanted each site to be a stand-alone site I configured each as a HUB (mesh)... I also did not want the other sites to connected to each other via Azure, I simply used different IP Subnets for each location (for example: 10.10.x.x, 10.11.x.x, 10.12.x.x).  

Since they automatically configure Remote VPN Participants, I added Outbound Firewall Rules for the Site-to-Site VPN configurations for each location to deny all traffic to remote subnets... 

example:

Deny 10.10.x.x any 10.11.x.x, 10.12.x.x any 

Deny 10.11.x.x any 10.10.x.x, 10.12.x.x any 

Deny 10.12.x.x any 10.10.x.x, 10.11.x.x any