Hello,
I have a site-to-site VPN from the local office MX going to an AWS VPC. I was looking into setting up AWS Direct Connect so I can do BGP; however, would adding a vMX accomplish the same goal, or is that completely separate? I guess I am looking for the difference between the two. Thanks!
If you use vMX in your AWS instance, the VPN between the two is Meraki <-> Meraki AutoVPN, so it's much easier to configure. It will also build overlay tunnels across both WAN uplinks from the branch MXs (spokes) - if the branch MXs have two. The MXs now closely monitor the performance of both these end-to-end paths (packet loss, latency and jitter). As well as load balancing, you can then also make use of SD-WAN policy and performance rules to manage traffic across those two available paths - this includes the ability to fail over specific applications between the paths, if the monitored performance doesn't meet the criteria you configure for them.
The non-Meraki VPN to any other IPSec device virtualised at your cloud provider provides a secure tunnel connecting the two and not that much else.
Got it, thanks. So it sounds like the vMX100 makes more sense than going the Direct Connect route?
Well... what benefits were you hoping to get from using BGP?
Also: I missed the reference to Direct Connect. I must admit, I'm not massively familiar with it, but I understand it's a dedicated link between your site and an AWS DC. AWS pushes the pros here: https://aws.amazon.com/directconnect/ but it will probably have all the usual pros and cons associated with something 'dedicated' - it will probably be more expensive (you'll need to run the numbers for your scenario though) but maybe more dependable - and how will it scale, if you need to connect more locations to your AWS instance?
This would be just one location. So if I understand correctly, I go with the vMX100, and that is a cloud MX that sits in my VPC, and then I can do more Meraki-to-Meraki configurations? I assume this will sit at the edge of the VPC and route all incoming and outgoing traffic?
Almost... You have to tell AWS what traffic to send to the vMX: all the IP subnets that you want to be able to access your AWS resources, at the sites on the other end of the AutoVPN tunnels. You don't want all your AWS traffic going out through the vMX - it will be a one-armed VPN Concentrator, not a firewall to protect your AWS instance. Of course, those subnets might still mean all the traffic...
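One way to lay out the AWS side of what that reply describes, as an added example that is not from this thread, from Meraki or from AWS: Terraform (HCL) that deploys the vMX as a one-armed concentrator and, crucially, routes only the branch subnets to it rather than 0.0.0.0/0. Everything here is assumed or a placeholder: the VPC, the public subnet the vMX sits in, the vMX image id, the workload subnet ids and the AutoVPN UDP port range are supplied as variables, and the branch CIDRs shown as defaults are constructed sample values. Because the vMX filters nothing, the branch-side reach into the VPC is limited with the workloads' own security group.

```hcl
# Added example, not the project's or vendor's own code.
# Assumes an existing VPC with a public subnet (route to an Internet Gateway)
# for the vMX, and existing private subnets for the workloads.

variable "vpc_id"        { type = string }  # existing VPC (placeholder)
variable "vmx_subnet_id" { type = string }  # public subnet for the vMX (placeholder)
variable "vmx_ami_id"    { type = string }  # vMX marketplace image id (placeholder)

variable "vmx_instance_type" {
  type    = string
  default = "c5.large"  # placeholder; size per Meraki's vMX guidance
}

variable "onprem_cidrs" {
  description = "Branch subnets reachable over AutoVPN (constructed sample values)"
  type        = list(string)
  default     = ["10.10.0.0/24", "10.10.1.0/24"]
}

variable "private_subnet_ids" {
  description = "Workload subnets whose route table sends branch-bound traffic to the vMX"
  type        = list(string)
}

variable "branch_public_ips" {
  description = "Public IPs of the branch MX uplinks, as /32s (placeholder)"
  type        = list(string)
}

variable "autovpn_udp_ports" {
  description = "Inbound UDP range for AutoVPN; take from the Meraki vMX deployment guide (placeholder)"
  type        = object({ from = number, to = number })
}

# Security group for the vMX itself: narrow inbound, open outbound so it can
# reach the Meraki cloud and build AutoVPN tunnels.
resource "aws_security_group" "vmx" {
  name   = "vmx-concentrator"
  vpc_id = var.vpc_id

  ingress {
    from_port   = var.autovpn_udp_ports.from
    to_port     = var.autovpn_udp_ports.to
    protocol    = "udp"
    cidr_blocks = var.branch_public_ips
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The vMX forwards packets that are neither from nor to its own address,
# so source/destination checking must be off on its interface.
resource "aws_network_interface" "vmx" {
  subnet_id         = var.vmx_subnet_id
  security_groups   = [aws_security_group.vmx.id]
  source_dest_check = false
}

resource "aws_eip" "vmx" {
  domain            = "vpc"
  network_interface = aws_network_interface.vmx.id
}

resource "aws_instance" "vmx" {
  ami           = var.vmx_ami_id
  instance_type = var.vmx_instance_type

  network_interface {
    network_interface_id = aws_network_interface.vmx.id
    device_index         = 0
  }
}

# Workload route table: one route per branch subnet pointing at the vMX ENI.
# Do NOT add 0.0.0.0/0 -> vMX here; that would make the concentrator the
# VPC's default gateway, which is not its role. Other routes the workloads
# need (NAT gateway, endpoints) are omitted from this example.
resource "aws_route_table" "workloads" {
  vpc_id = var.vpc_id
}

resource "aws_route" "to_branch" {
  for_each               = toset(var.onprem_cidrs)
  route_table_id         = aws_route_table.workloads.id
  destination_cidr_block = each.value
  network_interface_id   = aws_network_interface.vmx.id
}

resource "aws_route_table_association" "workloads" {
  for_each       = toset(var.private_subnet_ids)
  subnet_id      = each.value
  route_table_id = aws_route_table.workloads.id
}

# The vMX is not a firewall, so the workloads' own security group decides
# what the branch subnets may reach (here: HTTPS only, as an illustration).
resource "aws_security_group" "workload" {
  name   = "workload-from-branch"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.onprem_cidrs
  }
}
```

The route table is what answers the "does it route all traffic?" question: only destinations matching var.onprem_cidrs leave the VPC via the vMX, and the same CIDR list drives the workload security group so that the tunnel does not quietly become an unfiltered path into the VPC. The port range and image id are deliberately left as variables; fill them from the vMX deployment guide for your region rather than from this example.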