Thank you Inderdeep. In document it says : As such, the MX cannot block VPN traffic initiated by non-Meraki peers. So as example: If I put deny all rule , will site to site VPN still work or it will hit deny all ?

@jay_b  By default, everything inbound is going to be blocked by default unless it's allowed by port forwarding or a 1:1 NAT rule for example, and of course any return traffic is allowed back inbound like any stateful firewall.

So you are going to block outbound traffic with Firewall rules..

Check layer 3 firewall rules, 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal... 

Hello @Inderdeep 

Thanks for your response. Sorry If I am not explaining clearly. Let me explain it again.

As example : I have new fresh firewall.

1) I implemented 5 site-to-site VPN tunnels to AWS/Azure/GC.

2) Added  allow TCP any any 80

3) allow TCP any any 443

4) deny any any

Now my question is Do I have to add rule to allow individual tunnel's ip address ? like

allow any any tunnel1 IP address

allow any any tunnel2 IP address

L3 firewall  doesnt work on vpn traffic

L3 Vpn firewall works on outgoing vpn traffic only.(traffic inside the tunnel)

@ww Thanks for quick response. That makes sense. So there won't be any affect on VPN. Awesome. Thanks