Firewall MX CONNECTION BGP AWS

hvalles
Just browsing


Good day, community,


I have two MX firewalls in HA that I want to connect to AWS, where our SAP server is hosted.

The requirement is to establish the connection using BGP. I have found that, starting from MX version 18, it is possible to use eBGP without switching to VPN concentrator mode, allowing the MX firewalls to remain in NAT mode.

Additionally, I discovered that for AWS to support BGP, it requires the AWS Transit Gateway service.

This service allows setting up an IPsec VPN with the MX firewalls, and within the IPsec tunnel, BGP can be used.

I would like to know if anyone has had a similar experience with this type of integration or connection.


Thanks in advance!


3 Replies
GreenMan
Meraki Employee All-Star

I suspect this is pretty new - I have a feeling AWS previously supported only GRE tunnels - which MX does not support. I'd be equally interested to hear about real-world deployments using this.

Hasen
Just browsing

You can use AWS Transit Gateway (TGW). Starting from MX firmware version 18, eBGP is supported without switching to VPN concentrator mode, allowing the MX devices to remain in NAT mode.

First, you need to deploy a Transit Gateway in your AWS environment, as AWS requires TGW for BGP support over IPsec VPNs.


Then, establish IPsec VPN tunnels between your MX firewalls and the AWS TGW. AWS supports BGP over these VPN connections, enabling dynamic route exchange. After that, configure BGP on both the MX firewalls and the TGW to advertise and learn routes dynamically, ensuring efficient routing between your on-premises network and AWS.


When setting up this integration, make sure your AWS environment is properly configured for TGW.
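The procedure in the reply above (IPsec tunnels to the TGW, then eBGP over the tunnel inside addresses) is easy to get subtly wrong at the hand-off between the two vendors: the wrong ASN on one side, a neighbor pointed at the outside rather than the inside address, or an AWS hold time that does not match what the MX expects. The following Python is an added example, not code from the thread or from Meraki or AWS. It parses a constructed XML file shaped like the "Generic" site-to-site VPN configuration AWS lets you download for a VPN connection (field names follow that format; all values are made up), runs the sanity checks a practitioner would do by hand, and emits a dictionary in the shape of the Meraki Dashboard API body for `PUT /networks/{networkId}/appliance/vpn/bgp`. The Meraki field names (`asNumber`, `neighbors`, `remoteAsNumber`, `ebgpHoldTimer`, `ebgpMultihop`, `receiveLimit`, `allowTransit`) are assumed from that API and should be checked against the current API reference before use.

```python
"""Derive a Meraki MX eBGP neighbor config from an AWS site-to-site VPN config.

Added example (not from the forum thread, Meraki or AWS).
Assumptions: the XML mirrors AWS's "Generic" vendor download; the output
dict mirrors the Meraki Dashboard API body for
PUT /networks/{networkId}/appliance/vpn/bgp. Sample values are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: two tunnels of one AWS VPN connection attached to a TGW.
SAMPLE_AWS_CONFIG = """<vpn_connection id="vpn-0123456789abcdef0">
  <customer_gateway_id>cgw-0123456789abcdef0</customer_gateway_id>
  <transit_gateway_id>tgw-0123456789abcdef0</transit_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn><hold_time>30</hold_time></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn><hold_time>30</hold_time></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>CONSTRUCTED-PSK-TUNNEL-1</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn><hold_time>30</hold_time></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn><hold_time>30</hold_time></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>CONSTRUCTED-PSK-TUNNEL-2</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>"""

# AWS hands out the tunnel inside (BGP peering) addresses from link-local space.
AWS_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")


def parse_aws_tunnels(xml_text: str) -> list[dict]:
    """Extract, per tunnel, what the MX side needs: AWS peer IPs, ASNs, PSK."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for tun in root.findall("ipsec_tunnel"):
        cgw, vgw = tun.find("customer_gateway"), tun.find("vpn_gateway")
        tunnels.append({
            "aws_outside_ip": vgw.findtext("tunnel_outside_address/ip_address"),
            "aws_inside_ip": vgw.findtext("tunnel_inside_address/ip_address"),
            "mx_inside_ip": cgw.findtext("tunnel_inside_address/ip_address"),
            "inside_cidr": int(cgw.findtext("tunnel_inside_address/network_cidr")),
            "aws_asn": int(vgw.findtext("bgp/asn")),
            "mx_asn": int(cgw.findtext("bgp/asn")),
            "hold_time": int(vgw.findtext("bgp/hold_time")),
            "psk": tun.findtext("ike/pre_shared_key"),
        })
    return tunnels


def tunnel_problems(t: dict) -> list[str]:
    """Return human-readable reasons this tunnel cannot form an eBGP session."""
    problems = []
    link = ipaddress.ip_network(f"{t['aws_inside_ip']}/{t['inside_cidr']}", strict=False)
    if ipaddress.ip_address(t["mx_inside_ip"]) not in link:
        problems.append("MX and AWS inside addresses are not on the same link")
    if not link.subnet_of(AWS_INSIDE_RANGE):
        problems.append("inside addresses are not in AWS's 169.254.0.0/16 range")
    if t["mx_asn"] == t["aws_asn"]:
        problems.append("eBGP requires different ASNs on MX and TGW")
    if t["aws_inside_ip"] == t["aws_outside_ip"]:
        problems.append("BGP neighbor must be the tunnel inside address, not the outside IP")
    return problems


def build_mx_bgp_config(tunnels: list[dict], receive_limit: int = 50) -> dict:
    """Build the Meraki BGP body; one neighbor per AWS tunnel, shared local ASN."""
    local_asns = {t["mx_asn"] for t in tunnels}
    if len(local_asns) != 1:
        raise ValueError(f"all tunnels must use the same MX ASN, got {sorted(local_asns)}")
    for t in tunnels:
        if problems := tunnel_problems(t):
            raise ValueError(f"tunnel to {t['aws_outside_ip']}: " + "; ".join(problems))
    return {
        "enabled": True,
        "asNumber": local_asns.pop(),
        "neighbors": [
            {
                "ip": t["aws_inside_ip"],          # peer over the tunnel, not the public IP
                "remoteAsNumber": t["aws_asn"],
                "ebgpHoldTimer": t["hold_time"],   # match what AWS advertises (30 s)
                "ebgpMultihop": 1,                 # directly connected over the tunnel
                "allowTransit": False,             # do not re-advertise AWS routes elsewhere
                "receiveLimit": receive_limit,     # chosen cap on routes accepted from TGW
            }
            for t in tunnels
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_mx_bgp_config(parse_aws_tunnels(SAMPLE_AWS_CONFIG)), indent=2))
```

The pre-shared keys are parsed only so the same file can drive the MX third-party VPN peer configuration; they are deliberately not copied into the BGP body, which is the object you would most likely commit to a repository.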

hvalles
Just browsing

[Attached image: BGP meraki.jpg]


I found this information about the MX version.
