Help configuring vMX100 in Azure

murdz112
Comes here often


Hi Team,

 

I have used the vMX100 Setup Guide for Microsoft Azure found below on the Meraki website:

 

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure

 

Been bashing my head against a wall trying to get connectivity from my DC in the Sydney branch office to the DC in Azure.

 

My network configuration is as follows:

 

Sydney Branch Office Network

MX100

192.168.0.0/24 - Office LAN

192.168.0.8 - SydneyDC

 

vMX100 VNET

vMX100

10.10.0.0/16 - Supernet

10.10.0.0/24 - vMX100 Subnet

10.10.0.4 - vMX LAN IP

 

Infrastructure VNET

10.100.0.0/16 - Supernet
10.100.0.0/24 - Infrastructure Subnet
10.100.0.4 - AzureDC IP
 
I have the below networks set as "Local Networks" in the VPN settings of the vMX in Azure:
10.100.0.0/16
10.10.0.0/24
 
On the MX100 in Sydney, I can see it has 10.100.0.0/16 in the route table as well as 10.10.0.0/24.
 
I can ping the vMX100 IP 10.10.0.4 from the MX100 appliance without any issues. So the site-to-site VPN is working fine.
 
I have created a route table in Azure with the following settings:
 
Route: 192.168.0.0/24
Next Hop IP: 10.10.0.4
Subnet: 10.100.0.0/24
 
The route table is associated with the resource group in which the AzureDC resides. Below are some screenshots of my config in Azure. Meraki support are no help at all. Have tried a myriad of combinations and other 3rd party documentation online to no avail.

Is anyone able to assist in getting connectivity to the AzureDC host from my Sydney branch office?
 
12 REPLIES 12
Dennis_S
Here to help

It sounds like you have it right, I'll continue to look at it. Check for any ACL that may be in place. I found one in my own environment sitting on a switch that created issues.

 

-Dennis

PhilipDAth
Kind of a big deal

It looks like when you have deployed the VMX it was put into its own VNET.

 

When you are deploying it and you get to the VNET configuration you need to click "Advanced" and select the existing VNET (where your servers are).

From the Meraki article, I took it that the vMX and server had to be on different vNETs. In fact, I tried creating them on the same and the managed app won't allow this.

 

Azure Setup 

Before You Begin

You must have the following before you begin:

  • An Azure virtual network and virtual subnet on a resource group separate from the resource group you will be creating to host the vMX. To find more information about this, please click here.

Note: Your virtual network must be in a separate resource group from the one hosting your vMX. If you assign the vMX to a resource group that already contains a virtual network/virtual subnet, you will not be able to deploy the vMX.

PhilipDAth
Kind of a big deal

I just remember that when assigning the VNET when deploying the VMX in Azure it had to go into an existing VNET. If you used a VNET in the same resource group as the VMX (which is the default) it won't work.

But following the Meraki documentation it explicitly states you can't have the vMX on the same VNET as your servers' VNET.

I have tried putting them in the same VNET and Azure errors out (I think the managed app locks down the VNET it deploys so you can't make any changes to it).

PhilipDAth
Kind of a big deal

You can only configure it at deployment time.  You can not change it afterwards.  You have to delete the managed app (VMX) and redeploy.  During the deployment you should be able to select the existing resource group and VNET in the networking section (under advanced in the Azure portal).

Hi Philip,

 

So you suggest deleting the vMX managed app. 

 

When redeploying what resource group should I put it into? 

PhilipDAth
Kind of a big deal

The actual app, VMX100, has to go into its own resource group.  When it runs through the Azure setup it comes to a bit about the networking.  In that section you need to go into Advanced (in the Azure portal), and select an existing resource group and an existing vnet.

 

You can pretend to do this with a trial run through first before deleting the current VMX.

Hi Philip,

 

See below screenshots. Tried wiping Azure config all away.

Created new Resource Group with a VNET inside then provisioning vMX100 to be a part of that resource group.

No dice, gives an error. Your thoughts?

PhilipDAth
Kind of a big deal

You'll need to blow away everything relating to the existing VMX to be able to deploy it again using the same resource group name.

 

I think it is the next screen, "Deployment Details", where you need to select an existing resource group and then an existing VNET.

Hi Philip,

 

Everything was blown away. I set it up as you said. It didn't work.

 

You can not create the resource group without adding a vNET. When launching the managed app you can not associate the app to an existing resource group with a VNET defined. This is explained quite clearly in the Meraki instructions. Which I will post again as it contravenes what you're trying to tell me.

 

Azure Setup 

Before You Begin

You must have the following before you begin:

  • An Azure virtual network and virtual subnet on a resource group separate from the resource group you will be creating to host the vMX. To find more information about this, please click here.

Note: Your virtual network must be in a separate resource group from the one hosting your vMX. If you assign the vMX to a resource group that already contains a virtual network/virtual subnet, you will not be able to deploy the vMX.

 

 

Is anyone who is running a vMX successfully in Azure able to chime in?

From what I can see, you have 2 separate vNETs. 1 for Meraki, 1 for Infrastructure.

In this situation, you have to set up vNET peering between the two vNETs for communication. Unfortunately this will increase costs as there is a cost for network traffic over peering.

Now to do it the way you want it, you need to set up the following configuration.

 

  1. Delete your Meraki resource group that contains the managed app. This will also delete the other LOCKED resource group containing the Meraki VM infrastructure. 
  2. In your Infrastructure resource group, open your existing vNET configured as 10.100.0.0/16. Create a new subnet for the Meraki VM. I typically have the range away from any other infrastructure such as 10.100.254.0/24. Do not assign anything in the vNET.
  3. Open your infrastructure resource group. Note the location of your resource group.
  4. Click the plus sign and search for Meraki. Click create.
  5. a. Give the vMX a name.
     b. Add the Meraki Auth Token from your dashboard.
     c. Select your subscription.
     d. Click Create new for the Resource Group. Call it whatever you want. This is where the Meraki managed app will live.
     e. Choose the same location as your Infrastructure resource group. Most likely Australia East. Very important.
  6. Now when you move to the deployment details step, it will try to create a vNET for you (vmx-vnet). Don't do this.
  7. Click on Virtual Network, select your Infrastructure vNET name.
  8. Click on Subnets, select the Meraki subnet you created in step 2.
  9. Click Ok and create the VM.
  10. Once the VM is up, you will need a route table in your Infrastructure vNET. Add your on-prem networks and forward them to the IP of your vMX. Associate it to your Infrastructure subnet, NOT the Meraki subnet.

 

What we have done here is create a Meraki vMX to use the same vNET as your internal infrastructure. Meraki only have the requirement to create infrastructure in its own Resource Group. If resource groups are in the same region, they can share vNETs. If you create separate vNETs, the only way they can communicate is via vNET peering. This is Azure networking basics.
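The failure in the first post and the fix in the last reply both come down to whether the route's next hop is reachable from the subnet the route table is attached to. The following is an added example (not from any poster in this thread) that checks both layouts using the thread's addresses; the vNET and subnet names and the vMX address 10.100.254.4 are assumptions.

```python
import ipaddress as ip

def check_udr(vnets, peerings, route):
    """Return the problems with a user-defined route (empty list = looks sane).

    vnets:    {vnet name: {subnet name: CIDR}}
    peerings: set of frozenset({vnet_a, vnet_b})
    route:    prefix, next_hop, plus the vnet/subnet the route table is tied to
    """
    hop = ip.ip_address(route["next_hop"])
    prefix = ip.ip_network(route["prefix"])
    homes = [(v, s) for v, subs in vnets.items()
             for s, cidr in subs.items() if hop in ip.ip_network(cidr)]
    if not homes:
        return [f"next hop {hop} is not inside any known subnet"]
    hop_vnet, hop_subnet = homes[0]
    problems = []
    # A virtual-appliance next hop has to be directly reachable: same vNET,
    # or a vNET peered with the one the route table is associated to.
    if hop_vnet != route["vnet"] and \
            frozenset({hop_vnet, route["vnet"]}) not in peerings:
        problems.append(f"next hop {hop} is in {hop_vnet}, which is not "
                        f"peered with {route['vnet']}")
    # Step 10: associate with the infrastructure subnet, not the vMX's own.
    if (hop_vnet, hop_subnet) == (route["vnet"], route["subnet"]):
        problems.append("route table is associated with the vMX subnet")
    # The on-prem prefix must not collide with any Azure subnet.
    for v, subs in vnets.items():
        for s, cidr in subs.items():
            if prefix.overlaps(ip.ip_network(cidr)):
                problems.append(f"{prefix} overlaps {v}/{s} ({cidr})")
    return problems

# Layout from the first post: vMX and AzureDC in separate, unpeered vNETs.
ORIGINAL = {"vmx-vnet": {"vmx": "10.10.0.0/24"},
            "infra-vnet": {"infrastructure": "10.100.0.0/24"}}
ORIGINAL_ROUTE = {"prefix": "192.168.0.0/24", "next_hop": "10.10.0.4",
                  "vnet": "infra-vnet", "subnet": "infrastructure"}

# Layout from the last reply: vMX in a new subnet of the infrastructure vNET.
# 10.100.254.4 is an assumed vMX address; read the real one after deployment.
SHARED = {"infra-vnet": {"infrastructure": "10.100.0.0/24",
                         "meraki": "10.100.254.0/24"}}
SHARED_ROUTE = {"prefix": "192.168.0.0/24", "next_hop": "10.100.254.4",
                "vnet": "infra-vnet", "subnet": "infrastructure"}

if __name__ == "__main__":
    for name, v, r in [("original", ORIGINAL, ORIGINAL_ROUTE),
                       ("shared vNET", SHARED, SHARED_ROUTE)]:
        print(name, check_udr(v, set(), r) or "ok")
```

Passing a peering such as `{frozenset({"vmx-vnet", "infra-vnet"})}` as the second argument models the two-vNET alternative mentioned in the same reply.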
