Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is it possible to install a Meraki MX security appliance in an AWS environment

rhamersley
Getting noticed
‎Sep 11 2023 10:53 AM
‎Sep 11 2023 10:53 AM

Is it possible to install a Meraki MX security appliance in an AWS environment

Is it possible to install a Meraki MX security appliance in an AWS environment behind our VMX-M device for additional security instead of using the AWS costly security.   It would be nice to spin up a virtual instance with Meraki MX security appliance settings.

Labels:
0 Kudos
Subscribe
14 Replies 14
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 11 2023 11:08 AM
‎Sep 11 2023 11:08 AM

Do you want to install a physical appliance within the AWS environment?
 
Can you provide a little more detail on what the idea would be?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
rhamersley
Getting noticed
‎Sep 12 2023 6:39 AM
‎Sep 12 2023 6:39 AM

Just curious if there is a virtual version other than the vMX-M we currently have.   As you know the vMX-M does not have any content filtering features on that device.

0 Kudos
Subscribe
In response to rhamersley
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 1:54 PM
‎Sep 12 2023 1:54 PM

I don't know - but NAT mode is available for VMX.

 

If you were keen to do an experiment, you could request another VMX on trial, and do a test deployment, and see what happens.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 11 2023 3:20 PM
‎Sep 11 2023 3:20 PM

The "V" in "VMX" means virtual - it is an MX.  You typically use the VMX as a VPN concentrator.

 

Amazon doesn't charge for security groups, used for firewalling, so I am not sure where the cost aspect comes from?

0 Kudos
Subscribe
In response to PhilipDAth
rhamersley
Getting noticed
‎Sep 12 2023 6:40 AM
‎Sep 12 2023 6:40 AM

I will need to look further into with our AWS personnel.   To confirm with you Philip if you are familiar with the AWS environment, so it is possible to perform content filtering using AWS security groups at no extra cost?   

0 Kudos
Subscribe
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Sep 11 2023 8:56 PM
‎Sep 11 2023 8:56 PM

From what I understand AWS doesn't allow customers equipment in their data centres. VMX is your only option if you want a Meraki security appliance within your AWS VPC

btr.net.nz
0 Kudos
Subscribe
In response to BlakeRichardson
rhamersley
Getting noticed
‎Sep 12 2023 6:41 AM
‎Sep 12 2023 6:41 AM

Blake - We are just looking to content filtering aspect for all our AWS servers.   

0 Kudos
Subscribe
In response to rhamersley
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 6:56 AM
‎Sep 12 2023 6:56 AM

If you can use a Fortigate to filter, why couldn't you use a vMX?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
rhamersley
Getting noticed
‎Sep 12 2023 7:10 AM
‎Sep 12 2023 7:10 AM

the vMX-M Meraki virtual device does not have any Content Filtering options in the dashboard.   Attached a screen shot.

 

rhamersley_0-1694527791323.png

 

0 Kudos
Subscribe
In response to rhamersley
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 7:17 AM
‎Sep 12 2023 7:17 AM

Do you have the Advanced Security license?

 

https://documentation.meraki.com/General_Administration/Licensing/Meraki_MX_Security_and_SD-WAN_Lice...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 7:22 AM
‎Sep 12 2023 7:22 AM

@PhilipDAth 

 

Correct me if I'm wrong, but in the past vMX runs as a VPN concentrator only. It does not provide firewall, content filtering, IPS or other security functions.

Isn't it?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
rhamersley
Getting noticed
‎Sep 12 2023 7:30 AM
‎Sep 12 2023 7:30 AM

The vMX-M gives you firewall settings for Layer 3 and Layer 7.   The vMX-M does not provide any Threat protection or Content filtering.    We are looking to see if there is any Meraki products that will provide that service for our AWS environment.

 

  

0 Kudos
Subscribe
In response to rhamersley
alemabrahao
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 7:33 AM
‎Sep 12 2023 7:33 AM

Wouldn't it be better to talk to your Meraki sales representative?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 12 2023 1:51 PM
‎Sep 12 2023 1:51 PM

This was historically the case.  About 6 months ago the VMX gained support for NAT mode, and Meraki changed it so this is now the default deployment option (bad!!!).

https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ .

 

This was done primarily to offer full tunnel client VPN support for VMX.  In NAT mode, a user can VPN in and access the Internet (the VMX will NAT their traffic).

HOWEVER, all AutoVPN spoke traffic is also NATed when accessing cloud servers.  The bonus of this is you no longer need to configure any routing in the public cloud - as all traffic (client VPN and AutoVPN) is NATed to the VMX private IP address and appears to come from that IP.

 

This is a major pain.  Servers CAN NOT access spokes - because the spokes sit behind NAT.  For example, you can't have a server in the cloud send a print job to a printer on-premise over AutoVPN using a VMX in NAT mode (actually I lie - you can make it work, but you have to configure NAT port forwards, just like if you have a physical MX attached to the Internet and wanted to give access to something from the Internet to an internal server - but this is a nasty solution for this use case).

 

As a consequence of this, I never use NAT mode for VMX.  Also note you can't change this setting post-deployment.  If you want to change it you have to delete the VMX and re-deploy it.

 

 

Looping full circle, now you can have a VMX in NAT mode like a "typical" on-premise VMX.

Does the VMX support IPS or contenting filtering while running in NAT mode (like its on-premise counterpart)?  I don't know.  I have never used NAT mode on VMX, so have never tested this out.  But I think there is a reasonable chance this will work.

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.