Good Morning, my google skills are failing me and I cant find an answer to this.
I am looking to establish a site-to-site VPN from an MX to an Azure VPN gateway. We often do this without using a routing protocol but have hit a customer where automatic routes would come in handy
Does the MX series support using BGP in this scenario? I can see some documentation around BGP but cant see anything in the MX to turn this on
Thanks in advance
When the MX runs in VPN-Concentrator-mode you can activate BGP to participate in dynamic routing. I am not really sure if this will integrate with external VPN-peers (don't think so), but if you place a vMX into Azure you should be able to do all your routing dynamically.
This isn't possible with non-Meraki VPN. Did you consider using vMX in Azure instead? This would allow all the SD-WAN features, in addition to BGP
Thank you all for the responses. I have considered xMX but am a bit put off by the additional cost and complexity of configuring a HA vmx setup compared to the native solution of an Azure VPN.
Happy to be persuaded otherwise tho if there is a valid argument there!
There are so many advantages to using VMX (and therefore AutoVPN) over non-Meraki VPN, that it's hard to know where to start. The most important is likely to be in the resilience offered; your MXs connect to both VMXs concurrently and you get far better failover capability - particularly if your branches also have dual WAN uplinks. Given the importance of modern Azure deployments, it really costs in, for most customers.
Thank you for this. I do understand the benefits and would like to try the VMx route although the failover capability within Azure does seem limited compared to an Azure VPN. I see that the approach is using Azure functions to change user defined routes for failover rather than something more dynamic
Cost is certainly the biggest factor. We are talking 2 x licenses for vMX plus the running cost of two virtual machines, disks etc, compared with deploying a gateway. It would be much preferable if a dynamic routing protocol was supported from the MX on a site-to-site VPN
Thanks for all the advice
If it is any consequence, I would say about 90% of my customers only deploy a single VMX into Azure. It's a lot simpler, and the number of failure cases you are protecting against in a public cloud provider is a lot less than an on-premise setup.
I have yes thanks that does look ideal! - Unfortunately, it adds another £280.00 a month on top of the stuff I mentioned before to make a Zone redundant HA solution based on vMX compared to a VPN gateway which has this built in.
vMX would be my preference but it doesn't look viable in this scenario. Appreciate all the advice