We are planning to deploy the Meraki SD-WAN solution, and each branch will have two links, one MPLS link and one Internet link.
The requirement is to have direct Internet access for Office 365 traffic only at the branches, and the rest of the traffic should be sent back to the hub sites via VPN tunnels.
Meraki has a pre-defined application called office365 on the traffic shaping page for VPN traffic only, but it looks like it is not available for traffic that is not sent through the tunnels. Just wondering how to achieve this?
Many thanks in advance.
This would be painful but not impossible. You would need to load all the Office 365 subnets in, and configure the flow preferences to send just these subnets out the local Internet.
The default route on the VPN page gets ticked because we want to route the rest of the traffic back to the hub sites.
In this case, I think the Internet traffic option in the Flow preferences setting would not work?
Yes, you have to get the list of all the IP subnets used by Microsoft for the service. Allow those, allow access to your MPLS subnets, and block everything else.
Thanks for your reply, Philip. Much appreciated.
I had a quick look at the page below:
It looks like the IP ranges and URLs are dynamic. Maybe the API would be helpful here for the IP addresses, but how to handle the URLs?
Take this one for example:
There is no IP address. If the two URLs are whitelisted in URL filtering, how do we configure the layer 3 firewall rules to allow the traffic? permit tcp any any 443/80?
We are using a proxy for all traffic except Office 365, and the proxy traffic will be tunneled back to the hub site. In this case, how do we define URL filtering to whitelist Office 365 traffic? It looks like Meraki would inspect the proxy traffic with the URL filtering policy as well. If we blacklist everything except Office 365, will it impact all website browsing?
I did say it would be painful. You'll need to load in all the IP address ranges, and then periodically check if they have changed.
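Philip's approach above (load the published ranges, allow them plus the MPLS subnets, deny the rest, and re-check the list periodically) can be scripted. The block below is an added example, not code from this thread, from Meraki or from Microsoft. It assumes the JSON layout of Microsoft's Office 365 IP Address and URL web service at endpoints.office.com (fields `category`, `required`, `ips`, `urls`, `tcpPorts`), uses a constructed sample feed rather than live data, and shapes the rule objects after the Meraki Dashboard API's L3 firewall rule fields, which is an assumption here. It also separates out endpoints the feed publishes as URLs with no IP range, the case raised in the question that an L3 rule cannot cover.

```python
"""Turn the Office 365 endpoint feed into L3 allow rules and detect changes.

Added example (not from the thread, Meraki or Microsoft). Assumptions:
- the feed layout follows Microsoft's public endpoint web service;
- rule field names are modelled on Meraki Dashboard API L3 firewall rules.
"""
import hashlib
import ipaddress
import json
import uuid
from urllib.request import urlopen

# Live feed (not called by the offline demo); clientrequestid must be a GUID.
ENDPOINT_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={}"

# Constructed sample in the shape of the Microsoft feed. Not real data:
# the CIDRs, ports and ids are illustrative only.
SAMPLE_FEED = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com"], "tcpPorts": "80,443",
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "tcpPorts": "80,443",
     "ips": ["13.107.136.0/22", "13.107.136.0/24"]},       # /24 sits inside /22
    {"id": 3, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.microsoftonline.com"], "tcpPorts": "443",
     "ips": ["20.190.128.0/18", "40.126.0.0/18"]},
    {"id": 4, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["*.office.com"], "tcpPorts": "80,443"},        # URL only, no ips
    {"id": 5, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.officeapps.live.com"], "tcpPorts": "80,443"},
    {"id": 6, "serviceArea": "Skype", "category": "Allow", "required": False,
     "urls": ["*.lync.com"], "tcpPorts": "443", "ips": ["52.112.0.0/14"]},
]


def fetch_feed(url_template=ENDPOINT_URL):
    """Download the live feed; the offline demo uses SAMPLE_FEED instead."""
    with urlopen(url_template.format(uuid.uuid4())) as resp:
        return json.load(resp)


def _collapse(nets):
    """Merge overlapping/adjacent networks, IPv4 and IPv6 separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


def select_breakout(feed, categories=("Optimize", "Allow")):
    """Pick entries to break out locally: required and in Optimize/Allow.

    Returns (groups, url_only): groups maps a tcpPorts string to a collapsed
    CIDR list; url_only lists endpoints published without any IP range,
    which can only be handled by URL filtering or a proxy bypass, not L3.
    """
    by_ports, url_only = {}, []
    for entry in feed:
        if not entry.get("required") or entry.get("category") not in categories:
            continue
        ips = entry.get("ips", [])
        if not ips:
            url_only.extend(entry.get("urls", []))
            continue
        ports = entry.get("tcpPorts", "443")
        nets = by_ports.setdefault(ports, set())
        for cidr in ips:
            nets.add(ipaddress.ip_network(cidr, strict=False))
    groups = {ports: _collapse(nets) for ports, nets in by_ports.items()}
    return groups, sorted(set(url_only))


def build_rules(groups):
    """One allow rule per CIDR, in Meraki L3 firewall rule field layout
    (field names are an assumption). These must sit above the final
    deny-all rule, together with the allow rules for the MPLS subnets."""
    return [{"comment": "O365 local breakout", "policy": "allow",
             "protocol": "tcp", "srcCidr": "Any", "srcPort": "Any",
             "destCidr": cidr, "destPort": ports, "syslogEnabled": False}
            for ports, cidrs in groups.items() for cidr in cidrs]


def flat(groups):
    """Flat, sorted CIDR list for fingerprinting and diffing."""
    return sorted(c for cidrs in groups.values() for c in cidrs)


def fingerprint(cidrs):
    """Stable hash of the range list; persist it between scheduled runs."""
    return hashlib.sha256("\n".join(cidrs).encode()).hexdigest()


def diff_ranges(previous, current):
    """(added, removed) between two runs, so a job can alert on changes."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    groups, url_only = select_breakout(SAMPLE_FEED)
    print(json.dumps(build_rules(groups), indent=1))
    print("URL-only endpoints (URL filtering/proxy bypass, not L3):", url_only)
    print("fingerprint:", fingerprint(flat(groups)))
```

In a scheduled job, replace `SAMPLE_FEED` with `fetch_feed()`, store the fingerprint, and raise an alert when `diff_ranges` reports any change so the flow preferences and firewall rules get updated before Microsoft retires a range. Anything that comes back in `url_only` is exactly the wildcard-URL case from the question: it has no address to put in an L3 rule and has to be handled at the URL or proxy layer.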