Meraki

Community

New S2S VPN between my Meraki Firewall and Azure

charlesfors
New here
‎Jun 12 2023 3:07 PM
‎Jun 12 2023 3:07 PM

New S2S VPN between my Meraki Firewall and Azure

Hello:

We are planning to do the setup of a new S2S VPN between our end (firewall MX84) and Azure

First I would like to explain to you the configuration that we want to implement on our end

1-Our firewall has two lines connected to the internet.

2-Currently, the principal line (Verizon) is UP and it is using a "Site to Site" VPN between our end and Azure cloud that allows the connection between our private network and Azure

3-Now we want to activate the Comcast line as a failover line, so in case the Verizon line goes down, Comcast line goes UP automatically and keep the "Site to Site" VPN connection working without interruption

My question is:
1-Do I have to configure BGP protocol (in our firewall and Azure end) to achieve the failover?

 

Thank you, Charles

0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 12 2023 3:12 PM
‎Jun 12 2023 3:12 PM

 

Maybe it will help you.

 

Screenshot_20230612-191107.png

 

https://community.meraki.com/t5/Security-SD-WAN/Meraki-MX-250-HA-pair-and-Azure-VPN-Gateways-IPSEC-f...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 12 2023 3:18 PM
‎Jun 12 2023 3:18 PM

Is the vMX on Azure one option?

 

I think it's more simple.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 13 2023 2:38 AM
‎Jun 13 2023 2:38 AM

Using Azure, you might as well say the answer is no, because what you have to do to make it work is beyond most people.

 

If you value failover, buy a VMX-S.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 

GreenMan
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Jun 13 2023 4:53 AM
‎Jun 13 2023 4:53 AM

What @PhilipDAth said...    you likely will not get this working how you would desire using non-Meraki VPN.   If you purchase VMX (particularly if you purchase two, for resilience) it will be miles simpler, more resilient and provide you policy and performance routing too.

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure 

https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server

https://documentation.meraki.com/MX/Networks_and_Routing/Border_Gateway_Protocol_(BGP)

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping

 

 

jimmyt234
Head in the Cloud
‎Jun 14 2023 8:55 AM
‎Jun 14 2023 8:55 AM

Configure your Azure connection to the Dynamic DNS hostname of the MX, this will auto-failover, albeit rather slowly.

 

The real, elegant solution is to deploy a vMX in Azure. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.