>1. Can we connect internet and MPLS lines on a single or dual MX?
Yes, but extra consideration needs to be given to this configuration. One special thing to note is that the MX always requires access to the Internet via a WAN port.
Sample configurations:
https://documentation.meraki.com/MX/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN
https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
>2. If we have two internet lines, can we use FQDN based traffic steering to route certain traffic via the primary link and other traffic via the secondary?
On an enterprise licence, no. You can only do it IP address.
I *think*, not sure, that an Enterprise licence might be able to do category based flows. Most customers buy Advanced Security licences (one up from Enterprise), so I don't have much exposure to the the reduced Enterprise feature set.
An SD-WAN Plus licence let you route via "major" application.
>3. If we use ZScaler as our SSE, can we specify whether Zscaler traffic should flow over the primary or secondary internet line only?
I guess so. It will use whatever you have configured as the primary circuit. With Zscaler you have to use tag based failover to have a backup circit configured. Typically this configuration requires 100% of all traffic to go to Zscaler - so the above exemptions don't apply.
https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover
Is there any reason you are not considering Cisco Umbrella? Like Zscaller, but has really nice native integration, in many different ways.
>4. Does routed mode on Meraki imply that it is internet facing, or can it be behind a firewall or router and still be in routed mode?
It can sit behind another device. Note that in routed mode that all traffic (at least by default) is NATed was it passes through its WAN interface to the WAN interface IP address.
