Using vMX at the Azure Cloud

JPScolar

Hello, 

I want to migrate a Cisco DMVPN network to a Meraki MX SD-WAN network. DMVPN main hubs are at a Service Provider Data Center, which, in turn, provides an Express Route connection to an Azure private cloud where all services are located.

I would like to build a vMX VNET at the Azure Cloud and use BGP to route to other VNETs (workload). This way I will remove the Service Provider dependency.

Any advice, comments, or suggestions on the difficulties of implementing this type of network? Anything in particular I need to pay attention to?

Thank you for your help. 

Juan-Carlos Perez
PhilipDAth

Some tips:

  • Before deploying the VMX, create a dedicated subnet to put it into. Or, worst case, absolutely do not put it into a subnet containing servers that users will need access to. If you break this rule you can experience low levels of intermittent packet loss.
  • When deploying, the instructions say to select an availability zone - don't do this. Select none. If you select an availability zone you get "Standard IP SKU", which blocks all inbound access. This reduces the reliability and functionality of the VMX (for example, you can't enable AnyConnect, and it increases the time for some AutoVPN failure cases to recover).
  • Configure a manual NAT traversal using a specific port, say udp/10000. Make sure you allow this port in using the Azure network security group. Doing this allows the system to recover from AutoVPN failures much quicker.
  • The default configuration deploys the VMX in NAT mode now (bad change Meraki ...). Once deployed you can't change this without deleting the VMX and re-deploying. So before deploying, change the VMX mode back to VPN concentrator mode.
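
Added example, not part of the original posts and not Meraki or Azure code: a Python check of whether a network security group actually admits the manual NAT traversal port from the tip above. NSG rules are evaluated in priority order, so an earlier deny can override a later allow. The rule set is constructed sample data, assumed to follow the shape of `az network nsg show` output; udp/10000 is the port from the tip, and the function names are illustrative.

```python
import json

# Constructed sample (not from the thread), assumed shape of `az network nsg show`.
SAMPLE_NSG = json.loads("""
{"securityRules": [
  {"name": "deny-high-udp", "priority": 200, "direction": "Inbound", "access": "Deny",
   "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "9000-11000"},
  {"name": "allow-autovpn", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRange": "10000"}
]}
""")


def port_matches(rule, port):
    """True if the rule's destination port spec ("*", "N" or "N-M") covers port."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    for spec in specs:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def inbound_udp_verdict(nsg, port):
    """Return (access, rule_name) for inbound UDP `port` from any Internet peer.

    Rules are checked by ascending priority number and the first match decides.
    Rules scoped to a narrower source are skipped here (simplifying assumption),
    because they do not decide for arbitrary AutoVPN peers.
    """
    rules = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    for rule in rules:
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"].lower() not in ("udp", "*"):
            continue
        if rule.get("sourceAddressPrefix") not in ("*", "Internet"):
            continue
        if port_matches(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # Azure's built-in default rule (priority 65500)


if __name__ == "__main__":
    print(inbound_udp_verdict(SAMPLE_NSG, 10000))
```

In the constructed sample the allow rule exists but never takes effect, because the broader deny at priority 200 matches first.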
PhilipDAth

Also read over these instructions about using BGP in Azure.

https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_Route_Server 

JPScolar

PhilipDAth. Thank you for your comments. So, basically the vMX should remain as VPN Concentrator, right? How about the firewalling? I would need a FW in front of the vMX. Or if this is only Auto-VPN tunnels, could I get by without a firewall?

Juan-Carlos Perez