Teach me for writing a question last thing on a Friday...
In the context of the current vMX capabilities in Azure, I’m considering using a vMX appliance and have a requirement for Client VPN (Secure Client). I have the option of terminating some site-to-site VPNs (third-party IPsec) onto the vMX or on something else (vWAN / Azure VPN Gateway).
First Question: Client VPN and S2S routing with vMX in Azure
My understanding is that if both Client VPN and S2S VPNs are terminated on the same vMX, then routing Client VPN traffic towards the S2S tunnels would require eBGP on the external peer, which can make S2S termination on the vMX more complex.
- In a vWAN + Route Server integration scenario, where eBGP is enabled and S2S VPNs are terminated in vWAN, is it correct to assume that Client VPN routing would function as expected?
Second Question: vMX passthrough vs NAT mode with split tunnelling
For a vMX deployed in Azure as part of an SD‑WAN design that requires split‑tunnel spoke routing only, the documentation suggests that passthrough / concentrator mode is supported, but NAT mode is not, as NAT mode would require spokes to default‑route traffic via the vMX.
- Is this still the case when BGP is enabled within AutoVPN and/or external participant routing?
Same overall scenario where there is a need for some Client VPN connectivity on the vMX, and passthrough will obviously mean no security services and split tunnelling only, so I'm just trying to understand if there are any differences between the documentation and actual experiences for anyone else.