Hi,
My only experience with vMX in Azure was a single vMX without defining AvZones (so basic public IP for the vMX). vMX is a also a FW and customer accepted to connect it directly to the internet.
Now I need to deploy an HA Pair in Azure and in this case my customer wants to sit it behind a vPalo_Alto cluster. They also want to deploy each vMX in a different AvZone in the Az Region.
I'm aware that by specifying AvZone in vMX deployment automatically makes them to use AZ Standard Public IPs instead of basic ones. From a previous Philip Dath's post I also know standard would make HA from primary vMX to the secondary one to need more convergence time in case primary one fails.
My doubt is:
Provided I deploy the vMX instances (they could share a single Meraki SDWAN subnet or run two SDWAN subnets) the vMXs would try to register into Meraki cloud directly (using Az internet access). Both vMX would send all their traffic towards reserved AZ IP for sdwan subnet DGw. How could I get they both to send their underlay traffic thru the PA cluster? Meraki AZ vMX deployment guide says RT are not needed for sdwan subnets, they could lead to packet loss.
Or do you recommend sitting the fw behind the vMXs? At the end of the day the vMX FW function already protect themshelves. PA FW will serve as Client VPN access and would protect all Az resources but the vMXs.
Thanks for your help.
