vMX in Azure - should it/could it be behind an Azure Firewall?

SOLVED
Paul2zl
Conversationalist

vMX in Azure - should it/could it be behind an Azure Firewall?

Hi

 

I notice the deployment of the vMX into Azure associates an Azure Public IP address with the vMX/Managed Application.

 

Presumably it is this public IP address that is used for inbound and outbound vMX connectivity. This vMX is therefore on the perimiter of the Azure network directly exposed via a public ip address.

 

I have a couple of questions:

  1. Is this considered best practice, or are they scenarios where one would want the vMX to sit behind an Azure Firewall (or third party firewall device)? I.e. so inbound azure traffic flows throught a firewall device before reaching the vMX. I ask this because some organizations may already have (or wish to have) an Azure Firewall at the perimeter of their Azure virtual network.
  2. Is it even possible to make the vMX sit behind a firewall? For example, the deployment creates a managed application that contains a public ip address associated with the vmx VM. This suggests to me that you don't have much choice other than having it diretly exposed via the public ip address attached to the vMX VM (as opposed to forwarding traffic from an Azure Firewall to a private ip address associated with the vMX say).

 

Of course, if we were using the native Azure VPN Gateway (and not Cisco vMX say) then that would sit right at the perimeter. So it may be that it's the same principle with vMX, in which case that's fine. I really just need a view on this though to sanity check this.

 

Many thanks for any help in advance.

 

Paul

 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

The vMX is just a virtual MX - which is itself a firewall

 

Yes, you can have the vMX sit behind another firewall if you like.

View solution in original post

5 REPLIES 5
PhilipDAth
Kind of a big deal
Kind of a big deal

The vMX is just a virtual MX - which is itself a firewall

 

Yes, you can have the vMX sit behind another firewall if you like.

Within the Managed Application resource group there is a public ip address that is assigned to the vMX vm. I presume that has to remain there as the resource group is locked?

 

Thanks.

PhilipDAth
Kind of a big deal
Kind of a big deal

Check out this video on deploying a VMX behind a virtual router in Azure.  You would just substitute in a virtual firewall instead.

https://www.youtube.com/watch?v=MljINqgmDkM 

Hi, 

 

Does the vMX in azure have firewall functionality enabled, as it can only operate in Single Armed Concentrator mode (L2)?

 

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs

 

In the Physical form of MX when in concentrator mode you need another MX sitting infront in Routed mode to provide Firewall Services.

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

When it has a single interface it can't act as a traditional firewall allowing traffic to flow between two ports BUT it is still a firewall in the sense that it is protected from threats, and you can directly connect it to the Internet (although that really isn't the case with Azure since Azure is NATing from the public IP it assigns to the private IP that it gives the VMX).

Get notified when there are additional replies to this discussion.