vMX100 in AWS with public/private subnets



Hi Folks,


We're testing out a vMX100 in AWS right now. We have a vanilla test VPC with a public/private subnet and a NAT gateway.


Current state is:

  • vMX100 is able to communicate with the Meraki Dashboard
  • vMX100 AutoVPN is functioning and we're able to communicate with other Meraki networks at remote branches.
  • Server in the Public subnet is reachable via the Meraki AutoVPN from remote branches.
  • Server in the Private subnet can communicate bi-directionally with a server in the Public subnet.
  • Server in the Private subnet is not reachable via the Meraki AutoVPN

I'm trying to figure out what I am missing in terms of routing/security groups to get the server in the Private subnet to communicate over the AutoVPN.


On the vMX100 and in AWS I do have:

  • vMX - Both the public/private subnets listed under Site-to-Site VPN > VPN Settings > Local Networks.
  • AWS - The remote AutoVPN subnets added to the route table for both the public and private subnets.
  • AWS - I've explicitly added to the security groups to allow traffic from the remote Meraki AutoVPN subnets.


I still can't communicate over the AutoVPN to the server in the private subnet, so I assume I am missing something pretty basic. Any tips for anyone that has implemented a vMX in AWS with a public/private subnet?



Kind of a big deal

You've covered off all the main things.


What about the VPC firewall rules (as opposed to the EC2 security groups)?
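The poster's checklist (routes to the branch subnets in both subnets' route tables, security groups opened to the AutoVPN subnets) and the reply's pointer at the VPC-level network ACLs can be verified offline against the AWS CLI output rather than by eye. The script below is an added example, not code from the thread or from Meraki or AWS; it feeds constructed JSON shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` output through two checks per subnet: that every remote AutoVPN CIDR longest-prefix-matches a route whose target is the vMX's network interface, and that the subnet's stateless NACL allows that CIDR on both ingress and egress. All subnet, route-table, ACL and ENI identifiers and all CIDRs in it are constructed placeholders.

```python
"""Offline check of the AWS side of vMX private-subnet reachability.

Constructed input mimics `aws ec2 describe-route-tables` and
`aws ec2 describe-network-acls`; every identifier and CIDR is a placeholder.
Protocol/port fields of NACL entries are ignored (the sample uses all-traffic rules).
"""
import ipaddress
import json

VMX_ENI = "eni-0vmxexample"                              # hypothetical vMX100 interface
REMOTE_AUTOVPN = ["192.168.10.0/24", "192.168.20.0/24"]  # hypothetical branch LANs

ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": VMX_ENI, "State": "active"},
        {"DestinationCidrBlock": "192.168.20.0/24", "NetworkInterfaceId": VMX_ENI, "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        # the second branch LAN was never added here, so it falls through to the NAT gateway
        {"DestinationCidrBlock": "192.168.10.0/24", "NetworkInterfaceId": VMX_ENI, "State": "active"}]},
]})

NETWORK_ACLS_JSON = json.dumps({"NetworkAcls": [
    {"NetworkAclId": "acl-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Entries": [
        # ingress only admits the VPC itself; branch traffic hits the default deny
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "10.0.0.0/16"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"}]},
]})


def _for_subnet(items, subnet_id):
    """Return the route table or ACL whose Associations include subnet_id."""
    for item in items:
        if any(a.get("SubnetId") == subnet_id for a in item.get("Associations", [])):
            return item
    raise LookupError(f"no object associated with {subnet_id}")


def route_target(route_table, remote_cidr):
    """Longest-prefix match of remote_cidr against active routes; returns the target id."""
    remote = ipaddress.ip_network(remote_cidr)
    best, best_len = None, -1
    for r in route_table["Routes"]:
        if r.get("State") != "active" or "DestinationCidrBlock" not in r:
            continue
        dest = ipaddress.ip_network(r["DestinationCidrBlock"])
        if remote.subnet_of(dest) and dest.prefixlen > best_len:
            best, best_len = r, dest.prefixlen
    if best is None:
        return None
    for key in ("NetworkInterfaceId", "NatGatewayId", "GatewayId", "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in best:
            return best[key]
    return "unknown"


def nacl_decision(acl, remote_cidr, egress):
    """First matching entry in ascending RuleNumber order decides, as the AWS NACL does."""
    remote = ipaddress.ip_network(remote_cidr)
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress and "CidrBlock" in e),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if remote.subnet_of(ipaddress.ip_network(e["CidrBlock"])):
            return e["RuleAction"]
    return "deny"  # implicit deny when nothing matches


def check_subnet(subnet_id, remote_cidrs, vmx_eni, route_tables_json, nacls_json):
    """Return human-readable findings; an empty list means the AWS side looks right."""
    rt = _for_subnet(json.loads(route_tables_json)["RouteTables"], subnet_id)
    acl = _for_subnet(json.loads(nacls_json)["NetworkAcls"], subnet_id)
    findings = []
    for cidr in remote_cidrs:
        target = route_target(rt, cidr)
        if target != vmx_eni:
            findings.append(f"{subnet_id}: {cidr} routes to {target}, not the vMX ENI {vmx_eni}")
        for egress, label in ((False, "ingress"), (True, "egress")):
            if nacl_decision(acl, cidr, egress) != "allow":
                findings.append(f"{subnet_id}: NACL {acl['NetworkAclId']} denies {label} for {cidr}")
    return findings


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private"):
        problems = check_subnet(subnet, REMOTE_AUTOVPN, VMX_ENI, ROUTE_TABLES_JSON, NETWORK_ACLS_JSON)
        print(subnet, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Against real output, swap the two constants for the files saved from the CLI and set the ENI to the vMX instance's interface; the public subnet in the sample passes cleanly, while the private subnet reports both a branch CIDR that falls through to the NAT gateway and an ingress NACL deny, the two classes of misconfiguration the thread is circling.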


I double checked the default security group for the VPC and as a test allowed all traffic inbound/outbound for the remote subnets over the AutoVPN. Unfortunately no change.


I'm going to tear down this VPC and set everything back up again to see if I just missed something along the way. If any other ideas pop up from anyone, happy to try them out.



Just browsing

Hey Ansan, I am having exactly the same issue at the moment. Did you find a resolution in the end?
