From what I can gather from your drawing and part of the extensive explanation you gave, your offices and branches don't use direct internet access but are fully tunneled to the DC one-armed concentrator HA pair and then exit to the internet there?

The first issue I see with that design is that the branch office only has an internet circuit to reach that datacenter, so if that datacenter has an internet outage then that branch has no connectivity. In the case of the main office, it would be able to use the AutoVPN tunnel between it and the DC via that private link; however, traffic would stop there as the internet failed at the DC.

Then for one of your questions: you cannot use an Azure vMX to break out to the internet from remote locations. Azure cloud only allows internet access for actual resources hosted there.

Then for design improvements:

- Normally you have a 2-DC setup where you can have a single or HA pair of MX concentrators, and in the case of active/active DCs you'll need an L2 circuit in between so hosts can move from one DC to the other while keeping their own IP address. You can also have some branches select one DC while the others choose the other DC. You could also use VXLAN between the DCs and an L3 circuit.
- If you remain on one DC then you will need to have 2 upstream ISP connections. Since the concentrator-mode MX only has one local IP and one WAN connection, the upstream infrastructure needs to provide ISP redundancy, preferably with a BGP dual-homed IP range so the tunnel quickly recovers when the primary ISP circuit fails. If you use 2 circuits with different IPs it will also work, but the tunnels will need some time to recover since internet outage detection can take a few minutes and the VPN registries need to adapt. However, your HQ should be less affected since it primarily uses the private link as the primary AutoVPN tunnel, so that only needs to wait for the internet-down detection, but you will feel it.