That makes total sense; however I'm not sure how to set only the DNS server manually for the VMX (from the Meraki side, anyways). I have the VNET using the internal DNS servers, but looking at the 'uplink' page for the VMX in Meraki makes me enter all info for the public IP associated with it to be able to change the DNS server. I do have the public IP it got from Azure but not the required subnet mask or gateway to be able to submit the info:   ... View more

This is a great response, I think this is where I'm confused about the VMX devices. If I deploy the VMX's with Azure public DNS servers for the vnet they're deployed in, they are happy but the clients using the Meraki VPN tunnel cannot reach my internal DNS servers (sitting on-prem behind MX95's).   If I change the Azure vnet to look at my internal DNS servers (then reboot the Azure clients), then everything works perfectly -- but once the VMX's are rebooted, they start using those internal DNS servers and then they are unhappy. I think I have a fundamental misunderstanding of how this is supposed to work, but I don't really know how to proceed. ... View more