Hello,   We are currently operating a Cisco Meraki vMX in Azure, deployed in VPN Concentrator mode, acting as the HUB for all our on-premise Meraki SD-WAN spokes. We are evaluating a potential change to run the vMX in Routed/NAT mode so that Azure VNet outbound traffic could be forwarded directly through the vMX instead of Azure Firewall. Before proceeding, we need clarification on the following points: 1. If we switch the vMX from Concentrator Mode to Routed Mode, how will this affect SD-WAN traffic from the spoke sites? Will the spoke sites automatically shift to full-tunnel behavior through the vMX? Or will they continue using split-tunnel for their internet-bound traffic? 2. When the vMX performs NAT in Routed Mode, is NAT applied on the Azure-facing WAN interface or on the internal LAN interface? We need to confirm where source NAT occurs for Azure-hosted workloads. 3. After enabling Routed Mode, will on-prem spokes still be able to communicate with Azure VMs without NAT complications? Will NAT cause asymmetric routing or session breaks? Do we need additional routes or exceptions to maintain hub–spoke Azure ↔ on-prem connectivity? 4. Is Routed Mode for vMX fully supported and recommended in Microsoft Azure environments? We need to understand any platform limitations, unsupported features, or known caveats before planning a migration.   Any guidance or best practices from Meraki on production use of vMX Routed Mode in Azure would be greatly appreciated. ... View more