I did not find sufficient information in the documentation, so I previously contacted support to confirm the specifications. At the time I was also confused. > -I have managed to set this up as split tunnel, by creating a static route to the subnets in Azure that I want my branch sites to reach. I had never tried this method. It feels like a tricky workaround. As a prerequisite, the instance must be restarted to reflect the vMX settings. Static Route is installed statically from Meraki Cloud to other MXs, so it is reflected without restarting. I am wondering if it will work after rebooting. For your information, I will share a case study that I know of. If "Subnet (e.g. 192.168.128.0/24)"" setting is configured when VPN mode is Enable, the route will be publicized to other MXs without rebooting. This is because Auto VPN Route is installed statically from Meraki Cloud to other MXs. Therefore, the communication may appear to be working without problems. In other words, the Split Tunnel appears to be working. But, after rebooting, the route to "Subnet (e.g. 192.168.128.0/24)" becomes equivalent to Null0 and communication is no longer possible. Regardless of the mode of vMX, I don't think it is expected to communicate from the Azure subnet to the Internet via vMX. It is not possible with One-Armed Concentrator, at least not because it is not source NATed. Since communication from the Public Cloud side to the Branch side is not possible in Limited NAT mode, it is assumed that communication to the Internet side is also not possible. It is similar to a typical NAT Router that does not allow WAN to LAN communication. (Unless you are setting up Static NAT, etc.) In the case of your requirements, though, it is WAN to WAN (Uplink to Uplink). Perhaps a dedicated Firewall product would be suitable. Previously, changing vMX to Limtied NAT mode required contacting support. (Previously, The vMX "Addressing & VLANs" configuration menu did not appear.)) However, since the vMX mode setting screen now appears, I think it was matched with the default mode of MX. Whether it is appropriate for the customer or not. That is my guess.
... View more