Hi I notice the deployment of the vMX into Azure associates an Azure Public IP address with the vMX/Managed Application. Presumably it is this public IP address that is used for inbound and outbound vMX connectivity. This vMX is therefore on the perimiter of the Azure network directly exposed via a public ip address. I have a couple of questions: Is this considered best practice, or are they scenarios where one would want the vMX to sit behind an Azure Firewall (or third party firewall device)? I.e. so inbound azure traffic flows throught a firewall device before reaching the vMX. I ask this because some organizations may already have (or wish to have) an Azure Firewall at the perimeter of their Azure virtual network. Is it even possible to make the vMX sit behind a firewall? For example, the deployment creates a managed application that contains a public ip address associated with the vmx VM. This suggests to me that you don't have much choice other than having it diretly exposed via the public ip address attached to the vMX VM (as opposed to forwarding traffic from an Azure Firewall to a private ip address associated with the vMX say). Of course, if we were using the native Azure VPN Gateway (and not Cisco vMX say) then that would sit right at the perimeter. So it may be that it's the same principle with vMX, in which case that's fine. I really just need a view on this though to sanity check this. Many thanks for any help in advance. Paul
... View more