Older Meraki vMX deployments in Azure had locks on the managed application, managed resource group, and other resources that made it impossible to touch. If you still have one of these older resources, you likely need to delete the managed application from Azure and redeploy the Azure vMX to get the newer deployment that no longer includes resource locks.   If you have a newer deployment, you can use the following procedure to change the public IP address from Basic SKU to Standard SKU: Note the public IP address in Azure for reference. Power down the Azure vMX virtual machine, making sure to select the option to preserve the IP address. Using that checkbox will convert the public IP address from dynamic to static. Disassociate the public IP address from the VMX NIC. Go to the Azure public IP address and click the banner to convert the SKU. Reassociate the public IP address back to the VMX NIC. Power on the VMX.   At this point, you will observe that client VPN, AnyConnect VPN, and site-to-site VPNs will no longer connect. To fix this, create a network security group with the following rules, and add the NSG to either the VMX VM itself, or to the SD-WAN subnet where the appliance was deployed: Allow Any (ICMP) - optional, to allow for troubleshooting Allow Any (TCP/443) - required for AnyConnect VPN Allow Any (UDP/32768-61000) - required for AutoVPN/site-to-site VPN   There may be other rules required if you are using the native Meraki Client VPN (IPsec) or non-Meraki peer site-to-site VPNs. As a last resort, you can allow Any traffic inbound for Any protocol. ... View more