I'm trying to configure AnyConnect on a VMX in Azure. I am very familiar with the process of configuring AnyConnect, and have done so many times on VMX in AWS.
The problem I am having in Azure is how to tell Azure to allow tcp/443 into the VMX. A packet capture tells me no traffic I generate makes it to the VMX. The resource group that gets created when you deploy the VMX is locked by Meraki (so I cannot change anything). It doesn't have a network security group, and it does not allow me to add a network security group (to which you would normally add an inbound rule to allow tcp/443).
Support tells me that this is a supported configuration.
For anyone coming across this in the future, the issue is that the vMX managed app bundles everything in and doesn't let you change anything, including not allowing you to change the vNIC to use a subnet + NSG you specify. You have to create the subnet/vnet/nsg before you deploy the app, then during deployment instead of using the wizard to create those elements, you tie the app to the subnet and vNet you already created and associated to an NSG allowing TCP+UDP 443 inbound (remember AnyConnect prefers and will work better with UDP:443 for DTLS, TLS:443 for TLS is a higher-overhead fallback).
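The pre-created networking described in the post above, as an added Az PowerShell example; this is not code from the thread or from Meraki. The resource group, region, resource names and address ranges are assumptions to adjust for your own environment, and the script assumes you are already signed in with `Connect-AzAccount`.

```powershell
# Added example: build the vNet, subnet and NSG *before* running the vMX managed-app
# wizard, so the vMX vNIC can be placed in a subnet you control. All names, the region
# and the address ranges below are assumptions; adjust them to your environment.
$location = "eastus"
$rgName   = "rg-vmx-network"

# A resource group you control, separate from the Meraki-locked managed-app group.
New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# AnyConnect rules: UDP/443 for DTLS (preferred), TCP/443 for TLS (fallback).
# The source is the "Internet" service tag rather than "*", so each rule only
# matches traffic arriving from outside the vNet.
$dtls = New-AzNetworkSecurityRuleConfig -Name "Allow-AnyConnect-DTLS-443" `
    -Description "AnyConnect DTLS" -Access Allow -Protocol Udp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

$tls = New-AzNetworkSecurityRuleConfig -Name "Allow-AnyConnect-TLS-443" `
    -Description "AnyConnect TLS fallback" -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 110 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

$nsg = New-AzNetworkSecurityGroup -Name "nsg-vmx" -ResourceGroupName $rgName `
    -Location $location -SecurityRules $dtls, $tls

# Subnet bound to the NSG, then the vNet that carries it. These are the two objects
# you select in the wizard instead of letting it create its own.
$subnet = New-AzVirtualNetworkSubnetConfig -Name "snet-vmx" `
    -AddressPrefix "10.10.1.0/24" -NetworkSecurityGroup $nsg

$vnet = New-AzVirtualNetwork -Name "vnet-vmx" -ResourceGroupName $rgName `
    -Location $location -AddressPrefix "10.10.0.0/16" -Subnet $subnet

# Check what you are about to hand to the wizard: the custom inbound rules on the NSG.
Get-AzNetworkSecurityGroup -Name "nsg-vmx" -ResourceGroupName $rgName |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange |
    Format-Table
```

Keep in mind that an NSG ships with the built-in DenyAllInBound rule (priority 65500), so once this NSG is associated with the subnet, anything else in that subnet that was reached directly over a public IP (management access to another VM, for example) needs its own explicit allow rule, ideally restricted to a known source prefix rather than the whole Internet.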
I have tried this on my vMX and it works for AnyConnect. The only thing is when I associate the NSG to the subnet it kills everything and then I am not able to get to my server in Azure. Take this NSG off and I'm good to go again. I also have an NSG on my server. The MX has a Standard static WAN IP and is in a Zone, but Zone failover isn't used. The vMX has the vNet and subnet created first before making the resource for the vMX. Thank you.
You cannot add it after deploying if you use all the automatically generated vNets and subnets etc. through the wizard; it locks it all down. Check my blog post where I outline it: basically, create all your elements first, then choose them during the wizard instead of creating new ones during the wizard.