Configure AnyConnect on a VMX in Azure

Kind of a big deal
Kind of a big deal

Configure AnyConnect on a VMX in Azure

I'm trying to configure AnyConnect on a VMX in Azure.  I am very familiar with the process of configuring AnyConnect, and have done so many times on VMX in AWS.


The problem I am having in Azure is how to tell Azure to allow tcp/443 into the VMX.  A packet capture tells me no traffic I generate makes it to the VMX.  The resource group that gets created when you deploy the VMX is locked by Meraki (so I can not change anything).  It doesn't have a network security group, and it does not allow me to add a network security group (to which you would normally add an inbox rule to allow tcp/443).


Support tells me that this is a supported configuration.


Has anyone managed to create this configuration?

New here

Did you ever find a solution? I am experiencing a similar issue.


For anyone coming across this in the future, the issue is that the vMX managed app bundles everything in and doesn't let you change anything, including not allowing you to change the vNIC to use a subnet + NSG you specify.  You have to create the subnet/vnet/nsg before you deploy the app, then during deployment instead of using the wizard to create those elements, you tie the app to the subnet and vNet you already created and associated to an NSG allowing TCP+UDP 443 inbound (remember AnyConnect prefers and will work better with UDP:443 for DTLS, TLS:443 for TLS is a higher-overhead fallback).


I outlined the process in detail here



i have tried this on my vmx and it works for for any connect. The only thing is when i associate the NSG to the sub-net it kill everything and then i am not able to get to my server in azure. Take this NSG off and im good to go again. I also have NSG on my server also. The MX has a Standard static Wan ip and is in Zone, but Zone failover isnt used. vMX has the vNet and subnet created first before making the resource for the vMX. Thank you.

You will need to add rules to the NSG to allow the east/west traffic you need, when the NSG flow logs to see where its getting blocked. 

Comes here often

I have exactly the same problem. I have two vMX for failover and both have no NSG after deploy. Is it not possible to configure it afterwards?


You cannot add after deploying if you use all the automatically generated vNets and Subnets etc through the wizard, it locks it all down. Check my blog post where I outline it, basically create your elements all first then choose them during the wizard instead of creating new during the wizard.

then add whatever rules you need to allow east/west traffic and anything else needed. 

Specifically, this happens when you choose to use availability zones during deployment.  You have to choose a zone of "none" to be able to use a NSG.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.