Hey PhilipDAth,

 That is exactly what i did. So basically in my setup of MX -> VMX -> VPC. My VMX was able to reach both MX and VPC. However, my MX wasn't able to reach the VPC. So according to Meraki support, they are able to see my ping going out. Just that the VPC attached via peering to the VMX does not have a route back.

 

AWS tech confirmed that the VPC is not supposed to pass routes which it doesn't know about. Thus setting of default route wouldn't work. They are recommending the usage of transit VPC.

Did you ever get this figured out?  I have a client with 3 VPCs, all in the same AWS account, and I'm wondering if I install a single vMX in one of the VPCs, if I can connect other subnets in the other 2 VPCs back through the SDWAN of the single vMX via VPC Peering.

 

Has anybody done this?

The whole point of a vPC is that it provides a virtualised network environment.  Their is no communication at all between vPCs.  Because their is no communication between them, a vMX is one can not possible talk to the others.

 

If you are instead referring to networks that belong to a single vPC, then yes, you can do that.

There is actually communication allowed between VPCs.  See https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html.  I'm just wondering whether I can use this type of peering to send traffic from all VPCs destined to the branch network across the Auto-VPN/SDWAN to flow through the one vMX.  It sounds as if that is not the case though, which means this client will have to have a vMX for each VPC.  Bummer!

We have not tried this yet, but we did try to connect a branch MX back through a vMX to a peered VPC and that did not work.  So, our case looked like this:

 

MX ><AUTOVPN><vMX/VPC-A><VPC PEERING><VPC-B

 

I can ping VPC-B from the vMX and vice versa, but when I ping from the MX to VPC-B, I get no return traffic.  With doing a packet capture, I can see the ping hit the vMX and be sent to VPC-B, but I never get return traffic to the vMX that would be passed to the MX.  Essentially, the VPC peering does not allow routing across the peering connection.

 

We are getting ready to try exactly what you are proposing.  Let me know how it goes for you!

Has anyone tried this?

 

 

 

office MX(s)> <AUTOVPN> <vMX in VPC-A> <IPsec Tunnel> <AWS Managed VPN in VPC-B

 

I can't really find much on this approach, but in theory it should work...Even with tunnels from the vMX to multiple VPCs right?

We just recently tried this and it does NOT work.  The reason is that the vMX (and any MX for that matter) will not route from a Meraki Auto-VPN connection to a 3rd party site to site connection.  So you can stand it up, but you can't route traffic from the branch MX to the AWS VPC connected by the AWS VPN.  We have modified our architecture so that we have a site-to-site VPN from every branch MX to the other AWS VPCs that we need to access.  Not the best, but the only option.

So this is what i have gathered by far. 

 

VPC peering does not pass external routes. As such peering other VPC to the vMX is not going to help.

Amazon is proposing a couple of things 

- Transit VPC

- AWS direct connect

- Cisco CSR router.

 

I believe the above-mentioned solution is the only way out unless somehow xMX supports NAT-ing. 

 

"The reason is that the vMX (and any MX for that matter) will not route from a Meraki Auto-VPN connection to a 3rd party site to site connection."

Meraki support has confirmed this, but it's a shame this isn't documented anywhere.

Regardless, our only options seem to be:

Add Meraki vMXs to each VPC that we need to connect to...using Auto-VPN to connect all hardware and virtual MXs.

OR

Link hardware MXs to each other via Auto-VPN and then also create an individual VPN connection between every office and every VPC.

I am looking to setup something similar.  

 

LAN -> physical MX -> vMX -> out my vpc.

Does the vMX need two interfaces or will the public subnet interface land the VPN and then decrypt and out the same interface out to the iGW?

The vMX can only have one interface.

 

The decrypted traffic goes to the default gateway - which is usually the VPC.

 

I have the exact same problem! Ohh... the irony, considering I was the PM who launched MX 8 years ago...lol!

Haha hi @THE_Daghan! Nice to see you here 🙂

Thanks CarolineS. I couldn't stay away. 🙂

Thanks for that @helgaali .

 

I've talked to many customers about this, but haven't actually had the opportunity to do one of these yet.

Hi Helgaali,

 

Can you share what VPC configuration you have done or what routing table entries you created. We are trying the same approach in our lab and using your example, we cannot ping storage from behind the MX.

 

Thanks.

Hi helgaali

 

(referring your diagram) 

 

how did you setup routes back to MX from  VPC-A  linked through Transit GW?

 

I can ping client behind the transit GW in VPC-A from vMX but cannot ping this client from MX

 

thanks

David

I have figured it out ... it actually work pretty well!!!

Any chance you can provide guidance on your VPC/TGW routing? I have a vMX vpc with the appliance set up. Cant figure our which mode to use and how to configure routing to enable bidirectional flow. 

This option - and you have to do it PRIOR to deploying the VMX.

 

 

I've created a VPC with it's own egress path. I have my vMX in Passthrough mode. I have defined local subnets in vMX (AWS Subnets with VPC routes pointed to the TGW) and I have a summarized route in my VPC route table pointed at the vMX ENI. I also added a route for the summarized field MX range to my TGW pointed at the vMX VPC. Experiencing some pretty weird stuff where I can ping my AWS subnets from field office MXs but can't ping Field Segments in VPN from AWS Hosts. Thoughts? Hard to find full guide with VPC/TGW routing included.

Hi helgaali,

 

I'm working on a similar design. Can you please share the configurations within your VPCs i.e Route Tables, Internet Gateway and Security Groups. Also, do you define the two VPCs as local to the VMX in the Meraki Dashboard.

 

Thanks!

I can help if you can better explain your topology. I have my vMX with its own Elastic IP assigned to the EC2 and an IGW for outbound. What does the route table look like in the VPC/subnet where your vMX is?

 

So working with AWS when I had the VPC peering in place the routes were good tcpdump showed the traffic hitting the VM and the VM sending the traffic back. What was noticed is the next hop was not identifying the VMX as the next hop causing the packets to drop. The fix for me was to place transit gateway in place and then configure the routes in the TG/ each VPC / and the vMX. As on this moment I have traffic processing through the vMX to my VM.