Home > Security Appliances > Installation Guides > vMX100 Setup Guide for Amazon AWS

vMX100 Setup Guide for Amazon AWS

Overview

This document is a walkthrough for setting up a virtual MX (vMX100) appliance in Amazon's AWS Cloud. After completing these steps outlined in this document, you will have a virtual MX appliance running in AWS that serves as an AutoVPN termination point to your physical MX devices.

 

Currently, vMX100 on AWS supports a one-armed concentrator configuration with split-tunnel VPN architecture. For more info on how to deploy a one-armed concentrator, please refer to this document.

Key Concepts

Before deploying a virtual MX, it is important to understand several key concepts.

Concentrator Mode 

All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. For more detailed information on concentrator modes, click here.

One-Armed Concentrator 

In this mode the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into AWS.

NAT Mode Concentrator 

In this mode the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network. 

 

This is not supported for virtual MX VPN concentrators operating within AWS.

VPN Topology 

There are several options available for the structure of the VPN deployment.

Split Tunnel 

In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same Dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN routes and third-party VPN routes, and if not matched will be NATed and sent out the branch MX unencrypted.

Full Tunnel  

In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.

 

This is not supported for virtual MX VPN concentrators operating within AWS.

AWS Terminology 

This document will make reference to several key AWS-specific terms and concepts.

AWS

Amazon Web Services is a hosting platform that allows organizations to host infrastructures and services in the cloud.

VPC

A Virtual Private Cloud is a virtual and private network within Amazon's AWS infrastructure. A VPC has a block of associated IP addresses, which can be subdivided into multiple smaller subnets.

EC2

Elastic Compute Cloud is Amazon's virtual and cloud-based computing infrastructure. EC2 allows you to run virtual machines within your VPC. A virtual machine running on the EC2 platform is commonly referred to as an EC2 instance.

Additional Information

During the setup of your vMX100 instance, or over the course of working within AWS, you may encounter additional terminology which is not defined in this document. To find out more about these terms, and for additional details on the terms listed above, please see the AWS glossary.

Meraki Dashboard Configuration

Begin by creating a new Security Appliance network in your organization. This guide will walk you through creating a new network in the Meraki Dashboard.

 

The Meraki Dashboard will require a vMX100 license. If you do not have access to an vMX100 license, please reach out to your Meraki Sales Rep.

 

Once you create the network you will be able to add automatically a new vMX100 to your network by clicking on “Add vMX”:

 

After you add the new vMX100 to your network, click on “Generate AWS user-data” to generate the token for AWS user-data field.

 

 

Copy the new generated token and paste it on the User Data field of your EC2 instance.

 

Next, follow the steps outlined in this guide to configure the vMX100 as a one-armed concentrator.

On the Site-to-Site VPN page, add each subnet in your VPC that should be accessible to remote Auto VPN peers to the list of "Local Network(s)." For more information on configuring Auto VPN, please refer to the Site to Site VPN settings documentation.

AWS Setup

This section walks you through configuring the necessary requirements within AWS, and adding a vMX100 instance to your Virtual Private Cloud (VPC). For more details on setting up a VPC and other components, please refer to Amazon's AWS Documentation here.

Accessing the AMI

To gain access to the AMI, navigate to this link. A screen shot of the marketplace listing of vMX100 is included below:

 

  

 

From the marketplace listing, hit continue.

Configuring the EC2 Image

After continuing, you will be prompted to configure the EC2 instance settings.

 

Begin by selecting 1-click launch.

 

 

Leave the version as 1.0.0. It is the only selection available.

 

  

 

Select the region to launch the EC2 instance in. This should match the availability zone your VPC resides in. 

 

 

Next, select the m4.large EC2 instance to deploy the vMX100 image on. The resources specifications of the instance type are listed upon selection.

 

 

Running EC2 instances has an AWS infrastructure charge. Please be mindful of this when launching your instances. The charge can be found in the cost estimator table to the right of the instance type selection.

 

 

As an example, this is the anticipated monthly AWS infrastructure charge for running the m4.large image. This estimate does not account for storage or data fees.

 

After selecting the instance type, select the VPC and subnet the instance will be a part of:

 

 

Next, select the security group for the EC2 instance. The default rule can be a good starting point for bringing the vMX100 online initially.

 

 

The default security group provides fully open access to the EC2 instance. While this can be useful for connecting the vMX100 initially, it is recommended that security restrictions be put in place to restrict remote access after connecting the vMX100 to your Dashboard account.

 

Please see the Help -> Firewall Info page for information on connections that need to be allowed to provide Dashboard connectivity.

 

Finally, select the key pair to be used with the vMX100. This is a required step for EC2 instance setup, however, you will not be able to SSH into the vMX100.

 

 

If you do not already have a key pair created, follow the instructions provided by AWS on creating one:

 

 

After completing all of the launch configurations, click launch with 1-click.

 

 

Once this has been completed, it may be several minutes before the software subscription completes and the instance launches. 

Provisioning the vMX100 for Connectivity to the Meraki Dashboard

Now that we have registered the software subscription for the vMX100 and created an EC2 instance, the vMX100 instance will need to be provisioned to communicate with the Meraki Dashboard.

 

The vMX100 will need to be given specific parameters before booting. In order to being using these parameters, we must stop the instance, which starts automatically after creation. Begin by navigating to the EC2 instance console.

 

 

Select the vMX100 from the list of EC2 instances.

EC2 images are not given a name by default. If your EC2 instance has just been launched, an easy way to find it from the list is the status checks field. For new instances it will be initializing.

 

 

With the instance selected, go to Actions > Instance State and select stop.

 

  

 

Select yes, stop from the following confirmation menu.

 

 

Wait until the instance state is stopped

 

 

After the instance is stopped, select the instance again and navigate to Actions >  Instance Settings and select view/change user data.

 

 

In the user data text field, enter the token that was generated on dashboard. The input type must be set as plain text. Then, hit save.

 

 

Once the user data has been updated, you'll need to disable Source IP and Destination IP checking on the network interface attached to the Meraki vMX100 instance. 
To do this, navigate to Actions > Networking and select Change Source/Dest. Checking. A dialog box will pop up - confirm the details and click on Yes, Disable.

 

 

 

After the Source/Dest. Checking has been disabled, select the instance, navigate to Actions > Instance State and select start. Hit Yes, start in the following confirmation menu.

 

Additional VPC Configuration

The virutal MX appliance will allow for site-to-site VPN connectivity using AutoVPN between AWS and other remote MXs. In order to have proper bi-directional communication between remote subnets that are terminating into AWS via the vMX100 and hosts within AWS, the VPC routing table must be updated for the remote AutoVPN-connected subnets.

 

To do this, navigate to the "VPC" dashboard in AWS, and follow the steps below

  1. Click on "Route Tables" on the left-hand side
  2. Find the route table associated with the VPC or subnet the vMX100 is hosted in (you can quickly filter the list by typing in your VPC ID or name in the search box)


     
  3. Click on the route table in the list to select it, then click on the "Routes" tab in the details pane below the list of routing tables
  4. Click the "Edit" button
  5. Click the "Add another route" button at the bottom of the route table
  6. In the "Destination" column, add the routes available via AutoVPN
  7. In the "Target" column, select the vMX100 instance or interface ID
  8. Repeat steps 5-7 for each network available via AutoVPN. You may want to use a summary address. Below is an example of two networks available via AutoVPN.


 

Troubleshooting

The virtual MX security appliance is fully managed through the Cisco Meraki Dashboard. This requires the vMX100 to establish bi-directional communication to the Meraki Cloud. If, after following the steps above, the vMX100 is inaccessible, please review the following:  

 

  1. The token is entered into the user data field.
  2. The DNS server is reachable from the subnet that the vMX100 is in.
  3. The vMX's security group allows outbound communication to the Meraki cloud.
    • If restrictive settings are in use, refer to the Help > Firewall Info page and this article for the connections that must be allowed for Dashboard communication 
  4. The VPC ACLs allows outbound communication to the Meraki cloud. 
    • If restrictive settings are in use, refer to the Help > Firewall Info page and this article for the connections that must be allowed for Dashboard communication

Please note that Meraki Support does not have visibility to troubleshoot AWS specific firewall rules and deployments.

 

You must to post a comment.
Last modified
14:29, 14 Aug 2017

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 5401

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case