
vMX100 Setup Guide for Microsoft Azure


This document is a walkthrough for setting up a virtual MX (vMX100) appliance in the Microsoft Azure Marketplace. After completing the steps outlined in this document, you will have a virtual MX appliance running in Azure that serves as an AutoVPN termination point for your physical MX devices.


Currently, the vMX100 on Azure supports a one-armed VPN concentrator configuration with split-tunnel VPN architecture. For more info on how to deploy a one-armed concentrator, please refer to this document.

Note: The virtual MX is not yet available for purchase through Azure CSP or trial subscriptions at this point. Please refer to Microsoft's documentation for additional details.

Key Concepts

Before deploying a virtual MX, it is important to understand several key concepts:

Concentrator Mode 

All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes. For more detailed information on concentrator modes, click here.

One-Armed Concentrator 

In this mode the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into Azure.

NAT Mode Concentrator 

In this mode the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network. 

Note: This is not supported for virtual MX VPN concentrators operating within Azure.

VPN Topology

There are several options available for the structure of the VPN deployment.

Split Tunnel 

In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same Dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN routes and third-party VPN routes, and if not matched will be NATed and sent out the branch MX unencrypted.

Full Tunnel  

In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.

Note: This is not supported for virtual MX VPN concentrators operating within Azure.

Azure Terminology

This document will make reference to several key Azure-specific terms and concepts.

Azure Virtual Network

A virtual network is where a block of associated IP addresses, DNS settings, security policies and route tables can be configured and managed.

Azure Resource Manager (ARM) and Azure Classic

Azure has different types of virtual network environments, which represent two different methods of deploying and managing Azure virtual environments. The vMX uses 'managed applications', which is a Microsoft platform, and is not compatible with Azure 'classic' deployments.

Resource group 

A resource group is a container within Microsoft Azure's infrastructure where resources, such as virtual machines, are stored.

Azure Managed Applications

Managed Applications within Azure serve as the network used to manage and support the Cisco Meraki virtual MX.

Additional Information 

During the setup of your vMX100 instance, or over the course of working within Azure, you may encounter additional terminology which is not defined in this document. To find out more about these terms, and for additional details on the terms listed above, please see the Microsoft Azure glossary.

Meraki Dashboard Configuration 

Before You Begin

You must have the following before you begin:

  • A new resource group for the vMX 
  • A virtual network that is separate from the above resource group 


Begin by creating a new Security Appliance network in your organization. This guide will walk you through creating a new network in the Meraki Dashboard.

The Meraki Dashboard will require a vMX100 license.

Once you create the network you will be able to deploy a new vMX100 to your network by clicking on 'Add vMX':



After you add the new vMX100 to your network, click on “Generate authentication token” to generate the token for the Azure custom-data field.



Copy the newly generated token and paste it into the 'Meraki Authentication Token' field of the Azure template.



Next, follow the steps outlined in this guide to configure the vMX100 as a one-armed concentrator.

On the Site-to-Site VPN page, add each subnet in your resource group that should be accessible to remote Auto VPN peers to the list of 'Local Network(s).' For more information on configuring Auto VPN, please refer to the Site to Site VPN settings documentation.

Azure Setup 

Please make sure you already have a resource group, a virtual network and a virtual subnet before you start the deployment. To find more information about this, please click here.

Note: If the resource group you assign the vMX to contains a virtual network / virtual subnet you will not be able to deploy the vMX. Your virtual network must be in a separate resource group from the one hosting your vMX.


This section walks you through configuring the necessary requirements within Microsoft Azure, and adding a vMX100 instance to your resource group. For more details on setting up a resource group and other components, please refer to Azure's Documentation here.

Accessing the Offer

To gain access to the VM Offer, please access this link. A screenshot of the Marketplace list of Cisco Meraki vMX100 in Azure is included below:




From the Marketplace listing, click on 'Create.'


After creating, you will be prompted to configure basic settings:




VM Name: Choose a name for your Cisco Meraki vMX100 VM. It can be any name.

Meraki Authentication Token: Paste the token previously generated on the Meraki dashboard.

Subscription: Choose the subscription that you want to be billed for from the drop-down menu.

Resource group: Create a new resource group with any name.

Location: Select the region in which the vMX100 will be deployed.


After completing all the basic settings configuration, hit 'OK.'

Choose an existing Virtual Network from the list:




Then choose the subnet in which the vMX will be deployed. To find more information about subnets in Azure, click here.




Choose the VM size which will be D2_V2 Standard:




Review the deployment details before hitting 'OK.'







Review the terms of use and privacy policy before hitting 'Create.'


After you click on 'Purchase,' the deployment will begin:



Once this has been completed, it may be several minutes before the deployment completes and the instance launches. 

Note: Once the deployment has finished, it is expected that a new resource group will be created with the name of the resource group you referenced, appended with a random string of characters.




Once the vMX100 is online, a route table needs to be created including the Auto VPN subnets so that the Azure resources know how to access the Meraki subnets over Auto VPN.

To create a route table, click on "New" and then "Route Table".




Once the Route Table has been created, add the VPN routes pointing to the vMX100 as the next hop:



Please ignore the IP forwarding warning; IP forwarding has already been enabled in the backend.


Finally, associate the Route Table with the Subnet where the vMX was deployed. Click on "Subnets" and then "Associate".




Choose the Virtual Network where the vMX was deployed:



Then, choose the subnet used to deploy the vMX100 and click on 'OK.'



Once the subnet has been associated, enable Site to Site VPN on Dashboard.


The virtual MX security appliance is fully managed through the Cisco Meraki Dashboard. This requires the vMX100 to establish bi-directional communication to the Meraki Cloud. If, after following the steps above, the vMX100 is inaccessible, please ensure the following:  

  1. The following characters are not being used in the template: ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ | ; : ' " , < > / ?.
  2. The Azure naming convention does not support spaces; make sure spaces in resource names are eliminated.
  3. The token is entered into the Meraki Authentication Token field within an hour of being generated.
  4. The DNS server is reachable from the subnet that the vMX100 is in.
  5. A Route Table has been created and associated to the correct subnet(s).
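
A preflight check for items 1, 2, 3 and 5 of the checklist above, together with the route table steps earlier in this guide, written as an added example (it is not Meraki or Microsoft code). The function names, the route tuple layout and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Characters the checklist lists as unusable in the template, plus the space
# (item 2). The period ending the list is read as punctuation (assumption).
FORBIDDEN = set("~!@#$%^&*()=+_[]{}\\|;:'\",<>/?") | {" "}
TOKEN_LIFETIME = timedelta(hours=1)  # item 3: use the token within an hour

def bad_name_chars(value):
    """Return the sorted unsupported characters found in a template value."""
    return sorted(set(value) & FORBIDDEN)

def token_usable(generated_at, now=None):
    """True while the authentication token is inside its one-hour window."""
    now = now or datetime.now(timezone.utc)
    return timedelta(0) <= now - generated_at <= TOKEN_LIFETIME

def uncovered_subnets(vpn_subnets, routes, vmx_ip):
    """Return Auto VPN subnets lacking a route whose next hop is the vMX.

    routes: (address_prefix, next_hop_type, next_hop_ip) tuples; this layout
    is an assumption modelled on an Azure route table entry.
    """
    via_vmx = [ipaddress.ip_network(prefix) for prefix, kind, hop in routes
               if kind == "VirtualAppliance" and hop == vmx_ip]
    return [s for s in vpn_subnets
            if not any(ipaddress.ip_network(s).version == r.version
                       and ipaddress.ip_network(s).subnet_of(r)
                       for r in via_vmx)]

def preflight(vm_name, token_generated_at, vpn_subnets, routes, vmx_ip, now=None):
    """Collect findings as strings; an empty list means every check passed."""
    findings = []
    bad = bad_name_chars(vm_name)
    if bad:
        findings.append(f"VM name contains unsupported characters: {bad}")
    if not token_usable(token_generated_at, now):
        findings.append("authentication token is outside its one-hour window")
    for subnet in uncovered_subnets(vpn_subnets, routes, vmx_ip):
        findings.append(f"no route to {subnet} with the vMX {vmx_ip} as next hop")
    return findings

if __name__ == "__main__":
    # Constructed sample values: a name with a space, a stale token and one
    # branch subnet whose route points at the wrong next hop.
    generated = datetime.now(timezone.utc) - timedelta(hours=2)
    sample_routes = [("192.168.0.0/16", "VirtualAppliance", "10.0.1.4"),
                     ("172.16.5.0/24", "VirtualAppliance", "10.0.1.9")]
    for line in preflight("vmx hub", generated,
                          ["192.168.10.0/24", "172.16.5.0/24"],
                          sample_routes, "10.0.1.4"):
        print(line)
```

A route counts as covering a subnet only when its next hop type is VirtualAppliance and its next hop address is the vMX100's own address, so a route to the right prefix through a different appliance is still reported.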


Please note that Meraki Support does not troubleshoot Azure specific firewall rules and deployments.



Article ID

ID: 6083
