To get started with Meraki vMX on Microsoft Azure, you'll need to create a Meraki account and sign in to the dashboard.
First, go to the Meraki website and click on the "Create Account" button. This will prompt you to enter your email address and create a password.
Once you've created your account, navigate to the Meraki dashboard and sign in with your email address and password.
After signing in, you'll be taken to the Meraki dashboard, where you can view your network and devices.
Getting Started
To get started with Meraki vMX on Azure, you'll need to create a Meraki organization. This can be done by signing up for a Meraki account on the Cisco Meraki website.
The Meraki vMX is a cloud-managed security appliance that can be deployed on Azure. It's designed to provide secure connectivity and network segmentation for your organization.
First, you'll need to create a new Azure subscription if you don't already have one. This will give you access to the Azure portal and allow you to deploy the Meraki vMX.
Once you have your Azure subscription set up, you can create a new resource group to hold your Meraki vMX. This will help you organize your resources and make it easier to manage your deployment.
To deploy the Meraki vMX, you'll need to create a new virtual network and subnet in your Azure resource group. This will provide the necessary infrastructure for your Meraki vMX to operate.
After deploying the Meraki vMX, you'll need to configure it with your network settings. This includes setting up your network interfaces, VLANs, and other network configuration settings.
The Meraki vMX can be managed through the Meraki dashboard, which provides a user-friendly interface for configuring and monitoring your network.
Configuration
To configure your Meraki vMX for Azure, you'll need to create a new Security Appliance network in the Meraki dashboard. This involves adding a vMX license, which can be obtained from your Meraki reseller or sales rep if you don't have access to one.
First, create a "Security appliance" network type and add the appropriate license. Once you've done this, you'll be able to deploy a new vMX to your network by clicking on the 'Add vMX' button. Make sure your firmware is running MX 15.37+ to ensure a smooth upgrade.
To configure BGP on your vWAN, you'll need to obtain the BGP peer settings from the Azure portal. This involves selecting the Virtual WAN, then the vWAN Hub, and finally obtaining the Virtual Hub Router ASN and Virtual Hub Router Address from the Overview section.
Here are the specific BGP settings you'll need to configure on your vMX:
- Name: Resource name to identify a specific BGP peer.
- ASN: The ASN for the BGP peer, which is your Meraki org's ASN.
- IPv4 address: The private IP address of the vMX.
- Virtual Network connection: Choose the connection identifier that corresponds to the Virtual network that hosts the vMXs.
Dashboard Configuration
To configure your Meraki Dashboard, start by creating a new Security Appliance network in your organization.
First, you'll need to add a vMX license to the Meraki Dashboard. If you don't have access to a vMX license, reach out to your Meraki reseller or sales rep.
Create a "Security appliance" network type to begin the process.
Before generating the token, make sure the firmware is running MX 15.37+; otherwise, the upgrade won't occur.
After adding the new vMX to your network, navigate to Security & SD-WAN > Monitor > Appliance status and select "Generate authentication token" to generate the token for the Azure "Meraki Authentication Token" data field.
Copy the newly generated token and save it, as it must be entered into the Azure instance within one hour of generating it.
Obtain API Credentials
To obtain the necessary API credentials for configuration, you'll need to first enable the API for your organization. This involves navigating to Organization > Settings > Dashboard API access and enabling the API.
The API key is associated with a Dashboard administrator account, so make sure you have the correct login credentials to access this section.
To view your Organization name, navigate to Organization > Settings, where you'll see the name displayed.
You'll also need to obtain your API key, which any script that configures your vMX through the Dashboard API will use to authenticate.
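As an added example (not code from the page or from Cisco Meraki), here is how a configuration script would pick up the API key and organization name obtained above. It assumes the key is supplied in an environment variable named MERAKI_DASHBOARD_API_KEY (my naming) rather than hard-coded, and it looks the organization up by the exact name shown under Organization > Settings. The X-Cisco-Meraki-API-Key header and the GET /organizations endpoint are the Dashboard API v1 interface; the organization list is a constructed sample.

```python
"""Resolve Meraki Dashboard API credentials for a vMX configuration script.

Added example. Assumes the API key is in the environment variable
MERAKI_DASHBOARD_API_KEY (an assumption, not a Meraki convention) and that the
organization is looked up by the name shown under Organization > Settings.
"""
import json
import os
import re
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"
KEY_ENV = "MERAKI_DASHBOARD_API_KEY"  # assumption: where the script reads the key
# Dashboard API keys are 40 hexadecimal characters.
KEY_PATTERN = re.compile(r"^[0-9a-f]{40}$")


def load_api_key(env=os.environ):
    """Read the key from the environment and reject anything that is not key-shaped.

    Keeping the key out of source files and command lines keeps it out of
    version control and shell history.
    """
    key = env.get(KEY_ENV, "").strip()
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError(f"{KEY_ENV} is missing or not a 40-character hex key")
    return key


def redact(key):
    """Render a key for log output without disclosing it."""
    return key[:4] + "..." + key[-4:] if len(key) >= 8 else "****"


def auth_headers(key):
    """Headers for every Dashboard API call made by the configuration script."""
    return {
        "X-Cisco-Meraki-API-Key": key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def find_org_id(organizations, org_name):
    """Return the ID of the organization whose name matches exactly.

    `organizations` is the decoded JSON list from GET /organizations. Exact
    matching makes a typo fail loudly instead of silently configuring another
    organization the same administrator account can see.
    """
    matches = [o["id"] for o in organizations if o.get("name") == org_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one org named {org_name!r}, found {len(matches)}")
    return matches[0]


def list_organizations(key, opener=urllib.request.urlopen):
    """GET /organizations with the API key; the opener is injectable for tests."""
    req = urllib.request.Request(f"{API_BASE}/organizations", headers=auth_headers(key))
    with opener(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample of a GET /organizations response (IDs and names are made up).
SAMPLE_ORGS = [
    {"id": "123456", "name": "Acme Lab"},
    {"id": "654321", "name": "Acme Production"},
]

if __name__ == "__main__":
    key = load_api_key()
    print("using key", redact(key))
    orgs = list_organizations(key)
    print("organization id:", find_org_id(orgs, "Acme Production"))
```

Run it with the variable exported in the shell; the organization ID it prints is what the later BGP and VPN API calls take in their URL.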
Configure AnyConnect
To configure AnyConnect, you need to navigate to Security & SD-WAN > Client VPN > AnyConnect and set it to Enabled. Here, you'll find a plethora of options and information to configure.
The Hostname is crucial, as it's the FQDN of the vMX that you'll point your AnyConnect client at. If you change the AnyConnect port from its default of 443, make sure to update your NSG to allow that traffic into your vMX.
You can also create and upload an AnyConnect XML profile to the vMX for automatic deployment to clients when they connect. Additionally, you can enforce client certificate authentication and define a default group policy to apply to all connected VPN clients.
Here are the key options to consider:
- Hostname – the FQDN of the vMX
- AnyConnect port – default is 443, but can be changed
- Profile Update – enables automatic deployment of AnyConnect XML profiles
- Certificate Authentication – enforces client certificate authentication
- Default Group Policy – applies a group policy to all connected VPN clients
Remember to leave all other options default for now, and consider creating an AnyConnect Profile, especially when using the DYNDNS Meraki FQDN as an AnyConnect URL.
Networking
Networking is a critical aspect of Meraki vMX on Azure. To create a Route Table, you need to choose a subscription, select an existing or new resource group, and then add VPN routes pointing to the vMX as the next hop.
To associate the Route Table with the subnet, navigate to "Subnets" and then "Associate" the virtual network and production subnet(s) where your applications are deployed. Don't associate the vMX SD-WAN subnet with the same route table, as this causes packet loss.
To configure BGP on vWAN, you need to obtain the BGP peer settings for the vWAN, which includes the Virtual Hub Router ASN and Virtual Hub Router Address. You can then use these values to enable Auto VPN and configure BGP on the Meraki dashboard.
Here's a quick reference guide to BGP configuration:
- Name: Resource name to identify a specific BGP peer
- ASN: Your Meraki org's ASN
- IPv4 address: The private IP address of the vMX
- Virtual Network connection: Choose the connection identifier that corresponds to the Virtual network that hosts the vMXs
Route Table Basics
To set up a Route Table, you'll need to choose a subscription from the drop-down menu.
The subscription you choose will determine which resources you'll be billed for.
You'll also need to select a resource group, either an existing one where your instances are present or a new one where they will be deployed.
Here are the key settings you'll need to make when creating a Route Table:
- Subscription: Choose the subscription that the deployment should be billed to
- Resource group: Choose an existing or a new resource group where your instances are present or will be deployed
Don't forget to add the VPN routes pointing to the vMX as the next hop, including the client VPN subnet where applicable.
This will help ensure that your network traffic is routed correctly.
To associate the Route Table with the correct subnet, click on "Subnets" and then "Associate".
Choose the virtual network and then select the production subnet(s) where your applications are deployed and click "OK".
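The route table steps above, as an added example that is not from the page or from Microsoft or Cisco: it emits the routes array in the shape of a Microsoft.Network/routeTables resource (nextHopType "VirtualAppliance" with the vMX as nextHopIpAddress), one route per VPN prefix including the client VPN pool, and it rejects the association the guide warns against, namely attaching the vMX SD-WAN subnet to the same table. All addresses are constructed sample values.

```python
"""Build an Azure route table (UDR) that sends VPN traffic to the vMX.

Added example; the topology values are constructed.
"""
import ipaddress
import json


def build_vpn_routes(vpn_prefixes, vmx_private_ip, vmx_subnet):
    """One route per VPN prefix (Auto VPN branch subnets, client VPN pool), next hop = vMX."""
    vmx_ip = ipaddress.ip_address(vmx_private_ip)
    vmx_net = ipaddress.ip_network(vmx_subnet, strict=False)
    if vmx_ip not in vmx_net:
        raise ValueError(f"vMX IP {vmx_ip} is not inside its SD-WAN subnet {vmx_net}")
    routes = []
    for prefix in vpn_prefixes:
        # strict=True rejects a prefix with host bits set, so a typo cannot become a broader route
        net = ipaddress.ip_network(prefix, strict=True)
        routes.append({
            "name": "to-vmx-" + str(net).replace("/", "_").replace(".", "-"),
            "properties": {
                "addressPrefix": str(net),
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": str(vmx_ip),
            },
        })
    return routes


def subnets_to_associate(app_subnets, vmx_subnet):
    """Return the production subnets that may be attached to the route table.

    Attaching the vMX's own subnet would steer the vMX's VPN traffic back to
    itself and cause the packet loss the guide describes, so it is rejected.
    """
    vmx_net = ipaddress.ip_network(vmx_subnet, strict=False)
    accepted = []
    for s in app_subnets:
        net = ipaddress.ip_network(s, strict=True)
        if net.overlaps(vmx_net):
            raise ValueError(f"refusing to associate {net}: it overlaps the vMX SD-WAN subnet {vmx_net}")
        accepted.append(str(net))
    return accepted


def route_table(name, location, vpn_prefixes, vmx_private_ip, vmx_subnet):
    """Minimal ARM-style route table resource body carrying the VPN routes."""
    return {
        "type": "Microsoft.Network/routeTables",
        "name": name,
        "location": location,
        "properties": {
            "disableBgpRoutePropagation": False,
            "routes": build_vpn_routes(vpn_prefixes, vmx_private_ip, vmx_subnet),
        },
    }


# Constructed sample topology.
VMX_IP = "192.168.4.3"
VMX_SUBNET = "192.168.4.0/24"       # vMX SD-WAN subnet: never associated with this table
APP_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24"]
VPN_PREFIXES = ["10.10.0.0/16",     # branch networks reachable over Auto VPN
                "172.16.99.0/24"]   # client VPN address pool

if __name__ == "__main__":
    print(json.dumps(route_table("rt-to-vmx", "eastus", VPN_PREFIXES, VMX_IP, VMX_SUBNET), indent=2))
    print("associate with:", subnets_to_associate(APP_SUBNETS, VMX_SUBNET))
```

The overlap check is deliberately a hard failure rather than a warning: a route table that is quietly attached to the wrong subnet is exactly the kind of mistake that surfaces as intermittent packet loss much later.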
Configure BGP on Cisco
To configure BGP on Cisco, you'll need to obtain the BGP peer settings for the route server, which include the peer IPs and ASN. These can be read with the Azure CLI; its JSON output contains the 'virtualRouterAsn' and 'virtualRouterIps' values that you'll need for the Meraki BGP config.
The Meraki BGP config requires you to enable Auto VPN by selecting Hub and then scrolling down to the BGP settings. You'll need to configure your local ASN, which is the Meraki Auto VPN Autonomous System, and then configure two EBGP peers with the values obtained from the Azure CLI.
To enable BGP on the Cisco Meraki vMX, you'll need to navigate to the site-to-site VPN page and select the dropdown to enable BGP. You'll also need to add the EBGP peer IPs as local networks at the top of the site-to-site VPN page, which tells the vMXs that the peer IPs are always reachable through its local Network Interface (NIC) instead of over another VPN tunnel.
Here are the required parameters for the BGP peer on the Cisco Meraki vMX:
- ASN: The Meraki org's ASN
- IPv4 address: The private IP address of the vMX
- Virtual Network connection: Choose the connection identifier that corresponds to the Virtual network that hosts the vMXs
Adding the EBGP peer IPs as local networks at the top of the site-to-site VPN page is not optional: Meraki requires it whenever EBGP multihop is in use, as it is here.
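The two BGP steps above (reading the Azure route server or vWAN hub peer settings, then configuring the Meraki side with a local ASN, two EBGP peers, and the peer IPs as local networks) as one added example. This is not the page's script and not Cisco's or Microsoft's code. It assumes the Azure CLI JSON carries the 'virtualRouterAsn' and 'virtualRouterIps' fields the guide names (as `az network routeserver show` and `az network vhub show` print them, to the best of my knowledge), and it writes the Meraki side in the request-body shape of Dashboard API v1 PUT /networks/{networkId}/appliance/vpn/bgp and the subnets list of PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn. The CLI output and the Meraki ASN are constructed sample values.

```python
"""Turn Azure route server / vWAN hub BGP settings into the Meraki vMX BGP config.

Added example; the Azure CLI output and the Meraki ASN below are constructed.
"""
import ipaddress
import json

# Constructed sample of the Azure CLI JSON for the route server.
AZURE_CLI_OUTPUT = """
{
  "name": "rs-vmx",
  "provisioningState": "Succeeded",
  "virtualRouterAsn": 65515,
  "virtualRouterIps": ["10.0.1.4", "10.0.1.5"]
}
"""


def parse_azure_peer_settings(cli_json):
    """Extract the Azure-side ASN and the two route server instance IPs."""
    doc = json.loads(cli_json)
    asn = int(doc["virtualRouterAsn"])
    ips = [str(ipaddress.ip_address(ip)) for ip in doc["virtualRouterIps"]]
    if len(ips) != 2:
        raise ValueError(f"expected two route server peer IPs, got {ips}")
    return asn, ips


def meraki_bgp_body(local_asn, azure_asn, peer_ips, *, ebgp_multihop=2):
    """Body for PUT /networks/{id}/appliance/vpn/bgp: one eBGP neighbor per Azure peer IP.

    The vMX is the Auto VPN hub, so asNumber is the Meraki org's Auto VPN ASN.
    The route server IPs are not on the vMX's own subnet, hence eBGP multihop.
    """
    if local_asn == azure_asn:
        raise ValueError("local and Azure ASNs must differ for eBGP")
    return {
        "enabled": True,
        "asNumber": local_asn,
        "ibgpHoldTimer": 120,
        "neighbors": [
            {
                "ip": ip,
                "remoteAsNumber": azure_asn,
                "receiveLimit": 0,      # 0 = no cap; size a real cap to your Azure prefix count
                "allowTransit": False,  # do not re-advertise Azure routes to other peers
                "ebgpHoldTimer": 180,
                "ebgpMultiHop": ebgp_multihop,
            }
            for ip in peer_ips
        ],
    }


def local_networks_for_peers(peer_ips):
    """Site-to-site VPN local networks: a /32 per peer IP, not advertised into Auto VPN.

    Listing the peer IPs here tells the vMX they are reachable via its own NIC
    rather than through another VPN tunnel, which the guide requires with multihop.
    """
    return [{"localSubnet": f"{ip}/32", "useVpn": False} for ip in peer_ips]


def build_vmx_bgp_config(cli_json, local_asn):
    """Both halves of the Meraki configuration derived from the Azure CLI output."""
    azure_asn, peer_ips = parse_azure_peer_settings(cli_json)
    return {
        "bgp": meraki_bgp_body(local_asn, azure_asn, peer_ips),
        "siteToSiteLocalNetworks": local_networks_for_peers(peer_ips),
    }


if __name__ == "__main__":
    MERAKI_AUTO_VPN_ASN = 64512  # constructed sample value for the Meraki org's ASN
    print(json.dumps(build_vmx_bgp_config(AZURE_CLI_OUTPUT, MERAKI_AUTO_VPN_ASN), indent=2))
```

Feed the printed "bgp" object to the BGP endpoint and merge "siteToSiteLocalNetworks" into the existing subnets list of the site-to-site VPN settings (replacing that list wholesale would drop the local networks already configured).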
AnyConnect on Azure
AnyConnect on Azure is a powerful tool for remote access VPN, and setting it up requires some specific configurations. You'll need to navigate to Security & SD-WAN > Client VPN > AnyConnect and set it to Enabled.
To enable AnyConnect, you'll need to set the Hostname to the FQDN of your vMX, which you'll use to point your AnyConnect client at. You'll also need to download the AnyConnect client software and profile editor from the AnyConnect download links provided.
The AnyConnect port is 443 by default, but you can change it if needed. Just remember to update your NSG to allow the traffic into your vMX.
A log-in banner can be added to present to clients when connecting to AnyConnect, and you can also enable Profile Update to create and upload an AnyConnect XML profile for automatic deployment to clients.
Server Certificate Generation Method is set to provision and renew by Meraki based on the FQDN of the vMX, but you can contact support to enable custom certification options.
You can also configure Client Routing and Dynamic Client Routing to include or exclude specific traffic, and set a Default Group Policy that applies to all connected VPN clients.
Copy Auth Token
You'll need to copy the Meraki Auth Token, which can be found on the security appliance status page.
After a moment, you should be presented with the appliance status page, where you can give your vMX a name, add a location, and more.
The token is located at the bottom left of the screen. Click the Generate authentication token link to access it.
Note that the token expires in an hour, so make sure to copy it before moving on to the next step.
Log into your Azure tenant and click Create Resource to proceed with the deployment.
Create Virtual WAN
To create a virtual WAN, you'll first need to deploy a vMX from the Azure marketplace. This involves specifying a name, virtual network, and IP address for the instance.
The name of the vMX instance should be unique and descriptive, such as "vmx-acme-vwan". You'll also need to select a virtual network, for example "vmx-network", and assign a private IP address, like "192.168.4.3".
Next, you'll create a virtual WAN by logging into the Azure portal and searching for "Virtual WAN" in the search bar. From there, you'll select "Virtual WANs" and click the "+" button to create a new WAN.
To configure the virtual WAN, you'll need to specify the subscription, resource group, and resource group location. You can choose to create a new resource group or use an existing one, and select a region from the dropdown list.
Here are the key fields to fill in on the Create WAN page:
- Subscription: Select the subscription you want to use.
- Resource group: Create new or use existing.
- Resource group location: Choose a region from the dropdown list.
- Name: Type the name you want to give your virtual WAN.
- Type: Select "Standard".
Once you've completed these fields, click "Review + Create" and then "Create" to create the virtual WAN.
Troubleshooting
The most common problem when deploying a vMX is getting it provisioned and online in the Meraki dashboard in the first place.
The vMX needs to reach the Meraki dashboard on TCP port 7734. If it can't, check the Meraki document on the ports and IPs that must be opened for dashboard communication and make sure your outbound rules allow them.
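A reachability check for the failure above, added here as an example (not from the page or from Cisco Meraki). Run it from a host inside the vMX's vNet, ideally in the SD-WAN subnet, so it traverses the same NSG and route table the vMX does. DASHBOARD_HOSTS is a placeholder: fill it with the dashboard hostnames or IPs from the Meraki ports/IPs document the guide refers to. The loopback self-test only proves the checker itself works.

```python
"""Check whether the Meraki dashboard is reachable on TCP 7734 from the vMX's network.

Added example. DASHBOARD_HOSTS is a placeholder to be replaced with the
entries from Meraki's dashboard ports/IPs document.
"""
import socket
import threading

DASHBOARD_HOSTS = ["dashboard-host.example"]  # placeholder, not a real Meraki hostname
PORTS = [7734]  # vMX-to-dashboard port named in the guide; add others from the Meraki document


def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout, else False.

    DNS failures, refusals and timeouts are all OSError and all mean "not reachable".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability_report(hosts=DASHBOARD_HOSTS, ports=PORTS, timeout=3.0):
    """Map (host, port) -> reachable. False on 7734 is the provisioning failure the guide describes."""
    return {(h, p): check_tcp(h, p, timeout) for h in hosts for p in ports}


def selftest_loopback():
    """Prove the checker works by connecting to a short-lived local listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_one():
        conn, _ = listener.accept()
        conn.close()

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    try:
        return check_tcp("127.0.0.1", port, timeout=2.0)
    finally:
        worker.join(timeout=2.0)
        listener.close()


if __name__ == "__main__":
    report = reachability_report()
    for (host, port), ok in report.items():
        print(f"{host}:{port} {'reachable' if ok else 'BLOCKED'}")
    if not all(report.values()):
        print("vMX will not come online until outbound NSG rules and routes allow these ports")
```

A result of BLOCKED on 7734 from inside the vNet points at the Azure side (outbound NSG rule, route table, or a firewall in the path) rather than at the Meraki dashboard, which narrows the troubleshooting considerably.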
Failed to Delete Resource Group After Deployment
If you're unable to delete a resource group after deployment, it's likely because the managed application was successfully deployed to the Meraki Dashboard.
You'll need to delete the managed application on the Meraki Dashboard to proceed with deleting the resource group on Azure.
Azure activity logs will show a failed deletion attempt with an error message stating that resources with specific identifiers couldn't be deleted.
Check your audit logs for more details and take note of the tracking ID provided.
The provisioning state of the resource group will be rolled back, and you'll need to revisit the deletion process.
Licensing Details
The Meraki vMX is a powerful appliance that requires the right license to unlock its full potential. A Meraki vMX – Medium enterprise cloud-management license is required and available in 1, 3, or 5 year durations.
The vMX Medium appliance is available in all major public cloud marketplaces, listed below together with how each provider charges for its services.
The vMX Medium appliance is a great option for organizations that need a flexible and scalable solution for their network needs. With its cloud-management license, you can easily manage your network from anywhere and scale up or down as needed.
Here are the public cloud providers that support the vMX Medium appliance:
- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- Alibaba Cloud
Each of these providers charges differently for their services, so be sure to check their pricing plans before getting started:
- Amazon charges either hourly or monthly for use of EC2 instances.
- Microsoft charges either hourly or annually for use of VM instances.
- Google Cloud Platform charges pay-as-you-go for use of its services.
- Alibaba Cloud charges either pay-as-you-go or subscription options for use of its services.
Frequently Asked Questions
What is vMX Azure?
The vMX Azure is a virtual extension of your physical network that connects your on-premises and cloud-based services through the Meraki dashboard. It enables seamless integration of your network with Azure-deployed services.
What is vMX in Meraki?
vMX is a virtual networking solution that creates secure and persistent connections between networks across different mediums and cloud regions. It enables fast, reliable, and secure communication between networks, regardless of their physical or virtual location.
How to install Meraki vMX?
To install Meraki vMX, start by adding licenses to the Meraki dashboard and creating a "Security appliance" network type. This sets the stage for configuring your vMX, which involves assigning the vMX type to the network and generating an authentication token.
Sources
- https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure
- https://github.com/MitchellGulledge/Azure_Route_Server_Meraki_vMX
- https://ccietbd.com/2022/04/20/basic-anyconnect-on-azure-hosted-meraki-vmx/
- https://documentation.meraki.com/MX/Deployment_Guides/vMX_and_Azure_vWAN
- https://telecom4good.org/product/meraki-vmx-medium/