Once you have a virtual network and VMs running in your Azure environment, you will need to connect it to your on-premise environment. Here is a quick guide for setting that up.
First, you will need to enable a gateway subnet on your virtual network.
The gateway subnet has to be a subnet that isn't already in use, and it will only be used for VPN connections, so don't make it a large subnet or you will waste address space. Also, because this is a policy-based VPN, the gateway will only use a single IP address in that subnet (as opposed to route-based VPNs).
Next, we need to create the Virtual Network Gateway (VPN connection).
The VPN must be policy based when using a Meraki (or any device not on the approved list here).
After we have the virtual network gateway set up, we will add the Local Network Gateway resource. This is the gateway for your local, or on-premise, network. Here is where we will set the public IP for the endpoint and the local subnets that will access Azure resources.
The IP address here will be your public IP address for your local VPN device. Add the local subnets that you will be allowing over the site to site VPN to your Azure vnet in the Address space section.
Now we add a connection using the VPN and local gateways and set the PSK that the VPN will use. Azure only allows alphanumeric keys, so no special characters (security!).
Once the connection is created, it will show up in the list of resources, and the overview will contain the connection status, and show data in/out.
Once Azure is configured, we can set everything up on the Meraki side. This process looks the same regardless of which Meraki security appliance you are using, which is the beauty of Meraki.
From the Appliance status page, you will get the public IP address needed for the Local Network Gateway on the Azure side (unless you have an HA pair with a virtual interface, in which case you will use the VIP).
Then we will go to the Site-to-site VPN page to set up the tunnel.
This section depends on the type of configuration you are currently running; it defaults to Hub (Mesh), which you really shouldn't change unless your topology calls for it.
Choose the networks to include in your site-to-site connections (these must match what was listed in the Local Network Gateway in Azure, or it will not work).
One big “gotcha” in Azure with the Meraki is the private subnet portion: it is not each subnet listed out, but rather the “supernet”, the entire address space that you created. If that causes problems with traffic, you can use the VPN firewall rules to control access instead.
The IPsec policies for policy-based VPNs are defined by Azure. Keep in mind that Meraki only uses IKEv1, so the link below has the settings for phase 1 and phase 2.
Meraki has a preset for Azure, but sometimes it does not work (I have submitted a wish to get their Azure settings to match what Azure actually lists for their phase 1 and 2 settings). So use the Custom option and set the values to match the Azure document.
Once you're done, the VPN status will show up under Non-Meraki peer in the VPN status section. The green light normally means that the connection is up, but checking the event logs for errors is a must, as the dashboard will show a green light for connections that are failing in phase 2 (another wish submitted for that as well).
You now have a site to site VPN configured between your Meraki and Azure environments!
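Before clicking through the portal and the Meraki dashboard, it helps to sanity-check the plan against the constraints this guide calls out (gateway subnet inside the vnet and not overlapping, alphanumeric PSK, IKEv1, Meraki private subnet equal to the vnet supernet, Meraki local networks matching the Local Network Gateway). The script below is an added example, not part of the original post or any Azure/Meraki tooling; all addresses and the key are constructed sample values.

```python
import ipaddress
import re

# Constructed sample plan (example values only, not a real deployment).
AZURE_VNET = "10.10.0.0/16"
AZURE_SUBNETS = {"workload": "10.10.1.0/24", "GatewaySubnet": "10.10.255.0/27"}
ONPREM_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]     # Local Network Gateway address space
MERAKI_PRIVATE_SUBNETS = ["10.10.0.0/16"]                 # must be the vnet supernet, not each subnet
MERAKI_LOCAL_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24"]  # networks included in site-to-site VPN
PSK = "Sup3rSecretKey2024"                                # alphanumeric only, as Azure requires
IKE_VERSION = 1                                           # Meraki only does IKEv1


def check_vpn_plan(vnet, subnets, onprem, meraki_private, meraki_local, psk, ike_version):
    """Return a list of problems; an empty list means the plan meets the guide's constraints."""
    problems = []
    net = ipaddress.ip_network(vnet)
    gw = ipaddress.ip_network(subnets["GatewaySubnet"])

    # Gateway subnet must live inside the vnet and must not reuse an existing subnet.
    if not gw.subnet_of(net):
        problems.append("GatewaySubnet is outside the vnet address space")
    for name, cidr in subnets.items():
        if name != "GatewaySubnet" and gw.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"GatewaySubnet overlaps existing subnet '{name}'")

    # Azure rejects special characters in the connection PSK.
    if not re.fullmatch(r"[A-Za-z0-9]+", psk):
        problems.append("PSK contains non-alphanumeric characters (Azure rejects them)")

    # The Meraki side negotiates IKEv1 only, so the Azure policy must be IKEv1 too.
    if ike_version != 1:
        problems.append("IKE version must be 1 for a Meraki peer")

    # The Meraki private subnet entry is the whole vnet, not the individual subnets.
    if sorted(meraki_private) != [str(net)]:
        problems.append("Meraki private subnets must be the vnet supernet, not individual subnets")

    # The networks the Meraki advertises must match the Local Network Gateway exactly.
    if sorted(meraki_local) != sorted(onprem):
        problems.append("Meraki local networks do not match the Local Network Gateway address space")
    return problems


def sample_plan_problems():
    """Run the check over the constructed sample plan above."""
    return check_vpn_plan(AZURE_VNET, AZURE_SUBNETS, ONPREM_SUBNETS,
                          MERAKI_PRIVATE_SUBNETS, MERAKI_LOCAL_NETWORKS, PSK, IKE_VERSION)


if __name__ == "__main__":
    for problem in sample_plan_problems() or ["plan looks consistent"]:
        print(problem)
```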