Azure Meraki

Connecting Azure to Meraki

Once you have a virtual network and VMs running in your Azure environment, you will need to connect it to your on-premises environment. Here is a quick guide for setting that up.

First, you will need to enable a gateway subnet on your virtual network.


The gateway subnet must be a subnet that isn't already in use, and it will only be used for VPN connections, so don't make it a large subnet or you will be wasting address space. Also, because this is a policy-based VPN, the gateway will actually use only one IP address in the subnet (as opposed to route-based VPNs).

Next, we need to create the Virtual Network Gateway (VPN connection).


The VPN must be policy based when using a Meraki (or any device not on the approved list here).


After we have the virtual network gateway set up, we will add the Local Network Gateway resource. This is the gateway for your local, or on-premises, network. Here is where we set the public IP of the endpoint and the local subnets that will access Azure resources.


The IP address here is the public IP address of your local VPN device. In the Address space section, add the local subnets that you will allow over the site-to-site VPN to your Azure vnet.


Now we add a connection using the VPN and local gateways and set the PSK that the VPN will use. Azure only allows alphanumeric keys, so no special characters (security!). Make up for the smaller character set with a long, randomly generated key.


Once the connection is created, it will show up in the list of resources, and its overview will show the connection status and data in/out.
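The whole Azure side of the procedure above, scripted with the Azure CLI, as an added example that is not part of the original post. The resource group, VNet, address ranges and the Meraki public IP are constructed placeholders, and the script only prints the az commands unless DRY_RUN=0 is set against a logged-in CLI. It also generates and checks the alphanumeric pre-shared key, since length is the only thing left to make up for the restricted character set.

```shell
#!/bin/sh
# Added example (not from the original post): Azure side of a policy-based
# site-to-site VPN to a Meraki MX, via the Azure CLI.
# All names and addresses below are constructed placeholders.

RG="${RG:-rg-hybrid}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-azure}"
VNET_SPACE="10.10.0.0/16"        # whole VNet address space (the "supernet" the Meraki side must reference)
GW_SUBNET="10.10.255.224/27"     # small, otherwise unused range; a policy-based gateway uses one IP from it
MERAKI_PUBLIC_IP="203.0.113.10"  # placeholder: public IP of the MX (or the VIP of an HA pair)
ONPREM_PREFIXES="192.168.0.0/16" # on-premises subnets allowed across the tunnel (space separated)

# Print the az command in dry-run mode (default); execute it when DRY_RUN=0.
az_cmd() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Azure accepts only alphanumeric pre-shared keys; compensate for the
# reduced character set with length and a CSPRNG source.
gen_psk() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-48}"
}

# Returns 0 when the key is purely alphanumeric and at least 32 characters.
psk_is_valid() {
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 32 ]
}

deploy_azure_side() {
  psk="$1"
  psk_is_valid "$psk" || { echo "PSK must be >=32 alphanumeric characters" >&2; return 1; }

  # 1. Gateway subnet: Azure requires the name to be exactly "GatewaySubnet".
  az_cmd network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n GatewaySubnet --address-prefixes "$GW_SUBNET"

  # 2. Virtual network gateway. Meraki is not on Azure's validated-device
  #    list, so the gateway is policy based (Basic SKU, IKEv1).
  az_cmd network public-ip create -g "$RG" -n pip-vpngw --allocation-method Dynamic
  az_cmd network vnet-gateway create -g "$RG" -n vpngw-azure -l "$LOCATION" \
    --vnet "$VNET" --public-ip-address pip-vpngw \
    --gateway-type Vpn --vpn-type PolicyBased --sku Basic

  # 3. Local network gateway: the Meraki's public IP and the on-prem prefixes.
  az_cmd network local-gateway create -g "$RG" -n lgw-meraki -l "$LOCATION" \
    --gateway-ip-address "$MERAKI_PUBLIC_IP" --local-address-prefixes $ONPREM_PREFIXES

  # 4. Connection between the two gateways, carrying the shared key.
  az_cmd network vpn-connection create -g "$RG" -n conn-azure-meraki -l "$LOCATION" \
    --vnet-gateway1 vpngw-azure --local-gateway2 lgw-meraki --shared-key "$psk"

  # 5. Connection status, the same value the connection's overview blade shows.
  az_cmd network vpn-connection show -g "$RG" -n conn-azure-meraki \
    --query connectionStatus -o tsv
}

# Example run: generates a 48-character key and prints (or runs) the commands.
PSK="$(gen_psk 48)"
deploy_azure_side "$PSK"
```

The same key string has to be entered on the Meraki side; in dry-run mode the script prints it as part of the vpn-connection command, so treat that output as a secret or run with DRY_RUN=0 and read the key from the variable only.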


Once Azure is configured, we can set everything up on the Meraki side. This process looks the same regardless of which security appliance model you are using, which is the beauty of Meraki.

From the Appliance status page, you will get the public IP address needed for the Local Network Gateway on the Azure side (unless you have an HA pair with a virtual interface, in which case you will use the VIP).

Then we will go to the Site-to-site VPN page to set up the tunnel.


This section depends on what type of configuration you are currently running. It defaults to Hub (Mesh), which you really shouldn't change unless your topology calls for it.


Choose the networks to include in your site-to-site connections (these must match what was listed in the Local Network Gateway in Azure, or it will not work).


One big "gotcha" in Azure with the Meraki is the private subnet portion: it is not each subnet listed out, but rather the "supernet", the entire address space that you created. If that causes problems with traffic, you can use the VPN firewall to control access instead.


The IPsec policies are defined by Azure for policy-based VPNs. Keep in mind that Meraki only uses IKEv1; the link below has the settings for phase 1 and phase 2.

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices


Meraki has a setting for Azure, but sometimes it does not work (I have submitted a wish to get their Azure settings to match what Azure actually lists for their phase 1 and 2 settings).  So use the Custom option and set them to match the Azure document.


Once you're done, the VPN status will show up under Non-Meraki peer in the VPN status section. The green light normally means that the connection is up, but checking the event logs for errors is a must, as the dashboard will show a green light for connections that are failing in phase 2 (another wish submitted for that as well).
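The Meraki side of the procedure, expressed as the non-Meraki VPN peer object that the Meraki Dashboard API accepts (PUT to the organization's appliance/vpn/thirdPartyVPNPeers endpoint), as an added example that is not part of the original post or of Meraki's documentation. It encodes the two points the post warns about before anything is sent: the private subnet must be the whole Azure VNet address space, not its individual subnets, and the IKEv1 Custom policy is spelled out rather than relying on the "azure" preset. The organization id, API key, Azure gateway IP and address space are placeholders, and the phase 1/phase 2 values are assumed from the Azure device-parameters document the post links (aes256/sha256, DH group 2, 28800 s; aes256/sha256, no PFS, 3600 s); confirm them against the current version of that page. The script is dry-run by default and only prints the request body.

```shell
#!/bin/sh
# Added example (not from the original post or Meraki): build and sanity-check
# the Azure peer for the Meraki Dashboard API. All ids and addresses are
# constructed placeholders.

ORG_ID="${ORG_ID:-123456}"                          # placeholder Meraki organization id
MERAKI_API_KEY="${MERAKI_API_KEY:-REPLACE_ME}"      # never commit a real key
AZURE_GW_IP="${AZURE_GW_IP:-198.51.100.20}"         # placeholder: public IP of the Azure VPN gateway
AZURE_VNET_SPACE="${AZURE_VNET_SPACE:-10.10.0.0/16}" # whole VNet address space, not its subnets
PSK="${PSK:-REPLACE_WITH_THE_KEY_SET_ON_THE_AZURE_CONNECTION}"

# Returns 0 only when the private subnet is exactly the VNet "supernet" and
# the secret is the alphanumeric key Azure accepted.
validate_peer() {
  subnet="$1"; secret="$2"
  if [ "$subnet" != "$AZURE_VNET_SPACE" ]; then
    echo "privateSubnets must be the whole VNet address space ($AZURE_VNET_SPACE), got $subnet" >&2
    return 1
  fi
  case "$secret" in
    ''|*[!A-Za-z0-9]*) echo "secret must be the alphanumeric PSK configured in Azure" >&2; return 1 ;;
  esac
  return 0
}

# Peer JSON with IKEv1 and a Custom IPsec policy (values assumed from the Azure
# document; verify against the current page).
build_peer_json() {
  name="$1"; public_ip="$2"; private_subnet="$3"; secret="$4"
  printf '{"peers":[{"name":"%s","publicIp":"%s","privateSubnets":["%s"],"secret":"%s",' \
    "$name" "$public_ip" "$private_subnet" "$secret"
  printf '"ikeVersion":"1","ipsecPolicies":{'
  printf '"ikeCipherAlgo":["aes256"],"ikeAuthAlgo":["sha256"],"ikeDiffieHellmanGroup":["group2"],"ikeLifetime":28800,'
  printf '"childCipherAlgo":["aes256"],"childAuthAlgo":["sha256"],"childPfsGroup":["disabled"],"childLifetime":3600},'
  printf '"networkTags":["all"]}]}\n'
}

# Prints the body (dry run) or PUTs it. Note: this endpoint replaces the whole
# peer list, so merge with the existing GET result first if other peers exist.
push_peer() {
  validate_peer "$AZURE_VNET_SPACE" "$PSK" || return 1
  body="$(build_peer_json "Azure" "$AZURE_GW_IP" "$AZURE_VNET_SPACE" "$PSK")"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$body"
    return 0
  fi
  curl -sS -X PUT \
    "https://api.meraki.com/api/v1/organizations/$ORG_ID/appliance/vpn/thirdPartyVPNPeers" \
    -H "X-Cisco-Meraki-API-Key: $MERAKI_API_KEY" \
    -H 'Content-Type: application/json' \
    --data "$body"
}

# Example run (dry run unless DRY_RUN=0).
PSK="${PSK}" push_peer
```

After pushing, the peer appears under Non-Meraki peer in the VPN status section; as the post says, a green light is not enough, so check the event log for phase 2 failures before calling the tunnel up.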


You now have a site-to-site VPN configured between your Meraki and Azure environments!

1 comment on “Connecting Azure to Meraki”

1. Greg Winch

   Great example of how to set up Azure site-to-site with Meraki. The only part that I messed up on was the Phase 1 and Phase 2 settings. Once set up, the connection was made and verified in Azure.
