Azure Vwan migration away from Meraki

Jeremy Kinder 20 Reputation points
2025-04-28T20:37:27.6833333+00:00

My current environment is a mesh network with Meraki routers and a vmx in Azure, which uses route tables to route all the traffic in specific subnets to the Meraki VMX in another subnet in the same vnet.

My goal is to move to the Azure Vwan solution. I would remove the Meraki routers and put in another router that will do site-to-site VPN into the Azure Vwan hub, and then tie the vnet in to the hub and route the traffic that way.

I am unsure on how to peer the Vwan hub to the vnet. Is it just going through the peering process and then changing the custom route tables for the subnets in question from next hop router from the vmx to the Vwan hub?

Any thoughts or questions appreciated.

Azure Virtual WAN

Accepted answer
  1. Sai Prasanna Sinde 5,870 Reputation points Microsoft External Staff Moderator
    2025-04-29T02:57:17.5133333+00:00

    Hi @Jeremy Kinder

    We think you are correct that you need to connect your existing VNet to the VWAN Hub. However, this isn't done through the standard Peerings section of the VNet resource itself. Instead, you create a Virtual Network Connection from within the VWAN Hub resource.

    Go to your Azure VWAN Hub > Connectivity > Virtual network connections > Click on Add connection

    You need to provide a name for the connection, and select the Hub, the subscription, the RG, and the VNet you want to connect. Associate the route table; the routes in this table dictate where traffic coming into the Hub from this VNet can go.

    You also need to propagate the route table, which allows other connected resources to learn how to reach this VNet via the Hub. You also need to propagate to labels, which are used for more advanced custom routing scenarios, often involving specific groups of connections, and the default is common initially.

    You can also define specific static routes on this connection if needed, pointing traffic destined for certain prefixes from the Hub towards this VNet to a specific IP within the VNet.

    Your subnets have UDRs associated with Route Tables. These UDRs likely have routes with the next hop type set to virtual appliance and the next hop IP address set to the private IP of your Meraki VMX. So, when you create the Vnet Connection from the Hub to the VNet and configure route propagation, the VWAN Hub automatically advertises routes to the VNet. Azure fabric updates the VNet effective routes to include paths to networks connected to the Hub via the Hub internal gateway infrastructure.

    The UDRs take precedence over routes learned via propagation from the VWAN Hub. If you leave your existing UDRs pointing to the old VMX IP address, traffic matching those UDRs will continue to be sent to the VMX, and not to the VWAN Hub gateway. So, you must remove or modify the UDRs on your subnet route tables that currently force traffic to the Meraki VMX.

    If your goal is for traffic destined for on-prem to go via the VWAN Hub, you need to remove the specific UDRs that point to the VMX. Once removed, the routes propagated from the VWAN Hub will become effective for those destinations. Or, if you only routed specific prefixes to the VMX, you'd remove just those UDRs. If you still need other UDRs for different purposes, those can remain, but the ones directing traffic towards the networks now reachable via VWAN must be removed.

    • Make sure that you are using a Standard VWAN Hub, as Basic Hubs do not support ExpressRoute/P2S VPN gateway functionality.


    Kindly let us know if the above helps or you need further assistance on this issue.

    1 person found this answer helpful.
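
The precedence rule described in the accepted answer, as an added example that is not part of either answer: it models Azure route selection (longest prefix first, then UDR over hub-learned route on an equal prefix) and labels which UDRs would still pull traffic to the vMX. The IP addresses, route names and hub prefixes are constructed sample data; the field names follow the JSON shape of `az network route-table route list`.

```python
import ipaddress

VMX_IP = "10.0.1.4"  # constructed: private IP of the Meraki vMX
# Constructed UDRs, using the field names of `az network route-table route list -o json`.
UDRS = [
    {"name": "to-branches", "addressPrefix": "10.50.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": VMX_IP},
    {"name": "to-branch-lab", "addressPrefix": "10.60.8.0/24",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": VMX_IP},
    {"name": "default-via-vmx", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": VMX_IP},
    {"name": "to-inspection", "addressPrefix": "10.99.0.0/24",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"},
]
HUB_PREFIXES = ["10.50.0.0/16", "10.60.0.0/16"]  # constructed: prefixes the hub advertises

def next_hop(dest, udrs, hub_prefixes):
    """Longest prefix wins; on an equal prefix the UDR beats the hub route."""
    ip = ipaddress.ip_address(dest)
    matches = []
    for r in udrs:
        net = ipaddress.ip_network(r["addressPrefix"])
        if ip in net:
            matches.append((net.prefixlen, 1, r["nextHopIpAddress"]))
    for p in hub_prefixes:
        net = ipaddress.ip_network(p)
        if ip in net:
            matches.append((net.prefixlen, 0, "vwan-hub"))
    return max(matches)[2] if matches else None

def classify(udrs, hub_prefixes, vmx_ip):
    """Label each UDR: keep, remove (shadows a hub route) or review."""
    hubs = [ipaddress.ip_network(p) for p in hub_prefixes]
    verdicts = {}
    for r in udrs:
        net = ipaddress.ip_network(r["addressPrefix"])
        if r["nextHopType"] != "VirtualAppliance" or r["nextHopIpAddress"] != vmx_ip:
            verdicts[r["name"]] = "keep"      # not aimed at the vMX
        elif any(net.subnet_of(h) for h in hubs):
            verdicts[r["name"]] = "remove"    # same or narrower prefix: overrides the hub
        else:
            verdicts[r["name"]] = "review"    # still sends traffic to the vMX
    return verdicts

if __name__ == "__main__":
    verdicts = classify(UDRS, HUB_PREFIXES, VMX_IP)
    for name, verdict in verdicts.items():
        print(f"{name:16} {verdict}")
    kept = [r for r in UDRS if verdicts[r["name"]] != "remove"]
    for dest in ("10.50.1.10", "10.60.8.5", "10.60.1.10"):
        print(dest, next_hop(dest, UDRS, HUB_PREFIXES), "->", next_hop(dest, kept, HUB_PREFIXES))
```

The `review` route (0.0.0.0/0) does not override the hub prefixes, but it still sends every other destination to the vMX, so it needs a decision before the appliance is decommissioned.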

1 additional answer

  1. Alex Burlachenko 5,430 Reputation points
    2025-04-30T08:19:55.4366667+00:00

    Hi Jeremy,

    Thank you for posting your question on the Q&A portal! The community is happy to help you with your migration from Meraki to Azure Virtual WAN (VWAN).

    Your goal is to replace the Meraki VMX with Azure VWAN, using a new router for site-to-site VPN connections. Let's do this.

    Set Up Azure Virtual WAN Hub
    Deploy a Virtual WAN Hub in Azure. Configure Site-to-Site VPN to connect your on-premises router to the VWAN hub.

    Connect Your VNet to the VWAN Hub
    Instead of VNet peering, use Virtual Hub Connection to link your existing VNet to the VWAN hub. This automatically propagates routes, eliminating the need for manual route tables (unless you need custom routing).

    Update Route Tables
    If you were using custom route tables pointing to the Meraki VMX, update them to use the Virtual Hub as the next hop. VWAN uses automated routing, so manual route changes may not be necessary.

    Pls review the docs below, they could be helpful

    Azure Virtual WAN Documentation

    Connect a VNet to a Virtual WAN Hub

    Migrate to Azure VWAN from traditional VPN

    If you need custom routing, consider Route Tables or Azure Firewall (if using Secure Hub).

    And of coz test it in a non-production environment first )

    Best regards,
    Alex
    P.S. If my answer helps you, please Accept my answer
    PPS That is my Answer and not a Comment
    
    1 person found this answer helpful.
