Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
187 questions
VWAN hub Meraki
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 3%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
HHinparadise
6
Reputation points
We are configuring a VWAN hub with multiple site to site connections. Branch to branch connectivity is not desire with the exception of 1 location(hub2). While natively in Meraki we could have the hub2 location configured as a hub and peer all of the spokes to it, we would like for the VWAN to be the only hub. Meraki 3rd party VPN is an organizational wide setting so currently all spokes are connected and the remote subnets are configured for all Azure subnets. I cannot add the subnet of hub 2 as hub 2 would then send all of its traffic to the VWAN. I am thinking if I put a DNAT on the VWAN and advertised it in the Meraki remote subnets for the 3rd party VPN that connectivity could be achieved with minimal effort . (i would have to add static routes on the hub2 network for the branch locations to the private gw address of the VWAN as the next hop) Has anyone attempted this configuration and if so what implications or issues did you see?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee2021-11-08T21:15:08.637+00:00 Hello @HHinparadise , Thank you for reaching out. If I have understood the question correctly you want to set Branch-Branch connectivity using Hub2 MX only and from the given diagram above Spoke 1 MX can reach out to 10.2.0.0/24 subnet (Remote) it will use NAT at VWAN hub 192.168.40.0/24 - 10.2.0.0/24.
As per the documentation when using NAT with Virtual WAN VPN gateway be aware ofSite-to-site NAT is not supported with Site-to-site VPN connections where policy based traffic selectors are used
NAT usually used when you have overlapping IP addresses, from the diagram I am not sure if there are any overlapping address. Secondly to better understand the scenario can you please tell us what will be routes associated with VWAN hub? and which routes will be propagated from you Hub2 branch to VWAN hub?
Also, as per the Additional considerations for Virtual WAN routing Branch-to-branch via Azure Firewall is currently not supported. -
HHinparadise 6 Reputation points
2021-11-08T23:36:35.4+00:00 Hi @ChaitanyaNaykodi-MSFT thank you for the reply. The diagram is an example and there will be 70 additional spokes. The intent is to use routebased not policy based. The hub2 subnet overlaps itself as a remote subnet because the Meraki appliance advertises its remote subnets organizational wide (all spokes that are in the Meraki Organization) If I don't advertise the hub2 subnet the spokes will not know how to reach the hub2 but if I don't Nat hub2 subnet the local traffic will loop as it will send 192.168.40.0 to the vwan hub.
Example of routing
spoke 1 to VNet next hop vwan
spoke 1 to hub2 next hop vwanhub 2 to VNET next hop vwan
hub 2 to spoke1 next hop vwan
hub 2 to spoke2 next hop vwan -
ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee
2021-11-30T18:31:31.333+00:00 Hello @HHinparadise , apologies for the delay and Thank you for providing additional details. Please do let us know if you face any issues while configuring this set-up. Thank you!
Sign in to comment