Wondering if anyone else has any experience with incorporating two separate point-to-site VPN solutions successfully into Azure - I’m currently running into some routing issues. For a little back story - we are in the process of replacing all of our firewalls (roughly 35) with the Cisco Meraki MX series along with a virtual MX that is hosted in our primary Azure virtual network. Our two primary physical locations as well as our vMX are configured as hubs, and the remaining sites are configured as spokes. In an attempt to avoid disruption as best we can, we’re using the Merakis in the hub locations as a VPN concentrator for the spoke sites that have had their MXs installed, and have static routes configured to point to our existing firewall for LAN networks that haven’t been cut over yet. This is all working as expected for our internal resources and hosted Azure services (for sites that have been cut over to a new MX we leverage route tables with next-hop routes in Azure per Cisco’s documentation here: vMX Setup Guide for Microsoft Azure - Cisco Meraki).
The hangup. Until this point, our client VPN solution has been Azure VPN as configured following this guide: Tutorial – Create & manage a VPN gateway – Azure portal - Azure VPN Gateway | Microsoft Learn. This has worked seamlessly for our old firewall environment, as we leveraged Local Network Gateways and Connections to create site-to-site VPNs from our on-premises locations to Azure, whose routes automatically get added to the Azure VPN client. As we’ve been bringing spoke sites online, I’m finding that once I add those routes to the route tables, they disappear from my Azure VPN client and I’m no longer able to connect to anything at those sites. Interestingly, before my PC receives the update from Azure and the route still exists in my client, I can communicate with the spoke sites as I would expect. Once that route is removed from my VPN client I can RDP into a server in Azure that’s included in one of the presented subnets and connect to those sites as expected, but my client PC loses the ability to connect.
Does anyone have any idea how I can retain those routes in the Azure VPN client? Route tables are incapable of targeting Virtual Network Gateways (only Virtual Networks and subnets), and I’ve tried setting the Local Network Gateway’s target IP address to our internal vMX IP like I did with the next-hop route in the route table but have been unsuccessful.
We will eventually be migrating over to Cisco AnyConnect, but I was hoping we could do a staged migration so we don’t have to try and update 200 VPN clients overnight.
Update: WOW. I must simply be blind. I found the ‘Additional routes to advertise’ parameter in the Point-to-site configuration blade, and after adding the routes of the spoke sites that have an MX installed I’m able to reach them via the Azure VPN client. Thank you for the responses!
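The fix in the update (the point-to-site “Additional routes to advertise” setting) can be scripted so the advertised prefixes stay in step with the route tables that already point at the vMX. This is an added Az PowerShell example, not code from the original post or from Cisco/Microsoft; the resource group, gateway name and vMX private IP are placeholders, and it assumes the vMX routes are ordinary UDR entries with next hop type VirtualAppliance.

```powershell
# Added example (not from the original post). Keeps the VPN gateway's point-to-site
# custom routes ("Additional routes to advertise") in sync with every prefix that the
# VNet route tables already send to the vMX, so the Azure VPN client keeps the spoke routes.
# Placeholders: resource group, gateway name, and the vMX LAN-side private IP used as next hop.
$ResourceGroup = 'rg-hub-prod'      # placeholder
$GatewayName   = 'vgw-hub-prod'     # placeholder
$VmxPrivateIp  = '10.100.1.4'       # placeholder

# 1. Collect the spoke prefixes: routes whose next hop is the vMX appliance.
$spokePrefixes = Get-AzRouteTable -ResourceGroupName $ResourceGroup |
    ForEach-Object { $_.Routes } |
    Where-Object { $_.NextHopType -eq 'VirtualAppliance' -and $_.NextHopIpAddress -eq $VmxPrivateIp } |
    Select-Object -ExpandProperty AddressPrefix -Unique

# 2. Merge with what the gateway already advertises so nothing previously added is dropped.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
$existing = @()
if ($gw.CustomRoutes -and $gw.CustomRoutes.AddressPrefixes) {
    $existing = @($gw.CustomRoutes.AddressPrefixes)
}
$desired = @(($existing + $spokePrefixes) | Sort-Object -Unique)
$toAdd   = @($desired | Where-Object { $existing -notcontains $_ })

# 3. Only update the gateway when the advertised set actually changes
#    (a gateway update takes several minutes, so avoid no-op writes).
if ($toAdd.Count -gt 0) {
    Write-Host "Advertising new point-to-site routes: $($toAdd -join ', ')"
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $desired | Out-Null
} else {
    Write-Host 'Point-to-site custom routes are already up to date.'
}

# 4. Show the prefixes the Azure VPN client will now be handed.
(Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName).CustomRoutes.AddressPrefixes
```

Run it after each spoke cut-over (once its route-table entry exists) and the corresponding prefix is added to the gateway's custom routes without touching the ones already advertised.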