Deploying Cisco Meraki vMX with Bicep

This technical article walks you through deploying a Cisco Meraki vMX virtual appliance in Azure using a Bicep template. The vMX is commonly used for SD-WAN and secure connectivity between Azure and on-premises or branch locations. This guide explains the Bicep code, required parameters, and best practices for secure deployment.


Prerequisites

  • Meraki Dashboard Authentication Token: Obtain your Meraki authentication string from the Meraki Dashboard. Do not hardcode this in your template or documentation.
  • Azure Subscription: Ensure you have sufficient permissions to deploy marketplace resources and managed applications.
  • Resource Groups: Identify or create the resource groups for your vMX and virtual network.

Bicep Template: meraki.bicep

Below is the Bicep template for deploying the Cisco Meraki vMX. Sensitive values (such as the authentication token) are not included and should be provided securely at deployment time.

@description('Deployment location')
param location string = 'westus'

@description('This is the name of your VM')
@metadata({ title: 'VM Name' })
param vmName string = 'DRAZGDEPMEDGE01'

@description('This is your authentication string generated by Meraki Dashboard')
@secure() // Keeps the value out of deployment history and logs
param merakiAuthToken string // No default: provide securely at deployment time

@description('Availability zone number for the vMX')
@allowed([
  '0'
  '1'
  '2'
  '3'
])
param zone string = '0'

@description('New or Existing VNet Name')
param virtualNetworkName string = 'vnet-gdep-pwus-fortinet'

@description('String indicating whether the VNet is new or existing')
param virtualNetworkNewOrExisting string = 'existing'

@description('VNet address prefix')
param virtualNetworkAddressPrefix string = '10.27.1.0/24'

@description('Resource group of the VNet')
param virtualNetworkResourceGroup string = 'dr-rg-gdep-pwus-vnets'

@description('The size of the VM')
param virtualMachineSize string = 'Standard_F4s_v2'

@description('New or Existing subnet Name')
param subnetName string = 'snet-gdep-pwus-sdwan-public-new'

@description('Subnet address prefix')
param subnetAddressPrefix string = '10.27.35.0/24'
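
@description('Name for the managed application resource')
param applicationResourceName string = 'DRCiscoMeraki'

@description('Resource ID of the managed resource group for the application (update with your values)')
param managedResourceGroupId string = '/subscriptions/<your-subscription-id>/resourceGroups/<your-managed-rg>'

@description('System-assigned managed identity for the deployment')
param managedIdentity object = { type: 'SystemAssigned' }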

resource applicationResource 'Microsoft.Solutions/applications@2021-07-01' = {
  name: applicationResourceName
  location: location
  kind: 'MarketPlace'
  identity: managedIdentity
  plan: {
    name: 'cisco-meraki-vmx'
    product: 'cisco-meraki-vmx'
    publisher: 'cisco'
    version: '15.37.4'
  }
  properties: {
    managedResourceGroupId: managedResourceGroupId
    parameters: {
      location: {
        value: location
      }
      merakiAuthToken: {
        value: merakiAuthToken
      }
      subnetAddressPrefix: {
        value: subnetAddressPrefix
      }
      subnetName: {
        value: subnetName
      }
      virtualMachineSize: {
        value: virtualMachineSize
      }
      virtualNetworkAddressPrefix: {
        value: virtualNetworkAddressPrefix
      }
      virtualNetworkName: {
        value: virtualNetworkName
      }
      virtualNetworkNewOrExisting: {
        value: virtualNetworkNewOrExisting
      }
      virtualNetworkResourceGroup: {
        value: virtualNetworkResourceGroup
      }
      vmName: {
        value: vmName
      }
      zone: {
        value: zone
      }
    }
  }
}

Parameter Explanations

  • location: Azure region for deployment (e.g., westus).
  • vmName: Name for the Meraki vMX VM.
  • merakiAuthToken: Meraki Dashboard authentication string. The template sets no default for it, so provide it securely at deployment time (e.g., via a parameter file kept out of source control, or a secret store).
  • zone: Availability zone for the vMX (0-3).
  • virtualNetworkName: Name of the VNet to deploy into.
  • virtualNetworkNewOrExisting: Specify if the VNet is new or existing.
  • virtualNetworkAddressPrefix: Address prefix for the VNet.
  • virtualNetworkResourceGroup: Resource group containing the VNet.
  • virtualMachineSize: Azure VM size for the vMX.
  • subnetName: Name of the subnet for the vMX.
  • subnetAddressPrefix: Address prefix for the subnet.
  • applicationResourceName: Name for the managed application resource.
  • managedResourceGroupId: Resource ID of the managed resource group for the application (update with your values).
  • managedIdentity: System-assigned managed identity for the deployment.

How the Bicep Template Works

  • Marketplace Deployment: Uses the Microsoft.Solutions/applications resource to deploy the Cisco Meraki vMX from the Azure Marketplace.
  • Parameterization: All key settings (network, VM size, zone, etc.) are parameterized for flexibility.
  • Security: The Meraki authentication token is never hardcoded—always provide it securely.
  • Managed Identity: Uses a system-assigned managed identity for secure resource access.

Best Practices

  • Never commit sensitive tokens to source control. Use parameter files, Azure Key Vault, or pipeline secrets.
  • Review and update the managedResourceGroupId and other resource IDs for your environment.
  • Monitor deployment via Azure Portal or CLI for success and troubleshooting.
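
One way to supply the token from Azure Key Vault, as an added example that is not part of the original template: a hypothetical wrapper file, main.bicep, reads the secret with getSecret() and passes it to meraki.bicep as a module. The vault name, its resource group and the secret name are placeholders, and the example assumes merakiAuthToken in meraki.bicep is declared with @secure(), which getSecret() requires.

```bicep
// main.bicep: added example, not part of the original template.
// Assumptions: the Key Vault, its resource group and the secret name are
// hypothetical; meraki.bicep declares merakiAuthToken with @secure().

@description('Name of an existing Key Vault holding the Meraki token (hypothetical)')
param keyVaultName string

@description('Resource group of that Key Vault (hypothetical)')
param keyVaultResourceGroup string

@description('Secret that stores the Meraki authentication string (hypothetical name)')
param merakiTokenSecretName string = 'meraki-vmx-auth-token'

@description('Resource ID of the managed resource group for the application')
param managedResourceGroupId string

// Reference the vault without managing it from this deployment.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

// getSecret() is only valid as the value of a module parameter marked
// @secure(), so the token never appears in a parameter file, on the
// command line, or in the deployment's recorded inputs.
module vmx 'meraki.bicep' = {
  name: 'deploy-meraki-vmx'
  params: {
    merakiAuthToken: kv.getSecret(merakiTokenSecretName)
    managedResourceGroupId: managedResourceGroupId
    // Remaining parameters fall back to the defaults in meraki.bicep.
  }
}
```

The vault must have enabledForTemplateDeployment set to true, and the deploying identity needs the Microsoft.KeyVault/vaults/deploy/action permission on it.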

Summary

This Bicep template enables automated, secure deployment of Cisco Meraki vMX in Azure. By parameterizing all key settings and handling secrets securely, you can quickly integrate Meraki SD-WAN into your Azure landing zone.

Ready to deploy? Use this template with your own parameters and secrets for a secure, repeatable deployment.