Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Adding Cloud Spoke Sites for SD-WAN Deployment

 

A cloud spoke represents an automation endpoint (virtual machine (VM) or an EC2 Instance) running with Juniper Networks vSRX image in the Amazon Web Services(AWS) virtual private cloud (VPC). The cloud spoke sites are connected with the hub sites using the overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud site for a tenant.

To add a cloud spoke site:

  1. Select Sites > Site Management.

    The Sites page appears.

  2. Click Add and select Cloud Spoke.

    The Add Site for Tenant Name page appears.

  3. Complete the configuration settings in the Site Information, Configuration, and Service Attachment Points sections according to the guidelines provided in Table 1.Note

    Fields marked with an asterisk (*) are mandatory.

  4. Review the configuration and modify the settings, if needed, from the Summary tab.
  5. Click OK.

    The newly added cloud spoke site is displayed on the Sites page.

Table 1: Fields on the Add Cloud Spoke Site Page

Field

Description

Site Information

Site Name

Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 15 characters.

Example: aws-cloud-spoke

Site Type

Displays the site type as Spoke. This field cannot be modified.

Tenant Topology

Displays the SD-WAN mode for the tenant. This field cannot be modified.

Site Group

(Optional) Select a site group to which you want to assign the site.

Example: cloud-spoke

Cloud Information

Region

Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.

Example: Ohio

VPC ID

Enter the VPC ID from the AWS account.

To obtain VPC ID:

  1. Log in to AWS account.
  2. Search for VPC service.
  3. Click the VPC dashboard.
  4. Select a VPC ID.

Ensure that the VPC is attached to the Internet gateway.

To check whether VPC is attached:

  1. Log in to AWS account.
  2. Search for VPC service.
  3. Click the Internet Gateway dashboard.
  4. Check whether the VPC state is attached.

Example: vpc-6d810314

Management Subnet

Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration. The following options are available:

  • Use an existing subnet in AWS account

  • Create new

IP Prefix

Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

Example: 105.0.1.5/24

Connectivity Requirements

Click a connection plan to select the plan for WAN connectivity.

A connection plan contains information prepopulated from the device template, and includes the device information, a list of SD-WAN features supported, and the number of links supported.

Note: vSRX as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.

Management Connectivity IP Prefix

IP Prefix

Enter an IPv4 address prefix for the cloud spoke site. The IP address prefix must be unique across the entire network.

Example: 192.0.2.10/24

WAN Underlay Links

WAN_0

WAN_1

Select the check boxes to configure the WAN links. Depending on the connection plan selected, you can configure up to two WAN links per site that support SD-WAN. You can configure these links as MPLS or Internet links.

Type

Displays the connection type for WAN underlays. Only Internet link is supported.

Subscribed Bandwidth

Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.

Provider

Enter the name of the service provider (SP).

Cost/Month

Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic if multiple WAN links meet SLA profile parameters. For more information on link switching based on the cost parameter, see Cost-Based Link Switching.

Enable Local Breakout

Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.

Note: If you enable local breakout on a WAN link, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Static IP Prefix

Enter the private IPv4 address from the subnet. For example, if the IPv4 CIDR address is 105.0.2.0/24 for a WAN interface in the AWS account, then enter any IP address inside the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

Example: 105.0.2.12/24

Gateway IP

Enter the IPv4 address for the gateway. Typically, the first IP address in the subnet is selected for gateway IP address.

Example: 105.0.2.1

Elastic IP

Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the privet subnet IP using one-to-one NAT. You must allocate the IP addresses based on the number of WAN links that are enabled. For example, If two WAN links are enabled, then you must allocate two elastic IP addresses.

Example: 34.213.255.184

Traffic Type

Select the traffic type. The options available are:

  • DATA_ONLY—Select this option if you want to use the WAN link to transmit only data traffic.

  • OAM_AND_DATA—Select this option if you want to use the WAN link to transmit both data traffic and management traffic.

Note: You must select at least one WAN link with the OAM_AND_DATA traffic type.

Connect to Hub

Click the toggle button to specify whether to use the WAN link to connect the spoke site to a hub. By default, this option is disabled for all WAN links.

Note: In real time-optimized deployments, you must enable the Connect to Hubs feature to establish secure OAM IPsec tunnels.

Used for OAM

Click the toggle button to specify whether to use the WAN link to setup OAM tunnel to the OAM hub. By default, this option is disabled for all WAN links.

Note: In bandwidth-optimized deployments, you must enable the Use for OAM Traffic option on at least one WAN link to establish secure OAM IPsec tunnels.

Additional Requirements

Based on the connectivity requirement, the following fields are populated:

Default Links

Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.

Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).

Backup Link

Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.

Preferred Breakout Link

Select the preferred link for local breakout. If no link is selected, then the breakout link is chosen using ECMP from the available links.

Enable Hub Multihoming

Select this option to enable multihoming on the site. Multihoming is the ability of a spoke site to connect to multiple hub sites, thereby providing redundancy.\

LAN Segments

Add at least one LAN segment.

Name

Enter a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.

Type

Select the type of LAN segment:

  • Directly Connected—Indicates that the LAN segment is directly connected to the site. This is the default.

  • Dynamic Routed—Indicates that the LAN segment is not directly connected to the site and is reachable by using a dynamic route. If you select this option, you must specify the dynamic routing information.

    Note: You can configure dynamically routed LAN segments only for gateway sites.

Port

Select one or more port numbers from the list depending on the connection plan that you previously specified.

Note: The ports in LAN segment must be contiguous. For example, If both WAN_0 and WAN_1 are enabled and are using interfaces ge-0/0/0 and ge-0/0/1 respectively, then LAN_0 must use ge-0/0/2. If only WAN_0 is enabled and is using interface ge-0/0/0, the LAN_0 must use ge-0/0/1.

IP Address Prefix

Enter the IP address prefix for the LAN segment. The IP prefix is for the network on the LAN side of the CPE device with vSRX instance. Go to AWS account, check the subnet and provide an IPv4 address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

Example: 105.0.4.5/24

Department

Select a department to which the LAN segment is to be assigned. You group LAN segments as departments for ease of management and for applying policies at the department-level. For LAN segments that are dynamically routed, you can assign only a data center department.

Alternatively, click Create Department to create a new department and assign the LAN segment to it. See Adding a Department.