Adding Cloud Spoke Sites for SD-WAN Deployment
A cloud spoke represents an automation endpoint (a virtual machine (VM) or an EC2 instance) running the Juniper Networks vSRX image in an Amazon Web Services (AWS) virtual private cloud (VPC). Cloud spoke sites are connected to the hub sites through overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud spoke site for a tenant.
To add a cloud spoke site:
- Select Sites > Site Management.
The Sites page appears.
- Click Add and select Cloud Spoke.
The Add Site for Tenant Name page appears.
- Complete the configuration settings in the Site Information, Configuration, and Service Attachment Points sections according to the guidelines provided in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Review the configuration and modify the settings, if needed, from the Summary tab.
- Click OK.
The newly added cloud spoke site is displayed on the Sites page.
Table 1: Fields on the Add Cloud Spoke Site Page
Enter a unique name for the site. The name is a unique string of alphanumeric characters and the hyphen (-) special character. The maximum length is 15 characters.
Displays the site type as Spoke. This field cannot be modified.
Displays the SD-WAN mode for the tenant. This field cannot be modified.
(Optional) Select a site group to which you want to assign the site.
Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.
Enter the VPC ID from the AWS account.
To obtain the VPC ID:
Ensure that the VPC is attached to the Internet gateway.
To check whether the VPC is attached:
Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration. The following options are available:
Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.
Click a connection plan to select the plan for WAN connectivity.
A connection plan contains information prepopulated from the device template, and includes the device information, a list of SD-WAN features supported, and the number of links supported.
Note: The vSRX as SD-WAN spoke in AWS template supports cloud spoke sites for AWS VPC.
Management Connectivity IP Prefix
Enter an IPv4 address prefix for the cloud spoke site. The IP address prefix must be unique across the entire network.
WAN Underlay Links
Select the check boxes to configure the WAN links. Depending on the connection plan selected, you can configure up to two WAN links per site that support SD-WAN. You can configure these links as MPLS or Internet links.
Displays the connection type for WAN underlays. Only Internet link is supported.
Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.
Enter the name of the service provider (SP).
Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic if multiple WAN links meet SLA profile parameters. For more information on link switching based on the cost parameter, see Cost-Based Link Switching.
Enable Local Breakout
Click the toggle button to enable local breakout on the WAN link. By default, local breakout is disabled.
Note: If you enable local breakout on a WAN link, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.
Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.
Static IP Prefix
Enter the private IPv4 address from the subnet. For example, if the IPv4 CIDR address is 184.108.40.206/24 for a WAN interface in the AWS account, then enter any IP address inside the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.
Enter the IPv4 address of the gateway. Typically, the first IP address in the subnet is used as the gateway IP address.
An Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP address using one-to-one NAT. You must allocate Elastic IP addresses according to the number of WAN links that are enabled. For example, if two WAN links are enabled, you must allocate two Elastic IP addresses.
Select the traffic type. The options available are:
Note: You must select at least one WAN link with the OAM_AND_DATA traffic type.
Connect to Hub
Click the toggle button to specify whether to use the WAN link to connect the spoke site to a hub. By default, this option is disabled for all WAN links.
Note: In real-time-optimized deployments, you must enable the Connect to Hub option to establish secure OAM IPsec tunnels.
Used for OAM
Click the toggle button to specify whether to use the WAN link to set up an OAM tunnel to the OAM hub. By default, this option is disabled for all WAN links.
Note: In bandwidth-optimized deployments, you must enable the Use for OAM Traffic option on at least one WAN link to establish secure OAM IPsec tunnels.
Based on the connectivity requirement, the following fields are populated:
Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.
Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).
Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.
When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.
Preferred Breakout Link
Select the preferred link for local breakout. If no link is selected, then the breakout link is chosen using ECMP from the available links.
Enable Hub Multihoming
Select this option to enable multihoming on the site. Multihoming is the ability of a spoke site to connect to multiple hub sites, thereby providing redundancy.
Add at least one LAN segment.
Enter a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.
Select the type of LAN segment:
Select one or more port numbers from the list depending on the connection plan that you previously specified.
Note: The ports in a LAN segment must be contiguous with the WAN ports. For example, if both WAN_0 and WAN_1 are enabled and use interfaces ge-0/0/0 and ge-0/0/1 respectively, then LAN_0 must use ge-0/0/2. If only WAN_0 is enabled and uses interface ge-0/0/0, then LAN_0 must use ge-0/0/1.
IP Address Prefix
Enter the IP address prefix for the LAN segment. The IP prefix is for the network on the LAN side of the CPE device (the vSRX instance). In the AWS account, check the subnet and provide an IPv4 address within that subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.
Select a department to which the LAN segment is to be assigned. You group LAN segments into departments for ease of management and for applying policies at the department level. For LAN segments that are dynamically routed, you can assign only a data center department.
Alternatively, click Create Department to create a new department and assign the LAN segment to it. See Adding a Department.
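Several rules in Table 1 are easy to get wrong when they are applied by hand: the management IP, WAN static IP and LAN IP must lie inside their AWS subnet but outside the four addresses AWS reserves; the Elastic IP count must match the number of enabled WAN links; at least one enabled link must carry OAM_AND_DATA; the backup link cannot also be a default link or a breakout-only link; and LAN ports must continue directly after the last WAN interface. The following pre-flight validator is an added example written for this page, not CSO code or a CSO API; the dictionary keys are hypothetical names chosen here, the site definition and the 198.51.100.x Elastic IPs are constructed sample data, and the treatment of the subnet's last (broadcast) address as reserved follows AWS documentation rather than this page.

```python
import copy
import ipaddress
import re

# Constructed example site definition for this illustration. The keys are
# hypothetical names chosen for this example, not CSO API or UI identifiers.
EXAMPLE_SITE = {
    "name": "aws-spoke-01",
    "management_subnet": "10.10.1.0/24",
    "management_ip": "10.10.1.10",
    "wan_links": [
        {"name": "WAN_0", "enabled": True, "interface": "ge-0/0/0",
         "subnet": "10.10.2.0/24", "static_ip": "10.10.2.10", "gateway": "10.10.2.1",
         "traffic_type": "OAM_AND_DATA", "breakout_only": False},
        {"name": "WAN_1", "enabled": True, "interface": "ge-0/0/1",
         "subnet": "10.10.3.0/24", "static_ip": "10.10.3.10", "gateway": "10.10.3.1",
         "traffic_type": "DATA_ONLY", "breakout_only": False},
    ],
    "elastic_ips": ["198.51.100.10", "198.51.100.11"],  # constructed sample addresses
    "default_links": ["WAN_0"],
    "backup_link": "WAN_1",
    "lan_segments": [
        {"name": "lan0", "ports": ["ge-0/0/2"], "prefix": "10.10.4.0/24", "lan_ip": "10.10.4.10"},
    ],
}

SITE_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")   # alphanumeric plus '-', max 15
LAN_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")     # alphanumeric, no spaces, max 15


def reserved_addresses(cidr):
    """Addresses AWS never hands out in a subnet: the first four (as the page
    states) plus the last one, the broadcast address (per AWS documentation)."""
    addrs = list(ipaddress.ip_network(cidr, strict=True))
    return set(addrs[:4]) | {addrs[-1]}


def check_host(ip, cidr, allow_reserved=False):
    """Return an error string, or None if ip lies inside cidr and is usable."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return f"{ip} is not inside {cidr}"
    if not allow_reserved and addr in reserved_addresses(cidr):
        return f"{ip} is one of the AWS-reserved addresses of {cidr}"
    return None


def port_index(interface):
    """Map an interface name such as ge-0/0/2 to its port number (2)."""
    return int(interface.rsplit("/", 1)[1])


def validate_site(site):
    """Apply the Table 1 rules to a site definition; return a list of errors."""
    errors = []
    if not SITE_NAME_RE.match(site["name"]):
        errors.append("site name must be 1-15 alphanumeric or '-' characters")
    err = check_host(site["management_ip"], site["management_subnet"])
    if err:
        errors.append("management: " + err)

    enabled = [l for l in site["wan_links"] if l["enabled"]]
    if not 1 <= len(enabled) <= 2:
        errors.append("between one and two WAN links must be enabled")
    if not any(l["traffic_type"] == "OAM_AND_DATA" for l in enabled):
        errors.append("at least one enabled WAN link needs traffic type OAM_AND_DATA")
    if len(site["elastic_ips"]) != len(enabled):
        errors.append(f"{len(enabled)} Elastic IPs required, {len(site['elastic_ips'])} allocated")

    by_name = {l["name"]: l for l in enabled}
    for link in enabled:
        err = check_host(link["static_ip"], link["subnet"])
        if err:
            errors.append(f"{link['name']} static IP: {err}")
        # The gateway is normally the subnet's first address, which sits inside
        # the reserved block, so only require that it lies within the subnet.
        err = check_host(link["gateway"], link["subnet"], allow_reserved=True)
        if err:
            errors.append(f"{link['name']} gateway: {err}")

    backup = site.get("backup_link")
    for name in site["default_links"]:
        if name not in by_name:
            errors.append(f"default link {name} is not an enabled WAN link")
        elif by_name[name]["breakout_only"]:
            errors.append(f"default link {name} cannot be breakout-only")
        if name == backup:
            errors.append(f"{name} cannot be both a default link and the backup link")
    if backup in by_name and by_name[backup]["breakout_only"]:
        errors.append(f"backup link {backup} cannot be breakout-only")

    # LAN ports must continue the numbering right after the last enabled WAN port.
    next_port = max(port_index(l["interface"]) for l in enabled) + 1 if enabled else 0
    for seg in site["lan_segments"]:
        if not LAN_NAME_RE.match(seg["name"]):
            errors.append(f"LAN segment name {seg['name']!r} must be 1-15 alphanumeric characters")
        idxs = sorted(port_index(p) for p in seg["ports"])
        if idxs != list(range(next_port, next_port + len(idxs))):
            errors.append(f"{seg['name']} ports must be contiguous starting at ge-0/0/{next_port}")
        next_port += len(idxs)
        err = check_host(seg["lan_ip"], seg["prefix"])
        if err:
            errors.append(f"{seg['name']} IP: {err}")
    return errors


def misconfigured_site():
    """A constructed copy of EXAMPLE_SITE with four deliberate mistakes."""
    bad = copy.deepcopy(EXAMPLE_SITE)
    bad["management_ip"] = "10.10.1.2"          # inside the AWS-reserved block
    bad["elastic_ips"] = ["198.51.100.10"]      # one EIP for two enabled links
    bad["backup_link"] = "WAN_0"                # same link as the default link
    bad["lan_segments"][0]["ports"] = ["ge-0/0/3"]  # skips ge-0/0/2
    return bad


if __name__ == "__main__":
    print("valid site:", validate_site(EXAMPLE_SITE))
    for problem in validate_site(misconfigured_site()):
        print("error:", problem)
```

Running the script reports no errors for the constructed valid site and four for the misconfigured copy. The checks are intentionally conservative: they only encode what Table 1 states plus the AWS broadcast reservation, so a site that passes still needs the VPC, Internet gateway and subnet to exist in the AWS account.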