Provisioning a Cloud Spoke Site in AWS VPC


Use the following high-level steps to provision a vSRX cloud spoke site in Amazon Web Services (AWS) virtual private cloud (VPC).

Before you begin:

  • Set up your Amazon Web Services (AWS) account.

  • Identify the virtual private cloud (VPC) to which the AWS spoke site must be provisioned.

  • Install licenses to use vSRX features. Choose any of the following AWS vSRX Image Licenses.

  • Ensure that you have the supported software version for the AWS spoke.

  • Reserve two elastic IP addresses on AWS.

  • Reserve two public IP addresses.

To set up and monitor your network:

Add a Cloud Spoke Site

To add a cloud spoke site:

  1. Select Sites > Site Management.

    The Sites page appears.

  2. On the Sites page, click Add > Cloud Spoke.

    The Add Cloud Spoke Site page appears.

  3. Specify the site information, such as site name, AWS region, VPC ID, management subnet, and IP prefix, and click Next.
  4. Specify vSRX as SD-WAN spoke in AWS as the connection plan.

    Note:

    • Only Hub-Spoke topology is supported for AWS cloud spoke site.

    • Only Internet link is supported for WAN underlay connections.

  5. Provide the WAN details and click Next.

    The WAN traffic page appears, displaying a set of values for the WAN link configuration.

  6. Specify additional requirements and click Next.
  7. Specify LAN segment information and click Next.
  8. In the Summary tab, check the configuration and click Edit to modify the settings.
  9. Click OK to save the changes.

    The new cloud spoke site that you created appears in the Sites page.

Configure the Cloud Spoke Site

To configure a cloud spoke site:

  1. Select Sites > Site Management.

    The Sites page appears.

  2. Select the cloud spoke site that you created and click Configure Site.

    The Configure Site page appears.

  3. In the Connectivity tab, specify the primary hub site details, overlay tunnel information, and WAN interface details.
  4. Click OK.
  5. Click the Devices tab and enter the activation code provided by your service provider.
  6. Click OK.

    The site status is changed to Configured.

Download the Cloud Formation Template

To download the cloud formation template:

  1. Click Resources > Devices.

    The Devices page appears.

  2. Identify the device that you want to activate.

    You can activate a device if its status is Expected.

  3. Select the device and click Activate Device.

    The Activate Device page appears.

  4. Enter the activation code supplied by the service provider.

    You can download the cloud formation template after you enter the correct activation code.

  5. Click Download to download the cloud formation template.

    The template is downloaded to your local computer in JSON format.

Provision the Device on AWS Server

CSO creates a cloud formation template with the stage-1 configuration bundled in JSON format. You must download this template and then upload it to AWS to provision the vSRX. The cloud formation template creates the required resources, such as the subnet, interface, and vSRX, and applies the stage-1 configuration.

To provision the device on AWS server:

  1. Log in to your AWS account.
    • If you have already logged in to your AWS account, the Create Stack page appears.

    • If you are not logged into your AWS account, a new Web page opens in your browser, displaying the AWS login information. Log in to your AWS account.


      If you do not see the Create Stack page when you log in to or access your AWS account, then search for CloudFormation service.

      The Create Stack page appears.

  2. Select CloudFormation > Stacks > Create Stack > Upload a template to Amazon S3.
  3. Click Choose File and select the cloud formation template that you downloaded in JSON format.
  4. Click Next.
  5. Specify the Stack name. For example, Oregonstack.
  6. Specify the Custom Image Id for the vSRX.

    You must ensure that you have the supported software image for the AWS spoke. If the image is unavailable on the AWS marketplace, you must do the following to get the AMI number for your desired region:

    1. Log in to the Administration Portal.
    2. Select Resources > Device Templates.

      The Device Template page appears.

    3. Select vSRX as SD-WAN spoke in AWS.
    4. Select Edit Device Template > Template Settings.

      The Template Settings page appears.

    5. Modify the image ID to the AMI ID for your region.
    6. Click Save.
    7. Paste the AMI ID in the CustomImageId field.

    You must specify the Custom Image ID field because not doing so results in failure during stack creation or provisioning.

  7. In the Parameters section, specify the KeyName for your EC2 instance.
  8. Click Next.
  9. Select I acknowledge that AWS CloudFormation might create IAM Resources.
  10. Click Create.

    The Create Stack page displays a list of existing stacks and indicates that it is creating the stack that you requested. The create stack process takes up to 30 minutes. If the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.
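
A pre-upload review of the downloaded template, as an added example that is not part of the original page or of CSO's own tooling: it lists the IAM resources that the acknowledgment in step 9 permits, confirms that the CustomImageId and KeyName parameters exist and must be supplied, and flags security-group ingress open to any address. The sample template is constructed; the real template's resource names and layout are assumptions.

```python
import json

# Constructed sample: the real CSO template's resource names and layout are not shown on the page.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "CustomImageId": {"Type": "String"},
        "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
    },
    "Resources": {
        "SpokeSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {}},
        "SpokeRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "MgmtSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "CidrIp": "198.51.100.10/32"},
            ]}},
        "vSRX": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Ref": "CustomImageId"}, "KeyName": {"Ref": "KeyName"}}},
    },
})

REQUIRED_PARAMS = ("CustomImageId", "KeyName")  # parameter names from the procedure above
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def review_template(text):
    """Summarize what a CloudFormation JSON template will create, before it is uploaded."""
    tpl = json.loads(text)
    params = tpl.get("Parameters", {})
    resources = tpl.get("Resources", {})
    report = {
        "missing_params": [p for p in REQUIRED_PARAMS if p not in params],
        # No Default means the value must be typed in on the stack parameters page.
        "must_supply": [p for p in REQUIRED_PARAMS if p in params and "Default" not in params[p]],
        "iam_resources": sorted(n for n, r in resources.items()
                                if r.get("Type", "").startswith("AWS::IAM::")),
        "open_ingress": [],
    }
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        rules = res.get("Properties", {}).get("SecurityGroupIngress", [])
        for rule in (r for r in rules if isinstance(r, dict)):
            if (rule.get("CidrIp") or rule.get("CidrIpv6")) in OPEN_CIDRS:
                report["open_ingress"].append(
                    (name, rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")))
    return report

if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

Ingress rules declared as separate AWS::EC2::SecurityGroupIngress resources are not covered by this check and need the same review.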

Activate the Device

To activate the device:

  1. After the create stack process is complete, return to the Customer Portal and click Next.

    The Activate Device page displays a status indicating that CSO is detecting the provisioning agent. This process takes up to 30 minutes. If the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.


    You need not download the cloud formation template again. You can log in to the Customer Portal, access the Activate Device page, enter the activation code and click Next. After the CREATE_COMPLETE message is displayed on the AWS server, click Next on the Activate Device page to proceed with device activation.

    If the spoke has been spawned successfully on AWS, it contacts CSO through an outbound SSH connection. The device is detected and the normal ZTP process is triggered. The rest of the workflow is consistent with the normal on-premise workflow.

    On the Device Activation page, the device is activated through the following steps:

    • Detecting the device

    • Applying stage-one configuration to the device

    • Bootstrapping of device

    • Activating the device

    After each successful step, you can see a green check mark. If any of these steps fails, a red exclamation mark appears.

  2. After the activation process is complete, click OK.

    The Sites page appears. To see the device activation status, hover over the device icon on the Sites page.