Use the following high-level steps to provision a vSRX cloud spoke site in an Amazon Web Services (AWS) virtual private cloud (VPC).
Before you begin:
Set up your Amazon Web Services (AWS) account.
Identify the virtual private cloud (VPC) in which the AWS spoke site must be provisioned.
Install licenses to use vSRX features. Choose any of the following AWS vSRX Image Licenses.
Bring Your Own License (BYOL): If you plan to use a BYOL, you must install the license on the device before deploying CSO SD-WAN functionality. See https://aws.amazon.com/marketplace/pp/B01LYWCGDX.
License included. See https://aws.amazon.com/marketplace/pp/B01NAUWN0G.
Ensure that you have the supported software version for the AWS spoke.
Reserve two elastic IP (public IP) addresses on AWS.
To set up and monitor your network:
To add a cloud spoke site:
The Sites page appears.
The Add On-Premise Spoke Site for Tenant-Name page appears.
Note
Only the hub-and-spoke topology is supported for an AWS cloud spoke site.
Only an Internet link is supported for WAN underlay connections.
The WAN traffic page appears, displaying a set of values for the WAN link configuration.
The new cloud spoke site that you created appears in the Sites page.
To download the cloud formation template:
The Devices List page appears.
The Cloud Info Template page appears.
The template is downloaded to your local computer in JSON format.
CSO creates a cloud formation template with the stage-1 configuration bundled in JSON format. You must download this template and then upload it to AWS to provision the vSRX. The cloud formation template creates the required resources, such as the subnet, interface, and vSRX, and applies the stage-1 configuration.
To provision the device on the AWS server:
If you have already logged in to your AWS account, the Create Stack page appears.
If you are not logged into your AWS account, a new Web page opens in your browser, displaying the AWS login information. Log in to your AWS account.
Tip: If you do not see the Create Stack page when you log in to or access your AWS account, then search for the CloudFormation service.
The Create Stack page appears.
The Create Stack page displays a list of existing stacks and indicates that it is creating the stack that you requested. The create stack process takes up to 30 minutes. If the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.
To activate the device:
The Activate Device page displays a status indicating that CSO is detecting the provisioning agent. This process takes up to 30 minutes. If the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.
Note: You need not download the cloud formation template again. You can log in to the Customer Portal, access the Activate Device page, enter the activation code, and click Next. After the CREATE_COMPLETE message is displayed on the AWS server, click Next on the Activate Device page to proceed with device activation.
If the spoke has been spawned successfully on AWS, it contacts CSO through an outbound SSH connection. The device is detected and the normal ZTP process is triggered. The rest of the workflow is consistent with the normal on-premise workflow.
On the Device Activation page, the device is activated through the following steps:
Detecting the device
Applying stage-one configuration to the device
Bootstrapping of device
Activating the device
After each successful step, you can see a green check mark. If any of these steps fails, a red exclamation mark appears.
The Sites page appears. To see the device activation status, hover over the device icon on the Sites page.