Adding Cloud Spoke Sites for SD-WAN Deployment


A cloud spoke represents an automation endpoint (a virtual machine (VM) or an EC2 instance) running a Juniper Networks vSRX image in an Amazon Web Services (AWS) virtual private cloud (VPC). Cloud spoke sites are connected to the hub sites through overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud spoke site for a tenant.

  • You can add a cloud spoke site only in hub-and-spoke topology.

  • To ensure that only a hub-and-spoke topology is created, we recommend that you disable the DVPN configuration while adding the tenant.

  • You cannot add a cloud spoke site in full mesh topology.

  • Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.

To add a cloud spoke site:

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add and select Cloud Spoke.

    The Add Cloud Spoke Site page appears.

  3. Complete the configuration settings according to the guidelines provided in Table 1.

    Note: Fields marked with an asterisk (*) are mandatory.

  4. Review the configuration and modify the settings, if needed, from the Summary tab.
  5. Click OK.

    The newly added cloud spoke site is displayed on the Sites page.

Table 1: Fields on the Add Cloud Spoke Site Page




Site Information

Site Name

Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 32 characters.

Example: aws-cloud-spoke

Device Host Name

The device host name is auto-generated and uses the format You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.

Site Group

(Optional) Select a site group to which you want to assign the site.

Example: cloud-spoke

Site Capabilities

Note: Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.

The Secure SD-WAN Advanced option is selected automatically.



Primary Provider Hub

Select the hub site to which the spoke site must connect.

Address and Contact Information

Street Address

Enter the street address of the site.


Enter the name of the city where the site is located.


Select the state or province where the site is located.

ZIP/Postal Code

Enter the postal code for the site.


Select the country where the site is located.

You can click the Validate button to verify the address that you specified:

  • The Site address verification successful message is displayed if the address can be verified. You can click the View location on a map link to see the address location.

  • If the address cannot be verified, the Site address could not be validated message is displayed.

Contact Name

Enter the name of the contact person for the site.


Enter the e-mail address of the contact person for the site.


Enter the phone number of the contact person for the site.

Advanced Configuration


Domain Name Server (DNS)

Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.

NTP Server

Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: The site must have DNS reachability to resolve the FQDN during site configuration.

Select Timezone

Select the time zone for the site.

Click Next to continue.


Serial Number

Enter the serial number of the CPE device. Serial numbers are case-sensitive.

Zero Touch Provisioning

Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.

To use ZTP, ensure the following:

  • Device must have connectivity to CSO and Juniper phone-home server (

    Use telnet to verify TCP connectivity to port 443 (telnet takes the host and the port as separate arguments):


    telnet <CSO-hostname-or-IP> 443

    If the connection is established, the device has connectivity to the phone-home server and CSO.

  • Required certificates for phone-home server and CSO must be present on the device.

If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.

If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged/preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.

If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:

  • Click the Click to copy stage-1 config link next to Prestage Device task on the Site Activation Progress page.

    If you close the Site Activation Progress page inadvertently, you can access the page from the Site Management page. Click the View link next to the status of the site under the Site Status column.

  • On the Devices page (Resources > Devices), select the device and click Stage1 Config.

Auto Activate

Click the toggle button to enable (default) or disable automatic activation of the CPE device.

Activation Code

If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.

Management Interface Family

Select IPv4 or IPv6. This field is displayed only if you have enabled Zero Touch Provisioning.

Device Template

Click a device template to select the plan for WAN connectivity.

A device template contains information such as device family, a list of SD-WAN features supported, and the number of links supported.

Note: vSRX as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.

Management Connectivity

Note: This section is displayed only when Zero Touch Provisioning is disabled.

Address Family

Select IPv4 or IPv6.

Interface Name

This is the WAN interface that the device uses to connect to CSO.

Access Type

Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.

Address Assignment

DHCP is selected by default. If you want to provide a static IP address, select STATIC.

Management VLAN ID

Enter a VLAN ID for the WAN link.

Range: 0 through 4094


Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).

Cloud Information


Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.

Example: Ohio


Enter the VPC ID from the AWS account.

To obtain VPC ID:

  1. Log in to your AWS account.
  2. Search for the VPC service.
  3. Click the VPC dashboard.
  4. Select a VPC ID.

Ensure that the VPC is connected to an Internet gateway.

To check whether VPC is attached:

  1. Log in to your AWS account.
  2. Search for the VPC service.
  3. Click the Internet Gateway dashboard.
  4. Check whether the VPC state is attached.

Example: vpc-6d810314

Management Subnet

Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration. The following options are available:

  • Use an existing subnet in AWS account

  • Create new

IP Prefix

Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP address prefix other than the reserved IP address prefix.


Device Information

Activation Code

Enter the activation code that your service provider supplied for the primary device. If you do not want to specify an activation code, on the Template Settings page, disable the ACTIVATION_CODE_ENABLED field and save the changes.

WAN Links

WAN_0 (ge-0/0/0)

WAN_1 (ge-0/0/1)

Select the check boxes to configure the WAN links. You can configure up to two WAN links per site that support SD-WAN.

Link Type

Displays the connection type for WAN underlays. Only Internet link is supported.

Egress Bandwidth

Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.

Address Assignment

Select the method of assigning an IP address to the WAN link—DHCP or STATIC.

  • If you select DHCP, the IP address is provided by using the DHCP server of the service provider of the WAN link.

  • If you select STATIC, you must provide the IP address prefix and the gateway address for the WAN link.

Static IP Prefix

If you configure the address assignment method as STATIC, enter the private IPv4 address of the WAN link from the subnet. For example, if the IPv4 CIDR address is for a WAN interface in the AWS account, then enter any IP address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.


Gateway IP

If you configured the address assignment method as STATIC, enter the IPv4 address for the gateway of the WAN service provider. Typically, the first IP address in the subnet is selected for gateway IP address.


Elastic IP

An Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP address using one-to-one NAT. You must allocate one Elastic IP address per enabled WAN link. For example, if two WAN links are enabled, then you must allocate two Elastic IP addresses.


Advanced Settings

Based on the connectivity requirement, the following fields are populated:


Enter the name of the service provider (SP).


Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.

Link Priority

Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.

Enable Local Breakout

Click the toggle button to enable or disable (default) local breakout on the WAN link.

  • If you enable this option, the WAN link can be used for local breakout. The decision of whether traffic breaks out locally from the site depends on the breakout profile that is referenced in the SD-WAN policy intent.

  • If you do not enable local breakout on at least one WAN link for a single CPE connection plan and at least two WAN links for a dual CPE connection plan, then local breakout is disabled for the site.

Breakout Options

Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.

Autocreate Source NAT Rule

If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page.

By default, this field is disabled.

Note: If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.

For example, the following zone to W1 interface rule-set might be created:

Zone1 --> W1: Translation=Interface
Zone2 --> W1: Translation=Interface
Zone3 --> W1: Translation=Interface

To manually override any of these rules, you can create a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant zone and WAN interface as the source and destination. For example:

Zone1 --> W1 : Translation=Pool-2

The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.

You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:

Zone1, Port 56578 --> W1: Translation=Pool-2

Preferred Breakout Link

Click the toggle button to enable the WAN link as the preferred breakout link.

If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.

Use for OAM Traffic

If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.

This WAN link is then used to establish the OAM tunnel.

Overlay Tunnel Type

Select the mesh overlay tunnel type—GRE or GRE_IPSEC.

MPLS links can have either GRE or GRE_IPSEC as the overlay link type, whereas Internet links can have only GRE_IPSEC as the overlay link type.

Overlay Peer Device

Displays the peer hub device to which the site is connected.

Overlay Peer Interface

Select the interface name of the hub device to which the WAN link of the site is connected.

Backup Link

Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.

When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.

Default Links

Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.

Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).

Management Connectivity


IP Prefix

Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool.
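The addressing rules stated under IP Prefix, Static IP Prefix, Gateway IP, Elastic IP and the loopback IP Prefix above, collected into a pre-flight check as an added example (this is not CSO's or Juniper's code; the subnet, candidate prefixes and existing loopback addresses are constructed sample values):

```python
import ipaddress

# AWS reserves the first four addresses of every subnet (network address, VPC
# router, DNS, future use) and the last address (broadcast). Sample values in
# this file are constructed for illustration; nothing here is CSO's own code.
AWS_RESERVED_HEAD = 4


def aws_gateway(subnet: str) -> str:
    """VPC router address: the first address after the network address."""
    net = ipaddress.ip_network(subnet, strict=True)
    return str(net.network_address + 1)


def validate_static_prefix(prefix: str, subnet: str) -> tuple[bool, str]:
    """Check a STATIC management or WAN IP prefix against its AWS subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    iface = ipaddress.ip_interface(prefix)
    if iface.network != net:
        return False, f"{prefix} is not inside {subnet} (or the mask differs)"
    offset = int(iface.ip) - int(net.network_address)
    if offset < AWS_RESERVED_HEAD:
        return False, f"{iface.ip} is one of the first four addresses reserved by AWS"
    if iface.ip == net.broadcast_address:
        return False, f"{iface.ip} is the broadcast address reserved by AWS"
    return True, "ok"


def elastic_ips_needed(wan_links: dict[str, bool]) -> int:
    """One Elastic IP per enabled WAN link (WAN_0, WAN_1)."""
    return sum(1 for enabled in wan_links.values() if enabled)


def validate_loopback(prefix: str, in_use: set[str]) -> tuple[bool, str]:
    """CPE loopback prefix: an IPv4 /32 that is unique on the management network."""
    iface = ipaddress.ip_interface(prefix)
    if iface.version != 4 or iface.network.prefixlen != 32:
        return False, f"{prefix} must be an IPv4 /32 prefix"
    if str(iface.ip) in in_use:
        return False, f"{iface.ip} is already in use on the management network"
    return True, "ok"


if __name__ == "__main__":
    subnet = "10.0.1.0/24"  # constructed sample AWS subnet
    print("gateway:", aws_gateway(subnet))
    for candidate in ("10.0.1.2/24", "10.0.1.10/24", "10.0.1.255/24"):
        print(candidate, validate_static_prefix(candidate, subnet))
    print("EIPs needed:", elastic_ips_needed({"WAN_0": True, "WAN_1": True}))
    print(validate_loopback("192.168.255.10/32", {"192.168.255.9"}))
```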



Add at least one LAN segment.

LAN Segment

Displays the LAN segment that you configure on the switch.

To add a LAN segment, click the + icon in the top-right corner of the LAN table. The Add LAN Segment page appears. See Table 2.

Table 2: Fields on the Add LAN Segment Page



Add LAN Segment


Enter a name for the LAN segment.

The name for a LAN segment should be a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.


Select a department to which the LAN segment is to be assigned.

Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.

You group LAN segments as departments for ease of management and for applying policies at the department-level.

Gateway Address/Mask

Enter a valid gateway IP address and mask for the LAN segment; for example,

CPE Ports

Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:

  • CPE ports that you can include in the LAN segment are listed.

    Select the ports from the Available column and click the right-arrow to move the ports to the Selected column.

Note: You can select only one port if the CPE is an SRX Series device.