Adding Cloud Spoke Sites for SD-WAN Deployment
A cloud spoke represents an automation endpoint (virtual machine (VM) or an EC2 Instance) running a Juniper Networks vSRX image in the Amazon Web Services(AWS) virtual private cloud (VPC). The cloud spoke sites are connected to the hub sites using the overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to add a cloud spoke site for a tenant.
You can add a cloud spoke site only in hub-and-spoke topology.
To ensure that only hub-and-spoke topology is created, we recommend you to disable the DVPN configuration while adding the tenant.
You cannot add a cloud spoke site in full mesh topology.
Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.
To add a cloud spoke site:
- Select Resources > Site Management.
The Sites page appears.
- Click Add and select Cloud Spoke.
The Add Cloud Spoke Site page appears.
- Complete the configuration settings according to the guidelines
provided in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Review the configuration and modify the settings, if needed, from the Summary tab.
- Click OK.
The newly added cloud spoke site is displayed on the Sites page.
Table 1: Fields on the Add Cloud Spoke Site Page
Enter a unique name for the site. Enter a unique string of alphanumeric characters and special character (-). The maximum length is 32 characters.
Device Host Name
The device host name is auto-generated and uses the format tenant-name.host-name. You cannot change the tenant-name part in the device host name. Use alphanumeric characters and hyphen (-); the maximum length allowed is 32 characters.
(Optional) Select a site group to which you want to assign the site.
Note: Only the tenants with SD-WAN Advanced service level can create a cloud spoke site.
The Secure SD-WAN Advanced option is selected automatically.
Primary Provider Hub
Select the hub site to which the spoke site must connect.
Address and Contact Information
Enter the street address of the site.
Enter the name of the city where the site is located.
Select the state or province where the site is located.
Enter the postal code for the site.
Select the country where the site is located.
You can click the Validate button to verify the address that you specified:
Enter the name of the contact person for the site.
Enter the e-mail address of the contact person for the site.
Enter the phone number of the contact person for the site.
Domain Name Server (DNS)
Enter one or more IPv4 addresses of the DNS server. To enter more than one DNS server address, type address, press Enter, and then type the next address, and so on. DNS servers are used to resolve hostnames into IP addresses.
Enter the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers. Example: ntp.example.net The site must have DNS reachability to resolve the FQDN during site configuration.
Select the time zone for the site.
Click Next to continue.
Enter the serial number of the CPE device. Serial numbers are case-sensitive.
Zero Touch Provisioning
Click the toggle button to enable or disable Zero Touch Provisioning (ZTP). This option is enabled by default.
To use ZTP, ensure the following:
If ZTP is enabled, the Boot Image field is displayed and you must select an image that supports the Phone-Home client. During ZTP, the image on the firewall device is upgraded to the image that you select for the Boot Image.
If you disable ZTP, ensure that the device has connectivity to CSO. If the device is not prestaged/preconfigured, then you must provide the details under the Management Connectivity section so that CSO can generate the configuration as part of the stage-1 configuration. You can skip the Management Connectivity section if the device has connectivity to CSO.
If you disable ZTP, you must copy the stage-1 configuration from CSO and commit it on the device to start the onboarding process. Use any of the following options to copy the stage-1 configuration:
Click the toggle button to enable (default) or disable automatic activation of the CPE device.
If the automatic activation of the device is disabled, enter the activation code to manually activate the device. The activation code is provided by the administrator who adds the site.
Management Interface Family
Select IPv4 or IPv6. This field is displayed only if you have enabled Zero Touch Provisioning.
Click a device template to select the plan for WAN connectivity.
A device template contains information such as device family, a list of SD-WAN features supported, and the number of links supported.
Note: vSRX as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.
Note: This section is displayed only when Zero Touch Provisioning is disabled.
Select IPv4 or IPv6.
This is the WAN interface that the device uses to connect to CSO.
Select the access type for the underlay link. LTE, ADSL, and VDSL access types are supported only on Internet links. You cannot add LTE, ADSL, and VDSL access types to the same WAN link.
DHCP is selected by default. If you want to provide a static IP address, select STATIC.
Management VLAN ID
Enter a VLAN ID for the WAN link.
Range: 0 through 4094
Click the toggle button to enable authenticated address assignment for the WAN link by using PPPoE (Point-to-Point Protocol over Ethernet).
Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.
Enter the VPC ID from the AWS account.
To obtain VPC ID:
Ensure that the VPC is connected to an Internet gateway.
To check whether VPC is attached:
Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration. The following options are available:
Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS. For example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved by AWS. Hence, provide an IP address prefix other than the reserved IP address prefix.
Enter the activation code of the primary device that your service provider supplied for the device. If you do not want to specify an activation code, on the Template Settings page, disable the ACTIVATION_CODE_ENABLED field and save the changes.
Select the check boxes to configure the WAN links. You can configure up to two WAN links per site that support SD-WAN.
Displays the connection type for WAN underlays. Only Internet link is supported.
Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.
Select the method of assigning an IP address to the WAN link—DHCP or STATIC.
Static IP Prefix
If you configure the address assignment method as STATIC, enter the private IPv4 address of the WAN link from the subnet. For example, if the IPv4 CIDR address is 220.127.116.11/24 for a WAN interface in the AWS account, then enter any IP address within the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.
If you configured the address assignment method as STATIC, enter the IPv4 address for the gateway of the WAN service provider. Typically, the first IP address in the subnet is selected for gateway IP address.
Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP using one-to-one NAT. You must allocate the IP addresses based on the number of WAN links that are enabled. For example, If two WAN links are enabled, then you must allocate two elastic IP addresses.
Based on the connectivity requirement, the following fields are populated:
Enter the name of the service provider (SP).
Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic when multiple WAN links meet SLA profile parameters.
Enter a value in the range 1-255. A lower value indicates a more preferred link. A value of 1 indicates highest priority and a value of 255 indicates lowest priority. If you do not enter a value, the link priority is considered as 255.
Enable Local Breakout
Click the toggle button to enable or disable (default) local breakout on the WAN link.
Select whether you want to use the WAN link for both breakout and WAN traffic (default) or only for breakout traffic.
Autocreate Source NAT Rule
If the WAN link is enabled for local breakout, you can click the toggle button to automatically create an interface-based source NAT rule on the WAN link. The automatically-created source NAT rule is implicitly defined and applied to the site and is not visible on the NAT Policies page.
By default, this field is disabled.
Note: If this option is enabled for a WAN interface W1 during the site addition workflow, a series of NAT source rules are automatically created. Each automatically created NAT rule is from a zone to the WAN interface, with a translation of type interface. Each pair of [zone - interface] represents a rule-set.
For example, the following zone to W1 interface rule-set might be created:
Zone1 --> W1: Translation=Interface
Zone2 --> W1: Translation=Interface
Zone3 --> W1: Translation=Interface
To manually override any of these rules, you can create a NAT rule within a particular rule-set. For example, to use a source NAT pool instead of an interface for translation, create a NAT rule within this particular rule-set, that includes the relevant zone and WAN interface as the source and destination. For example:
Zone1 --> W1 : Translation=Pool-2
The manually created NAT rule is placed at a higher priority than the corresponding automatically created NAT rule.
You can also add other fields (such as addresses, ports, protocols, and so on) as part of the source or destination endpoints. For example:
Zone1, Port 56578 --> W1: Translation=Pool-2
Preferred Breakout Link
Click the toggle button to enable the WAN link as the preferred breakout link.
If you disable this option, then the breakout link is chosen using ECMP from the available breakout links.
Use for OAM Traffic
If you have specified that the WAN link is connected to a hub, click the toggle button to enable sending the OAM traffic over the WAN link.
This WAN link is then used to establish the OAM tunnel.
Overlay Tunnel Type
Select the mesh overlay tunnel type—GRE and GRE_IPSEC.
MPLS links can have both GRE and GRE_IPSEC as the overlay link type where as Internet links can have only GRE_IPSEC as the overlay link type.
Overlay Peer Device
Displays the peer hub device to which the site is connected.
Overlay Peer Interface
Select the interface name of the hub device to which the WAN link of the site is connected.
Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.
When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.
Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.
Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional and in case it is not chosen, all links are used through equal-cost multipath (ECMP).
Enter an IPv4 address prefix for the loopback interface on the CPE device. The IP address prefix must be a /32 IP address prefix and must be unique across the entire management network. If you do not specify an IPv4 address prefix, CSO automatically assigns the IP prefix from the reserved pool 100.124.0.0/14
Add at least one LAN segment.
Displays the LAN segment that you configure on the switch.
To add a LAN segment, click the + icon on the top, right corner of the LAN table. The Add LAN Segment page appears. See Table 2.
Table 2: Fields on the Add LAN Segment Page
Add LAN Segment
Enter a name for the LAN segment.
The name for a LAN segment should be a unique string of alphanumeric characters. No spaces are allowed and the maximum length is 15 characters.
Select a department to which the LAN segment is to be assigned.
Alternatively, click the Create Department link to create a new department and assign the LAN segment to it. See Add a Department for details.
You group LAN segments as departments for ease of management and for applying policies at the department-level.
Enter a valid gateway IP address and mask for the LAN segment; for example, 192.0.2.8/24.
Click the toggle button to include or exclude the CPE in the LAN segment. When you include the CPE in the LAN segment:
Note: You can select only one port if the CPE is an SRX Series device.