Step 1: Begin
Juniper Networks® vSRX Virtual Firewall is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on Junos OS and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.
The Juniper vSRX is available on the Google Cloud Platform (GCP) Marketplace. You can use the GCP Marketplace to set up your vSRX as a VM running on a Google Compute Engine instance.
Before you begin deployment, you'll need to do the following:
- Familiarize yourself with your vSRX VM license agreement. See Requirements for vSRX on Google Cloud Platform.
- Set up a Google account with an identity and access management (IAM) role with all required permissions to access, create, modify, and delete Compute Engine Instances and Storage Service.
- Create Google’s Virtual Private Cloud (VPC) objects. For this, have the private IP addresses for all network and management devices handy.
- Create an SSH public and private key pair.
Generate SSH Keys
You'll need to generate a private and public SSH key pair as follows:
- Generate the public key and the private key.
If you are using Linux or macOS: Use the ssh-keygen tool to create the key pair in your .ssh directory. In the following sample, gcp-user-1 is the name of the key file and gcp-user is the username.
    ssh-keygen -t rsa -f ~/.ssh/gcp-user-1 -C gcp-user
If you are using Windows: Use the PuTTY Key Generator to create the key pair.
- Copy your public key in a text editor. You’ll need this key later while deploying vSRX in the GCP Marketplace.
- Save your private key in .ppk format. You’ll need this key later to authenticate the vSRX instance.
Create VPC Networks
You'll need to create the VPC networks and subnetworks before you start deploying your vSRX VM on GCP Marketplace.
- Log in to the Google Cloud console.
- In the left side of the navigation area, click VPC network under NETWORKING.
- Select VPC network.
- In the top pane, click CREATE VPC NETWORK.
- Enter a name for the network.
- Create a subnet with the following details:
Name—Name of the subnetwork.
IP Address—Assign an IP address range for creating interface subnetworks. This range is used for your internal network, so ensure that the address range does not overlap with other subnets.
Region—Select the region where you want to launch your vSRX VM.
Private Google Access—Retain the default value Off.
Flow logs—Retain the default value Off.
- Click Create.
We recommend that you create a minimum of three VPC networks. The vSRX VM uses the first VPC network you create as the management interface and assigns the ge-0/0/0 and ge-0/0/1 interfaces to the remaining two VPC networks.
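The planning rules above (at least three VPC networks, non-overlapping private ranges, one region, and the creation-order interface assignment) can be checked before you touch the console. The following is an added example, not part of the Juniper documentation; the function name, network names, ranges, and regions are all constructed for illustration.

```python
import ipaddress

# Interface each VPC network maps to, in creation order (from the text above).
ROLES = ["management", "ge-0/0/0", "ge-0/0/1"]

# Constructed sample plans: (network name, subnet range, region). Names are hypothetical.
GOOD_PLAN = [
    ("vsrx-mgmt", "10.0.0.0/24", "us-central1"),
    ("vsrx-untrust", "10.0.1.0/24", "us-central1"),
    ("vsrx-trust", "10.0.2.0/24", "us-central1"),
]
BAD_PLAN = [
    ("vsrx-mgmt", "10.0.0.0/24", "us-central1"),
    ("vsrx-untrust", "10.0.0.128/25", "us-east1"),
]

def check_vpc_plan(plan, existing=()):
    """Return (interface assignments, list of problems) for an ordered plan.
    `existing` holds ranges already used elsewhere that must not be overlapped."""
    problems = []
    if len(plan) < len(ROLES):
        problems.append(f"need at least {len(ROLES)} VPC networks, got {len(plan)}")
    parsed = []
    for name, cidr, region in plan:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError as exc:
            problems.append(f"{name}: invalid range {cidr!r} ({exc})")
            continue
        if not net.is_private:
            problems.append(f"{name}: {net} is not a private range")
        parsed.append((name, net, region))
    for i, (a_name, a_net, _) in enumerate(parsed):
        for b_name, b_net, _ in parsed[i + 1:]:   # planned vs. planned
            if a_net.overlaps(b_net):
                problems.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
        for cidr in existing:                     # planned vs. already in use
            if a_net.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"{a_name} {a_net} overlaps existing {cidr}")
    regions = {region for _, _, region in parsed}
    if len(regions) > 1:  # subnets must be in the region where the VM launches
        problems.append(f"subnets span several regions: {sorted(regions)}")
    assignments = {role: name for role, (name, _, _) in zip(ROLES, plan)}
    return assignments, problems

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(check_vpc_plan(plan))
```
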
Deploy vSRX on Google Cloud Platform
Here's how to deploy vSRX from the GCP Marketplace:
- Log in to the Google Cloud Platform console.
- In the left side of the navigation area, select the Marketplace.
- In the Search box, enter vSRX.
- Click one of the following options based on your licensing:
vSRX Next Generation Firewall
vSRX Next Generation Firewall BYOL
vSRX Next Generation Firewall with Antivirus Protection
For the purpose of the example setup, we're using the vSRX Next Generation Firewall option.
- Click Launch. The New vSRX Next Generation Firewall deployment page appears.
- Provide the details for the vSRX VM.
Deployment Name—Enter a unique name for your vSRX VM.
Zone—Select a zone for your vSRX VM. For a list of supported zones, see Regions and Zones.
Machine type—Select a machine type based on the system requirements for your license. See Requirements for vSRX on Google Cloud Platform.
SSH key—Paste your public SSH key that you created earlier. See Generate SSH Keys.
Paste the key after the text gcp-user.
Retain the default option Block project-wide SSH keys.
Network interfaces—Select the VPC network and the subnets. Note that you can add only those subnets that you’ve created for the selected zone for this vSRX VM.
IP Forwarding—Retain the default value On. This is a mandatory requirement for the vSRX VM.
Enable External IP—Select the ephemeral option. This setting allows the GCP to provide an ephemeral IP address to act as the external IP address.
Allow HTTP traffic from the Internet—Retain the default value as selected. We recommend not providing HTTP access unless absolutely necessary.
Allow TCP port 22 traffic from the Internet—Retain the default value as selected. For security reasons, we recommend that you limit SSH access to the specific IP address that needs to access the vSRX instance.
- Accept GCP Marketplace Terms of Service.
- Click Deploy.
You can see the progress of your vSRX deployment on the GCP console. When the deployment is complete, a message appears on the screen to let you know the deployment was successful. You'll also receive an e-mail notification.
- Click your VM under vSRX Next Generation Firewall to view the details. You can view your VM details by navigating to the Compute Engine under COMPUTE in the left side of the navigation area.
- Make note of the external IP address, shown under Network interfaces. You'll need this address later to log in to your vSRX instance using the CLI.
Now that you’ve completed the deployment of the vSRX VM, let's get you up and running!