Understanding vSRX with AWS

This section presents an overview of vSRX on Amazon Web Services (AWS).

vSRX with AWS

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on Junos OS and delivers networking and security features similar to those available on SRX Series Services Gateways for the branch.

AWS provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform where individuals and enterprises can host servers and services in the cloud either as a pay-as-you-go (PAYG) service or as bring-your-own-license (BYOL).

Note: vSRX PAYG images do not require any Juniper Networks licenses.

AWS Marketplace also enables you to discover and subscribe to software that supports regulated workloads through AWS Marketplace for AWS GovCloud (US).

Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

  • vSRX Next Generation Firewall—Includes the standard (STD) core security features, including core firewall, IPsec VPN, NAT, CoS, and routing services, as well as advanced Layer 4 through 7 security services such as the AppSecure features (AppID, AppFW, AppQoS, and AppTrack), IPS, and rich routing capabilities.
  • vSRX Premium-Next Generation Firewall with Anti-Virus Protection—Includes all features of the vSRX Next Generation Firewall package plus the UTM antivirus feature.

You deploy vSRX in an Amazon Virtual Private Cloud (Amazon VPC) as an application instance in the Amazon Elastic Compute Cloud (Amazon EC2). Each Amazon EC2 instance is deployed, accessed, and configured over the Internet using the AWS Management Console, and the capacity of each instance can be scaled up or down as needed.

Note: In the current release, each vSRX instance uses two vCPUs and 4 GB of memory, even if the instance type selected on AWS is different.

vSRX uses hardware-assisted virtual machine (HVM) images for high performance (enhanced networking), and supports the following deployments in AWS cloud environments:

  • As a firewall between other Amazon EC2 instances on your Amazon VPC and the Internet
  • As a VPN endpoint between your corporate network and your Amazon VPC
  • As a firewall between Amazon EC2 instances on different subnets

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

  • Stateful firewall protection at the tenant edge
  • Faster deployment of virtual firewalls into new sites
  • Full routing, VPN, core security, and networking capabilities
  • Application security features (including IPS and AppSecure)
  • Content security features (including antivirus, Web filtering, antispam, and content filtering)
  • Centralized management with Junos Space Security Director and local management with J-Web Interface
  • Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration

AWS Glossary

This section defines some common terms used in an AWS configuration. Table 1 defines common terms used for Amazon Virtual Private Cloud (Amazon VPC) and Table 2 defines common terms for Amazon Elastic Compute Cloud (Amazon EC2) services.

Table 1: Amazon VPC Related Terminology

Term

Description

Internet gateways

Amazon VPC components that allow communications between your instances in the Amazon VPC and the Internet.

IP addressing

AWS includes three types of IP address:

  • Public IP address–Addresses obtained from a public subnet that is publicly routable from the Internet. Public IP addresses are mapped to primary private IP addresses through AWS NAT.
  • Private IP address–IP addresses in the Amazon VPC Classless Interdomain Routing (CIDR) range, as specified in RFC 1918, that are not publicly routable.
  • Elastic IP address–A static IP address designed for dynamic cloud computing. When an Elastic IP address is associated with a public IP network interface, the public IP address associated with it is released until the Elastic IP address is disassociated from the network interface.

Each network interface can be associated with multiple private IP addresses. In public subnets, a network interface can have multiple private IP addresses, public IP addresses, and Elastic IP addresses associated with its private IP addresses. In private subnets, a network interface can have multiple private IP addresses and an Elastic IP address associated with each private IP address.

You can assign static private IP addresses in the subnet. The first five IP addresses and the last IP address in the subnet are reserved for Amazon VPC networking and routing. The first IP address is the gateway for the subnet.

Network ACL

An AWS-provided stateless virtual firewall that operates at the subnet level.

Route tables

A set of routing rules used to determine where the network traffic is directed. Each subnet needs to be associated with a route table. Subnets not explicitly associated with a route table are associated with the main route table.

You can create custom route tables in addition to the default (main) route table.

Subnet

A virtual addressing space in the Amazon VPC CIDR block. The IP addresses for the Amazon EC2 instances are allocated from the subnet pool of IP addresses.

You can create two types of subnets in the Amazon VPC:

  • Public subnets–Subnets that have a route to the Internet gateway.
  • Private subnets–Subnets that do not have a route to the Internet gateway.

Note: With vSRX Network Address Translation (NAT), you can launch all customer instances in private subnets and connect only the vSRX interfaces to the Internet. This protects your instances from being directly exposed to Internet traffic.

VPC

Virtual private cloud.

Table 2: Amazon EC2 Related Terminology

Term

Description

Amazon Elastic Block Store (EBS)

Persistent block storage that can be attached to an Amazon EC2 instance. Block storage volumes can be formatted and mounted on an instance. Amazon EBS optimized instances provide dedicated throughput between Amazon EC2 and Amazon EBS.

Amazon Elastic Compute Cloud (EC2)

Amazon Web service that enables launch and management of elastic virtual servers or computers that run on the Amazon infrastructure.

Amazon Machine Image (AMI)

Amazon image format that contains the information, such as the template for root volume, launch permissions, and block device mapping, that is required to launch an Amazon EC2 instance.

Elastic IP

A static IP address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP address using NAT.

Enhanced networking

Provides high packet per second performance, low latency, higher I/O performance, and lower CPU utilization compared to traditional implementations. vSRX leverages this networking with hardware virtualized machine (HVM) Amazon Machine Images (AMIs).

Instance

A virtual machine or server on Amazon EC2 that uses the XEN or XEN-HVM hypervisor type. Amazon EC2 provides a selection of instance types optimized for different use cases.

Key pairs

Public key cryptography used by AWS to encrypt and decrypt login information. Create these key pairs using Amazon EC2 or import your own key pairs.

Note: AWS does not accept DSA keys. Restrict the file permissions on the key file to 400 (owner read-only).

Network interfaces

Virtual network interfaces that you can attach to an instance in the Amazon VPC. An Elastic Network Interface (ENI) can have a primary private IP address, multiple secondary IP addresses, one Elastic IP address per private IP address, one public IP address, one or more security groups, one MAC address, and a source/destination check flag.

Note: For vSRX instances, disable the source/destination check for all interfaces.

Network MTU

All Amazon instance types support an MTU of 1500. Some instance types support jumbo frames (9001 MTU).

Note: Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.

Placement Groups

Instances launched in a common cluster placement group. Instances within the cluster have networks with high bandwidth and low latency.

Security groups

An AWS-provided virtual firewall that controls the traffic for one or more instances. Security groups can be associated with an instance only at launch time.

Note: Because vSRX manages your firewall settings, we recommend that you ensure there is no contradiction between rule sets on AWS security groups and rule sets in your vSRX configuration.
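The note above asks you to keep AWS security groups and vSRX rule sets free of contradictions. The check below, an added example that is not part of the original page or of Juniper's tooling, finds the most common contradiction: a vSRX policy that permits inbound traffic which the security group on the same interface drops first, so the traffic never reaches vSRX and never appears in its logs. The security group is a constructed sample shaped like `aws ec2 describe-security-groups` output with a placeholder group id; the vSRX policy list is an assumed simplified representation, not Junos syntax.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (only the fields the check reads). The group id is a placeholder.
SECURITY_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Assumed simplified view of the vSRX inbound permit policies on the same
# interface: protocol, destination port and permitted source prefix.
# Not Junos syntax; it stands in for whatever you export from the device.
VSRX_PERMITS = [
    {"policy": "allow-ssh-admin", "proto": "tcp", "port": 22, "source": "203.0.113.0/24"},
    {"policy": "allow-ike", "proto": "udp", "port": 500, "source": "0.0.0.0/0"},
    {"policy": "allow-nat-t", "proto": "udp", "port": 4500, "source": "0.0.0.0/0"},
    {"policy": "allow-https", "proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    {"policy": "allow-ssh-ops", "proto": "tcp", "port": 22, "source": "198.51.100.0/24"},
]


def sg_rule_covers(rule, proto, port, source):
    """True if one security-group rule admits proto/port from every address in source."""
    if rule["IpProtocol"] not in ("-1", proto):   # "-1" means all protocols
        return False
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    src = ipaddress.ip_network(source)
    # The whole vSRX source prefix must sit inside one allowed CIDR.
    return any(src.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def shadowed_policies(security_group, permits):
    """Names of vSRX permits whose traffic the security group drops before vSRX sees it."""
    return [p["policy"] for p in permits
            if not any(sg_rule_covers(r, p["proto"], p["port"], p["source"])
                       for r in security_group["IpPermissions"])]


if __name__ == "__main__":
    for name in shadowed_policies(SECURITY_GROUP, VSRX_PERMITS):
        print(f"{name}: permitted on vSRX but dropped by {SECURITY_GROUP['GroupId']}")
```

Run it against the real `describe-security-groups` JSON for the vSRX interface and your exported policies; the reverse case, a security group wider than the vSRX policy, is harmless because vSRX still enforces.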

Release History Table

Release: Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
Description: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

Modified: 2017-11-21