Understanding vSRX with KVM

This section presents an overview of vSRX on KVM.

vSRX Overview

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.

Figure 1 shows the high-level architecture for vSRX.

Figure 1: vSRX Architecture [figure not reproduced in this text]

vSRX includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling of vCPUs and virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

  • Stateful firewall protection at the tenant edge

  • Faster deployment of virtual firewalls into new sites

  • Full routing, VPN, core security, and networking capabilities

  • Application security features (including IPS and App-Secure)

  • Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)

  • Centralized management with Junos Space Security Director and local management with J-Web Interface

  • Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration

vSRX on KVM

The Linux kernel uses the kernel-based virtual machine (KVM) as a virtualization infrastructure. KVM is open source software that you can use to create multiple virtual machines (VMs) and to install security and networking appliances.

The basic components of KVM include:

  • A loadable kernel module included in the Linux kernel that provides the basic virtualization infrastructure

  • A processor-specific module

When loaded into the Linux kernel, the KVM software acts as a hypervisor. KVM supports multitenancy and allows you to run multiple vSRX VMs on the host OS. KVM manages and shares the system resources between the host OS and the multiple vSRX VMs.

Note: vSRX requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor.
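The two KVM components and the hardware-virtualization requirement above translate into a simple host pre-flight check. The following is an added example (not Juniper or KVM project code): it reads the CPU flags from /proc/cpuinfo (vmx for Intel VT-x, svm for AMD-V) and the loaded modules from lsmod, looking for the generic kvm module plus the processor-specific kvm_intel or kvm_amd module. The sample cpuinfo and lsmod texts are constructed so the check runs offline; the function names are this example's own.

```python
"""Hypothetical KVM host pre-flight check for a vSRX deployment.

Added example, not Juniper code. The CPU flag only says the processor
has the virtualization extension; the processor-specific KVM module
(kvm_intel / kvm_amd) being loaded is the practical sign that the
extension is actually enabled in firmware, since that module refuses to
load when VT is disabled.
"""
import subprocess

# Constructed sample of /proc/cpuinfo (one core shown) for an Intel VT-x host.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx ssse3 sse4_1 sse4_2 x2apic popcnt aes
"""

# Constructed sample of `lsmod` output with KVM loaded.
SAMPLE_LSMOD = """\
Module                  Size  Used by
kvm_intel             204800  4
kvm                   593920  1 kvm_intel
irqbypass              16384  1 kvm
"""


def cpu_virt_flag(cpuinfo_text):
    """Return 'vmx' (Intel VT-x), 'svm' (AMD-V) or None from cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            if "vmx" in flags:
                return "vmx"
            if "svm" in flags:
                return "svm"
            return None
    return None


def kvm_modules(lsmod_text):
    """Return the set of loaded kernel modules whose name starts with 'kvm'."""
    mods = set()
    for line in lsmod_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if fields and fields[0].startswith("kvm"):
            mods.add(fields[0])
    return mods


def kvm_ready(cpuinfo_text, lsmod_text):
    """True when the CPU exposes a virtualization extension and both the
    generic KVM module and the matching processor-specific module are loaded."""
    flag = cpu_virt_flag(cpuinfo_text)
    if flag is None:
        return False
    wanted = "kvm_intel" if flag == "vmx" else "kvm_amd"
    mods = kvm_modules(lsmod_text)
    return "kvm" in mods and wanted in mods


def check_live_host():
    """Run the same check against the real host; None if inputs are unavailable."""
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
        lsmod = subprocess.run(["lsmod"], capture_output=True, text=True,
                               check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return kvm_ready(cpuinfo, lsmod)


if __name__ == "__main__":
    print("sample host ready:", kvm_ready(SAMPLE_CPUINFO, SAMPLE_LSMOD))
    print("this host ready:", check_live_host())
```

A host that reports a vmx flag but no kvm_intel module is the common case of VT left disabled in the BIOS/UEFI setup; enable it there and reload the module before deploying vSRX.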

Figure 2 illustrates the basic structure of a vSRX VM on an Ubuntu server.

Figure 2: vSRX VM on Ubuntu [figure not reproduced in this text]

vSRX Scale Up Performance

Table 1 shows the vSRX scale up performance when deployed on KVM, based on the number of vCPUs and vRAM applied to a vSRX VM along with the Junos OS release in which a particular vSRX software specification was introduced.

Table 1: vSRX Scale Up Performance

vCPUs      vRAM     NICs                                Release Introduced
2 vCPUs    4 GB     Virtio;                             Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
                    SR-IOV (Intel 82599, X520/540)
5 vCPUs    8 GB     Virtio                              Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
5 vCPUs    8 GB     SR-IOV (Intel X710/XL710)           Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1
9 vCPUs    16 GB    PCI passthrough (Intel XL710)       Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1
17 vCPUs   32 GB    PCI passthrough (Intel XL710)       Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1

You can scale the performance and capacity of a vSRX instance by increasing the number of vCPUs or the amount of vRAM allocated to the vSRX. The multi-core vSRX automatically selects the appropriate vCPU and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU or vRAM allocation of a vSRX VM does not match a supported combination, the vSRX scales down to the closest supported value for the instance. For example, if a vSRX VM has 3 vCPUs and 8 GB of vRAM, vSRX boots with the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX instance to a higher number of vCPUs or a larger amount of vRAM, but you cannot scale down an existing vSRX instance to a smaller setting.

Note: The number of RSS queues typically matches the number of data plane vCPUs of a vSRX instance. For example, a vSRX with 4 data plane vCPUs should have 4 RSS queues.
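The sizing rules in the two paragraphs above (boot-time selection of a supported size, scale-down to the closest supported value, no shrinking of an existing instance, and one RSS queue per data plane vCPU) can be checked before a VM is defined. The following is an added example and not Juniper code: it transcribes the vCPU/vRAM tiers from Table 1 and models the rules as stated in the text. The "largest tier whose vCPU and vRAM requirements are both met" selection, and the assumption that exactly one vCPU is reserved for the JCP at every tier, are this example's reading of the text; the NIC-type constraints in Table 1 are not modelled.

```python
"""Hypothetical model of the vSRX-on-KVM sizing rules described above.

Added example, not Juniper code. SUPPORTED_SIZES is transcribed from
Table 1 as (vCPUs, vRAM in GB). The JCP takes one vCPU and the rest go
to the data plane (PFE); the RSS queue count follows the data plane
vCPU count. The selection and no-shrink rules are modelled from the
prose; the real boot logic is whatever vSRX does on the host.
"""

# (vCPUs, vRAM_GB) combinations from Table 1, smallest first.
SUPPORTED_SIZES = [(2, 4), (5, 8), (9, 16), (17, 32)]

JCP_VCPUS = 1  # one vCPU is reserved for the Junos control plane (assumed at every tier)


def effective_size(vcpus, vram_gb):
    """Return the (vCPUs, vRAM) tier vSRX boots with for a given VM allocation.

    The allocation must satisfy both the vCPU and vRAM requirement of a
    tier; the largest such tier is chosen (assumed reading of "closest
    supported value"). Below the 2 vCPU / 4 GB minimum there is no
    supported size, so None is returned.
    """
    chosen = None
    for size_vcpus, size_vram in SUPPORTED_SIZES:
        if vcpus >= size_vcpus and vram_gb >= size_vram:
            chosen = (size_vcpus, size_vram)
    return chosen


def data_plane_vcpus(vcpus):
    """vCPUs available to the PFE: everything except the JCP vCPU."""
    return vcpus - JCP_VCPUS


def expected_rss_queues(vcpus, vram_gb):
    """RSS queues the NIC should expose: one per data plane vCPU of the
    tier actually booted, or None if the allocation is unsupported."""
    size = effective_size(vcpus, vram_gb)
    if size is None:
        return None
    return data_plane_vcpus(size[0])


def resize_allowed(current, proposed):
    """Scale-up is allowed; scale-down of an existing instance is not.

    Both allocations are (vcpus, vram_gb) and are reduced to their
    effective tier first, so changing 3 vCPUs to 2 vCPUs is not a shrink.
    """
    cur = effective_size(*current)
    new = effective_size(*proposed)
    if cur is None or new is None:
        return False
    return new >= cur  # tuple comparison: same tier or a higher one


def describe(vcpus, vram_gb):
    """Human-readable summary for a proposed VM allocation."""
    size = effective_size(vcpus, vram_gb)
    if size is None:
        return f"{vcpus} vCPUs / {vram_gb} GB: below the minimum supported size"
    return (f"{vcpus} vCPUs / {vram_gb} GB -> boots as {size[0]} vCPUs / {size[1]} GB, "
            f"{data_plane_vcpus(size[0])} data plane vCPUs, "
            f"{expected_rss_queues(vcpus, vram_gb)} RSS queues")


if __name__ == "__main__":
    print(describe(3, 8))     # the text's example: boots with the 2 vCPU size
    print(describe(5, 8))
    print(describe(17, 32))
    print(describe(1, 4))
    print("5/8 -> 9/16 allowed:", resize_allowed((5, 8), (9, 16)))
    print("9/16 -> 5/8 allowed:", resize_allowed((9, 16), (5, 8)))
```

Running describe() on a planned allocation before defining the VM avoids paying for vCPUs and vRAM that the instance will not use, and the RSS queue figure is the value to compare against the queue count configured on the virtio or SR-IOV interface.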

Release History Table

Release
Description
Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling of vCPUs and virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.

Modified: 2018-04-13