Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding vSRX with AWS

    This section presents an overview of vSRX in Amazon Web Services (AWS) public clouds.

    vSRX with AWS

    vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on Junos OS and delivers networking and security features similar to those available on SRX Series Services Gateways for the branch.

    AWS provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (SaaS), to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform where individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) service or bring-your-own-license (BYOL).

    Note: vSRX PAYG images do not require any Juniper Networks licenses.

    AWS Marketplace also enables you to discover and subscribe to software that supports regulated workloads through AWS Marketplace for AWS GovCloud (US).

    Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

    • vSRX Next-Generation Firewall Bundle 1—Includes standard (STD) features of core security, IPsec VPN, NAT, CoS, and routing services as well as the AppSecure features of AppID, AppFW, AppQoS, and AppTrack.
    • vSRX Next-Generation Firewall Bundle 2—Includes the features in vSRX Next-Generation Firewall Bundle 1 and the UTM antivirus feature.

    You can deploy vSRX in a virtual private cloud (VPC) hosted by AWS as an application instance in the AWS Elastic Compute Cloud (EC2). Each EC2 instance is deployed, accessed, and configured over the Internet using the AWS Management Console, and the capacity of each instance can be scaled up or down as needed.

    Note: In the current release, each vSRX instance uses two vCPUs and 4 GB of memory, even if the instance type selected in AWS is different.

    vSRX uses hardware assisted virtual machines (HVM) for high performance (enhanced networking), and supports the following deployments in AWS cloud environments:

    • As a firewall between other EC2 instances on your VPC and the Internet
    • As a VPN endpoint between your corporate network and your VPC
    • As a firewall between EC2 instances on different subnets

    vSRX Benefits and Use Cases

    vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

    Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

    • Stateful firewall protection at the tenant edge
    • Faster deployment of virtual firewalls into new sites
    • Full routing, VPN, core security, and networking capabilities
    • Application security features (including IPS and App-Secure)
    • Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)
    • Centralized management with Junos Space Security Director and local management with J-Web Interface
    • Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration

    AWS Glossary

    This section defines some common terms used in an AWS public cloud configuration. Table 1 defines common terms used for Virtual Private Clouds (VPCs) and Table 2 defines common terms for Elastic Compute Cloud (EC2) services.

    Table 1: VPC Related Terminology



    Internet gateways

    VPC components that allow communications between your instances in the VPC and the Internet.

    IP addressing

    AWS includes three types of IP address:

    • Public IP address–Addresses obtained from a public subnet that is publicly routable from the Internet. Public IP addresses are mapped to primary private IP addresses through AWS NAT.
    • Private IP address–IP addresses in the VPC Classless Interdomain Routing (CIDR) range, as specified in RFC 1918, that are not publicly routable.
    • Elastic IP address–A static IP address designed for dynamic cloud computing. When an Elastic IP address is associated with a public IP network interface, the public IP address associated with it is released until the Elastic IP address is disassociated from the network interface.

    Each network interface can be associated with multiple private IP addresses. Public subnets can have multiple private IP addresses, public addresses, and Elastic IP addresses associated with the private IP address of the network interface. Private subnets can have multiple private IP addresses and Elastic IP address associated with each private IP address.

    You can assign static private IP addresses in the subnet. The first five IP addresses and the last IP address in the subnet are reserved for VPC networking and routing. The first IP address is the gateway for the subnet.

    Network ACL

    AWS stateless virtual firewall operating at the subnet level.

    Route tables

    A set of routing rules used to determine where the network traffic is directed. Each subnet needs to be associated with a route table. Subnets not explicitly associated with a route table are associated with the main route table.

    Custom route tables can be created other than the default table.


    A virtual addressing space in the VPC CIDR block. The IP addresses for the EC2 instances are allocated from the subnet pool of IP addresses.

    You can create two types of subnets in the VPC:

    • Public subnets–Subnets that have traffic connections to the Internet gateway.
    • Private subnets–Subnets that do not have connections to the Internet gateway

    Note: With vSRX Network Address Translation (NAT) , you can launch all customer instances in private subnets and connect vSRX interfaces to the Internet. This protects your instances from being directly exposed to Internet traffic.


    Virtual private cloud.

    Table 2: EC2 Related Terminology



    Amazon Machine Image (AMI)

    Amazon image format that contains the information, such as the template for root volume, launch permissions, and block device mapping, that is required to launch an EC2 instance.

    Cluster networking

    Instances launched in a common cluster placement group. Instances within the cluster have networks with high bandwidth and low latency.

    Elastic Block Store (EBS)

    Persistent block storage that can be attached to an EC2 instance. Block storage volumes can be formatted and mounted on an instance. EBS optimized instances provide dedicated throughput between Amazon EC2 and Amazon EBS.

    Elastic Compute Cloud (EC2)

    Amazon Web service that enables launch and management of elastic virtual servers or computers that run on the Amazon infrastructure.

    Elastic IP

    A static IP designed for dynamic cloud computing. The public IP is mapped to the privet subnet IP using NAT.

    Enhanced networking

    Provides high packet per second performance, low latency, higher I/O performance, and lower CPU utilization compared to traditional implementations. vSRX leverages this networking with hardware virtualized machine (HVM) Amazon Machine Images (AMIs).


    A virtual machine or server on EC2 that uses XEN or, XEN-HVM hypervisor types. EC2 provides a selection of instances optimized for different use cases.

    Key pairs

    Public key cryptography used by AWS to encrypt and decrypt login information. Create these key pairs using AWS-EC2 or import your own key pairs.

    Note: AWS does not accept DSA. Limit the public key access permissions to 400.

    Network interfaces

    Virtual network interfaces that you can attach to an instance in the VPC. An Elastic Network Interface (ENI) can have a primary private IP address, multiple secondary IP addresses, one Elastic IP address per private IP address, one public IP address, one or more security groups, one MAC address, and a source/destination check flag.

    Note: For vSRX instances, disable the source/destination check for all interfaces.

    Network MTU

    All Amazon instance types support an MTU of 1500. Some instance types support jumbo frames (9100 MTU).

    Note: Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.

    Security groups

    An AWS-provided virtual firewall that controls the traffic for one or more instances. Security groups can be associated with an instance only at launch time.

    Note: Because vSRX manages your firewall settings, we recommend that you ensure there is no contradiction between rule sets in AWS security groups and rule sets in your vSRX configuration.


    Release History Table

    Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.

    Modified: 2017-09-01