Understanding vSRX with AWS
This section presents an overview of vSRX on Amazon Web Services (AWS).
vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.
The vSRX provides you with a complete Next Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.
Junos OS Release 18.4R1 supports two software architectures. Figure 1 shows the high-level vSRX software architecture.
Figure 2 shows the high-level vSRX 3.0 software architecture with new features.
Starting in Junos OS Release 18.4R1, in addition to the existing vSRX software architecture and enhanced vSRX software architecture vSRX3.0 is also available to support FreeBSD 11.x as the guest OS and the Routing Engine and Packet Forwarding Engine running on FreeBSD 11.x as a single virtual machine for improved performance and scalability. The Data Plane Development Kit (DPDK) pmd process is supported to process the data packets in the data plane.
Image upgrade from previous releases to Junos OS Release 18.4R1 is not supported.
vSRX Benefits and Use Cases
vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:
Stateful firewall protection at the tenant edge
Faster deployment of virtual firewalls into new sites
Full routing, VPN, core security, and networking capabilities
Application security features (including IPS and App-Secure)
Content security features (including antivirus, Web filtering, antispam, and content filtering)
Centralized management with Junos Space Security Director and local management with J-Web Interface
Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration
vSRX with AWS
AWS provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (SaaS), to Application and Database as a Service. AWS is a highly flexible, scalable, and reliable cloud platform. In AWS, you can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.
vSRX PAYG images do not require any Juniper Networks licenses.
vSRX can be deployed in a virtual private cloud (VPC) in the Amazon Web Services (AWS) cloud. You can launch vSRX as an Amazon Elastic Compute Cloud (EC2) instance in an Amazon VPC dedicated to a specific user account. The vSRX Amazon Machine Image (AMI) uses hardware virtual machine (HVM) virtualization.
Figure 3 shows an example of deploying a vSRX instance to provide security for applications running in a private subnet of an Amazon VPC.
In the Amazon VPC, public subnets have access to the Internet gateway, but private subnets do not. vSRX requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.
AWS Marketplace also enables you to discover and subscribe to software that supports regulated workloads through AWS Marketplace for AWS GovCloud (US).
Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports two bundles for PAYG that are available as 1-hour or 1-year subscriptions.
vSRX Next Generation Firewall—Includes standard (STD) features of core security, including core firewall, IPsec VPN, NAT, CoS, and routing services, as well as advanced Layer 4 through 7 security services such as AppSecure features of AppID, AppFW, AppQoS, and AppTrack, IPS and rich routing capabilities.
vSRX Premium-Next Generation Firewall with Anti-Virus Protection—Includes the features in the vSRX Next- Generation Firewall package, including the UTM antivirus feature.
You deploy vSRX in an Amazon Virtual Private Cloud (Amazon VPC) as an application instance in the Amazon Elastic Compute Cloud (Amazon EC2). Each Amazon EC2 instance is deployed, accessed, and configured over the Internet using the AWS Management Console, and the number of instances can be scaled up or down as needed.
In the current release, each vSRX instance uses two vCPUs and 4 GB of memory, even if the instance type selected on AWS provides more resources.
vSRX uses hardware assisted virtual machines (HVM) for high performance (enhanced networking), and supports the following deployments on AWS cloud environments:
As a firewall between other Amazon EC2 instances on your Amazon VPC and the Internet
As a VPN endpoint between your corporate network and your Amazon VPC
As a firewall between Amazon EC2 instances on different subnets
This section defines some common terms used in an AWS configuration. Table 1 defines common terms used for Amazon Virtual Private Cloud (Amazon VPC) and Table 2 defines common terms for Amazon Elastic Compute Cloud (Amazon EC2) services.
Table 1: Amazon VPC Related Terminology
Amazon VPC components that allow communications between your instances in the Amazon VPC and the Internet.
AWS includes three types of IP address:
Each network interface can be associated with multiple private IP addresses. Public subnets can have multiple private IP addresses, public addresses, and Elastic IP addresses associated with the private IP address of the network interface. Instances in private and public subnets can have multiple private IP addresses. One Elastic IP address can be associated with each private IP address for instances in public subnets.
You can assign static private IP addresses in the subnet. The first five IP addresses and the last IP address in the subnet are reserved for Amazon VPC networking and routing. The first IP address is the gateway for the subnet.
AWS stateless virtual firewall operating at the subnet level.
A set of routing rules used to determine where the network traffic is directed. Each subnet needs to be associated with a route table. Subnets not explicitly associated with a route table are associated with the main route table.
Custom route tables can be created other than the default table.
A virtual addressing space in the Amazon VPC CIDR block. The IP addresses for the Amazon EC2 instances are allocated from the subnet pool of IP addresses.
You can create two types of subnets in the Amazon VPC:
Note: With vSRX Network Address Translation (NAT) , you can launch all customer instances in private subnets and connect vSRX interfaces to the Internet. This protects customer instances from being directly exposed to Internet traffic.
Virtual private cloud.
Table 2: Amazon EC2 Related Terminology
Amazon Elastic Block Store (EBS)
Persistent block storage that can be attached to an Amazon EC2 instance. Block storage volumes can be formatted and mounted on an instance. Amazon EBS optimized instances provide dedicated throughput between Amazon EC2 and Amazon EBS.
Amazon Elastic Compute Cloud (EC2)
Amazon Web service that enables launch and management of elastic virtual servers or computers that run on the Amazon infrastructure.
Amazon Machine Image (AMI)
Amazon image format that contains the information, such as the template for root volume, launch permissions, and block device mapping, that is required to launch an Amazon EC2 instance.
A static IP designed for dynamic cloud computing. The public IP is mapped to the privet subnet IP using NAT.
Provides high packet per second performance, low latency, higher I/O performance, and lower CPU utilization compared to traditional implementations. vSRX leverages this networking with hardware virtualized machine (HVM) Amazon Machine Images (AMIs).
A virtual machine or server on Amazon EC2 that uses XEN or, XEN-HVM hypervisor types. Amazon EC2 provides a selection of instances optimized for different use cases.
Public key cryptography used by AWS to encrypt and decrypt login information. Create these key pairs using AWS-EC2 or import your own key pairs.
Note: AWS does not accept DSA. Limit the public key access permissions to 400.
Virtual network interfaces that you can attach to an instance in the Amazon VPC. An Elastic Network Interface (ENI) can have a primary private IP address, multiple secondary IP addresses, one Elastic IP address per private IP address, one public IP address, one or more security groups, one MAC address, and a source/destination check flag.
Note: For vSRX instances, disable the source/destination check for all interfaces.
All Amazon instance types support an MTU of 1500. Some instance types support jumbo frames (9001 MTU).
Note: Use C3, C4, CC2, M3, M4, or T2 AWS instance types for vSRX instances with jumbo frames.
Instances launched in a common cluster placement group. Instances within the cluster have networks with high bandwidth and low latency.
An AWS-provided virtual firewall that controls the traffic for one or more instances. Security groups can be associated with an instance only at launch time.
Note: Because vSRX manages your firewall settings, we recommend that you ensure there is no contradiction between rule sets on AWS security groups and rule sets in your vSRX configuration.