Requirements for vSRX on Microsoft Azure

 

This section presents an overview of requirements for deploying a vSRX instance on Microsoft Azure Cloud.

System Requirements for vSRX on Microsoft Azure Cloud

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud. Microsoft Azure supports a wide variety of sizes and options for deployed Azure virtual machines (VMs).

For the vSRX deployment in Microsoft Azure, we recommend D-series VMs. The D-series VMs provided by Microsoft Azure are ideal for applications that demand faster CPUs and better local disk performance, or have higher memory demands. Of the available D-series VMs, we recommend that you select DS3_v2 Standard or D4_v2 Standard for the vSRX VM deployment in Microsoft Azure.

There are two performance tiers for storage in Microsoft Azure Cloud that you can choose from when creating your disks: Standard Storage and Premium Storage. Premium Storage is backed by SSDs and delivers high-performance, low-latency disk support for VMs running I/O-intensive workloads. Standard Storage is backed by HDDs and delivers cost-effective storage. For background details, see About disks storage for Azure Windows VMs.

  • For the SSD supported disk type, use DS3_v2 Standard for the vSRX VM deployment in Microsoft Azure.

  • For the HDD supported disk type, you can choose either DS3_v2 Standard or D4_v2 Standard for the vSRX VM deployment.

Table 1 outlines the recommended system requirements for a vSRX instance, Standard_DS3_v2 size VM.

Table 1: System Requirements for vSRX in Microsoft Azure - Standard_DS3_v2 VM

| Component | Specification |
|---|---|
| Size | Standard_DS3_v2 |
| CPU cores | 4 |
| Memory | 14 GB |
| Maximum number of data disks | 8 |
| Maximum cached and local disk storage throughput: IOPS/MBps (cache size in GB) | 16,000/128 (172) |
| Maximum uncached disk throughput: IOPS/MBps | 12,800/192 |
| Maximum number of NICs/network bandwidth | 4 / high |

Table 2 outlines the recommended system requirements for a vSRX instance, Standard_D4_v2 size VM.

Table 2: System Requirements for vSRX in Microsoft Azure - Standard_D4_v2 VM

| Component | Specification |
|---|---|
| Size | Standard_D4_v2 |
| CPU cores | 8 |
| Memory | 28 GB |
| Maximum number of data disks | 16 |
| Maximum local disk storage throughput: IOPS/MBps | 24000/375/187 |
| Maximum data disk throughput: IOPS | 16/16x500 |
| Maximum number of NICs/network bandwidth | 8 / high |

Note

The vSRX does not provide support for a high-availability configuration in Microsoft Azure. In addition, the vSRX does not support Layer 2 transparent mode in Microsoft Azure.

Network Requirements for vSRX on Microsoft Azure Cloud

When you deploy a vSRX VM in a Microsoft Azure virtual network, note the following specifics of the deployment configuration:

  • A dual public IP network configuration is a requirement for vSRX VM network connectivity; the vSRX VM requires two public subnets and one or more private subnets for each instance group.

  • The public subnets required by the vSRX VM consist of one subnet for the out-of-band management interface (fxp0) for management access and another for the two revenue (data) interfaces. By default, one interface is assigned to the untrust security zone and the other to the trust security zone on the vSRX VM.

  • In the Microsoft Azure deployment of the vSRX VM, the vSRX supports the management interface (fxp0) and the two revenue (data) interfaces (port ge-0/0/0 and ge-0/0/1), which includes public IP address mapping and data traffic forwarding to and from the vSRX VM.

Interface Mapping for vSRX on Microsoft Azure

Table 3 lists the vSRX and Microsoft Azure interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 3: vSRX and Microsoft Azure Interface Names

| Interface Number | vSRX Interface | Microsoft Azure Interface |
|---|---|---|
| 1 | fxp0 | eth0 |
| 2 | ge-0/0/0 | eth1 |
| 3 | ge-0/0/1 | eth2 |
| 4 | ge-0/0/2 | eth3 |

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance. Ensure that interfaces belonging to the same security zone are in the same routing instance.
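A check for the routing-instance recommendations above, as an added example that is not Juniper's code: it reads a Junos set-format configuration and flags zone interfaces left in the default table and security zones that span more than one routing instance. The sample configuration, the instance name vsrx-vr1 and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format (assumption, not from the page).
# ge-0/0/2.0 is deliberately left out of the routing instance.
SAMPLE_CONFIG = """
set interfaces fxp0 unit 0 family inet address 10.0.0.4/24
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set routing-instances vsrx-vr1 instance-type virtual-router
set routing-instances vsrx-vr1 interface ge-0/0/0.0
set routing-instances vsrx-vr1 interface ge-0/0/1.0
set routing-instances vsrx-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
INSTANCE_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
DEFAULT_TABLE = "inet.0 (default)"


def audit(config):
    """Return findings for zone interfaces versus routing-instance membership."""
    zones = defaultdict(set)   # zone name -> logical interfaces bound to it
    instance_of = {}           # logical interface -> routing instance name
    for raw in config.splitlines():
        line = raw.strip()
        zone_match = ZONE_RE.match(line)
        inst_match = INSTANCE_RE.match(line)
        if zone_match:
            zones[zone_match.group(1)].add(zone_match.group(2))
        elif inst_match:
            instance_of[inst_match.group(2)] = inst_match.group(1)

    findings = []
    for zone, ifaces in sorted(zones.items()):
        # Revenue interface not in any routing instance shares inet.0 with fxp0.
        for ifname in sorted(ifaces):
            if ifname not in instance_of:
                findings.append(f"{ifname} (zone {zone}) shares {DEFAULT_TABLE} with fxp0")
        # All interfaces of one security zone should sit in one routing instance.
        tables = sorted({instance_of.get(i, DEFAULT_TABLE) for i in ifaces})
        if len(tables) > 1:
            findings.append(f"zone {zone} spans routing tables: {', '.join(tables)}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both problems for ge-0/0/2.0; adding that interface to vsrx-vr1 clears them.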

vSRX Default Settings on Microsoft Azure

vSRX requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

Table 4 lists the factory-default settings for security policies on the vSRX.

Table 4: Factory-Default Settings for Security Policies

| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |
| trust | trust | permit |

Caution

Do not use the load factory-default command on the vSRX instance in Microsoft Azure. The factory-default configuration removes the “azure-provision” preconfiguration group. This group contains critical system-level settings and route information for the vSRX. A misconfiguration in the “azure-provision” group can result in loss of connectivity to the vSRX from Microsoft Azure. If you must revert to factory default, ensure that you first manually reconfigure the Microsoft Azure preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.

We strongly recommend that when you commit a configuration, you perform an explicit commit confirmed to avoid the possibility of losing connectivity to vSRX. Once you have verified that the change works correctly, you can keep the new configuration active by entering the commit command within 10 minutes. Without this timely second confirmation, the configuration changes are rolled back. See Configuring vSRX Using the CLI for preconfiguration details.

Best Practices for Improving vSRX Performance

Review the following deployment practices to improve vSRX performance:

  • Disable the source/destination check for all vSRX interfaces.

  • Limit public key access permissions to 400 for key pairs.

  • Ensure that there are no contradictions between Microsoft Azure security groups and your vSRX configuration.

  • Use vSRX NAT to protect your instances from direct Internet traffic.

Release History Table
Release
Description
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.