Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring vSRX Using the CLI


Understanding vSRX on AWS Preconfiguration and Factory Defaults

vSRX on AWS deploys with the following preconfiguration defaults:

  • SSH access with the RSA key pair configured during the installation

  • No password access allowed for SSH access

  • The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:

For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:


Do not use the load factory-default command on a vSRX AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.

Adding a Basic vSRX Configuration

You can either create a new configuration on vSRX or copy an existing configuration from another SRX or vSRX and load it onto your vSRX on AWS. Use the following steps to copy and load an existing configuration:

  1. Saving a Configuration File

  2. Loading a Configuration File

To configure a vSRX instance using the CLI:

  1. Log in to the vSRX instance using SSH and start the CLI.Note

    Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.

  2. Enter configuration mode.
  3. Set the authentication method to log into the vSRX. You can specify a password by entering a cleartext password or an encrypted password. If you require a more robust level of authentication security, we recommend that you select an SSH public key string (DSA, ECDSA, or RSA).


  4. Optionally, enable passwords for SSH if you want to create password access for additional users.
  5. Configure the hostname.
  6. For each vSRX revenue interface, assign the IP address defined on AWS. For example:

    For multiple private addresses, enter a set command for each address. Do not assign the Elastic IP address.

  7. Specify a security zone for the public interface.
  8. Specify a security zone for the private interface.
  9. Configure routing to add a separate virtual router and routing option for the public and private interfaces.Note

    We recommend putting the revenue (data) interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.

  10. Verify the configuration.
  11. Commit the configuration to activate it on the device.
  12. Optionally, use the show command to display the configuration to verify that it is correct.

For an example of how to configure vSRX to NAT all hosts behind the vSRX instance in the Amazon Virtual Private Cloud (Amazon VPC) to the IP address of the vSRX egress interface on the untrust zone, see Example: Configuring NAT for vSRX. This configuration allows hosts behind vSRX in a cloud network to access the Internet.

For an example of how to configure IPsec VPN between two instances of vSRX on AWS on different Amazon VPCs, see Example: Configuring VPN on vSRX Between Amazon VPCs.

Adding DNS Servers

vSRX does not include any DNS servers in the default configuration. You might need DNS configured to deploy Layer 7 services, such as IPS, to pull down signature updates, for example. You can use your own external DNS server or use an AWS DNS server. If you enable DNS on your Amazon VPC, queries to the Amazon DNS server ( or the reserved IP address at the base of the VPC network range plus two should succeed. See AWS - Using DNS with Your Amazon VPC for complete details.

Adding vSRX Feature Licenses

Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See Managing Licenses for vSRX for details.