Configuring vSRX Using the CLI
Understanding vSRX on AWS Preconfiguration and Factory Defaults
vSRX on AWS deploys with the following preconfiguration defaults:
- SSH access with the RSA key pair configured during the installation
- No password access allowed for SSH access
- The management (fxp0) interface is preconfigured with the AWS Elastic IP and default route
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:
For Junos OS Release 15.1X49-D70 and earlier, the following example summarizes the preconfiguration statements added to a factory-default configuration for vSRX on AWS instances:
Do not use the load factory-default command on a vSRX AWS instance. The factory default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.
Adding a Basic vSRX Configuration
You can either create a new configuration on vSRX, or copy an existing configuration from another SRX or vSRX and load it onto your vSRX on AWS. The following steps create a basic configuration from the CLI:
- Log in to the vSRX instance using SSH and start the CLI.
  Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.
    ec2-user@% cli
    ec2-user@>
- Enter configuration mode.
    ec2-user@> configure
    ec2-user@#
- Set the authentication method used to log in to the vSRX. You can specify a password by entering a cleartext password or an encrypted password. For stronger authentication, use an SSH public key string instead (RSA or ECDSA; Junos also accepts DSA keys, but DSA is disabled by default in modern OpenSSH clients and should not be used for new deployments). Quote the key string, because it contains spaces.
    ec2-user@# set system root-authentication ssh-rsa "<public-key>"
  or
    ec2-user@# set system root-authentication plain-text-password
    New password: password
    Retype new password: password
- Optionally, enable password authentication for SSH if you want to create password access for additional users. This relaxes the key-only default that the AWS preconfiguration sets; leave the statement in place unless you need password logins.
    ec2-user@# delete system services ssh no-passwords
- Configure the hostname.
    ec2-user@# set system host-name host-name
- For each vSRX revenue interface, assign the private IP address defined on AWS. For example:
    ec2-user@# set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
  For multiple private addresses, enter a set command for each address. Do not assign the Elastic IP address; AWS maps it to the private address of the interface.
- Specify a security zone for the public interface.
    ec2-user@# set security zones security-zone untrust interfaces ge-0/0/0.0
- Specify a security zone for the private interface.
    ec2-user@# set security zones security-zone trust interfaces ge-0/0/1.0
- Configure routing: add a separate virtual router and routing options for the public and private interfaces.
  We recommend putting the revenue (data) interfaces in a routing instance as a best practice to avoid asymmetric traffic and routing, because fxp0 is part of the default (inet.0) table. With fxp0 in the default routing table, you might need two default routes: one via fxp0 for external management access, and one via the revenue interfaces for data traffic. Putting the revenue interfaces in a separate routing instance avoids having two default routes in a single routing instance.
    ec2-user@# set routing-instances aws instance-type virtual-router
    ec2-user@# set routing-instances aws interface ge-0/0/0.0
    ec2-user@# set routing-instances aws interface ge-0/0/1.0
    ec2-user@# set routing-instances aws interface st0.1
    ec2-user@# set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
    ec2-user@# set routing-instances aws routing-options static route 10.20.20.0/24 next-hop st0.1
  Use as the next hop of the default route the router address of the subnet attached to ge-0/0/0 (AWS reserves the first usable address of each subnet for the VPC router). The st0.1 interface and the 10.20.20.0/24 route belong to the IPsec VPN configuration (see the VPN example referenced below); omit them if you are not configuring a VPN.
- Verify the configuration.
    ec2-user@# commit check
    configuration check succeeds
- Commit the configuration to activate it on the device.
    ec2-user@# commit
    commit complete
- Optionally, use the show command to display the configuration and verify that it is correct.
For an example of how to configure vSRX to NAT all hosts behind the vSRX instance in the Amazon Virtual Private Cloud (Amazon VPC) to the IP address of the vSRX egress interface on the untrust zone, see Example: Configuring NAT for vSRX. This configuration allows hosts behind vSRX in a cloud network to access the Internet.
For an example of how to configure IPsec VPN between two instances of vSRX on AWS on different Amazon VPCs, see Example: Configuring VPN on vSRX Between Amazon VPCs.
Adding DNS Servers
vSRX does not include any DNS servers in the default configuration. You need DNS configured for any feature that resolves hostnames, for example IPS pulling down signature updates. You can use your own external DNS server or the AWS DNS server. If DNS is enabled on your Amazon VPC, queries to the Amazon DNS server at 169.254.169.253, or at the reserved address at the base of the VPC network range plus two, should succeed. See AWS - Using DNS with Your Amazon VPC for complete details.
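The following set-format configuration is an added example, not taken from this page or from Juniper; it strings together the basic configuration steps above (host name, root SSH key, revenue interfaces, security zones, the aws virtual router) with the name-server statement from this section, in a form you can paste into configuration mode or load with load set. The host name vsrx-aws-1, the ge-0/0/1 address 10.0.20.10/24, the next hop 10.0.10.1 (assumed to be the VPC router of the ge-0/0/0 subnet), the key placeholder and the trust-to-untrust permit policy are assumptions; replace them with your own values. Lines starting with # are explanatory comments, not configuration.

```junos
# Added example configuration (assumed values, not the page's or Juniper's own).
# The AWS preconfiguration for fxp0 and system services ssh is deliberately
# left untouched: do not use load override or load factory-default.

# Identity and key-only root authentication (quote the whole key string).
set system host-name vsrx-aws-1
set system root-authentication ssh-rsa "ssh-rsa AAAA<public-key> admin@bastion"

# Amazon-provided resolver, reachable from any VPC with DNS enabled.
set system name-server 169.254.169.253

# Revenue interfaces: private addresses from the AWS ENIs, never the Elastic IP.
# 10.0.10.197/24 is the page's example; 10.0.20.10/24 is an assumed private subnet.
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.197/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.10/24

# Zones: public interface in untrust, private interface in trust.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Separate virtual router for data traffic so inet.0 keeps only the fxp0
# management default route. 10.0.10.1 is assumed to be the AWS subnet router
# (first usable address of the ge-0/0/0 subnet). No st0.1 here: add it with
# the VPN configuration.
set routing-instances aws instance-type virtual-router
set routing-instances aws interface ge-0/0/0.0
set routing-instances aws interface ge-0/0/1.0
set routing-instances aws routing-options static route 0.0.0.0/0 next-hop 10.0.10.1

# Assumed policy: Junos drops flows with no matching policy, so permit
# trust-to-untrust explicitly. Tighten match terms for production.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
```

After loading, run commit check, then commit, and verify with show route table aws.inet.0 (the default route should appear in the aws instance, not in inet.0), show security zones, and show interfaces terse. Hosts in the trust subnet additionally need source NAT to reach the Internet through the Elastic IP; that is covered by the NAT example referenced above.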
Adding vSRX Feature Licenses
Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.
See Managing Licenses for vSRX for details.