Deploying vSRX from the Azure CLI
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
Use the following procedure to deploy and configure vSRX as a virtual security appliance in a Microsoft Azure virtual network from the Azure CLI. In this procedure, you use the Azure CLI running in Azure Resource Manager (ARM) mode.
Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).
If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.
From the Azure portal, you must first manually deploy the vSRX image (only once) by using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment tool uses vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your Microsoft account username and password to log in to the Microsoft Azure portal.
You will encounter a MarketplacePurchaseEligibilityFailed error if you do not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.
Installing the Microsoft Azure CLI
To install and log in to the Microsoft Azure CLI:
- Install the Microsoft Azure CLI 1.0 as outlined in Install
the Azure CLI. You have several options to install the Azure
CLI package for either the Linux or Mac OS; be sure to select the
correct installation package.
The vSRX for Azure deployment shell script
deploy-azure-vsrx.sh is written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.
Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the
deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.
- Log into the Azure CLI.
> azure login
- At the prompt, copy the code that appears in the command
Executing command login
To sign in, use a web browser to open the page http://aka.ms/devicelogin. Enter the code XXXXXXXXX to authenticate
- Open a Web browser to http://aka.ms/devicelogin, enter the code, and then click Continue. Enter your
Microsoft Azure username and password credentials. When the process
completes, the command shell completes the login process.
Added subscription Microsoft Azure Enterprise
To sign in, use a web browser to open the page http://aka.ms/devicelogin
login command OK
If you have multiple Azure subscriptions, connecting to Azure grants access to all subscriptions associated with your credentials. One subscription is selected as the default, and used by the Azure CLI when performing operations. You can view the subscriptions, including the current default subscription, using the azure account list command.
- Ensure that the Azure CLI is in Azure Resource Manager
> azure config mode arm
When the Azure CLI is initially installed, the CLI is in ARM mode.
Downloading the vSRX Deployment Tools
Juniper Networks provides a set of scripts, templates, parameter files, and configuration files in Juniper’s GitHub repository. These tools are intended to help simplify the deployment of the vSRX to Azure when using the Azure CLI.
For background information on the scripts, templates, parameter files, and configuration files, see Before You Deploy vSRX Using the Azure CLI.
To download the vSRX deployment tools:
- Access GitHub by using the following link: https://github.com/Juniper/vSRX-Azure.
- Click Clone or download to download to you
vSRX-Azure-master.zip file from GitHub containing all files and directories from
vSRX-Azure-master directory includes the following directories and files:
vSRX-Azure-master
├── README.md
├── LICENSE
├── sample-templates
│   ├── arm-templates-tool
│   │   ├── README.md
│   │   ├── deploy-azure-vsrx.sh
│   │   ├── templates
│   │   │   ├── app-vm
│   │   │   │   ├── vm.json
│   │   │   │   └── vm.parameters.json
│   │   │   └── vsrx-gateway
│   │   │       ├── vsrx.json
│   │   │       └── vsrx.parameters.json
│   │   └── utils
│   │       ├── decode_param_file.py
│   │       ├── gen_param_file.py
│   │       └── gen_template_file.py
│   └── simple-vsrx-demo
│       ├── README.md
│       ├── vsrx.json
│       └── vsrx.parameters.json
└── marketplace-solution-templates
    └── vpn-gateway
        ├── createUiDefinition.json
        ├── mainTemplate.json
        ├── vSRX-password.json
        └── vSRX-sshPublicKey.json
- Extract the compressed
vSRX-Azure-master.zip file to a location on your computer.
Changing Parameter Values in the vsrx.parameter.json File
vsrx.parameters.json file, you need to modify parameter values specific to your vSRX
deployment in Microsoft Azure. These parameters are used as part of
the automatic deployment performed by the
Keep in mind that by default vSRX uses fxp0 as the egress interface to the Internet. For features requiring Internet connections that use a revenue port (such as VPN, UTM, and so on), routing instances are required to isolate the traffic between the management network and the revenue network.
To change parameter values in the
- Open the
vsrx.parameters.json file with a text editor.
- Modify the values in the
vsrx.parameters.json file based on the specifics of your vSRX deployment. As an example, the following table outlines the parameters in the
vsrx.parameters.json file found in
sample-templates\arm-templates-tool\templates\vsrx-gateway that might require modification.
It is critical that you change the vsrx-username and vsrx-password login credentials listed in the
vsrx.parameters.json file before you launch the vSRX instance and log in for the first time. Note that you cannot reset login credentials for the vSRX using the Microsoft Azure portal or the Azure CLI.
storageAccountName: Must be unique for each deployment.
storageContainerName: Name of the Microsoft Azure storage container (VHDs).
vsrx-name: Specifies the vSRX hostname.
vsrx-addr-ge-0-0-0: IP address of vSRX interface ge-0/0/0.0.
vsrx-addr-ge-0-0-1: IP address of vSRX interface ge-0/0/1.0.
vsrx-username: Change to an appropriate username for the login credentials used to access the vSRX.
vsrx-password: Change to an appropriate password for the login credentials used to access the vSRX.
vsrx-sshkey: Specifies the root authentication password for the vSRX VM by entering an SSH public key string (RSA or DSA). By default, the
deploy-azure-vsrx.sh deployment script selects the password authentication method, unless -p, followed by the SSH RSA public key file (id_rsa.pub by default), is specified.
Note: Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.
vsrx-disk: The source image to create the vSRX instance. By default, the
deploy-azure-vsrx.sh script uses the vSRX Next Generation Firewall (BYOL) SKU in the Azure Marketplace as the source image to deploy vSRX instance, unless -i is used to explicitly specify the vSRX instance image location.
vnet-prefix: IP address prefix of the virtual network.
vnet-mgt-subnet-basename: Name of management network connected to fxp0.
vnet-mgt-subnet-prefix: IP address prefix of management network connected to fxp0.
vnet-trust-subnet-basename: Name of network connected to trust security zone: ge-0/0/1.0 on the vSRX.
vnet-trust-subnet-prefix: IP address prefix of network connected to trust security zone: ge-0/0/1.0 on the vSRX.
vnet-untrust-subnet-basename: Name of network connected to untrust security zone: ge-0/0/0.0 on the vSRX.
vnet-untrust-subnet-prefix: IP address prefix of network connected to untrust security zone: ge-0/0/0.0 on the vSRX.
- Save your changes to the
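The following pre-deployment check is an added example, not part of Juniper's tooling: it reads an edited parameter file and reports credentials left at sample values and interface addresses that fall outside their zone subnets. It assumes the standard ARM parameter-file layout and the parameter names shown in the deployment output on this page; the sample-username set, the minimum password length, and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the ARM parameter-file layout; names and addresses follow the
# deployment output on this page, the password is made up, one address is misplaced.
SAMPLE = json.loads("""
{"parameters": {
  "vsrx-username": {"value": "demo"},
  "vsrx-password": {"value": "demo"},
  "vsrx-sshkey": {"value": "ssh-rsa placeholder"},
  "vsrx-addr-ge-0-0-0": {"value": "192.168.10.20"},
  "vsrx-addr-ge-0-0-1": {"value": "192.168.30.20"},
  "vnet-prefix": {"value": "192.168.0.0/16"},
  "vnet-mgt-subnet-prefix": {"value": "192.168.0.0/24"},
  "vnet-trust-subnet-prefix": {"value": "192.168.20.0/24"},
  "vnet-untrust-subnet-prefix": {"value": "192.168.10.0/24"}
}}""")

# Assumption: usernames treated as "still the sample"; extend for your copy of the repo.
SAMPLE_USERNAMES = {"demo"}
MIN_PASSWORD_LEN = 12  # assumption: local policy, not a Junos requirement


def check_parameters(doc, use_ssh_key=False):
    """Return a list of findings; an empty list means the file passed."""
    p = {k: v.get("value") for k, v in doc["parameters"].items()}
    findings = []
    user, pw = p.get("vsrx-username") or "", p.get("vsrx-password") or ""
    if user in SAMPLE_USERNAMES:
        findings.append("vsrx-username is still a sample value")
    if len(pw) < MIN_PASSWORD_LEN or pw.lower() == user.lower():
        findings.append("vsrx-password is short or equals the username")
    if use_ssh_key and "placeholder" in (p.get("vsrx-sshkey") or "placeholder"):
        findings.append("vsrx-sshkey is still a placeholder")
    vnet = ipaddress.ip_network(p["vnet-prefix"])
    subnets = {z: ipaddress.ip_network(p[f"vnet-{z}-subnet-prefix"])
               for z in ("mgt", "trust", "untrust")}
    for zone, net in subnets.items():
        if not net.subnet_of(vnet):
            findings.append(f"{zone} subnet {net} is outside {vnet}")
    # Per this page: ge-0/0/0.0 sits in untrust, ge-0/0/1.0 in trust.
    for key, zone in (("vsrx-addr-ge-0-0-0", "untrust"), ("vsrx-addr-ge-0-0-1", "trust")):
        if ipaddress.ip_address(p[key]) not in subnets[zone]:
            findings.append(f"{key} {p[key]} is not in the {zone} subnet")
    return findings


if __name__ == "__main__":
    print("\n".join(check_parameters(SAMPLE)) or "parameter file passed")
```

Pass use_ssh_key=True when the deployment will use the SSH public key option, so that a placeholder key is also reported.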
Deploying the vSRX Using the Shell Script
script deploys the vSRX virtual machine in a
resource group that is based on your Azure Cloud geographic location.
The script uses the storage account and network values defined in
To deploy vSRX to the Azure virtual network:
- At the bash prompt in the Azure CLI, run the
deploy-azure-vsrx.sh script. By default, the script deploys the vSRX VM using the vSRX Next Generation Firewall (BYOL) SKU as the source image from the Azure Marketplace. The following information is read from the vsrx.json file as part of the deployment:
VM Size: Standard_D3_v2
Publisher: Juniper Networks
The following is an example of the command syntax. In this example, the script uses the vSRX image to deploy the vSRX VM in resource group “example_rg” at the Azure location “westus.” The storage account and network values are defined in the
> ./deploy-azure-vsrx.sh -g example_rg -l westus -f vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.json -e vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.parameters.json
When you specify the vSRX source image URL with the option
-i, the script copies the vSRX source image to create the virtual hardware disk file and to set the
vsrx.parameters.json to this value.
The default parameter values in the command syntax include:
example_rg is the resource group name (-g).
westus is the Azure location (-l).
vsrx.json in the folder
vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default Azure template file (-f).
vsrx.parameters.json in the folder
vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default parameter file (-e).
- Monitor the stages of deployment of vSRX to Microsoft
Azure as they occur on screen. Deployment encompasses operations such
as creating a resource group, storage account, template group (including
Creation of the storage account can take approximately 3 to 5 minutes on average. However, in some cases, it might take as long as 15 to 20 minutes.
➜ arm-templates-tool ./deploy-azure-vsrx.sh
Use default resource group name 'vsrx'
info: Executing command config mode
info: New mode is arm
info: config mode command OK
info: Executing command group create
+ Getting resource group vsrx
+ Creating resource group vsrx
info: Created resource group vsrx
data: Id: /subscriptions/1c3367ba-71fc-48df-898a-d9eab4f1d673/resourceGroups/vsrx
data: Name: vsrx
data: Location: westus
data: Provisioning State: Succeeded
data: Tags: null
data:
info: group create command OK
info: Executing command storage account create
…
data: DeploymentName : deployvsrx
data: ResourceGroupName : vsrx
data: ProvisioningState : Succeeded
data: Timestamp : Thu Jul 20 2017 12:31:45 GMT+0800 (CST)
data: Mode : Incremental
data: CorrelationId : a99b89f8-5919-4dbc-b8a5-6d76b30fcb67
data: DeploymentParameters :
data: Name                          Type          Value
data: ----------------------------  ------------  -------------------
data: storageAccountName            String        jnprsa01
data: storageContainerName          String        vhds
data: vsrx-name                     String        vsrx-test01
data: vsrx-addr-ge-0-0-0            String        192.168.10.20
data: vsrx-addr-ge-0-0-1            String        192.168.20.20
data: vsrx-username                 String        demo
data: vsrx-password                 SecureString  undefined
data: vsrx-sshkey                   String        ssh-rsa placeholder
data: vsrx-disk                     String        placeholder
data: vnet-prefix                   String        192.168.0.0/16
data: vnet-mgt-subnet-basename      String        mgt-subnet
data: vnet-mgt-subnet-prefix        String        192.168.0.0/24
data: vnet-trust-subnet-basename    String        trust-subnet
data: vnet-trust-subnet-prefix      String        192.168.20.0/24
data: vnet-untrust-subnet-basename  String        untrust-subnet
data: vnet-untrust-subnet-prefix    String        192.168.10.0/24
info: group deployment create command OK
When the deployment process completes, you will see the message
“info: group deployment create command OK.”
Verifying Deployment of vSRX to Microsoft Azure
To verify the deployment of the vSRX instance to Microsoft Azure:
- Open a Web browser to https://portal.azure.com/ and log in to the Microsoft Azure portal using your login credentials. The Dashboard view appears in the Azure portal. You will see a unified dashboard for all your assets in Azure. Verify that the Dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.
- To view the vSRX resource group and its resources after
deployment is completed, from the right-hand menu, click Resource
groups to access the Resource Groups page.
Figure 1 shows an example of the Resources group page in the Microsoft Azure portal.
- To view details of the vSRX VM associated with the resource
group, click the name of the vSRX.
Figure 2 shows an example of the Resource groups VM in the Microsoft Azure portal.
- To see a summary view of the VMs in your subscription,
including the newly deployed vSRX, click the Virtual Machines icon
in the left pane. On the Virtual machines page, check the vSRX VM
status after deployment is completed. Observe that the status is
You can stop, start, restart, and delete a VM from the Virtual machines page in the Microsoft Azure portal.
Figure 3 shows an example of the Microsoft Azure Virtual machines page.
Logging In to a vSRX Instance
After vSRX deployment is completed, the vSRX instance is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX instance.
In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.
To log in to the vSRX VM:
- From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.
- Use an SSH client to log in to a vSRX instance.
- At the prompt, enter the following login credentials:
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported. Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.
The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined in the
vsrx.parameters.json file (see Changing Parameter Values in the vsrx.parameter.json File). After initially logging in to the vSRX, you can configure SSH public and private key authentication.
# ssh <username@vsrx_vm_ipaddress>
The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>
- Configure the basic settings for the vSRX VM (see Configuring vSRX Using the CLI).