Deploying vSRX from the Azure CLI

 

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

Use the following procedure to deploy and configure vSRX as a virtual security appliance in a Microsoft Azure virtual network from the Azure CLI. In this procedure, you use the Azure CLI running in Azure Resource Manager (ARM) mode.

Note

Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.

Note

From the Azure portal, you must first manually deploy the vSRX image (only once) by using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment tool uses vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your Microsoft account username and password to log in to the Microsoft Azure portal.

You will encounter a MarketplacePurchaseEligibilityFailed error if you do not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.

Installing the Microsoft Azure CLI

To install and log in to the Microsoft Azure CLI:

  1. Install the Microsoft Azure CLI 1.0 as outlined in Install the Azure CLI. You have several options to install the Azure CLI package for either the Linux or Mac OS; be sure to select the correct installation package.

    Note

    The vSRX for Azure deployment shell script deploy-azure-vsrx.sh is written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.

    Note

    Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.

  2. Log in to the Azure CLI.

    > azure login

  3. At the prompt, copy the code that appears in the command output.
  4. Open a Web browser to http://aka.ms/devicelogin, enter the code, and then click Continue. Enter your Microsoft Azure username and password credentials. When the process completes, the command shell completes the login process.
    Note

    If you have multiple Azure subscriptions, connecting to Azure grants access to all subscriptions associated with your credentials. One subscription is selected as the default, and used by the Azure CLI when performing operations. You can view the subscriptions, including the current default subscription, using the azure account list command.

  5. Ensure that the Azure CLI is in Azure Resource Manager (ARM) mode.

    > azure config mode arm

    Note

    When the Azure CLI is initially installed, the CLI is in ARM mode.

Downloading the vSRX Deployment Tools

Juniper Networks provides a set of scripts, templates, parameter files, and configuration files in Juniper’s GitHub repository. These tools are intended to help simplify the deployment of the vSRX to Azure when using the Azure CLI.

Note

For background information on the scripts, templates, parameter files, and configuration files, see Before You Deploy vSRX Using the Azure CLI.

To download the vSRX deployment tools:

  1. Access GitHub by using the following link: https://github.com/Juniper/vSRX-Azure.
  2. Click Clone or download to download to your computer the vSRX-Azure-master.zip file from GitHub containing all files and directories from vSRX-Azure. The vSRX-Azure-master directory includes the following directories and files:
  3. Extract the compressed vSRX-Azure-master.zip file to a location on your computer.

Changing Parameter Values in the vsrx.parameter.json File

In the vsrx.parameters.json file, you need to modify parameter values specific to your vSRX deployment in Microsoft Azure. These parameters are used as part of the automatic deployment performed by the deploy-azure-vsrx.sh script.

Keep in mind that by default vSRX uses fxp0 as the egress interface to the Internet. For features requiring Internet connections that use a revenue port (such as VPN, UTM, and so on), routing instances are required to isolate the traffic between the management network and the revenue network.

To change parameter values in the vsrx.parameters.json file:

  1. Open the vsrx.parameters.json file with a text editor.
  2. Modify the values in the vsrx.parameters.json file based on the specifics of your vSRX deployment. As an example, the following table outlines the parameters in the vsrx.parameters.json file found in sample-templates\arm-templates-tool\templates\vsrx-gateway that might require modification.

    Caution

    It is critical that you change the vsrx-username and vsrx-password login credentials listed in the vsrx.parameters.json file before you launch the vSRX instance and login for the first time. Note that you cannot reset login credentials for the vSRX using the Microsoft Azure portal or the Azure CLI.

    | Parameter | Default Value | Comment |
    |---|---|---|
    | storageAccountName | juniperstore01 | Must be unique for each deployment. |
    | storageContainerName | vhds | Name of the Microsoft Azure storage container (VHDs). |
    | vsrx-name | vsrx-gw | Specifies the vSRX hostname. |
    | vsrx-addr-ge-0-0-0 | 192.168.10.20 | IP address of vSRX interface ge-0/0/0.0. |
    | vsrx-addr-ge-0-0-1 | 192.168.20.20 | IP address of vSRX interface ge-0/0/1.0. |
    | vsrx-username | demo | Change to an appropriate username for the login credentials used to access the vSRX. |
    | vsrx-password | Demo123456 | Change to an appropriate password for the login credentials used to access the vSRX. |
    | vsrx-sshkey | ssh-rsa placeholder | Specifies the root authentication password for the vSRX VM by entering an SSH public key string (RSA or DSA). By default, the deploy-azure-vsrx.sh deployment script selects the password authentication method, unless -p, followed by the SSH RSA public key file (id_rsa.pub by default), is specified. Note: Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default. |
    | vsrx-disk | placeholder | The source image to create the vSRX instance. By default, the deploy-azure-vsrx.sh script uses the vSRX Next Generation Firewall (BYOL) SKU in the Azure Marketplace as the source image to deploy vSRX instance, unless -i is used to explicitly specify the vSRX instance image location. |
    | vnet-prefix | 192.168.0.0/16 | IP address prefix of the virtual network. |
    | vnet-mgt-subnet-basename | mgt-subnet | Name of management network connected to fxp0. |
    | vnet-mgt-subnet-prefix | 192.168.0.0/24 | IP address prefix of management network connected to fxp0. |
    | vnet-trust-subnet-basename | trust-subnet | Name of network connected to trust security zone: ge-0/0/1.0 on the vSRX. |
    | vnet-trust-subnet-prefix | 192.168.20.0/24 | IP address prefix of network connected to trust security zone: ge-0/0/1.0 on the vSRX. |
    | vnet-untrust-subnet-basename | untrust-subnet | Name of network connected to untrust security zone: ge-0/0/0.0 on the vSRX. |
    | vnet-untrust-subnet-prefix | 192.168.10.0/24 | IP address prefix of network connected to untrust security zone: ge-0/0/0.0 on the vSRX. |

  3. Save your changes to the vsrx.parameters.json file.
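A pre-deployment check for the edited parameter file, as an added example that is not part of the Juniper deployment tools: it flags values still at the defaults listed in the table and verifies that the interface addresses and subnet prefixes are consistent. It assumes the file uses the standard ARM parameter layout (a "parameters" object mapping each name to a "value"); check_parameters and the embedded sample are hypothetical names and data constructed for illustration.

```python
import ipaddress
import json

# Defaults shipped in vsrx.parameters.json, taken from the table above.
SHIPPED_DEFAULTS = {
    "vsrx-username": "demo",
    "vsrx-password": "Demo123456",
    "storageAccountName": "juniperstore01",
}
# Interface address parameter -> subnet prefix parameter it must fall within.
ADDR_TO_SUBNET = {
    "vsrx-addr-ge-0-0-0": "vnet-untrust-subnet-prefix",
    "vsrx-addr-ge-0-0-1": "vnet-trust-subnet-prefix",
}
SUBNET_PREFIXES = [f"vnet-{zone}-subnet-prefix" for zone in ("mgt", "trust", "untrust")]


def check_parameters(text):
    """Return a list of findings for a vsrx.parameters.json document."""
    # Assumption: standard ARM parameter file, {"parameters": {name: {"value": ...}}}.
    params = {k: v.get("value") for k, v in json.loads(text)["parameters"].items()}
    findings = []
    for name, default in SHIPPED_DEFAULTS.items():
        if params.get(name) == default:
            # Report the parameter name only, never the credential value itself.
            findings.append(f"{name} still has the shipped default value")
    vnet = ipaddress.ip_network(params["vnet-prefix"])
    for name in SUBNET_PREFIXES:
        if not ipaddress.ip_network(params[name]).subnet_of(vnet):
            findings.append(f"{name} {params[name]} is outside vnet-prefix {vnet}")
    for addr_name, subnet_name in ADDR_TO_SUBNET.items():
        subnet = ipaddress.ip_network(params[subnet_name])
        if ipaddress.ip_address(params[addr_name]) not in subnet:
            findings.append(f"{addr_name} {params[addr_name]} is not in {subnet_name}")
    return findings


# Constructed sample built from the default values in the table above.
SAMPLE = json.dumps({"parameters": {k: {"value": v} for k, v in {
    "storageAccountName": "juniperstore01", "vsrx-username": "demo",
    "vsrx-password": "Demo123456", "vnet-prefix": "192.168.0.0/16",
    "vnet-mgt-subnet-prefix": "192.168.0.0/24",
    "vnet-trust-subnet-prefix": "192.168.20.0/24",
    "vnet-untrust-subnet-prefix": "192.168.10.0/24",
    "vsrx-addr-ge-0-0-0": "192.168.10.20",
    "vsrx-addr-ge-0-0-1": "192.168.20.20"}.items()}})

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE):
        print("FAIL:", finding)
```

To check a real file, pass its contents to check_parameters and stop the deployment if the returned list is not empty.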

Deploying the vSRX Using the Shell Script

The deploy-azure-vsrx.sh shell script deploys the vSRX virtual machine in a resource group that is based on your Azure Cloud geographic location. The script uses the storage account and network values defined in the vsrx.parameters.json file.

To deploy vSRX to the Azure virtual network:

  1. At the bash prompt in the Azure CLI, run the deploy-azure-vsrx.sh script. By default, the script deploys the vSRX VM using the vSRX Next Generation Firewall (BYOL) SKU as the source image from the Azure Marketplace. The following information is read from the vsrx.json file as part of the deployment:
    • VM Size: Standard_D3_v2

    • Publisher: Juniper Networks

    • SKU: vsrx-byol-azure-image

    • Offering: vsrx-next-generation-firewall

    The following is an example of the command syntax. In this example, the script uses the vSRX image to deploy the vSRX VM in resource group “example_rg” at the Azure location “westus.” The storage account and network values are defined in the vsrx.parameters.json file.

    > ./deploy-azure-vsrx.sh -g example_rg -l westus -f vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.json -e vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.parameters.json

    Note

    When you specify the vSRX source image URL with the option -i, the script copies the vSRX source image to create the virtual hardware disk file and sets the vsrx-disk parameter in vsrx.parameters.json to this value.

    The default parameter values in the command syntax include:

    • example_rg is the resource group name (-g).

    • westus is the Azure location (-l).

    • vsrx.json in the folder vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default Azure template file (-f).

    • vsrx.parameters.json in the folder vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default parameter file (-e).

  2. Monitor the stages of deployment of vSRX to Microsoft Azure as they occur on screen. Deployment encompasses operations such as creating a resource group, storage account, and template group (including configuration parameters).

    Note

    Creation of the storage account can take approximately 3 to 5 minutes on average. However, in some cases, it might take as long as 15 to 20 minutes.

    When the deployment process completes, you will see the message “info: group deployment create command Ok.”

Verifying Deployment of vSRX to Microsoft Azure

To verify the deployment of the vSRX instance to Microsoft Azure:

  1. Open a Web browser to https://portal.azure.com/ and log in to the Microsoft Azure portal using your login credentials. The Dashboard view appears in the Azure portal. You will see a unified dashboard for all your assets in Azure. Verify that the Dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.
  2. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.

    Figure 1 shows an example of the Resources group page in the Microsoft Azure portal.

    Figure 1: Microsoft Azure Resource Groups Page Example

  3. To view details of the vSRX VM associated with the resource group, click the name of the vSRX.

    Figure 2 shows an example of the Resource groups VM in the Microsoft Azure portal.

    Figure 2: Microsoft Azure Resource Groups VM Example

  4. To see a summary view of the VMs in your subscription, including the newly deployed vSRX, click the Virtual Machines icon in the left pane. On the Virtual machines page, check the vSRX VM status after deployment is completed. Observe that the status is Running.

    Note

    You can stop, start, restart, and delete a VM from the Virtual machines page in the Microsoft Azure portal.

    Figure 3 shows an example of the Microsoft Azure Virtual machines page.

    Figure 3: Microsoft Azure Virtual Machines Page Example


Logging In to a vSRX Instance

After vSRX deployment is completed, the vSRX instance is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX instance.

Note

In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.

To log in to the vSRX VM:

  1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.
  2. Use an SSH client to log in to a vSRX instance.
  3. At the prompt, enter the following login credentials:

    Note

    Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported. Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.

    The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined in the vsrx.parameters.json file (see Changing Parameter Values in the vsrx.parameter.json File). After initially logging in to the vSRX, you can configure SSH public and private key authentication.

    # ssh <username@vsrx_vm_ipaddress>

  4. Configure the basic settings for the vSRX VM (see Configuring vSRX Using the CLI).
Release History Table
Release
Description
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported.
Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.