Deploying the vSRX Image from Azure Marketplace
Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network by selecting the vSRX image from Azure Marketplace and customizing the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
This deployment approach might be needed if you have a vSRX VM deployment scenario that is outside of the use cases offered in the vSRX VM solution templates available from Juniper Networks.
Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).
If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.
Use the following procedures to deploy and configure a vSRX VM into an Azure virtual network from the Azure portal.
Deploying the vSRX Image
To deploy and configure a vSRX VM into an Azure virtual network using the vSRX image from Azure Marketplace:
- Log in to the Microsoft
Azure portal using your Microsoft account user name and password.
The Dashboard appears in the Azure portal (see Figure 1). You will see a unified dashboard
for all your assets in Azure. Verify that the dashboard includes all
subscriptions to which you currently have access, and all resource
groups and associated resources.
- Click Marketplace from the dashboard to access
the Azure Marketplace, and then click Everything (or click New > Everything). Enter vsrx to search for the
available Juniper Networks vSRX VM images in the Azure Marketplace
(see Figure 2). The vSRX
image is available as a pay-as-you-go (PAYG) or bring-your-own-license
- Select the vSRX VM image from the list and then click Create to initiate the vSRX VM deployment process (see Figure 3).
- From the Create Virtual Machine blade, 1 Basics, configure the following parameters (see Figure 4).
Specify a name for your vSRX VM. Your vSRX VM name cannot contain non-ASCII or special characters.
VM Disk Type
Specify the disk type to use for the vSRX VM: SSD or HDD. The default is SSD.
Enter a username to access the vSRX VM. The username cannot contain uppercase characters, special characters, or start with a “$” or “-” character.
Select the required method of authentication to access the vSRX VM: Password or SSH public key. Select Password as type of authentication and then enter (and confirm) your password.
Note: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM.
Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method.
Enter an appropriate root password used to access the vSRX VM.
Select your Microsoft Azure subscription.
Select an existing resource group or create a new one (see Creating a Resource Group).
Select the Azure geographic region in which you are deploying the vSRX VM.
- From the Create Virtual Machine blade, 2 Size, select DS3_v2 Standard as the vSRX VM size (see Figure 5). Click Select.
DS3_v2 Standard is used for a vSRX VM deployment. See Requirements for vSRX on Microsoft Azure for the recommended system requirements for a vSRX instance in Microsoft Azure.
- From the Create Virtual Machine blade, 3 Settings, configure the following parameters to define the storage, networking,
and monitoring settings for the vSRX VM (see Figure 6). Click OK when completed.
Used Managed Disks
Specify whether you want Azure to automatically manage the availability of disks to provide data redundancy and fault tolerance without you creating and managing a storage account. Click No.
If you need to change the storage account for the vSRX VM, click the right arrow to access the Choose Storage Account blade. Select an existing storage account for the vSRX VM, or click Create new (+) to create a new one. See Creating a Storage Account for details about creating a new storage account.
If you need to change the virtual network for the vSRX VM, click the right arrow to access the Choose Virtual Network blade. Select an existing virtual network for the vSRX VM, or click Create new (+) to create a new one. See Creating a Virtual Network for details about creating a new virtual network.
Enter a subnet, which is a range of IP addresses in your virtual network to isolate VMs. Public subnets have access to the Internet gateway, but private subnets do not.
A vSRX VM requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and another for the two revenue (data) interfaces. The private subnets, connected to other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.
To modify the subset for the virtual network, click the right arrow to access the Create Subnet blade.
Configure the following parameters:
Subnet name—A unique name for the subnet in the Azure virtual network.
Subnet address range—The subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.0.0.0/24.
Note: The address range of a subnet that is already in use cannot be edited.
Public IP address
Specify the public IP address that allows communication to the vSRX VM from outside the Azure virtual network. To modify the public IP address for the vSRX VM, click the right arrow to access the Choose Public IP Address blade. Select a public IP address in your Azure subscription and location, or click Create new (+) to create a new one.
Configure the following parameters:
Name—A unique name for the public IP address.
Assignment—There are two methods in which an IP address is allocated to a public IP resource: dynamic or static. By default, public IP addresses are dynamic, where an IP address is not allocated at the time of its creation. Instead, the public IP address is allocated when you start (or create) the resource. The IP address associated to them may change when the vSRX VM is deleted.
To guarantee that the vSRX VM always uses the same public IP address, we recommend you assign a static public IP address.
Network security group
Specify a network security group, which is a set of firewall rules that control traffic to and from the vSRX VM. Each network security group can contain multiple inbound and outbound security rules that enable you to filter traffic by source and destination IP address, port, and protocol. You can apply a network security group to each NIC in the VM.
To modify the network security group for the vSRX VM to filter traffic, click the right arrow to access the Choose Network Security blade. Select a network security group in your Azure subscription and location, or click Create new (+) to create a new one.
Configure the following parameters:
Name—A unique name for the network security group.
Inbound rules—You can add one or more inbound security rules to allow or deny traffic to the vSRX VM.
Outbound rules—You can add one or more outbound security rules to allow or deny traffic originating from the vSRX VM.
No extensions are used for the vSRX VM.
Confiigure two or more VMs in an availability set to provide redundancy to an application.
Note: Availability Set should be set to None for the vSRX VM. Availablilty Set is not used for the vSRX VM in Azure because chassis clustering is not supported by the vSRX at this time.
Enables or disables the capturing of serial console output and screenshots of the VM running on the host to help diagnose start-up issues. The default is Enabled.
Guest OS Diagnostics
Enables or disables the ability to obtain metrics every minute for the VM. Choices are: Disabled or Enabled. The default is Disabled.
Diagnostics Storage Account
Click the right arrow to view the details of the diagnostics storage account. Automatically fills in with the name of the diagnostics storage account from which you can analyze a set of metrics with your own tools.
- From the Create Virtual Machine blade, 4 Summary , review the configuration settings (see Figure 7). If you are
satisfied with the configuration settings, click OK.
You return to the Azure portal dashboard, and the dashboard displays the deployment status of the vSRX VM.
Verifying Deployment of vSRX to Microsoft Azure
After the vSRX VM is created, the Azure portal dashboard lists
the new vSRX VM under Resource Groups. The corresponding cloud service
and storage account also are created and listed. Both the vSRX VM
and the cloud service are started automatically and their status is
To verify the deployment of the vSRX instance to Microsoft Azure:
- To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.
- To view details of the vSRX VM associated with the resource
group, click the name of the vSRX VM. Observe that the status is
You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.
Figure 9 shows an example of a Resource groups vSRX VM in the Microsoft Azure portal.
Logging In to a vSRX VM
After vSRX deployment is completed, the vSRX VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX VM.
In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.
To log in to the vSRX VM:
- From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.
- Use an SSH client to log in to a vSRX VM.
- At the prompt, enter the following login credentials:
The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration (see Deploying the vSRX Image). After initially logging in to the vSRX, you can configure SSH public and private key authentication.
# ssh <username@vsrx_vm_ipaddress>
The authenticity of host ’x.x.x.x (x.x.x.x)’ ... ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ’x.x.x.x’ (ECDSA) to the list of known hosts. Password: xxxxxxxx username@vsrx_vm_ipaddress>
- Configure the basic settings for the vSRX VM (see Configuring vSRX Using the CLI).