Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace

 

Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.

You use the security gateway solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX VM deployment. This solution template simplifies the configuration details of the vSRX VM through a customized deployment use case. The solution template defines subnets for the management network (fxp0), the trust security zone (ge-0/0/1.0), and the untrust security zone (ge-0/0/0.0) on the vSRX VM.

Note

Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.

Use the following procedures to deploy a vSRX VM using the Security Gateway solution template:

Deploying the vSRX Using the Security Gateway Solution Template

To deploy a vSRX VM into an Azure virtual network using the Security Gateway solution template from Azure Marketplace:

  1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 1). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.



    Figure 1: Microsoft Azure Portal Dashboard

  2. Click Marketplace from the dashboard to access the Azure Marketplace, and then click Everything (or click New > Everything). Enter vsrx to search for the vSRX Security Gateway solution template in the Azure Marketplace (see Figure 2). The vSRX image is available as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.



    Figure 2: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace

  3. Select the vSRX Security Gateway image from the list and then click Create to initiate the vSRX VM deployment process (see Figure 3).



    Figure 3: Creating vSRX VM Using Security Gateway Solution Template

  4. From the Create vSRX Security Gateway blade, 1 Basics (see Figure 4), enter the initial VM setup information (such as VM login credentials, Azure subscription plan, resource group, and geographic location), and then click OK.
    Figure 4: Create vSRX Security Gateway - Basics


    | Parameter | Description |
    | --- | --- |
    | Admin Username | Enter an administrator username to access the vSRX VM. The username cannot contain uppercase characters, special characters, or start with a “$” or “-” character. |
    | Authentication type | Select the required method of authentication to access the vSRX VM: Password or SSH public key. Select Password as type of authentication and then enter (and confirm) your password. Note: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM. Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method. |
    | Admin User Password | Enter an appropriate root password used to access the vSRX VM. The password must be between 12 and 72 characters. |
    | Subscription | Select your Microsoft Azure subscription. |
    | Resource Group | Select an existing resource group or create a new one (see Creating a Resource Group). Note that the resource group must be empty. |
    | Location | Select the Azure geographic region in which you are deploying the vSRX VM. |

  5. From the Create vSRX Security Gateway blade, 2 Virtual Machine Settings:
    • Specify a vSRX VM name in the vSRX host name field. The vSRX VM name must be between 4 and 25 characters, and can only contain lowercase letters and numbers.

    • Click VM size, and then click the right arrow to access the Choose a Size blade (see Figure 5).

      Note

      See Requirements for vSRX on Microsoft Azure for the recommended system requirements for a vSRX instance in Microsoft Azure.

      There are two performance tiers for storage in Microsoft Azure Cloud that you can choose from when creating your disks: Standard Storage and Premium Storage. Premium Storage is backed by SSDs, and delivers high-performance, low-latency disk support for VMs running I/O-intensive workloads. Standard Storage is backed by HDDs, and delivers cost-effective storage.

      • For the SSD supported disk type, DS3_v2 Standard is used for the vSRX VM deployment. Select DS3_v2 Standard as the vSRX VM size, and then click Select.



        Figure 5: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for SSD

      • For the HDD supported disk type, you can choose either DS3_v2 Standard or D4_V2 Standard for the vSRX VM deployment. Choose the vSRX VM size, and then click Select.



        Figure 6: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for HDD

    • Click New Storage Account Name, and then click the right arrow to access the Create Storage Account blade (see Figure 7). Enter information for the new vSRX storage account in your Azure subscription, and then click OK.



    Figure 7: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account


    | Parameter | Description |
    | --- | --- |
    | Name | Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters. |
    | Performance | Select the type of performance: Standard or Premium. The default is Standard. |
    | Replication | Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS. |

    Click OK when you complete selecting the vSRX VM size and, if necessary, a storage account for your Azure subscription.

  6. From the Create vSRX Security Gateway blade, 3 Network Settings:
    • Click Virtual network, and then click the right arrow to access the Create Virtual Network blade (see Figure 8). Enter information for the new vSRX virtual network in your Azure subscription, and then click OK.



    Figure 8: Create vSRX VM Gateway - Network Settings - Create Virtual Network


    | Parameter | Description |
    | --- | --- |
    | Name | Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
    | Address Space | Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/16. Note: Ensure that the address space does not overlap with an existing network. |

    • Click Subnets, and then click the right arrow to access the Subnets blade (see Figure 9). Enter information for the vSRX VM subnets, and then click OK.



    Figure 9: Create vSRX VM Gateway - Network Settings - Subnets


    | Parameter | Description |
    | --- | --- |
    | Management Subnet Name | Enter a unique name for the management subnet of the Azure virtual network. The management subnet is used by the management interface (fxp0) of the vSRX VM. The management subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
    | Management Subnet Address Prefix | The management subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.0.0/24. Note: The address range of a subnet that is already in use cannot be edited. |
    | Untrust Subnet Name | Enter a unique name for the untrust subnet (the public subnet) of the Azure virtual network. The untrust subnet is used by the revenue (data) interface of the vSRX VM and connects to the Internet. The untrust subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
    | Untrust Subnet Address Prefix | The untrust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.1.0/24. Note: The address range of a subnet that is already in use cannot be edited. |
    | Trust Subnet Name | Enter a unique name for the trust subnet (the private subnet) of the Azure virtual network. The trust subnet connects to a network segment that uses private IP addresses. The trust subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
    | Trust Subnet Address Prefix | The trust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.2.0/24. Note: The address range of a subnet that is already in use cannot be edited. |

    Click OK when you complete specifying the information for the vSRX VM subnets (the management, trust, and untrust subnets), and if necessary, creating a virtual network for your Azure subscription.

  7. From the Create vSRX Security Gateway blade, 4 Summary, review the configuration settings (see Figure 10). If you are satisfied with the configuration settings, click OK.



    Figure 10: Create vSRX VM Gateway - Summary

  8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms of use (see Figure 11). If you are satisfied with the offer details and terms of use, click Purchase.



    Figure 11: Create vSRX VM Gateway - Purchase

  9. You return to the Azure portal dashboard, and the dashboard displays the deployment status of the vSRX VM (see Figure 12).



    Figure 12: vSRX VM Deployment Status
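
A pre-flight check of the values entered in steps 4 through 6, as an added example that is not part of the Juniper documentation: it applies the naming, password-length and CIDR rules quoted in the parameter tables before anything is submitted to the portal. The dictionary keys, the sample names and password, and the reading of "special characters" as anything other than lowercase letters and digits are assumptions made for this example.

```python
import ipaddress
import re
from itertools import combinations

# Network/subnet names: start with a letter or number, end with a letter, number or underscore.
NET_NAME = r"[A-Za-z0-9]([A-Za-z0-9_.-]*[A-Za-z0-9_])?"
PATTERNS = {
    "admin_username": r"[a-z0-9]+",       # assumption: no "special characters" at all
    "vm_name": r"[a-z0-9]{4,25}",         # 4-25 lowercase letters and numbers
    "storage_account": r"[a-z0-9]{3,24}", # 3-24 lowercase letters and numbers
    "vnet_name": NET_NAME,
    "mgmt_subnet_name": NET_NAME,
    "untrust_subnet_name": NET_NAME,
    "trust_subnet_name": NET_NAME,
}
PREFIX_KEYS = ("mgmt_prefix", "untrust_prefix", "trust_prefix")


def validate(params):
    """Return a list of rule violations; an empty list means the inputs pass."""
    errors = []
    for key, pattern in PATTERNS.items():
        if not re.fullmatch(pattern, params[key]):
            errors.append(f"{key}: invalid name {params[key]!r}")
    if not 12 <= len(params["admin_password"]) <= 72:
        errors.append("admin_password: length must be 12-72 characters")
    vnet = ipaddress.ip_network(params["address_space"])
    subnets = {k: ipaddress.ip_network(params[k]) for k in PREFIX_KEYS}
    for key, net in subnets.items():
        if not net.subnet_of(vnet):  # must be contained by the address space
            errors.append(f"{key}: {net} is outside address space {vnet}")
    for (k1, n1), (k2, n2) in combinations(subnets.items(), 2):
        if n1.overlaps(n2):  # subnet ranges cannot overlap one another
            errors.append(f"{k1} and {k2}: {n1} overlaps {n2}")
    return errors


# Constructed sample input; the CIDR ranges are the defaults quoted in the tables.
SAMPLE = {
    "admin_username": "vsrxadmin", "admin_password": "Constructed-Pass-123",
    "vm_name": "vsrxgw01", "storage_account": "vsrxstore01",
    "vnet_name": "vsrx-vnet", "address_space": "10.0.0.0/16",
    "mgmt_subnet_name": "mgmt-subnet", "mgmt_prefix": "10.1.0.0/24",
    "untrust_subnet_name": "untrust-subnet", "untrust_prefix": "10.1.1.0/24",
    "trust_subnet_name": "trust-subnet", "trust_prefix": "10.1.2.0/24",
}

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "all checks passed")
```

Run on the default ranges quoted above, the check reports all three subnet prefixes as lying outside the 10.0.0.0/16 address space, so either the address space or the subnet prefixes must be changed from those values.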


Verifying Deployment of vSRX to Microsoft Azure

After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under Resource Groups. The corresponding cloud service and storage account are also created and listed. Both the vSRX VM and the cloud service are started automatically, and their status is listed as Running.

To verify the deployment of the vSRX instance to Microsoft Azure:

  1. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.

    Figure 13 shows an example of the Resource Groups page in the Microsoft Azure portal.

    Figure 13: Microsoft Azure Resource Groups Page

  2. To view details of the vSRX VM associated with the resource group, click the name of the vSRX VM. Observe that the status is Running.

    Note

    You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.

    Figure 14 shows an example of a Resource groups vSRX VM in the Microsoft Azure portal.

    Figure 14: Microsoft Azure Resource Groups VM Example


Logging In to a vSRX VM

After vSRX deployment is completed, the vSRX VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX VM.

Note

In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.

To log in to the vSRX VM:

  1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.
  2. Use an SSH client to log in to a vSRX VM.
  3. At the prompt, enter the following login credentials:

    Note

    The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration. After initially logging in to the vSRX, you can configure SSH public and private key authentication.

    # ssh <username@vsrx_vm_ipaddress>

  4. Configure the basic settings for the vSRX VM (see Configuring vSRX Using the CLI).

Release History Table

Release
Description
Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.