    Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace

    Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.

    You use the VPN security gateway solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX VM deployment. This solution template simplifies the configuration details of the vSRX VM through a customized deployment use case. The solution template defines subnets for the management network (fxp0), the trust security zone (ge-0/0/1.0), and the untrust security zone (ge-0/0/0.0) on the vSRX VM.

    Note: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

    If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.

    Use the following procedures to deploy a vSRX VM using the Security Gateway solution template:

    Deploying the vSRX Using the Security Gateway Solution Template

    To deploy a vSRX VM into an Azure virtual network using the Security Gateway solution template from Azure Marketplace:

    1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 1). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

      Figure 1: Microsoft Azure Portal Dashboard


    2. Click Marketplace from the dashboard to access the Azure Marketplace, and then click Compute (or click New > Compute). Enter vsrx to search for the vSRX Security Gateway solution template in the Azure Marketplace (see Figure 2).

      Figure 2: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace


    3. Select the vSRX Security Gateway image from the list and then click Create to initiate the vSRX VM deployment process. Note that Bring Your Own License is enabled for the vSRX VM deployment, and that Resource Manager is automatically selected as the deployment model (see Figure 3).

      Figure 3: Creating vSRX VM Using Security Gateway Solution Template


    4. From the Create vSRX Security Gateway blade, 1 Basics (see Figure 4), enter initial VM setup information (such as VM login credentials, Azure subscription plan, resource group, and geographic location), and then click OK.

      Figure 4: Create vSRX Security Gateway - Basics



      | Parameter | Description |
      |---|---|
      | Admin Username | Enter an administrator username to access the vSRX VM. The username cannot contain uppercase characters, special characters, or start with a “$” or “-” character. |
      | Authentication type | Select the required method of authentication to access the vSRX VM: Password or SSH public key. Select Password as type of authentication and then enter (and confirm) your password. Note: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM. |
      | Admin User Password | Enter an appropriate root password used to access the vSRX VM. |
      | Subscription | Select your Microsoft Azure subscription. |
      | Resource Group | Select an existing resource group or create a new one (see Creating a Resource Group). |
      | Location | Select the Azure geographic region in which you are deploying the vSRX VM. |

    5. From the Create vSRX Security Gateway blade, 2 Virtual Machine Settings:
      • Click VM size, and then click the right arrow to access the Choose a Size blade (see Figure 5). Select DS3_v2 Standard as the vSRX VM size, and then click Select.

        DS3_v2 Standard is used for a vSRX VM deployment. See System Requirements for vSRX on Microsoft Azure for the recommended system requirements for a vSRX instance in Microsoft Azure.


      Figure 5: Create vSRX VM Gateway - Virtual Machine Settings - VM Size


      • Click New Storage Account Name, and then click the right arrow to access the Create Storage Account blade (see Figure 6). Enter information for the new vSRX storage account in your Azure subscription, and then click OK.

      Figure 6: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account



      | Parameter | Description |
      |---|---|
      | Name | Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters. |
      | Performance | Select the type of performance: Standard or Premium. The default is Standard. |
      | Replication | Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS. |

      Click OK when you complete selecting the vSRX VM size and, if necessary, a storage account for your Azure subscription.

    6. From the Create vSRX Security Gateway blade, 3 Network Settings:
      • Click Virtual network, and then click the right arrow to access the Create Virtual Network blade (see Figure 7). Enter information for the new vSRX virtual network in your Azure subscription, and then click OK.

      Figure 7: Create vSRX VM Gateway - Network Settings - Create Virtual Network



      | Parameter | Description |
      |---|---|
      | Name | Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
      | Address Space | Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/16. Note: Ensure that the address space does not overlap with an existing network. |

      • Click Subnets, and then click the right arrow to access the Subnets blade (see Figure 8). Enter information for the vSRX VM subnets, and then click OK.

      Figure 8: Create vSRX VM Gateway - Network Settings - Subnets



      | Parameter | Description |
      |---|---|
      | Management Subnet Name | Enter a unique name for the management subnet of the Azure virtual network. The management subnet is used by the management interface (fxp0) of the vSRX VM. The management subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
      | Management Subnet Address Prefix | The management subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.0.0/24. Note: The address range of a subnet that is already in use cannot be edited. |
      | Untrust Subnet Name | Enter a unique name for the untrust subnet (the public subnet) of the Azure virtual network. The untrust subnet is used by the revenue (data) interface of the vSRX VM and connects to the Internet. The untrust subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
      | Untrust Subnet Address Prefix | The untrust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.1.0/24. Note: The address range of a subnet that is already in use cannot be edited. |
      | Trust Subnet Name | Enter a unique name for the trust subnet (the private subnet) of the Azure virtual network. The trust subnet connects to a network segment that uses private IP addresses. The trust subnet name must begin with a letter or number, end with a letter, number, or underscore, and the name may contain only letters, numbers, underscore, periods, or hyphens. |
      | Trust Subnet Address Prefix | The trust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.2.0/24. Note: The address range of a subnet that is already in use cannot be edited. |

      Click OK when you complete specifying the information for the vSRX VM subnets (the management, trust, and untrust subnets), and if necessary, creating a virtual network for your Azure subscription.

    7. From the Create vSRX Security Gateway blade, 4 Summary, review the configuration settings (see Figure 9). If you are satisfied with the configuration settings, click OK.

      Figure 9: Create vSRX VM Gateway - Summary


    8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms of use (see Figure 10). If you are satisfied with the offer details and terms of use, click Purchase.

      Figure 10: Create vSRX VM Gateway - Purchase


    9. You return to the Azure portal dashboard, and the dashboard displays the deployment status of the vSRX VM (see Figure 11).

      Figure 11: vSRX VM Deployment Status
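
    The naming and address rules given in the Create Storage Account, Create Virtual Network, and Subnets tables can be checked before the values are typed into the portal. The following Python check is an added example, not Juniper or Microsoft code; the function name check_plan and all resource names are assumptions made for illustration.

```python
import ipaddress
import re

# Naming rules as stated in the parameter tables on this page.
STORAGE_NAME = re.compile(r"[a-z0-9]{3,24}")
NETWORK_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?")

def check_plan(storage_name, vnet_name, address_space, subnets):
    """Return a list of problems; an empty list means the plan passes.

    subnets maps each subnet name to its CIDR prefix.
    """
    problems = []
    if not STORAGE_NAME.fullmatch(storage_name):
        problems.append(f"storage account name {storage_name!r} breaks the naming rule")
    for name in (vnet_name, *subnets):
        if not NETWORK_NAME.fullmatch(name):
            problems.append(f"network name {name!r} breaks the naming rule")
    space = ipaddress.ip_network(address_space)
    parsed = {}
    for name, prefix in subnets.items():
        try:
            parsed[name] = ipaddress.ip_network(prefix)  # rejects set host bits
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, net in parsed.items():
        # Every subnet must sit inside the virtual network's address space.
        if net.version != space.version or not net.subnet_of(space):
            problems.append(f"{name} {net} is outside address space {space}")
    names = sorted(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            # Subnet address ranges cannot overlap one another.
            if parsed[first].overlaps(parsed[second]):
                problems.append(f"{first} {parsed[first]} overlaps {second} {parsed[second]}")
    return problems

# Default prefixes as listed on this page; all names are constructed samples.
PAGE_DEFAULTS = {
    "storage_name": "vsrxstore01",
    "vnet_name": "vsrx-vnet",
    "address_space": "10.0.0.0/16",
    "subnets": {"mgmt-subnet": "10.1.0.0/24", "untrust-subnet": "10.1.1.0/24",
                "trust-subnet": "10.1.2.0/24"},
}

if __name__ == "__main__":
    for problem in check_plan(**PAGE_DEFAULTS) or ["plan passes"]:
        print(problem)
```

    Run against the default values listed in the tables, the check reports all three 10.1.x.0/24 subnet prefixes as outside the 10.0.0.0/16 address space, so confirm the values shown in the portal satisfy the containment rule before clicking OK.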



    Verifying Deployment of vSRX to Microsoft Azure

    After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under Resource Groups. The corresponding cloud service and storage account also are created and listed. Both the vSRX VM and the cloud service are started automatically and their status is listed as Running.

    To verify the deployment of the vSRX instance to Microsoft Azure:

    1. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.

      Figure 12 shows an example of the Resource Groups page in the Microsoft Azure portal.

      Figure 12: Microsoft Azure Resource Groups Page


    2. To view details of the vSRX VM associated with the resource group, click the name of the vSRX VM. Observe that the status is Running.

      Note: You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.

      Figure 13 shows an example of a Resource groups vSRX VM in the Microsoft Azure portal.

      Figure 13: Microsoft Azure Resource Groups VM Example



    Logging In to a vSRX VM

    After vSRX deployment is completed, the vSRX VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX VM.

    Note: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.

    To log in to the vSRX VM:

    1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.
    2. Use an SSH client to log in to a vSRX VM.
    3. At the prompt, enter the following login credentials:

      Note: The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration. After initially logging in to the vSRX, you can configure SSH public and private key authentication.

      # ssh <username@vsrx_vm_ipaddress>

      The authenticity of host 'x.x.x.x (x.x.x.x)' ...
      ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
      Password: xxxxxxxx
      username@vsrx_vm_ipaddress>
    4. Configure the basic settings for the vSRX VM (see Configuring vSRX Using the CLI).

    Release History Table

    Release
    Description
    Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.

    Modified: 2017-11-09