Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Deploying Service Chain (cSRX) with JCNR

Read this section to customize and deploy a security services instance (cSRX) with the Cloud-Native Router.

Starting Release 23.4, the Juniper Cloud-Native Router (JCNR) can be integrated with Juniper's containerized SRX (cSRX) platform to provide security services such as IPsec. This functionality is achieved using host-based service chaining. The cloud-native router is chained with a security service instance (cSRX) in the same Kubernetes cluster. The cSRX instance runs as a pod service in L3 mode. The cSRX instance is customized and deployed via a helm chart that you download from the Juniper Networks software download site.

Customize cSRX Helm Chart

The cSRX service chaining instance is deployed via a helm chart. The configuration parameters are provided via the values.yaml manifest file. The deployment consists of two essential components:

  • csrx-init: This is an init container that prepares the configuration for the main cSRX application. It extracts the necessary information from the values.yaml manifest file, processes it, and generates the configuration data for cSRX. This ensures that the main cSRX application starts with a valid, up-to-date configuration.

  • csrx: The csrx is the main application container and the core component of the cSRX deployment. It relies on the configuration provided by the csrx-init container to function correctly.

You can customize the cSRX deployment by specifying a range of configuration parameters in the values.yaml manifest file. Key configuration options include:

  • interfaceType: This is the type of interface on the cSRX to connect to JCNR. Must be set to vhost only.

  • interfaceConfigs: This is an array defining the interface IP address, gateway address and optionally routes. The interface IP must match the localAddress element in the ipSecTunnelConfigs array. The routes should contain prefixes to steer decrypted traffic to JCNR and reachability route for IPSec gateway.

  • ipSecTunnelConfigs: This is an array defining the IPsec configuration details such as ike-phase1, proposal, policy and gateway configuration. Traffic selector should contain traffic that is expected to be encrypted.

  • jcnr_config: This is an array defining the routes to be configured in JCNR to steer traffic from JCNR to cSRX and to steer IPsec traffic from the remote IPsec gateway to the cSRX to apply the security service chain.

Here is a sample values.yaml for cSRX deployment:

Install cSRX

The cSRX service chain is deployed after the JCNR deployment. Read this section to install the cSRX instance.

  1. Download the cSRX installation bundle from the Juniper Networks software download site. The file that you download is called junos_csrx_<release>.tar.gz. After downloading the file, expand it and change into the junos_csrx_release_number directory.

  2. The cSRX container images are required for deployment. You may choose one of the following options:
    1. Download and deploy images from the Juniper repository— See Configure Repository Credentials for instructions on how to configure repository credentials in the deployment helm chart.
    2. You can upload the cSRX images either to a local docker or to your own docker respository using the docker load command. The images are available in the junos_csrx_release_number/images directory.
  3. Enter the cSRX license into the secrets/csrx-secrets.yaml file. You must enter the password and license in base64 encoded format. You can view the sample contents of the csrx-secrets.yaml file below:

    To encode the license file, copy the license file onto your host server and issue the command:

    You must copy the base64 output and paste it into the secrets/csrx-secrets.yaml file in the appropriate location.


    You must obtain your license file from your account team and install it in the secrets.yaml file as instructed above. The csrx-init container performs a license check and proceeds only if the required secret service-chain-instance is found.

  4. Apply the csrx-secrets.yaml to the Kubernetes system.

  5. Ensure all components of JCNR are up and running before installing the cSRX instance.

  6. Ensure you have customized the cSRX helm chart. Navigate to the junos_csrx_release_number/helmchart directory. Expand the bundle to view the helmcharts. Refer to the example given above to configure the values.yaml. Navigate to the junos_csrx_release_number/helmchart/junos-csrx directory and issue the following command to install the cSRX instance.