Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Provisioning a Cloud Spoke Site in AWS VPC

Use the following high-level steps to provision a vSRX Virtual Firewall cloud spoke site in Amazon Web Services (AWS) virtual private cloud (VPC).

Before you begin:

  • Set up your Amazon Web Services (AWS) account.

  • Identify the virtual private cloud (VPC) in which the AWS spoke site must be provisioned.

  • Install licenses to use vSRX Virtual Firewall features. Choose any of the following AWS vSRX Virtual Firewall Image Licenses.

  • Ensure that you have the supported software version for the AWS spoke.

  • Reserve two elastic IP (public IP) addresses on AWS.

To set up and monitor your network:

Add a Cloud Spoke Site

To add a cloud spoke site:

  1. Select Resources > Site Management.

    The Sites page appears.

  2. Click Add > Add Cloud Spoke.

    The Add Cloud Spoke Site page appears.

  3. Specify the site information such as, site name, AWS region, VPC ID, management subnet, IP prefix and click Next.
  4. Specify vSRX Virtual Firewall as SD-WAN spoke in AWS as the device template.
    • Only hub-and-spoke topology is supported for AWS cloud spoke site.

    • Only Internet link is supported for WAN underlay connections.

  5. Provide the WAN details and click Next.

    The WAN traffic page appears, displaying a set of values for the WAN link configuration.

  6. Specify additional requirements and click Next.
  7. Specify LAN segment information and click Next.
  8. In the Summary tab, check the configuration and click Edit to modify the settings.
  9. Click OK to save the changes.

    The new cloud spoke site that you created appears in the Sites page.

Download the Cloud Formation Template

To download the cloud formation template:

  1. Click Resources > Devices.

    The Devices List page appears.

  2. Select the device and click Cloud Info Template.

    The Cloud Info Template page appears.

  3. Click Download to download the cloud formation template.

    The template is downloaded to your local computer in JSON format.

Provision the Device on AWS Server

CSO creates cloud formation template with stage-1 configuration bundled in JSON format. You must download this template and then upload to AWS to provision the vSRX Virtual Firewall. The cloud formation template creates the required resources such as subnet, interface, vSRX Virtual Firewall and so on and applies the stage-1 configuration.

To provision the device on AWS server:

  1. Log in to your AWS account.
    • If you have already logged in to your AWS account, the Create Stack page appears.

    • If you are not logged into your AWS account, a new Web page opens in your browser, displaying the AWS login information. Log in to your AWS account.


      If you do not see the Create Stack page when you log in to or access your AWS account, then search for CloudFormation service.

      The Create Stack page appears.

  2. Select CloudFormation > Stacks > Create Stack > Upload a template to Amazon S3.
  3. Click Choose File and select the cloud formation template that you downloaded in JSON format .
  4. Click Next.
  5. Specify the Stack name. For example, Oregonstack.
  6. In the Parameters section, specify the KeyName for your EC2 instance.
  7. Click Next.
  8. Select I acknowledge that AWS CloudFormation might create IAM Resources.
  9. Click Create.

    The Create Stack pages displays a list of existing stacks and indicates that it is creating the stack that you requested. The create stack process takes up to 30 minutes. if the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.

Activate the Device

To activate the device:

  1. After the create stack process is complete, return to the Customer Portal and click Next.

    The Activate Device page displays a status indicating that CSO is detecting the provisioning agent. This process takes up to 30 minutes. if the process does not complete in 30 minutes, a timeout occurs and you need to retry the process.


    You need not download the cloud formation template again. You can log in to the Customer Portal, access the Activate Device page, enter the activation code and click Next. After the CREATE_COMPLETE message is displayed on the AWS server, click Next on the Activate Device page to proceed with device activation.

    If the spoke on AWS has been spawned successfully on AWS, it will contact CSO through outbound SSH connection. The device is detected and normal ZTP, process is triggered. The rest of the workflow is consistent with the normal on-premise workflow.

    On Device Activation page, the device is activated through the following steps:

    • Detecting the device

    • Applying stage-one configuration to the device

    • Bootstrapping of device

    • Activating the device

    After each successful step, you can see a green check mark. If any of these steps fails, a red exclamation mark appears.

  2. After the activation process is complete, click OK.

    The Sites page appears. To see the device activation status, hover over the device icon on the Sites page.