Multinode High Availability in Azure Cloud
Read this document to understand how to configure Multinode High Availability on vSRX instances deployed on Azure cloud.
Overview
You can configure Multinode High Availability on vSRX Virtual Firewalls deployed in the Microsoft Azure Cloud. Microsoft Azure is Microsoft's application platform for the public cloud. It is an open, flexible, enterprise-grade cloud computing platform for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers.
You can configure a pair of vSRX Virtual Firewalls on Azure to operate in an active/backup Multinode High Availability configuration. Participating nodes run both active control and data planes at the same time. The nodes back up each other to ensure a fast, synchronized failover in case of a system or hardware failure. The interchassis link (ICL) connection between the two devices synchronizes and maintains state information and handles device failover scenarios.
You can configure Multinode High Availability on vSRX Virtual Firewall VMs by customizing firewall deployment settings in Microsoft Azure Cloud.
IPsec VPN Support
Starting in Junos OS Release 24.4R1, we support IPsec VPN for active/backup Multinode High Availability in Azure Cloud deployments.
Limitation
Multinode High Availability doesn’t support multiple SRG configurations (active/active) in public cloud deployments. Active/backup mode supports SRG0 or SRG1. IPsec VPN tunnel anchors at the SRG1, which works in a stateful active/backup mode. All VPN tunnels terminate on the device where the SRG1 is active.
Architecture
Figure 1 shows two vSRX Virtual Firewall instances forming a Multinode High Availability pair in the Azure cloud. One vSRX Virtual Firewall instance acts as the active node and the other acts as the backup node. Both nodes connect to each other using an ICL to synchronize and maintain state information and to handle device failover scenarios.

vSRX Virtual Firewall requires two public IP addresses and one or more private IP addresses for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. You can use any four revenue interfaces for the subnet configuration. The private interface is connected to the protected resources; it ensures that all traffic between applications on the private subnet and the Internet passes through the vSRX Virtual Firewall instance.
For Multinode High Availability on Azure, you must deploy both the firewalls within the same Azure Resource Group. An Azure Resource Group is a logical container that holds related resources for an Azure solution. It can include all the resources for the solution, or only those resources that you want to manage as a group.
You must allocate a node-specific primary address to each node and a common secondary (floating) IP address to both nodes. The secondary IP address, which acts as the floating IP address, is always attached to the active node. If the current active node fails, the secondary IP address transitions from the failed node to the newly active node, which ensures the continued flow of traffic.
Initially, both nodes are launched with predefined tags stating which one owns the secondary IP address during boot-up. That node starts operating as the active node and the other one starts as the backup node.
Split-Brain Protection
The split-brain scenario refers to a situation where both nodes of the Multinode High Availability system become stuck in the same state, either active or backup, when the inter-chassis link (ICL) between the nodes is down. To prevent this state, both nodes attempt to probe the primary IP address of the trust or the untrust interface, based on the configuration.
When an Interchassis Link (ICL) experiences a failure along with a probe failure, the node that does not receive a reply from its peer will take on the active role. However, if the probe succeeds and confirms that the peer node is still operational, the node will maintain its current state. This probing process persists until the ICL is restored.
Example: Configure Multinode High Availability in Azure Cloud Deployment
Item | Value |
---|---|
Reading Time | 1 hour |
Configuration Time | 2 hours |
Example Prerequisites
Read this topic to understand how to configure the Multinode High Availability solution on SRX Series Firewalls.
In this example, we'll show you how to configure Multinode High Availability on two vSRX Virtual Firewall instances deployed in the Azure Cloud.
Requirement | Details |
---|---|
VM requirements | Two vSRX Virtual Firewalls deployed on Azure Cloud |
Software requirements | Junos OS Release 23.4R1 or later releases |
Licensing requirements | Use a vSRX Virtual Firewall license or request an evaluation license. Licenses can be procured from the Juniper Networks License Management System (LMS). |
Before You Begin
Item | Details |
---|---|
Benefits | Increases the availability of vSRX Series firewalls deployed in Azure, which results in improved reliability and reduced downtime. |
Know more | |
Learn more | |
Functional Overview
Item | Details |
---|---|
Technologies used | |
Primary verification tasks | |
Topology Overview
Figure 2 shows the topology used in this example.

As shown in the topology, two vSRX Virtual Firewall instances (vSRX Node 0 and vSRX Node 1) are deployed in the Azure Cloud. The untrust side connects to a public network while the trust side connects to the protected resources.
Two vSRX Virtual Firewall instances are placed in the public subnet as public subnets have access to the Internet gateway.
In a Multinode High-Availability setup, a floating IP address moves between two SRX Series Firewalls, if a link or firewall fails. Since the primary interface's IP address on the Azure firewall cannot be moved, you assign a secondary IP address as a floating IP. When the active node fails, the floating IP address shifts to the backup node, allowing it to seamlessly handle traffic as the new active peer.
In addition, you must set up an interchassis link (ICL) for data synchronization and maintaining state information. The nodes communicate with each other using a routable IP address that is assigned to ICL.
The following table provides interface and IP address details used in this example.
Interface | Function | Primary Node (vSRX Node 0) | Backup Node (vSRX Node 1) |
---|---|---|---|
ge-0/0/0 | ICL to connect to peer node | 10.0.1.10/24 | 10.0.1.11/24 |
ge-0/0/1 | Untrust interface | | |
ge-0/0/2 | Trust interface | | |
You need to select the vSRX Virtual Firewall image from Azure Marketplace and customize the vSRX Virtual Firewall VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud. This deployment approach might be required for configuring Multinode High Availability on vSRX VMs. Note that this deployment scenario is outside of the use cases offered in the vSRX Virtual Firewall VM solution templates available from Juniper Networks.
Let’s dive into the details of each step for deploying the vSRX Virtual Firewall on Microsoft Azure.
Configuration in Azure Portal
Name | Type |
---|---|
azure-vsrx3.0 | Resource Group |
azure-vsrx3.0-vnet | Virtual network |
vsrx3.0-node0 | Virtual machine for Node 0 |
vsrx3.0-node1 | Virtual machine for Node 1 |
vsrx3.0-node0-ip | Public IP address for Node 0 |
vsrx3.0-node1-ip | Public IP address for Node 1 |
vsrx3.0-node0-nsg | Network security group for Node 0 |
vsrx3.0-node1-nsg | Network security group for Node 1 |
vsrx3.0-node172 | Network Interface for Node 0 |
vsrx3.0-node719 | Network Interface for Node 1 |
Name | Primary Private IP |
---|---|
L3HA-ge-0 | 10.0.1.10 |
L3HALink-node1 | 10.0.1.11 |
node0-ge-1 | 10.0.2.110 |
node0-ge-2 | 10.0.3.10 |
node1-ge-1 | 10.0.2.20 |
node1-ge-2 | 10.0.3.20 |
- Create a Resource Group
- Assign IAM (Identity and Access Management) Role
- Create a Storage Account
- Create a Virtual Network
- Assign IAM Role
Create a Resource Group
A resource group is a logical container for resources deployed in Azure. It helps you manage and organize related resources. The vSRX VM is a resource within an Azure resource group. All components related to the vSRX (such as the virtual network, storage account, public IP, and so on) are part of the same resource group.
- Sign into the Azure portal.
- Click on Create a resource.
- Search for Resource group and create a new one.
- Choose a name, enter the subscription, and select a region for the resource group.
- Click Review + create and then Create. The following image shows a sample Resource Group.
See Create a Resource Group for details.
Assign IAM (Identity and Access Management) Role
IAM roles control access to Azure resources. Assigning roles ensures that only authorized users can manage specific resources. You must grant the "service principal" role to the user or user groups to manage IAM.
- Navigate to your resource group.
- Click on Access control (IAM).
- Add a new role assignment.
- Select the desired role (Example: Service Principal Contributor, Owner, and so on).
- Choose the user or user group to assign the role to.
- Click Save.
Create a Storage Account
A storage account provides a unique namespace to store and access data objects in Azure.
- In your resource group, click on Create (+).
- Search for "Storage account" and create a new one.
- Specify the name, deployment model, performance, and other settings.
- Click Review + create and then Create. See Create a Storage Account for details.
Create a Virtual Network
A virtual network (VNet) is the foundation for your Azure infrastructure. It allows you to securely connect Azure resources.
- In your resource group, click on Create (+).
- Search for Virtual network and create a new one.
- Define the name, address space, and subnet configuration.
- Click Review + create and then Create.
- Click Settings > Subnets. The subnets are used to connect the two vSRX Virtual Firewall nodes using a logical connection (like the physical cable connecting ports).
The following table shows a sample configuration used in this example.
Table 5: Subnet Configuration in Azure Portal
Function | CIDR | Role |
---|---|---|
Management Subnet | 10.0.3.0/24 | Management traffic |
ICL subnet | 10.0.1.0/24 | RTO, synchronization, and probe-related traffic |
Untrust Subnet | 10.0.2.0/24 | External traffic |
Trust Subnet | 10.0.3.0/24 | Internal traffic |
Assign IAM Role
- Enable permissions to use the Azure API by navigating to Home > Managed Identities.
- Select your Resource Group, select Azure role assignments, and click the role to which you want to assign permissions.
You need to enable the following permissions:
- Microsoft.Authorization/*/read
- Microsoft.Compute/virtualMachines/read
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkInterfaces/*
- Microsoft.Network/virtualNetworks/join/action
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/routeTables/*
Now you are ready to deploy vSRX VMs.
Deploy vSRX VMs
Use the following steps to deploy two vSRX VM instances. You'll use these two instances to set up Multinode High Availability. For details, see Deploy the vSRX Virtual Firewall Image from Azure Marketplace.
- Sign into the Azure portal using your Microsoft account credentials.
- Search for vSRX in the Azure Marketplace: click Create a resource, search for vSRX Virtual Firewall, and select the vSRX VM image from the Azure Marketplace.
- Configure deployment settings by providing the following details:
- Name for your vSRX VM.
- Resource Group (you can create a new one or use an existing group). In this example, use the azure-vsrx3.0 resource group that you created previously.
Note: Deploy both vSRX Virtual Firewall instances in the same resource group. The resource group holds all the resources associated with the vSRX Virtual Firewalls for this deployment.
- Subscription
- VM Disk Type
- Region where you want to deploy the VM.
- Authentication Type
- Username and password for VM access.
- Configure the storage, networking, and monitoring settings for the vSRX Virtual Firewall VM. This includes specifying the storage account, virtual network, subnet, public IP address, network security group, VM extensions, availability set, and monitoring options.
- Review your settings and click Create.
Azure will start provisioning the vSRX VM based on your configuration. After the vSRX Virtual Firewall VMs are created, the Azure portal dashboard lists the new vSRX Virtual Firewall VMs under Resource Groups.
Remember to customize these steps based on your specific requirements and network design.
Complete the following configurations for the vSRX Virtual Firewall instances you just deployed in Azure portal:
- Create Tags
- Create a Public IP Address
- Create a Network Interface
- Create a Network Security Group (NSG)
- Set up Interfaces and IP Addresses
Create Tags
On your vSRX VM page, select Tags from left-navigation bar.
Create tags in Azure for both VMs to identify the trust and untrust interfaces on the two vSRX Virtual Firewall instances. The following table shows sample tags used in this example.
Tag Name | Value |
---|---|
local_trust_interface | node0-ge-002 |
local_untrust_interface | node0-ge-001 |
peer_trust_interface | node1-ge-002 |
peer_untrust_interface | node1-ge-001 |
Note that the tag names in the table are those of the default configuration. We recommend using the same tag names in your configuration.
Create a Public IP Address
In the Azure portal, go to the Create a resource section. Locate and select Networking and then go to Public IP address.
- Click on Create to start setting up a new public IP address.
- Configure the IP address settings with the following details:
- Name: Enter a unique name for the public IP resource.
- SKU: Choose between Basic and Standard offerings.
- IP Version: Select IPv4 or IPv6 based on your requirements.
- IP address assignment: Choose Static or Dynamic.
- Select or create a resource group where this IP will reside.
- Location: Choose the Azure region closest to your users.
- Once configured, review the settings and then click Create to allocate the public IP address.
Create a Network Interface
Plan the network interface configuration on the vSRX Series firewalls on Azure.
- Navigate to Network interfaces in the Azure portal under the Networking section.
- Click on Create network interface.
- Enter the following details for the new network interface:
- Name: Provide a unique name for your NIC.
- Region: Select the same region as your VNet, VMs, and IP addresses.
- Virtual network: Choose the virtual network that you want your NIC to be associated with.
- Subnet: Select the appropriate subnet.
- Attach the public IP address you created earlier, if required.
- Choose to create a new network security group or associate with an existing one.
- Review the settings and click Create to provision the new NIC.
Create a Network Security Group (NSG)
- Select Network security groups in the Networking category on the Azure portal.
- Select Create network security group.
- Set up your NSG with the following details:
- Name: Create a name for your NSG.
- Subscription: Verify you're working within the right subscription.
- Resource group: Select an existing one or create a new one.
- Location: Match it to the location of the resources you're protecting.
- Add rules: After creation, define inbound and outbound security rules to control traffic to and from your NIC and VMs.
- Go back to your NIC or subnet and associate it with the new NSG.
- Check the configurations and then create the NSG.
Remember to define appropriate security rules for your NSG to manage the traffic flow as per your requirements.
Once you have created a network interface, a public IP address, and a network security group, you can proceed to attach the NIC to a virtual machine and the NSG to the NIC or a subnet. This completes the setup required for network connectivity and security in your Azure environment.
Set up Interfaces and IP Addresses
- Navigate to your deployed vSRX VM and click Settings > Networking.
- Locate the attached network interface.
- Click the network interface name to open its details. In the IP configurations section, you'll find the assigned IP address (if any), and you can also configure an IP address. For this example, use the IP address configuration shown in the following table:
VMs | vSRX VM Node 0 (vsrx3.0-node0) (Active Node): Untrust Interface | Node 0: Trust Interface | Node 0: ICL | vSRX VM Node 1 (vsrx3.0-node1) (Backup Node): Untrust Interface | Node 1: Trust Interface | Node 1: ICL |
---|---|---|---|---|---|---|
Interfaces | ge-0/0/1 | ge-0/0/2 | ge-0/0/0 | ge-0/0/1 | ge-0/0/2 | ge-0/0/0 |
Primary IP Address | 10.0.2.110 | 10.0.3.10 | 10.0.1.10/24 | 10.0.2.20 | 10.0.3.20 | 10.0.1.11/24 |
Secondary IP address (static IP address from subnet) | 10.0.2.11 | 10.0.3.12 | - | The node acting as backup node receives the same IP address when it transitions into the active role. | The node acting as backup node receives the same IP address when it transitions into the active role. | - |
Public IP address associated with the secondary IP address (to reach the Internet) | 172.16.0.0 | (Not applicable in this example) | - | Note: The node acting as backup node receives the same IP address when it transitions into the active role. | (Not applicable in this example) | - |
Ensure that you enable IP forwarding on the control link interface and configure default routes on both the trust and untrust sides.
Click Settings > Networking to display interfaces, subnet, and IP configurations of your VM.
After vSRX Virtual Firewall deployment is completed, the vSRX Virtual Firewall VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX Virtual Firewall VM.
Now that all configurations required on Azure portal are complete, let’s start configuration on vSRX Virtual Firewall using CLI.
Ensure that you use the latest version of the vSRX software image (23.4R1 or later). You can directly upgrade the Junos OS for vSRX Virtual Firewall software using the CLI. Upgrading or downgrading Junos OS can take several hours, depending on the size and configuration of the network. Download the .tgz file for the desired Junos OS Release for vSRX Virtual Firewall from the Juniper Networks website. See Migration, Upgrade, and Downgrade Instructions.
Configure vSRX Virtual Firewalls
For complete sample configurations on the DUT, see:
Junos IKE package is recommended on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.
If the package is not installed by default on your SRX Series firewall, use the following command to install it. You require this step for ICL encryption.
user@host> request system software add optional://junos-ike.tgz
Verified junos-ike signed by PackageProductionECP256_2022 method ECDSA256+SHA256
Rebuilding schema and Activating configuration...
mgd: commit complete
Restarting MGD ...
......
Restart cli using the new version ? [yes,no] (yes)
Verification
Use the show commands to confirm that the configuration is working properly.
Command | Verification Task |
---|---|
| Display details of the Multinode High Availability status on your security device, including the health status of the peer node. |
show security cloud high-availability information | Display the status of the Multinode High Availability deployment on public cloud (AWS or Azure). |
Check Multinode High Availability Details
Purpose
View and verify the details of the Multinode High Availability setup configured on your vSRX Virtual Firewall instance.
Action
From operational mode, run the following command on both the devices.
On Node 0 (Active Node)
user@srx-00> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 1
Local-IP: 10.0.1.10
HA Peer Information:
Peer Id: 2 IP address: 10.0.1.11 Interface: ge-0/0/0.0
Routing Instance: default
Encrypted: NO Conn State: UP
Configured BFD Detection Time: 5 * 400ms
Cold Sync Status: COMPLETE
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: CLOUD
Status: ACTIVE
Activeness Priority: 200
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: NOT READY
On Node 1 (Backup Node)
user@srx-01# show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 10.0.1.11
HA Peer Information:
Peer Id: 1 IP address: 10.0.1.10 Interface: ge-0/0/0.0
Routing Instance: default
Encrypted: NO Conn State: UP
Configured BFD Detection Time: 5 * 400ms
Cold Sync Status: COMPLETE
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: CLOUD
Status: BACKUP
Activeness Priority: 100
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: NOT READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Meaning
Verify these details from the command output:
- Local node and peer node details such as IP address and ID.
- The field Deployment Type: CLOUD indicates that configuration is for the cloud deployment.
- The field Services Redundancy Group: 1 indicates the status of SRG1 (ACTIVE or BACKUP) on that node.
Check Multinode High Availability Information on Azure
Purpose
Check the status of Multinode High Availability deployment in Azure Cloud.
Action
From operational mode, run the following command:
user@srx-00> show security cloud high-availability information
Cloud HA Information:
Cloud Type    Cloud Service Type    Cloud Service Status
AZURE         Secondary IP          Bind to Peer Node
Meaning
Verify these details from the command output:
- The field Cloud Type: Azure indicates the deployment is for Azure.
- The field Cloud Service Type: Secondary IP indicates that the Azure deployment uses the secondary IP to control traffic.
- The field Cloud Service Status: Bind to Peer Node indicates that the secondary IP address is bound to the peer node, meaning that the current node is the backup node.
Basic Troubleshooting Checklist
- Check that the secondary IP addresses for the untrust interface and the trust interface are on the same vsrx3.0 VM instance.
- Check that the four tag values match the interface names.
- Check that the inbound rule is correct to permit the traffic.
- Check that IP forwarding is enabled in the Azure portal.
- Check that the Azure portal route and the vSRX CLI route are synced.
- Check the untrust interface of the active node to see whether the floating IP addresses are attached to it in the Azure portal.
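The checklist above can be scripted against the Azure-side inventory. The following Python script is an added example, not Juniper's or Microsoft's code: it runs the tag, floating-IP and IP-forwarding checks over constructed NIC and tag records shaped after the tables in this example (the record field names are an assumption; in practice you would fill them from `az network nic show` and `az vm show` output), and it simulates the floating IPs moving to the backup node during failover.

```python
"""Offline consistency check of the Azure layout for a two-node vSRX Multinode HA pair.

Added example; not Juniper's or Microsoft's code. Record field names are an
assumption of this script; addresses, subnets and names come from this example.
"""

# Constructed sample: one record per network interface attached to the two VMs.
NICS = [
    {"name": "L3HA-ge-0",      "vm": "vsrx3.0-node0", "subnet": "10.0.1.0/24",
     "ip_forwarding": True, "primary": "10.0.1.10",  "secondary": []},
    {"name": "node0-ge-001",   "vm": "vsrx3.0-node0", "subnet": "10.0.2.0/24",
     "ip_forwarding": True, "primary": "10.0.2.110", "secondary": ["10.0.2.11"]},
    {"name": "node0-ge-002",   "vm": "vsrx3.0-node0", "subnet": "10.0.3.0/24",
     "ip_forwarding": True, "primary": "10.0.3.10",  "secondary": ["10.0.3.12"]},
    {"name": "L3HALink-node1", "vm": "vsrx3.0-node1", "subnet": "10.0.1.0/24",
     "ip_forwarding": True, "primary": "10.0.1.11",  "secondary": []},
    {"name": "node1-ge-001",   "vm": "vsrx3.0-node1", "subnet": "10.0.2.0/24",
     "ip_forwarding": True, "primary": "10.0.2.20",  "secondary": []},
    {"name": "node1-ge-002",   "vm": "vsrx3.0-node1", "subnet": "10.0.3.0/24",
     "ip_forwarding": True, "primary": "10.0.3.20",  "secondary": []},
]

# Constructed VM tags, using the default tag names recommended in this topic.
TAGS = {
    "vsrx3.0-node0": {"local_trust_interface": "node0-ge-002",
                      "local_untrust_interface": "node0-ge-001",
                      "peer_trust_interface": "node1-ge-002",
                      "peer_untrust_interface": "node1-ge-001"},
    "vsrx3.0-node1": {"local_trust_interface": "node1-ge-002",
                      "local_untrust_interface": "node1-ge-001",
                      "peer_trust_interface": "node0-ge-002",
                      "peer_untrust_interface": "node0-ge-001"},
}

FLOATING_IPS = ("10.0.2.11", "10.0.3.12")  # secondary (floating) addresses of the example
ICL_SUBNET = "10.0.1.0/24"


def check_mnha_layout(nics, tags, floating_ips=FLOATING_IPS):
    """Return a list of findings; an empty list means the Azure layout is consistent."""
    findings = []
    by_name = {n["name"]: n for n in nics}
    vms = sorted(tags)

    # 1. Every tag must name an existing NIC, local_* tags must point at the VM's own
    #    NICs, and each VM's peer_* tags must mirror the other VM's local_* tags.
    for vm in vms:
        for side in ("trust", "untrust"):
            for scope in ("local", "peer"):
                tag = f"{scope}_{side}_interface"
                nic = tags[vm].get(tag)
                if nic not in by_name:
                    findings.append(f"{vm}: tag {tag}={nic!r} does not name an existing NIC")
                elif scope == "local" and by_name[nic]["vm"] != vm:
                    findings.append(f"{vm}: tag {tag}={nic} is a NIC of {by_name[nic]['vm']}")
    if len(vms) == 2:
        for a, b in ((vms[0], vms[1]), (vms[1], vms[0])):
            for side in ("trust", "untrust"):
                if tags[a].get(f"peer_{side}_interface") != tags[b].get(f"local_{side}_interface"):
                    findings.append(f"{a}: peer_{side}_interface does not match "
                                    f"local_{side}_interface on {b}")

    # 2. Each floating IP must be the secondary address of exactly one NIC, and all
    #    floating IPs must sit on the same VM (the node currently acting as active).
    owner_vm = {}
    for ip in floating_ips:
        holders = [n["name"] for n in nics if ip in n["secondary"]]
        if len(holders) != 1:
            findings.append(f"floating IP {ip} is on {len(holders)} NICs, expected exactly one")
        else:
            owner_vm[ip] = by_name[holders[0]]["vm"]
    if len(set(owner_vm.values())) > 1:
        findings.append(f"floating IPs are split across VMs: {owner_vm}")

    # 3. IP forwarding must be enabled on the ICL (control link) NICs.
    for n in nics:
        if n["subnet"] == ICL_SUBNET and not n["ip_forwarding"]:
            findings.append(f"{n['name']}: IP forwarding is disabled on the ICL interface")
    return findings


def active_vm(nics, floating_ips=FLOATING_IPS):
    """Name of the VM holding every floating IP, or None if any is missing or split."""
    owners = {ip: {n["vm"] for n in nics if ip in n["secondary"]} for ip in floating_ips}
    all_vms = set().union(*owners.values())
    if len(all_vms) == 1 and all(len(v) == 1 for v in owners.values()):
        return next(iter(all_vms))
    return None


def move_floating_ip(nics, ip, to_nic):
    """Simulate the failover step: detach `ip` wherever it sits and attach it to `to_nic`.
    Returns a new NIC list; the input records are not modified."""
    moved = []
    for n in nics:
        secondary = [s for s in n["secondary"] if s != ip]
        if n["name"] == to_nic:
            secondary.append(ip)
        moved.append({**n, "secondary": secondary})
    return moved


if __name__ == "__main__":
    for line in check_mnha_layout(NICS, TAGS) or ["layout consistent"]:
        print(line)
    print("active node:", active_vm(NICS))
```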
Set Commands on all Devices
vSRX Virtual Firewall (Node 0)
set chassis high-availability local-id 1
set chassis high-availability local-id 1 local-ip 10.0.1.10
set chassis high-availability peer-id 2 peer-ip 10.0.1.11
set chassis high-availability peer-id 2 interface ge-0/0/0.0
set chassis high-availability peer-id 2 liveness-detection minimum-interval 400
set chassis high-availability peer-id 2 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 1 mode active-backup
set chassis high-availability services-redundancy-group 1 deployment-type cloud
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 prefix-list pref1 routing-instance s1-router
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set security policies default-policy permit-all
set security zones security-zone icl host-inbound-traffic system-services all
set security zones security-zone icl host-inbound-traffic protocols all
set security zones security-zone icl interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security cloud high-availability azure peer-liveliness probe-ip 10.0.2.20 source-ip 10.0.2.110 routing-instance s1-router
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.110/24 primary
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.11/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.10/24 primary
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.12/24
set interfaces lo0 description HA_LOOPBACK
set interfaces lo0 unit 0 family inet address 10.11.1.10/32 primary
set policy-options prefix-list pref1 10.0.2.0/24
set routing-instances s1-router instance-type virtual-router
set routing-instances s1-router routing-options static route 0.0.0.0/0 next-hop 10.0.2.1
set routing-instances s1-router interface ge-0/0/1.0
set routing-instances s1-router interface ge-0/0/2.0
vSRX Virtual Firewall (Node 1)
set chassis high-availability local-id 2
set chassis high-availability local-id 2 local-ip 10.0.1.11
set chassis high-availability peer-id 1 peer-ip 10.0.1.10
set chassis high-availability peer-id 1 interface ge-0/0/0.0
set chassis high-availability peer-id 1 liveness-detection minimum-interval 400
set chassis high-availability peer-id 1 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 1 mode active-backup
set chassis high-availability services-redundancy-group 1 deployment-type cloud
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 prefix-list pref1 routing-instance s1-router
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set security policies default-policy permit-all
set security zones security-zone icl host-inbound-traffic system-services all
set security zones security-zone icl host-inbound-traffic protocols all
set security zones security-zone icl interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security cloud high-availability azure peer-liveliness probe-ip 10.0.2.110 source-ip 10.0.2.20 routing-instance s1-router
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.11/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.20/24 primary
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.11/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.20/24 primary
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.12/24
set interfaces lo0 description HA_LOOPBACK
set interfaces lo0 unit 0 family inet address 10.11.1.11/32 primary
set policy-options prefix-list pref1 10.0.2.0/24
set routing-instances s1-router instance-type virtual-router
set routing-instances s1-router routing-options static route 0.0.0.0/0 next-hop 10.0.2.1
set routing-instances s1-router interface ge-0/0/1.0
set routing-instances s1-router interface ge-0/0/2.0
Show Configuration Output
From configuration mode, confirm your configuration by entering the show chassis high-availability, show security zones, show security cloud, show interfaces, and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
vSRX Virtual Firewall (Node 0)
user@srx-00# show chassis high-availability
local-id {
    1;
    local-ip 10.0.1.10;
}
peer-id 2 {
    peer-ip 10.0.1.11;
    interface ge-0/0/0.0;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 1 {
    mode active-backup;
    deployment-type cloud;
    peer-id {
        2;
    }
    prefix-list pref1 {
        routing-instance s1-router;
    }
    managed-services ipsec;
    activeness-priority 200;
}
user@srx-00# show security zones
security-zone icl {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
user@srx-00# show security cloud
high-availability {
    azure {
        peer-liveliness {
            probe-ip 10.0.2.20 source-ip 10.0.2.110 routing-instance s1-router;
        }
    }
}
user@srx-00# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.0.1.10/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.0.2.110/24 {
                primary;
            }
            address 10.0.2.11/24;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 10.0.3.10/24 {
                primary;
            }
            address 10.0.3.12/24;
        }
    }
}
lo0 {
    description HA_LOOPBACK;
    unit 0 {
        family inet {
            address 10.11.1.10/32 {
                primary;
            }
        }
    }
}
user@srx-00# show routing-instances
s1-router {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.2.1;
        }
    }
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
}
vSRX Virtual Firewall (Node 1)
user@srx-01# show chassis high-availability
local-id {
    2;
    local-ip 10.0.1.11;
}
peer-id 1 {
    peer-ip 10.0.1.10;
    interface ge-0/0/0.0;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 1 {
    mode active-backup;
    deployment-type cloud;
    peer-id {
        1;
    }
    prefix-list pref1 {
        routing-instance s1-router;
    }
    managed-services ipsec;
    activeness-priority 100;
}
user@srx-01# show security zones
security-zone icl {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
user@srx-01# show security cloud
high-availability {
    azure {
        peer-liveliness {
            probe-ip 10.0.2.110 source-ip 10.0.2.20 routing-instance s1-router;
        }
    }
}
user@srx-01# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.0.1.11/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.0.2.20/24 {
                primary;
            }
            address 10.0.2.11/24;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 10.0.3.20/24 {
                primary;
            }
            address 10.0.3.12/24;
        }
    }
}
lo0 {
    description HA_LOOPBACK;
    unit 0 {
        family inet {
            address 10.11.1.11/32 {
                primary;
            }
        }
    }
}
user@srx-01# show routing-instances
s1-router {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.2.1;
        }
    }
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
}