Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Requirements for vSRX on AWS

This section presents an overview of requirements for deploying a vSRX instance on Amazon Web Services (AWS).

Minimum System Requirements for AWS

Table 1 lists the minimum system requirements for vSRX instances to be deployed on AWS.

Table 1: Minimum System Requirements for vSRX

Component

Specification and Details

Hypervisor support

XEN-HVM

Memory

4 GB

Disk space

16 GB

vCPUs

2

vNICs

3

vNIC type

SR-IOV

Interface Mapping for vSRX on AWS

vSRX on AWS supports up to a maximum of eight network interfaces, but the actual maximum number of interfaces that can be attached to a vSRX instance is dictated by the AWS instance type in which it is launched. For AWS instances that allow more than eight interfaces, vSRX will support up to a maximum of eight interfaces only.

For more information on maximum network interfaces by instance type, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html .

Table 2 shows a mapping between vSRX interface names and their corresponding AWS interface names for up to eight network interfaces. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 2: vSRX and AWS Interface Names

Interface

Number

vSRX Interface

AWS Interface

1

fxp0

eth0

2

ge-0/0/0

eth1

3

ge-0/0/1

eth2

4

ge-0/0/2

eth3

5

ge-0/0/3

eth4

6

ge-0/0/4

eth5

7

ge-0/0/5

eth6

8

ge-0/0/6

eth7

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric routing. Since fxp0 is part of the default (inet.0) routing table, there might be two default routes needed in the same routing instance: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access, resulting in asymmetric routing. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.

Note:

Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.

vSRX Default Settings on AWS

vSRX requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

  • The ENA driver-related component must be ready for vSRX.

Table 3 lists the factory-default settings for security policies on the vSRX.

Table 3: Factory-Default Settings for Security Policies

Source Zone

Destination Zone

Policy Action

trust

untrust

permit

trust

trust

permit

CAUTION:

Do not use the load factory-default command on a vSRX AWS instance. The factory-default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance. See Configure vSRX Using the CLI for AWS preconfiguration details.

Best Practices for Improving vSRX Performance

Review the following deployment practices to improve vSRX performance:

  • Disable the source/destination check for all vSRX interfaces.

  • Limit public key access permissions to 400 for key pairs.

  • Ensure that there are no contradictions between AWS security groups and your vSRX configuration.

  • Use the c5n instance types on AWS for best throughput on the vSRX.

  • Ensure traffic flows through multiple interfaces of the vSRX for optimal usage of the vCPUs.

  • Use vSRX NAT to protect your Amazon EC2 instances from direct Internet traffic.