Requirements for vSRX on AWS
This section presents an overview of requirements for deploying a vSRX instance on Amazon Web Services (AWS).
Minimum System Requirements for AWS
Table 1 lists the minimum system requirements for vSRX instances to be deployed on AWS.
| Component | Specification and Details |
|---|---|
| Hypervisor support | XEN-HVM |
| Memory | 4 GB |
| Disk space | 16 GB |
| vCPUs | 2 |
| vNICs | 3 |
| vNIC type | SR-IOV |
Interface Mapping for vSRX on AWS
vSRX on AWS supports up to a maximum of eight network interfaces, but the actual maximum number of interfaces that can be attached to a vSRX instance is dictated by the AWS instance type in which it is launched. For AWS instances that allow more than eight interfaces, vSRX will support up to a maximum of eight interfaces only.
For more information on maximum network interfaces by instance type, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html.
Table 2 shows a mapping between vSRX interface names and their corresponding AWS interface names for up to eight network interfaces. The first network interface is used for the out-of-band management (fxp0) for vSRX.
| Interface Number | vSRX Interface | AWS Interface |
|---|---|---|
| 1 | fxp0 | eth0 |
| 2 | ge-0/0/0 | eth1 |
| 3 | ge-0/0/1 | eth2 |
| 4 | ge-0/0/2 | eth3 |
| 5 | ge-0/0/3 | eth4 |
| 6 | ge-0/0/4 | eth5 |
| 7 | ge-0/0/5 | eth6 |
| 8 | ge-0/0/6 | eth7 |
We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric routing. Since fxp0 is part of the default (inet.0) routing table, there might be two default routes needed in the same routing instance: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access, resulting in asymmetric routing. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.
Ensure that interfaces belonging to the same security zone are in the same routing instance. See the KB article "Interface must be in the same routing instance as the other interfaces in the zone".
vSRX Default Settings on AWS
vSRX requires the following basic configuration settings:
Interfaces must be assigned IP addresses.
Interfaces must be bound to zones.
Policies must be configured between zones to permit or deny traffic.
The ENA driver-related component must be ready for vSRX.
Table 3 lists the factory-default settings for security policies on the vSRX.
| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |
| trust | trust | permit |
Do not use the load factory-default command on a vSRX AWS instance. The factory-default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure the AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance. See Configure vSRX Using the CLI for AWS preconfiguration details.
Best Practices for Improving vSRX Performance
Review the following deployment practices to improve vSRX performance:
Disable the source/destination check for all vSRX interfaces.
Limit public key access permissions to 400 for key pairs.
Ensure that there are no contradictions between AWS security groups and your vSRX configuration.
Use the c5n instance types on AWS for best throughput on the vSRX.
Ensure traffic flows through multiple interfaces of the vSRX for optimal usage of the vCPUs.
Use vSRX NAT to protect your Amazon EC2 instances from direct Internet traffic.