
vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure

The topics in this section help you launch vSRX Virtual Firewall instances in Oracle Cloud Infrastructure.

Overview

This topic gives you an overview of, and the prerequisites for, deploying vSRX Virtual Firewall in Oracle Cloud Infrastructure (OCI). vSRX Virtual Firewall provides security and networking services for virtualized private or public Oracle Cloud environments.

Starting in Junos OS Release 20.4R2, vSRX Virtual Firewall 3.0 is available for OCI deployments.

Note:

The vSRX Virtual Firewall 3.0 image is not available in the OCI Marketplace. You must download the vSRX Virtual Firewall 3.0 software from Juniper Support Downloads and upload it to an OCI compartment.

Prerequisites

  • Ensure you have the proper accounts and permissions before you attempt to deploy the vSRX Virtual Firewall in OCI.

  • Copy the .oci image to an object storage compartment in your OCI account.

    An example file name is junos-vsrx3-x86-64-xxxx.oci. After you purchase the vSRX Virtual Firewall 3.0 software, you can download it from the Juniper Support page.

    Note:

    The .oci image extension is built for vSRX Virtual Firewall images that are deployed in OCI. On OCI, when qcow2 images are deployed, the default emulation selected for the vNIC is e1000. The .oci images of the vSRX Virtual Firewall pass the metadata needed for the emulation type to be set to virtio when the vSRX Virtual Firewall is deployed, which ensures better throughput.

  • Create Virtual Network subnets for your deployment.

For better understanding of Oracle terminologies and their use in vSRX Virtual Firewall 3.0 deployments, see Understanding vSRX Virtual Firewall Deployment in Oracle Cloud Infrastructure.

Example Topology

A common cloud configuration includes hosts that you want to grant access to the Internet without letting anyone from outside your cloud reach those hosts. You can use vSRX Virtual Firewall in OCI to NAT traffic between hosts inside OCI and the public Internet.

The diagram shows an example VCN with three subnets:

  • Public (10.0.1.0/24), for management interfaces with access to the internet through an internet gateway

  • Public (10.0.2.0/24), for revenue (data) interfaces with access to the internet through an internet gateway

  • Private (10.0.3.0/24), a private subnet with no access to the internet

The following topology is used as an example for this deployment.

Figure 1: Example VCN for vSRX Virtual Firewall Deployment in OCI (network diagram: a Virtual Cloud Network with two public subnets, 10.0.1.0/24 and 10.0.2.0/24, one private subnet, 10.0.3.0/24, a vSRX Virtual Firewall with three VNICs, private instances, an Internet Gateway, a Dynamic Routing Gateway, and security lists)

Launch vSRX Virtual Firewall Instances in the OCI

This topic provides details on how you can launch vSRX Virtual Firewall instances in the OCI.

  1. Log in to the OCI Management Console. The Console is an intuitive, graphical interface that lets you create and manage your instances, cloud networks, and storage volumes, as well as your users and permissions. After you sign in, the console home page is displayed.
  2. Choose a compartment for your resources.

    Compartments help you organize and control access to your resources. A compartment is a collection of related resources (such as cloud networks, compute instances, or block volumes) that can be accessed only by those groups that have been given permission by an administrator in your organization. For example, one compartment could contain all the servers and storage volumes that make up the production version of your company's Human Resources system. Only users with permission to that compartment can manage those servers and volumes.

    • Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    • Select the Sandbox compartment (or the compartment designated by your administrator) from the list on the left. If the Sandbox compartment does not exist, you can create one. For more information, see Creating a Compartment.

  3. Load the .oci image onto the OCI platform.
    1. From the main menu click Object Storage.

      Figure 2: Object Storage
    2. Select the compartment in which you want to create the bucket. If you already have a bucket, click its name; otherwise, create a bucket.

      Figure 3: Create Bucket
    3. Then click Upload Objects.

      Provide the required information when a pop-up window appears.

      Figure 4: Upload Objects

      View Object Details: After the .oci image is uploaded, right-click the object and select View Object Details.

      Figure 5: View Object Details
      Note:

      The object details include a URL path for this object (its OCI ID), which you use when importing the image.

  4. Create a virtual cloud network (VCN) with subnets. A single VCN can contain multiple subnets.

    You will then launch your instance into one of the subnets of your VCN and connect to it.

    Note:

    Ensure that the Sandbox compartment (or the compartment designated for you) is selected in the Compartment list on the left.

    1. Open the Navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    2. Click Create VCN and enter the VCN Name and Compartment, select an IPv4 VCN CIDR Block and a Public Subnet CIDR Block, accept the defaults for any other fields, and click Create VCN.

    Figure 6: Create Virtual Cloud Network
    Figure 7: CIDR Block

    The cloud network you create has resources such as an Internet gateway and a NAT gateway, a service gateway with access to the Oracle Services Network, a regional public subnet with access to the Internet gateway, and a regional private subnet with access to the NAT gateway and the service gateway.

  5. Create subnets for the vSRX Virtual Firewall VCN you created.

    vSRX Virtual Firewall requires two public subnets and one or more private subnets for each individual instance group. One public subnet is for the management interface (fxp0), and the other is for a revenue (data) interface. The private subnets, connected to the other vSRX Virtual Firewall interfaces, ensure that all traffic between applications on the private subnets and the internet must pass through the vSRX Virtual Firewall instance.

    1. Configure the Public Subnet (Management Interface)

      To create this public subnet, click Create Subnet and define a route rule in the route table Default Route Table in which the Internet gateway is the route target for all traffic (0.0.0.0/0), as shown below.

      Figure 8: Route Rules (one rule: destination CIDR block 0.0.0.0/0, target type Internet Gateway)

      For details about how to create subnets, see VCNs and Subnets.

      For the subnet's security list, Default Security List, create an egress rule that allows traffic to all destinations. Create ingress rules that allow access on TCP port 22 from the public Internet and on TCP port 80/443 for accessing the web application from the public Internet, as shown below.

      Figure 9: Stateful Rules (Default Security List): rule 1 allows TCP port 22 from any source; rule 2 allows ICMP type 3 code 4 from any source; rule 3 allows ICMP type 3 from 10.0.0.0/16; rule 4 allows TCP port 443 from any source.
    2. Configure the Public Subnet (Revenue Interface)

      Create this public subnet, and define a route rule in the route table Public RT in which the Internet gateway is the route target for all traffic (0.0.0.0/0).

      For the subnet's security list, Public Subnet SL, create an egress rule that allows traffic to all destinations. Create ingress rules that allow access on TCP port 80/443 for accessing the web application from the public Internet and, if needed to check connectivity, on ICMP, as shown below.

      Figure 10: Stateful Rules (Public Subnet Security List): rule 1 allows ICMP from any source; rule 2 allows TCP port 443 from any source.
    3. Configure the Private Subnet

      Create this private subnet, and define a route rule in the route table Private RT in which the private IP address of the vSRX Virtual Firewall's second vNIC (10.0.3.3) is the route target for all traffic (0.0.0.0/0).

      Note:

      Configure the route rule after you create and attach the secondary VNICs.

  6. Create an Internet gateway. Click Internet Gateways and create an Internet gateway so that the vSRX Virtual Firewall is reachable from outside.
    Figure 11: Internet Gateway
  7. Update the security list to enable SSH access. Select the default security list and add ingress rules, such as an ICMP rule that allows ping, with the source CIDR set to any.
    Figure 12: Security List Information
  8. Create your vSRX Virtual Firewall instance in the VCN you created.
    1. Open the navigation menu. Under Core Infrastructure, select Compute and click Instances, and then click on Create Instance.

    2. Figure 13: Create Compute Instance
    3. On the Create Instance page, enter the name of your instance.

    4. Choose an operating system or image source: Click Change Image and then click Image Source to select the image that you want to use. Select Custom Images, choose the OCI vSRX Virtual Firewall image you want from the compartment, and then click Select Image.

      Instance type: Virtual Machine.

    5. Choose the instance shape: Click Change Shape to select a standard predefined OCI shape. Select VM.Standard2.4, which has 4 VNICs and 4 OCPUs, and click Select Shape.

      Note:

      vSRX Virtual Firewall needs a minimum of 2 vCPUs to launch.

    6. Under the Networking tab, select the virtual cloud network compartment, the virtual cloud network, the subnet compartment, and the subnet.

    7. To create a public IP address for the instance, select the Assign a public IPv4 address option.

      Note:

      Accept default options for Availability Domain, Instance Type, and Instance Shape.

    8. Add SSH keys: Under the Add SSH keys tab, select Paste public keys and paste the public SSH key that you generated, or create a new SSH key pair for accessing the vSRX Virtual Firewall, and then click Create.

    After a few minutes, you can SSH to the instance using the public IP address allocated to it (displayed on the instance details page). Reboot the instance after adding interfaces.

    The instance is displayed in the Console in a provisioning state. Expect provisioning to take several minutes before the status updates to Running. Do not refresh the page. After the instance is running, allow another few minutes for the operating system to boot before you attempt to connect. When you are ready to connect to the instance, make a note of both the public IP address and the initial password.

    After the instance is provisioned, details about it appear in the instance list as shown below.

    Figure 14: vSRX Virtual Firewall Instance Launched in OCI
    Note:

    The default username for the vSRX Virtual Firewall instance is oci-user. For example, to log in to the vSRX Virtual Firewall using SSH:

  9. Adding interfaces for traffic.

    Network interfaces need to be added after the instance has been created.

    1. Click Attached VNICs and select Create VNIC (one for ge-0/0/0, public, and one for ge-0/0/1, private). Select the subnet that you created and click Save Changes to add the VNIC to the instance.

      Note:

      The order in which you attach network interfaces is important. You must map the first network interface to fxp0, then the second interface to ge-0/0/0, then ge-0/0/1, and so on.

      Figure 15: Attached VNICs (name, subnet, state, VLAN tag and MAC address of the three attached VNICs; the first VNIC is the primary one)
  10. Connect to the launched vSRX Virtual Firewall instance. Open your SSH client to access the launched vSRX Virtual Firewall instance. At first boot you can access the vSRX Virtual Firewall only over SSH; it boots with the default OCI configuration. Use your private key to SSH to the vSRX Virtual Firewall instance.
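The route tables, security lists and VNIC attachment order configured in steps 5 through 9 are easy to get subtly wrong in the console, so the following script, an added example that is not part of this Juniper page or of Oracle's tooling, encodes those expectations and checks a description of the VCN against them: every 0.0.0.0/0 ingress rule on the management and revenue subnets may open only the ports the procedure names, the private subnet's default route must point at the vSRX VNIC (10.0.3.3) rather than at an Internet Gateway, and the attached VNICs must map to fxp0, ge-0/0/0 and ge-0/0/1 in attachment order. The objects are constructed inline in the shape of the OCI Networking API (camelCase keys as returned by GetSecurityList, GetRouteTable and GetVnic); the OCIDs ending in EXAMPLE and the address 10.0.2.5 are placeholders, and the per-subnet port allow-lists are this example's assumption drawn from the page's rules. The checks generalize beyond the page to UDP rules and to port ranges.

```python
"""Offline sanity check of the VCN objects this procedure builds (added example,
not Juniper's or Oracle's code). Objects are hand-constructed in the shape of the
OCI Networking API (camelCase keys as in GetSecurityList/GetRouteTable/GetVnic);
OCIDs ending in EXAMPLE and the address 10.0.2.5 are placeholders."""
import ipaddress

# Subnet roles from the example topology and the TCP ports each public subnet is
# assumed to expose to the Internet (mgmt: SSH and web; revenue: web; private: none).
SUBNETS = {
    "mgmt":    {"cidr": "10.0.1.0/24", "public": True,  "allowed_ports": {22, 80, 443}},
    "revenue": {"cidr": "10.0.2.0/24", "public": True,  "allowed_ports": {80, 443}},
    "private": {"cidr": "10.0.3.0/24", "public": False, "allowed_ports": set()},
}
ANY = "0.0.0.0/0"
IGW = "ocid1.internetgateway.EXAMPLE"       # placeholder OCID
VSRX_VNIC_IP = "ocid1.privateip.EXAMPLE"    # placeholder OCID of the vSRX private IP
PRIVATE_IPS = {VSRX_VNIC_IP: "10.0.3.3"}    # OCID -> address, as in step 5.3

def tcp(port, src=ANY):
    """Stateful ingress rule for one TCP port, in API shape."""
    return {"protocol": "6", "source": src,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}}}

def icmp(src=ANY, **opts):
    """Stateful ICMP ingress rule; type/code restrict it when given."""
    return {"protocol": "1", "source": src, **({"icmpOptions": opts} if opts else {})}

# Ingress rules as listed in Figure 9 (Default Security List) and Figure 10.
SECURITY_LISTS = {
    "mgmt": [tcp(22), icmp(type=3, code=4), icmp("10.0.0.0/16", type=3), tcp(443)],
    "revenue": [icmp(), tcp(443)],
    "private": [],
}
# Default routes: public subnets via the Internet Gateway, private subnet via
# the vSRX VNIC so that Internet-bound traffic must traverse the firewall.
ROUTE_TABLES = {
    "mgmt": [{"destination": ANY, "networkEntityId": IGW}],
    "revenue": [{"destination": ANY, "networkEntityId": IGW}],
    "private": [{"destination": ANY, "networkEntityId": VSRX_VNIC_IP}],
}
# VNICs in attachment order (step 9); 10.0.1.4 is the address shown in Figure 14.
ATTACHED_VNICS = [{"privateIp": "10.0.1.4"}, {"privateIp": "10.0.2.5"}, {"privateIp": "10.0.3.3"}]
PORT_OPTIONS = {"6": ("TCP", "tcpOptions"), "17": ("UDP", "udpOptions")}

def ingress_findings(role, rules):
    """Flag 0.0.0.0/0 ingress rules that expose more than the subnet's role allows."""
    findings, sub = [], SUBNETS[role]
    for i, r in enumerate(rules, 1):
        if ipaddress.ip_network(r["source"]).prefixlen != 0:
            continue  # only Internet-wide sources are audited here
        if not sub["public"]:
            findings.append(f"{role} rule {i}: private subnet reachable from 0.0.0.0/0")
        if r["protocol"] == "all":
            findings.append(f"{role} rule {i}: all protocols open from 0.0.0.0/0")
        elif r["protocol"] in PORT_OPTIONS:
            name, key = PORT_OPTIONS[r["protocol"]]
            pr = r.get(key, {}).get("destinationPortRange")
            if pr is None:  # no port range in the API means every port
                findings.append(f"{role} rule {i}: all {name} ports open from 0.0.0.0/0")
            else:
                extra = set(range(pr["min"], pr["max"] + 1)) - sub["allowed_ports"]
                if extra:
                    findings.append(f"{role} rule {i}: {name} {min(extra)}-{max(extra)} not allowed for {role}")
    return findings

def route_findings(role, rules, private_ips):
    """Check that the subnet's default route goes where the procedure puts it."""
    sub = SUBNETS[role]
    target = next((r["networkEntityId"] for r in rules if r["destination"] == ANY), None)
    if target is None:
        return [f"{role}: no default route"]
    if sub["public"]:
        return [] if ".internetgateway." in target else [f"{role}: default route not via an Internet Gateway"]
    if ".privateip." not in target:
        return [f"{role}: default route bypasses the vSRX ({target})"]
    hop = private_ips[target]
    if ipaddress.ip_address(hop) not in ipaddress.ip_network(sub["cidr"]):
        return [f"{role}: next hop {hop} is outside {sub['cidr']}"]
    return []

def junos_interface_map(vnics):
    """Step 9 rule: VNIC 1 -> fxp0, VNIC 2 -> ge-0/0/0, VNIC 3 -> ge-0/0/1, ... with the subnet each lands in."""
    mapping = {}
    for idx, v in enumerate(vnics):
        ip = ipaddress.ip_address(v["privateIp"])
        role = next((n for n, s in SUBNETS.items() if ip in ipaddress.ip_network(s["cidr"])), None)
        mapping["fxp0" if idx == 0 else f"ge-0/0/{idx - 1}"] = (str(ip), role)
    return mapping

def audit(security_lists, route_tables, private_ips):
    """Run every check over all three subnets and return the combined findings."""
    findings = []
    for role in SUBNETS:
        findings += ingress_findings(role, security_lists.get(role, []))
        findings += route_findings(role, route_tables.get(role, []), private_ips)
    return findings

if __name__ == "__main__":
    print(audit(SECURITY_LISTS, ROUTE_TABLES, PRIVATE_IPS) or "no findings", junos_interface_map(ATTACHED_VNICS))
```

Run as-is, the audit of the page's own configuration returns no findings and the interface map shows the three VNICs landing on the management, revenue and private subnets in that order. To audit a live tenancy, replace the constructed dictionaries with the objects returned by the OCI API; note that the OCI CLI prints these with kebab-case keys (for example tcp-options), so rename them before feeding an export to these functions.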