Requirements for vSRX Virtual Firewall on Oracle Cloud Infrastructure
This topic provides the requirements for deploying vSRX Virtual Firewall instances on Oracle Cloud Infrastructure (OCI).
Minimum System Requirements for OCI
Table 1 lists the minimum system requirements for vSRX Virtual Firewall instances to be deployed on OCI.
Component | Specification and Details |
---|---|
Memory | 4 GB |
Disk space | 16 GB |
The Oracle predefined VM shapes that vSRX Virtual Firewall supports are listed below. If you need any other VM shape, contact your Juniper sales representative.
Shape | OCPU | Memory (GB) | Local Disk (TB) | Network Bandwidth | Max VNICs Total: Linux |
---|---|---|---|---|---|
VM.Standard2.4 | 4 | 60 | Block Storage only | 4.1 Gbps | 4 |
VM.Standard2.8 | 8 | 120 | Block Storage only | 8.2 Gbps | 8 |
Interface Mapping for vSRX Virtual Firewall on OCI: The first network interface is used for the out-of-band management (fxp0) for vSRX Virtual Firewall.
We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.
Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
vSRX Virtual Firewall Default Settings with OCI
Do not use the load factory-default command on a vSRX Virtual Firewall OCI instance. The factory-default configuration removes the OCI preconfiguration. If you must revert to factory default, ensure that you manually reconfigure preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall instance. See Configure vSRX Using the CLI for preconfiguration details.
Best Practices for Deploying vSRX Virtual Firewall
Follow these best practices when deploying vSRX Virtual Firewall:
Disable the source/destination check for all vSRX Virtual Firewall interfaces.
Limit public key access permissions to 400 for key pairs.
Ensure that there are no contradictions between OCI security groups and your vSRX Virtual Firewall configuration.