Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Using Cloud-Init to Automate the Initialization of vSRX Virtual Firewall Instances in AWS

Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall for AWS image to help simplify configuring new vSRX Virtual Firewall instances operating on AWS according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX Virtual Firewall instance.

Cloud-init is an open source application for automating the initialization of a cloud instance at boot-up. Cloud-init is designed to support multiple different cloud environments, such as Amazon EC2, so that the same virtual machine (VM) image can be directly used in multiple cloud instances without any modification. Cloud-init support in a VM instance runs at boot time (first-time boot) and initializes the VM instance according to the specified user-data file.

A user-data file is a special key in the metadata service that contains a file that cloud-aware applications in the VM instance can access upon a first-time boot. In this case, it is the validated Junos OS configuration file that you intend to upload to a vSRX Virtual Firewall instance as the active configuration. This file uses the standard Junos OS command syntax to define configuration details, such as root password, management IP address, default gateway, and other configuration statements.

When you create a vSRX Virtual Firewall instance, you can use cloud-init services on AWS to pass a valid Junos OS configuration file as user data to initialize new vSRX Virtual Firewall instances. The user-data file uses the standard Junos OS syntax to define all the configuration details for your vSRX Virtual Firewall instance. The default Junos OS configuration is replaced during the vSRX Virtual Firewall instance launch with a validated Junos OS configuration that you supply in the form of a user-data file.

Note:

The user-data file cannot exceed 16 KB. If your user-data file exceeds this limit, you must compress the file using gzip and use the compressed file. For example, the gzip junos.conf command results in the junos.conf.gz file.

The configuration must be validated and include details for the fxp0 interface, login, and authentication. It must also have a default route for traffic on fxp0. This information must match the details of the AWS VPC and subnet into which the instance is launched. If any of this information is missing or incorrect, the instance is inaccessible and you must launch a new one.

Warning:

Ensure that the user-data configuration file is not configured to perform autoinstallation on interfaces using Dynamic Host Configuration Protocol (DHCP) to assign an IP address to the vSRX Virtual Firewall. Autoinstallation with DHCP will result in a "commit fail" for the user-data configuration file.

To initiate the automatic setup of a vSRX Virtual Firewall instance from AWS:

  1. If you have not done so already, create a configuration file with the Junos OS command syntax and save the file. The configuration file can be plain text or MIME file type text/plain.

    The user-data configuration file must contain the full vSRX Virtual Firewall configuration that is to be used as the active configuration on each vSRX Virtual Firewall instance, and the string #junos-config must be the first line of the user-data configuration file before the Junos OS configuration.

    Note:

    The #junos-config string is mandatory in the user-data configuration file; if it is not included, the configuration will not be applied to the vSRX Virtual Firewall instance as the active configuration.

  2. Copy the Junos OS configuration file to an accessible location from where it can be retrieved to launch the vSRX Virtual Firewall instance.
  3. To specify the user-data file for configuring the vSRX Virtual Firewall instance, select As File in the User data section on the Configure Instance Details page and attach the file (as described in Launch a vSRX Instance on an Amazon Virtual Private Cloud). The selected configuration file is used for the initial launch of the vSRX Virtual Firewall instance. During the initial boot-up sequence, the vSRX Virtual Firewall instance processes the cloud-init request.
    Note:

    The boot time for the vSRX Virtual Firewall instance might increase with the use of the cloud-init package. This additional time in the initial boot sequence is due to the operations performed by the cloud-init package. During this operation, the cloud-init package halts the boot sequence and performs a lookup for the configuration data in each data source identified in the cloud.cfg. The time required to look up and populate the cloud data is directly proportional to the number of data sources defined. In the absence of a data source, the lookup process continues until it reaches a predefined timeout of 30 seconds for each data source.

  4. When the initial boot-up sequence resumes, the user-data file replaces the original factory-default Junos OS configuration loaded on the vSRX Virtual Firewall instance. If the commit succeeds, the factory-default configuration will be permanently replaced. If the configuration is not supported or cannot be applied to the vSRX Virtual Firewall instance, the vSRX Virtual Firewall will boot using the default Junos OS configuration.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.4R1
Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall for AWS image to help simplify configuring new vSRX Virtual Firewall instances operating on AWS according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX Virtual Firewall instance.