Launch a vSRX Instance on an Amazon Virtual Private Cloud
The following procedures describe how to launch and configure a vSRX instance in the Amazon Virtual Private Cloud (Amazon VPC):
Step 1: Create an SSH Key Pair
An SSH key pair is required to remotely access a vSRX instance on AWS. You can create a new key pair in the Amazon EC2 Dashboard or import a key pair created by another tool.
To create an SSH key pair:
Alternatively, use Import Key Pair to import a different key pair you generated with a third-party tool.
For more information on key rotation, see https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html.
Step 2: Launch a vSRX Instance
The AWS instance types supported for vSRX are listed in Table 1.
vSRX does not support M and C3 instance types. If you launched your vSRX instance on one of these instance types, you must change the instance type to a C4 or C5 instance type.
Instance Type | vSRX Type | vCPUs | Memory (GB) | RSS Type |
---|---|---|---|---|
c4.xlarge | VSRX-4CPU-7G memory | 4 | 7.5 | SW RSS |
c4.2xlarge | VSRX-8CPU-15G memory | 8 | 15 | SW RSS |
c4.4xlarge | VSRX-16CPU-30G memory | 16 | 30 | SW RSS |
c4.8xlarge | VSRX-36CPU-60G memory | 36 | 60 | SW RSS |
c5.large | VSRX-2CPU-3G memory | 2 | 4 | HW RSS |
c5.2xlarge | VSRX-8CPU-15G memory | 8 | 16 | HW RSS |
c5.4xlarge | VSRX-16CPU-31G memory | 16 | 32 | SW RSS |
c5n.2xlarge | VSRX-8CPU-20G memory | 8 | 21 | HW RSS |
c5n.4xlarge | VSRX-16CPU-41G memory | 16 | 42 | HW RSS |
c5n.9xlarge | VSRX-36CPU-93G memory | 36 | 96 | HW RSS |
Instance Type Selection: Based on the changes that you require for your network, you might find that your instance is overutilized (the instance type is too small) or underutilized (the instance type is too large). If this is the case, you can change the size of your instance. For example, if your instance is too small for its workload, you can change it to another instance type that is appropriate for the workload. You might also want to migrate from a previous generation instance type to a current generation instance type to take advantage of some features, for example, support for IPv6. Consider changing the instance type for better performance and throughput.
Starting with Junos OS Release 18.4R1, c5.large vSRX instances are supported. These are cost effective and provide better performance and throughput.
To launch a vSRX instance in the Amazon VPC:
Step 3: View the AWS System Logs
To debug launch time errors, you can view the AWS system logs, as follows:
- In the Amazon EC2 Dashboard, select Instances.
- Select the vSRX instance, and select Actions > Instance Settings > Get System Logs.
Step 4: Add Network Interfaces for vSRX
AWS supports up to eight interfaces for an instance, depending on the AWS instance type selected. Use the following procedure for each of the revenue interfaces you want to add to vSRX (up to seven). The first revenue interface is ge-0/0/0, the second is ge-0/0/1, and so on (see Requirements for vSRX on AWS).
To add a vSRX revenue interface:
For a private revenue interface (ge-0/0/1 through ge-0/0/7), make a note of the network name you created or the network interface ID. You will add the name or interface ID later to the route table created for the private subnet.
Step 5: Allocate Elastic IP Addresses
For public interfaces, AWS does a NAT translation of the public IP address to a private IP address. The public IP address is called an Elastic IP address. We recommend that you assign an Elastic IP address to the public vSRX interfaces (fxp0 and ge-0/0/0). Note that when a vSRX instance is restarted, the Elastic IPs are retained, but public subnet IPs are released.
To create and allocate Elastic IPs:
Step 6: Add the vSRX Private Interfaces to the Route Tables
For each private revenue interface you created for vSRX, you must add the interface ID to the route table you created for the associated private subnet.
To add a private interface ID to a route table:
Repeat this procedure for each private network interface. You must reboot the vSRX instance to complete this configuration.
Step 7: Reboot the vSRX Instance
To incorporate the interface changes and complete the Amazon EC2 configuration, you must reboot the vSRX instance. Interfaces attached while the vSRX instance is running do not take effect until the instance is rebooted.
Always use AWS to reboot the vSRX instance. Do not use the vSRX CLI to reboot.
To reboot a vSRX instance:
- In the Amazon EC2 Dashboard, select Instances in the left pane.
- Select the vSRX instance, and select Actions > Instance State > Reboot.
It might take several minutes to reboot a vSRX instance.
Step 8: Log in to a vSRX Instance
In AWS deployments, vSRX instances provide the following capabilities by default to enhance security:
- You can log in only through SSH.
- cloud-init is used to set up SSH key login.
- SSH password login is disabled for the root account.
vSRX instances launched on the AWS cloud infrastructure use the cloud-init services provided by Amazon to copy the SSH public key associated with your account that is used to launch the instance. You can then log in to the instance using the corresponding private key.
Root login using an SSH password is disabled by default.
Use an SSH client to log in to a vSRX instance for the first time. To log in, specify the location where you saved the SSH key pair .pem file for the user account, and the Elastic IP address assigned to the vSRX management interface (fxp0).
Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.
ssh -i <path>/<ssh-key-pair-name>.pem ec2-user@<fxp0-elastic-IP-address>
Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.
If you do not have the key pair filename and Elastic IP address, use these steps to view the key pair name and Elastic IP for a vSRX instance:
- In the Amazon EC2 Dashboard, select Instances.
- Select the vSRX instance, and select eth0 in the Description tab to view the Elastic IP address for the fxp0 management interface.
- Click Connect above the list of instances to view the SSH key pair filename.
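The first-login checks from Step 8 as a shell helper (an added example, not code from Juniper or AWS): it picks the default user name from the Junos OS release, refuses a .pem file that group or others can read, and prints a key-only ssh command. The function names, the temporary key file, and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before the first SSH login to a vSRX
# instance. Function names and sample values are hypothetical.

# Default login user per the page: root before Junos OS Release 17.4R1,
# ec2-user from 17.4R1 on. Accepts strings like 17.4R1 or 15.1X49-D100.
vsrx_default_user() {
    major=${1%%.*}                    # digits before the first dot
    rest=${1#"$major".}               # unchanged when there is no dot
    minor=${rest%%[!0-9]*}            # leading digits after the dot
    case "$major" in ''|*[!0-9]*) minor= ;; esac
    if [ -z "$minor" ] || [ "$rest" = "$1" ]; then
        echo "unparseable Junos release: $1" >&2
        return 2
    fi
    if [ "$major" -gt 17 ] || { [ "$major" -eq 17 ] && [ "$minor" -ge 4 ]; }; then
        echo ec2-user
    else
        echo root
    fi
}

# OpenSSH ignores a private key file that group or others can access,
# so check the .pem file first (repair with: chmod 400 <file>).
key_is_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Print the login command: key-only, with no password fallback.
# Arguments: <pem-file> <fxp0-elastic-ip> <junos-release>
vsrx_ssh_command() {
    key_is_private "$1" || { echo "key too open: chmod 400 $1" >&2; return 1; }
    user=$(vsrx_default_user "$3") || return 2
    echo "ssh -i $1 -o IdentitiesOnly=yes -o PasswordAuthentication=no $user@$2"
}

# Constructed demo: empty placeholder key file and a documentation-range IP.
demo_key=$(mktemp)
chmod 644 "$demo_key"
vsrx_ssh_command "$demo_key" 203.0.113.10 18.4R1 || echo "login blocked"
chmod 400 "$demo_key"
vsrx_ssh_command "$demo_key" 203.0.113.10 18.4R1
rm -f "$demo_key"
```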
To configure the basic settings for the vSRX instance, see Configure vSRX Using the CLI.
vSRX pay-as-you-go images do not require any separate licenses.