Launch a vSRX Virtual Firewall Instance on an Amazon Virtual Private Cloud

The following procedures describe how to launch and configure a vSRX Virtual Firewall instance in the Amazon Virtual Private Cloud (Amazon VPC):

Step 1: Create an SSH Key Pair

An SSH key pair is required to remotely access a vSRX Virtual Firewall instance on AWS. You can create a new key pair in the Amazon EC2 Dashboard or import a key pair created by another tool.

To create an SSH key pair:

  1. Log in to the AWS Management Console and select Services > Compute > EC2.
  2. In the Amazon EC2 Dashboard, select Key Pairs in the left pane. Verify that the region name shown in the toolbar is the same as the region where you created the Amazon Virtual Private Cloud (Amazon VPC).
    Figure 1: Verify Region
  3. Click Create Key Pair, specify a key pair name, and click Create.
  4. The private key file (.pem) is automatically downloaded to your computer. Move the downloaded private key file to a secure location.

  5. To use an SSH client on a Mac or Linux computer to connect to the vSRX Virtual Firewall instance, restrict the private key file so that only you can read it (OpenSSH refuses to use a private key file that other users can read):

    chmod 400 <ssh-key-pair-name>.pem

  6. To access the vSRX Virtual Firewall instance from a shell prompt, use the ssh -i <full path to your key file>/<ssh-key-pair-name>.pem ec2-user@<public-ip-of-vsrx> command. If the key file is in your current directory, you can use the file name instead of the full path: ssh -i <ssh-key-pair-name>.pem ec2-user@<public-ip-of-vsrx>.
Note:

Alternately, use Import Key Pair to import a different key pair you generated with a third-party tool.

For more information on key rotation, see https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html. Note that this page describes rotation of AWS KMS keys; EC2 SSH key pairs are not rotated automatically. To rotate the vSRX Virtual Firewall login key, import a new public key, add it to the user on the instance, and remove the old one.
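The key handling in Step 1, as an added shell example that is not part of the Juniper page: it enforces the owner-only file mode that OpenSSH requires before the first login, builds the ec2-user login command, and shows the CLI form of Import Key Pair for a key generated locally so the private half never leaves your machine. It assumes a Linux host with GNU stat and OpenSSH and, for the import function only, AWS CLI v2 with credentials; the key name, path and address are placeholders.

```shell
# Added example, not from the Juniper page: private key hygiene for the
# vSRX management login. Assumes GNU stat (Linux) and OpenSSH; the AWS
# variable lets the import call be redirected to a stub for dry runs.

# Refuse to proceed with a private key that anyone else can read. OpenSSH
# aborts with "UNPROTECTED PRIVATE KEY FILE" when the mode is too open,
# so fix the mode before the first connection attempt.
secure_key() {
    key="$1"
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    # A .pem downloaded from the EC2 console is a PEM-encoded private key.
    head -n 1 "$key" | grep -q -- '-----BEGIN' || {
        echo "$key does not look like a PEM private key" >&2; return 1; }
    chmod 400 "$key"
    mode=$(stat -c '%a' "$key")      # GNU stat; use 'stat -f %Lp' on macOS
    [ "$mode" = "400" ] || { echo "unexpected mode $mode on $key" >&2; return 1; }
}

# The login command from Step 1. Since Junos OS 17.4R1 the user is
# ec2-user; root password login over SSH is disabled on the instance.
vsrx_ssh_cmd() {
    key="$1"; host="$2"
    # IdentitiesOnly stops ssh from offering every key in your agent (and
    # burning through the server's failed-auth limit) before this one.
    printf 'ssh -i %s -o IdentitiesOnly=yes ec2-user@%s\n' "$key" "$host"
}

# Alternative to a console-generated key: create the pair locally, e.g.
#   ssh-keygen -t rsa -b 4096 -f vsrx-key -N ''
# and import only the public half (the CLI form of Import Key Pair).
import_local_key() {
    name="$1"; pub="$2"
    ${AWS:-aws} ec2 import-key-pair --key-name "$name" \
        --public-key-material "fileb://$pub"
}
```

Run secure_key on the downloaded .pem once, then use the command printed by vsrx_ssh_cmd with the Elastic IP of fxp0 from Step 5.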

Step 2: Launch a vSRX Virtual Firewall Instance

The AWS instance types supported for vSRX Virtual Firewall are listed in Table 1.

vSRX Virtual Firewall does not support M and C3 instance types. If you launched your vSRX Virtual Firewall on one of these instance types, change the instance type to a C4 or C5 type.

Table 1: Supported AWS Instance Types for vSRX Virtual Firewall

Instance Type | vSRX Virtual Firewall Type             | vCPUs | Memory (GB) | RSS Type
c5.large      | vSRX Virtual Firewall-2CPU-3G memory   | 2     | 4           | HW RSS
c5.xlarge     | vSRX Virtual Firewall-4CPU-3G memory   | 4     | 8           | HW RSS
c5.2xlarge    | vSRX Virtual Firewall-8CPU-15G memory  | 8     | 16          | HW RSS
c5.4xlarge    | vSRX Virtual Firewall-16CPU-31G memory | 16    | 32          | SW RSS
c5.9xlarge    | vSRX Virtual Firewall-36CPU-93G memory | 36    | 96          | SW RSS
c5n.2xlarge   | vSRX Virtual Firewall-8CPU-20G memory  | 8     | 21          | HW RSS
c5n.4xlarge   | vSRX Virtual Firewall-16CPU-41G memory | 16    | 42          | HW RSS
c5n.9xlarge   | vSRX Virtual Firewall-36CPU-93G memory | 36    | 96          | HW RSS

vSRX Virtual Firewall on AWS supports a maximum of eight network interfaces, but the number of interfaces that can actually be attached to a vSRX Virtual Firewall instance is dictated by the AWS instance type in which it is launched. On AWS instance types that allow more than eight interfaces, vSRX Virtual Firewall still supports at most eight.

The following are the supported C5 instance types:

  • c5.large

  • c5.xlarge

  • c5.2xlarge

  • c5.4xlarge

  • c5.9xlarge

  • c5n.2xlarge

  • c5n.4xlarge

  • c5n.9xlarge

The following are the supported AMD-based AWS instance types:

  • c5a.16xlarge

  • c5a.8xlarge

  • c5a.4xlarge

  • c5a.2xlarge

  • c5a.xlarge

For more information on instance details such as vCPUs, memory, and so on, see Pricing Information.

For more information on maximum network interfaces by instance type, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html .

Best Practice:

Instance Type Selection—As your network changes, you might find that your instance is overutilized (the instance type is too small) or underutilized (the instance type is too large). If so, you can change the size of your instance. For example, if your instance is too small for its workload, change it to an instance type that is appropriate for the workload. You might also want to migrate from a previous-generation instance type to a current-generation instance type to take advantage of features such as IPv6 support. Consider changing instance type for better performance and throughput.

Starting with Junos OS Release 18.4R1, c5.large vSRX Virtual Firewall instances are supported. These are cost effective and provide better performance and throughput.

To launch a vSRX Virtual Firewall instance in the Amazon VPC:

  1. Log in to your AWS account.
  2. Navigate to AWS Marketplace > Manage subscriptions, and search for vSRX Virtual Firewall.
  3. Select vSRX Next Generation Firewall.
    The vSRX Virtual Firewall Next Generation Firewall Amazon Machine Image page appears.
  4. Click Launch New Instance.
  5. Select the delivery method, software version, and region for deployment. Click Continue to launch through EC2.
  6. Select a supported instance type. See Table 1 for details.
  7. Click Next: Configure Instance Details, and specify the fields in Table 2. Expand Advanced Details to see all settings.
    Table 2: AWS Instance Details

    Field | Setting
    Network | Select the Amazon VPC configured for vSRX Virtual Firewall.
    Subnet | Select the public subnet for the vSRX Virtual Firewall management interface (fxp0).
    Auto-assign Public IP | Select Disable (you will assign an Elastic IP address later).
    Placement group | Use the default.
    Shutdown behavior | Select Stop (the default).
    Enable termination protection | Use your IT policy. Termination protection blocks termination of the instance through the console or API until it is switched off again, which is worth having on a firewall that sits in the traffic path.
    Monitoring | Use your IT policy.
    Network Interfaces | Use the default or assign a public IP address for the Primary IP field.
    User data | Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall for AWS image to simplify configuring new vSRX Virtual Firewall instances on AWS according to a specified user-data file. In the User data section on the Configure Instance Details page, select As File and attach the user-data file. The selected file is used for the initial launch of the instance. During the initial boot-up sequence, the vSRX Virtual Firewall instance processes the cloud-init request. See Using Cloud-Init to Automate the Initialization of vSRX Instances in AWS for information about how to create the user-data file.

    Note:

    The Junos OS configuration that is passed as user data is only imported at initial launch. If the instance is stopped and restarted, the user-data file is not imported again. Treat the file as sensitive: its contents, including any login credentials it carries, remain readable after launch through the instance's user-data attribute and, from the instance itself, through the instance metadata service.

  8. Click Next: Add Storage, and use the default settings or change the Volume Type and IOPS as needed.
  9. Click Next: Tag Instance, and specify a name for the vSRX Virtual Firewall instance.
  10. Click Next: Configure Security Group, select Select an existing security group, and select the security group created for the vSRX Virtual Firewall management interface (fxp0).
  11. Click Review and Launch, review the settings for the vSRX Virtual Firewall instance, and click Launch.
  12. Select the SSH key pair you created, select the acknowledgment check box, and click Launch Instance.
  13. Click View Instances to display the Instances list in the Amazon EC2 Dashboard. It might take several minutes to launch a vSRX Virtual Firewall instance.

Step 3: View the AWS System Logs

To debug launch time errors, you can view the AWS system logs, as follows:

  1. In the Amazon EC2 Dashboard, select Instances.
  2. Select the vSRX Virtual Firewall instance, and select Actions > Instance Settings > Get System Logs.

Step 4: Add Network Interfaces for vSRX Virtual Firewall

vSRX Virtual Firewall supports up to eight interfaces on an instance (fxp0 plus up to seven revenue interfaces); the AWS instance type selected determines how many can actually be attached. Use the following procedure for each revenue interface you want to add (up to seven). The first revenue interface is ge-0/0/0, the second is ge-0/0/1, and so on (see Requirements for vSRX on AWS).

To add a vSRX Virtual Firewall revenue interface:

  1. In the Amazon EC2 Dashboard, select Network Interfaces in the left pane, and click Create Network Interface.
  2. Specify the interface settings as shown in Table 3, and click Yes, Create.
    Table 3: Network Interface Settings

    Field | Setting
    Description | Enter an interface description for each of the revenue interfaces.
    Subnet | Select the public subnet created for the first revenue interface (ge-0/0/0) or the private subnet created for all the other revenue interfaces.
    Private IP | Enter an IP address from the selected subnet or allow the address to be assigned automatically.
    Security Groups | Select the security group created for the vSRX Virtual Firewall revenue interfaces.

  3. Select the new interface, select Actions > Change Source/Dest. Check, select Disabled, and click Save. A firewall forwards packets whose source or destination address is not its own; AWS drops such packets on an interface unless this check is disabled.
    Figure 2: Disable Source/Dest. Check
  4. Select the new interface, select Attach, select the vSRX Virtual Firewall instance, and click Attach.
  5. Click the pencil icon in the new interface Name column and give the interface a name (for example, ix-fxp0.0).
Note:

For a private revenue interface (ge-0/0/1 through ge-0/0/7), make a note of the network name you created or the network interface ID. You will add the name or interface ID later to the route table created for the private subnet.

Step 5: Allocate Elastic IP Addresses

For public interfaces, AWS translates (NAT) the public IP address to the private IP address on the interface. The public IP address is called an Elastic IP address. We recommend that you assign an Elastic IP address to the public vSRX Virtual Firewall interfaces (fxp0 and ge-0/0/0). An Elastic IP address stays associated across a stop and start of the instance, whereas an auto-assigned public IP address is released when the instance is stopped and a different one is assigned when it starts again.

To create and allocate Elastic IPs:

  1. In the Amazon EC2 Dashboard, select Elastic IPs in the left pane, click Allocate New Address, and click Yes, Allocate. (If your account supports EC2-Classic, you must first select EC2-VPC from the Network platform list.)
  2. Select the new Elastic IP address, and select Actions > Associate Address.
  3. Specify the settings in Table 4, and click Associate.
    Table 4: Elastic IP Settings

    Field | Setting
    Network Interface | Select the vSRX Virtual Firewall management interface (fxp0) or the first revenue interface (ge-0/0/0).
    Private IP Address | Enter the private IP address to be associated with the Elastic IP address.

Step 6: Add the vSRX Virtual Firewall Private Interfaces to the Route Tables

For each private revenue interface you created for vSRX Virtual Firewall, you must add the interface ID to the route table you created for the associated private subnet.

To add a private interface ID to a route table:

  1. In the VPC Dashboard, select Route Tables in the left pane.
  2. Select the route table you created for the private subnet.
  3. Select the Routes tab below the list of route tables.
  4. Click Edit and click Add another route.
  5. Specify the settings in Table 5, and click Save.
    Table 5: Private Route Settings

    Field | Setting
    Destination | Enter 0.0.0.0/0 for Internet traffic.
    Target | Type the network name or the network interface ID for the associated private subnet. The network interface must be in the private subnet shown in the Subnet Associations tab.

    Note:

    Do not select the Internet gateway (igw-nnnnnnnn). A private subnet whose default route points at the Internet gateway sends its traffic around the vSRX Virtual Firewall instead of through it.

Repeat this procedure for each private network interface. You must reboot the vSRX Virtual Firewall instance to complete this configuration.

Step 7: Reboot the vSRX Virtual Firewall Instance

To incorporate the interface changes and complete the Amazon EC2 configuration, you must reboot the vSRX Virtual Firewall instance. Interfaces attached while the vSRX Virtual Firewall instance is running do not take effect until the instance is rebooted.

Note:

Always use AWS to reboot the vSRX Virtual Firewall instance. Do not use the vSRX Virtual Firewall CLI to reboot.

To reboot a vSRX Virtual Firewall instance:

  1. In the Amazon EC2 Dashboard, select Instances in the left pane.
  2. Select the vSRX Virtual Firewall instance, and select Actions > Instance State > Reboot.

It might take several minutes to reboot a vSRX Virtual Firewall instance.
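Steps 3 to 7, as an added AWS CLI example that is not part of the Juniper page: it creates a revenue interface, disables the source/destination check before attaching it, allocates and associates Elastic IP addresses for fxp0 and ge-0/0/0, adds the private subnet's default route through the ENI (refusing an Internet gateway as the target, as the note in Step 6 requires), fetches the system log, and reboots through AWS rather than the Junos CLI. It assumes AWS CLI v2 with credentials for the region of the VPC; every instance, subnet, security group and route table ID is a placeholder, and the AWS variable exists only so the calls can be redirected to a stub for a dry run.

```shell
# Added example, not from the Juniper page: Steps 3 to 7 through the AWS
# CLI. Assumes AWS CLI v2 with credentials for the VPC's region; every
# ID below is a placeholder. Set AWS to the name of a stub function to
# rehearse the call sequence without touching an account.
AWS=${AWS:-aws}

# Run a query and return the bare value (no JSON) for use in shell vars.
aws_text() { $AWS "$@" --output text; }

# ENI at device index 0 (fxp0), created together with the instance.
fxp0_eni() {
    aws_text ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[?Attachment.DeviceIndex==`0`].NetworkInterfaceId'
}

# Step 4: create a revenue ENI, harden it, attach it and name it.
# Device index N (N >= 1) becomes ge-0/0/(N-1) inside Junos.
add_revenue_interface() {
    instance="$1"; subnet="$2"; sg="$3"; index="$4"; name="$5"
    eni=$(aws_text ec2 create-network-interface --subnet-id "$subnet" \
        --groups "$sg" --description "$name" \
        --query 'NetworkInterface.NetworkInterfaceId')
    # The firewall forwards packets whose source or destination is not its
    # own address; with the source/dest check on, AWS silently drops them.
    # Disable the check before attaching so the ENI never carries traffic
    # with the check still enabled.
    $AWS ec2 modify-network-interface-attribute \
        --network-interface-id "$eni" --no-source-dest-check
    $AWS ec2 attach-network-interface --network-interface-id "$eni" \
        --instance-id "$instance" --device-index "$index" >/dev/null
    $AWS ec2 create-tags --resources "$eni" --tags "Key=Name,Value=$name"
    echo "$eni"
}

# Step 5: allocate an Elastic IP and bind it to a public-facing ENI
# (fxp0 or ge-0/0/0). Without --private-ip-address AWS binds it to the
# ENI's primary private address. Returns the allocation ID.
associate_eip() {
    eni="$1"
    alloc=$(aws_text ec2 allocate-address --domain vpc --query 'AllocationId')
    $AWS ec2 associate-address --allocation-id "$alloc" \
        --network-interface-id "$eni" >/dev/null
    echo "$alloc"
}

# Step 6: default route for a private subnet via the vSRX ENI in that
# subnet. Pointing the private subnet at the Internet gateway would send
# its traffic around the firewall, so refuse anything but an eni-* ID.
add_private_default_route() {
    rtb="$1"; eni="$2"
    case "$eni" in
        eni-*) ;;
        *) echo "route target must be an ENI, not $eni" >&2; return 1 ;;
    esac
    $AWS ec2 create-route --route-table-id "$rtb" \
        --destination-cidr-block 0.0.0.0/0 --network-interface-id "$eni" >/dev/null
}

# Step 3: the same log the console shows under Get System Log.
system_log() { aws_text ec2 get-console-output --instance-id "$1" --query 'Output'; }

# Step 7: reboot from AWS, never from the Junos CLI, so that the newly
# attached interfaces are picked up.
reboot_vsrx() { $AWS ec2 reboot-instances --instance-ids "$1"; }

# Whole sequence for a two-revenue-interface layout: Elastic IPs on fxp0
# and ge-0/0/0 (public subnet), ge-0/0/1 as the private subnet's gateway.
provision_vsrx_interfaces() {
    instance="$1"; pub_subnet="$2"; priv_subnet="$3"; sg="$4"; rtb="$5"
    associate_eip "$(fxp0_eni "$instance")" >/dev/null
    ge0=$(add_revenue_interface "$instance" "$pub_subnet" "$sg" 1 "vsrx-ge-0/0/0")
    associate_eip "$ge0" >/dev/null
    ge1=$(add_revenue_interface "$instance" "$priv_subnet" "$sg" 2 "vsrx-ge-0/0/1")
    add_private_default_route "$rtb" "$ge1"
    reboot_vsrx "$instance"
}
```

Call provision_vsrx_interfaces with the instance ID, the public and private subnet IDs, the revenue security group ID and the private subnet's route table ID; after the reboot, check system_log for the interface detection messages before logging in.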

Step 8: Log in to a vSRX Virtual Firewall Instance

In AWS deployments, vSRX Virtual Firewall instances provide the following capabilities by default to enhance security:

  • Login is allowed only through SSH.

  • cloud-init is used to set up SSH key login.

  • SSH password login is disabled for the root account.

vSRX Virtual Firewall instances launched on AWS use the cloud-init service to copy the public key of the SSH key pair selected at launch onto the instance. You can then log in to the instance with the corresponding private key.

Note:

Root login using an SSH password is disabled by default.

Use an SSH client to log in to a vSRX Virtual Firewall instance for the first time. To log in, specify the location where you saved the SSH key pair .pem file for the user account, and the Elastic IP address assigned to the vSRX Virtual Firewall management interface (fxp0).

Note:

Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.

Note:

Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.

If you do not have the key pair filename and Elastic IP address, use these steps to view the key pair name and Elastic IP for a vSRX Virtual Firewall instance:

  1. In the Amazon EC2 Dashboard, select Instances.
  2. Select the vSRX Virtual Firewall instance, and select eth0 in the Description tab to view the Elastic IP address for the fxp0 management interface.
  3. Click Connect above the list of instances to view the SSH key pair filename.

To configure the basic settings for the vSRX Virtual Firewall instance, see Configure vSRX Using the CLI.

Note:

vSRX Virtual Firewall pay-as-you-go images do not require any separate licenses.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release | Description
17.4R1 | Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall for AWS image to simplify configuring new vSRX Virtual Firewall instances on AWS according to a specified user-data file.