Launch a vSRX Instance on an Amazon Virtual Private Cloud

The following procedures describe how to launch and configure a vSRX instance in the Amazon Virtual Private Cloud (Amazon VPC):

Step 1: Create an SSH Key Pair

An SSH key pair is required to remotely access a vSRX instance on AWS. You can create a new key pair in the Amazon EC2 Dashboard or import a key pair created by another tool.

To create an SSH key pair:

  1. Log in to the AWS Management Console and select Services > Compute > EC2.
  2. In the Amazon EC2 Dashboard, select Key Pairs in the left pane. Verify that the region name shown in the toolbar is the same as the region where you created the Amazon Virtual Private Cloud (Amazon VPC).
    Figure 1: Verify Region
  3. Click Create Key Pair, specify a key pair name, and click Create.
  4. The private key file (.pem) is automatically downloaded to your computer. Move the downloaded private key file to a secure location.

  5. To use an SSH client on a Mac or Linux computer to connect to the vSRX instance, restrict the permissions of the private key file so that only you can read it (owner read-only, mode 400). OpenSSH refuses to use a private key file that other users can read.

  6. To access the vSRX instance from a shell prompt, use the ssh -i <full path to your key directory>/<ssh-key-pair-name>.pem ec2-user@<public-ip-of-vsrx> command. If the key file is in your current directory, you can use the file name instead of the full path: ssh -i <ssh-key-pair-name>.pem ec2-user@<public-ip-of-vsrx>.
Note:

Alternately, use Import Key Pair to import a different key pair you generated with a third-party tool.

For more information on key rotation, see https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html. Note that this page describes rotation of AWS KMS keys, not EC2 key pairs; an EC2 key pair is rotated by creating a new pair and replacing the old public key in the instance's configuration.
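The key-handling steps above, as an added example that is not part of the Juniper documentation. It validates the downloaded .pem file, restricts it to owner read-only (the permission OpenSSH requires before it will use a key), and builds the ssh command with the ec2-user login. The key path and the Elastic IP in demo() are placeholders, and the file demo() writes is a constructed stand-in, not real key material.

```python
"""Prepare the EC2 key pair file for the first SSH login to a vSRX instance.

Added example, not Juniper's code. The key path and Elastic IP in demo() are
placeholders, and the file body demo() writes is a constructed stand-in.
"""
import os
import stat
import tempfile
from pathlib import Path

# First line of the private-key formats the EC2 console and ssh-keygen produce.
PEM_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def secure_key_file(path):
    """Check that path is a PEM private key and make it owner-read-only (0400).

    OpenSSH refuses a private key that group or others can read
    ("UNPROTECTED PRIVATE KEY FILE"), so this is a prerequisite for the ssh
    command as well as a hygiene step. Returns the resulting permission bits.
    """
    key = Path(path)
    if key.is_symlink() or not key.is_file():
        raise ValueError(f"{path}: not a regular file")
    first_line = key.read_text(encoding="ascii", errors="replace").split("\n", 1)[0].strip()
    if first_line not in PEM_HEADERS:
        raise ValueError(f"{path}: does not start with a PEM private-key header")
    os.chmod(key, stat.S_IRUSR)  # 0400: owner read only, nothing for group/others
    mode = stat.S_IMODE(key.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: still accessible to group/others (mode {oct(mode)})")
    return mode


def ssh_command(key_path, host, user="ec2-user"):
    """Build the argv for logging in with the key pair.

    ec2-user is the default login since Junos OS 17.4R1 (root password login is
    disabled on the AWS image). IdentitiesOnly stops ssh-agent from offering
    unrelated keys; StrictHostKeyChecking=accept-new records the host key on
    first contact so a later change is reported instead of silently accepted.
    """
    return [
        "ssh", "-i", str(key_path),
        "-o", "IdentitiesOnly=yes",
        "-o", "StrictHostKeyChecking=accept-new",
        f"{user}@{host}",
    ]


def demo(elastic_ip="203.0.113.10"):
    """Simulate the download with a constructed placeholder file; return (mode, argv)."""
    workdir = Path(tempfile.mkdtemp(prefix="vsrx-key-"))
    key = workdir / "vsrx-key-pair.pem"
    # Constructed stand-in for the downloaded file; the body is not key material.
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    mode = secure_key_file(key)
    return mode, ssh_command(key, elastic_ip)


if __name__ == "__main__":
    mode, argv = demo()
    print(f"key mode {oct(mode)}; login with: {' '.join(argv)}")
```

In practice, move the downloaded file under a directory only you can read (for example ~/.ssh) before calling secure_key_file on it, and keep the host key fingerprint recorded at first login so that a changed fingerprint on a later connection is investigated rather than accepted.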

Step 2: Launch a vSRX Instance

The AWS instance types supported for vSRX are listed in Table 1.

vSRX does not support M-series and C3 instance types. If you launched your vSRX on one of these instance types, you must change the instance type to a supported C4, C5, or C5n type.

Table 1: Supported AWS Instance Types for vSRX

  Instance Type   vSRX Type               vCPUs   Memory (GB)   RSS Type
  c4.xlarge       VSRX-4CPU-7G memory     4       7.5           SW RSS
  c4.2xlarge      VSRX-8CPU-15G memory    8       15            SW RSS
  c4.4xlarge      VSRX-16CPU-30G memory   16      30            SW RSS
  c4.8xlarge      VSRX-36CPU-60G memory   36      60            SW RSS
  c5.large        VSRX-2CPU-3G memory     2       4             HW RSS
  c5.2xlarge      VSRX-8CPU-15G memory    8       16            HW RSS
  c5.4xlarge      VSRX-16CPU-31G memory   16      32            SW RSS
  c5n.2xlarge     VSRX-8CPU-20G memory    8       21            HW RSS
  c5n.4xlarge     VSRX-16CPU-41G memory   16      42            HW RSS
  c5n.9xlarge     VSRX-36CPU-93G memory   36      96            HW RSS

Best Practice:

Instance Type Selection—As your network changes over time, you might find that your instance is overutilized (the instance type is too small) or underutilized (the instance type is too large). If so, you can change the instance type. For example, if your instance is too small for its workload, change it to an instance type that is appropriate for the workload. You might also want to migrate from a previous-generation instance type to a current-generation one to take advantage of newer features, such as IPv6 support, or to gain better performance and throughput.

Starting with Junos OS Release 18.4R1, c5.large vSRX instances are supported. These are cost-effective and provide better performance and throughput.

To launch a vSRX instance in the Amazon VPC:

  1. In the Amazon EC2 Dashboard, select Instances in the left pane.
  2. Click Launch Instance, search for the vSRX on AWS Marketplace, and click Select next to the vSRX AMI.
  3. Select a supported instance type. See Table 1 for details.
  4. Click Next: Configure Instance Details, and specify the fields in Table 2. Expand Advanced Details to see all settings.
    Table 2: AWS Instance Details

    Field                           Setting
    Network                         Select the Amazon VPC configured for vSRX.
    Subnet                          Select the public subnet for the vSRX management interface (fxp0).
    Auto-assign Public IP           Select Disable (you will assign an Elastic IP address later).
    Placement group                 Use the default.
    Shutdown behavior               Select Stop (the default).
    Enable termination protection   Use your IT policy. (When enabled, the instance cannot be terminated from the console or API until the protection is removed.)
    Monitoring                      Use your IT policy.
    Network Interfaces              Use the default or assign a public IP address for the Primary IP field.
    User data                       Attach the cloud-init user-data file, as described below.

    Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX for AWS image to simplify configuring new vSRX instances on AWS from a specified user-data file.

    In the User data section on the Configure Instance Details page, select As File and attach the user-data file. The selected file is used for the initial launch of the instance. During the initial boot-up sequence, the vSRX instance processes the cloud-init request. See Using Cloud-Init to Automate the Initialization of vSRX Instances in AWS for information about how to create the user-data file.

    Note:

    The Junos OS configuration that is passed as user data is only imported at initial launch. If the instance is stopped and restarted, the user-data file is not imported again.

  5. Click Next: Add Storage, and use the default settings or change the Volume Type and IOPS as needed.
  6. Click Next: Tag Instance, and specify a name for the vSRX instance.
  7. Click Next: Configure Security Group, select Select an existing security group, and select the security group created for the vSRX management interface (fxp0).
  8. Click Review and Launch, review the settings for the vSRX instance, and click Launch.
  9. Select the SSH key pair you created, select the acknowledgment check box, and click Launch Instance.
  10. Click View Instances to display the Instances list in the Amazon EC2 Dashboard. It might take several minutes to launch a vSRX instance.

Step 3: View the AWS System Logs

To debug launch time errors, you can view the AWS system logs, as follows:

  1. In the Amazon EC2 Dashboard, select Instances.
  2. Select the vSRX instance, and select Actions > Instance Settings > Get System Logs.

Step 4: Add Network Interfaces for vSRX

AWS supports up to eight interfaces for an instance, depending on the AWS instance type selected. Use the following procedure for each of the revenue interfaces you want to add to vSRX (up to seven). The first revenue interface is ge-0/0/0, the second is ge-0/0/1, and so on (see Requirements for vSRX on AWS).

To add a vSRX revenue interface:

  1. In the Amazon EC2 Dashboard, select Network Interfaces in the left pane, and click Create Network Interface.
  2. Specify the interface settings as shown in Table 3, and click Yes, Create.
    Table 3: Network Interface Settings

    Field             Setting
    Description       Enter an interface description for each of the revenue interfaces.
    Subnet            Select the public subnet created for the first revenue interface (ge-0/0/0) or the private subnet created for all the other revenue interfaces.
    Private IP        Enter an IP address from the selected subnet or allow the address to be assigned automatically.
    Security Groups   Select the security group created for the vSRX revenue interfaces.

  3. Select the new interface, select Actions > Change Source/Dest. Check, select Disabled, and click Save.
    Figure 2: Disable Source/Dest. Check
  4. Select the new interface, select Attach, select the vSRX instance, and click Attach.
  5. Click the pencil icon in the new interface Name column and give the interface a name (for example, ix-fxp0.0).
Note:

For a private revenue interface (ge-0/0/1 through ge-0/0/7), make a note of the network name you created or the network interface ID. You will add the name or interface ID later to the route table created for the private subnet.

Step 5: Allocate Elastic IP Addresses

For public interfaces, AWS performs NAT between the public IP address and the private IP address of the interface. The public IP address is called an Elastic IP address. We recommend that you assign an Elastic IP address to the public vSRX interfaces (fxp0 and ge-0/0/0). Note that an Elastic IP stays associated with the interface when the vSRX instance is stopped and started, whereas an automatically assigned public IP address is released.

To create and allocate Elastic IPs:

  1. In the Amazon EC2 Dashboard, select Elastic IPs in the left pane, click Allocate New Address, and click Yes, Allocate. (If your account supports EC2-Classic, you must first select EC2-VPC from the Network platform list.)
  2. Select the new Elastic IP address, and select Actions > Associate Address.
  3. Specify the settings in Table 4, and click Associate.
    Table 4: Elastic IP Settings

    Field                Setting
    Network Interface    Select the vSRX management interface (fxp0) or the first revenue interface (ge-0/0/0).
    Private IP Address   Enter the private IP address to be associated with the Elastic IP address.

Step 6: Add the vSRX Private Interfaces to the Route Tables

For each private revenue interface you created for vSRX, you must add the interface ID to the route table you created for the associated private subnet.

To add a private interface ID to a route table:

  1. In the VPC Dashboard, select Route Tables in the left pane.
  2. Select the route table you created for the private subnet.
  3. Select the Routes tab below the list of route tables.
  4. Click Edit and click Add another route.
  5. Specify the settings in Table 5, and click Save.
    Table 5: Private Route Settings

    Field         Setting
    Destination   Enter 0.0.0.0/0 for Internet traffic.
    Target        Type the network name or the network interface ID for the associated private subnet. The network interface must be in the private subnet shown in the Subnet Associations tab.

    Note:

    Do not select the Internet gateway (igw-nnnnnnnn).

Repeat this procedure for each private network interface. You must reboot the vSRX instance to complete this configuration.
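Steps 4 through 6, together with the management security group from Step 2, leave three things that are easy to get wrong in the console: a revenue interface with the source/destination check still on, a private subnet whose 0.0.0.0/0 route points at the Internet gateway instead of the vSRX interface, and SSH on fxp0 open to the world. The following audit is an added example (not Juniper's code) that reads the JSON printed by aws ec2 describe-network-interfaces, describe-route-tables and describe-security-groups with --output json and reports those mistakes. The sample data embedded at the bottom is constructed and contains all three on purpose; none of the identifiers are real.

```python
"""Audit the EC2 wiring of a vSRX instance after Steps 4 to 6 (added example)."""
import json
import sys


def junos_name(device_index):
    """eth0 is fxp0; eth1 onward are the revenue interfaces ge-0/0/0, ge-0/0/1, ..."""
    return "fxp0" if device_index == 0 else f"ge-0/0/{device_index - 1}"


def audit_vsrx(instance_id, enis, route_tables, security_groups, mgmt_cidrs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    attached = sorted((e for e in enis if e.get("Attachment", {}).get("InstanceId") == instance_id),
                      key=lambda e: e["Attachment"]["DeviceIndex"])
    if not attached:
        return [f"{instance_id}: no network interfaces attached"]
    sg_by_id = {g["GroupId"]: g for g in security_groups}
    for eni in attached:
        idx = eni["Attachment"]["DeviceIndex"]
        eid, name = eni["NetworkInterfaceId"], junos_name(idx)
        primary = next((ip for ip in eni.get("PrivateIpAddresses", []) if ip.get("Primary")), {})
        has_public = bool(primary.get("Association", {}).get("PublicIp"))
        # Step 4.3: revenue interfaces forward traffic for other hosts, so EC2 must
        # not drop packets whose source/destination is not the interface itself.
        if idx > 0 and eni.get("SourceDestCheck", True):
            findings.append(f"{eid} ({name}): source/dest check is still enabled")
        # Step 5: fxp0 and ge-0/0/0 are the public interfaces and need an Elastic IP;
        # the private revenue interfaces should not be reachable from the Internet.
        if idx <= 1 and not has_public:
            findings.append(f"{eid} ({name}): no Elastic IP associated")
        if idx > 1 and has_public:
            findings.append(f"{eid} ({name}): private interface has a public IP")
        # Step 6: the private subnet's default route must target this interface,
        # not the Internet gateway (which would bypass the firewall entirely).
        if idx > 1:
            subnet = eni["SubnetId"]
            table = next((t for t in route_tables
                          if any(a.get("SubnetId") == subnet for a in t.get("Associations", []))), None)
            default = next((r for r in (table or {}).get("Routes", [])
                            if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
            if default is None:
                findings.append(f"{eid} ({name}): subnet {subnet} has no 0.0.0.0/0 route")
            elif default.get("NetworkInterfaceId") != eid:
                target = default.get("GatewayId") or default.get("NetworkInterfaceId") or "unknown"
                findings.append(f"{eid} ({name}): 0.0.0.0/0 for {subnet} targets {target}, not {eid}")
        # Step 2.7: the management security group should allow SSH only from admin networks.
        if idx == 0:
            for group in eni.get("Groups", []):
                for perm in sg_by_id.get(group["GroupId"], {}).get("IpPermissions", []):
                    if perm.get("IpProtocol") not in ("tcp", "-1"):
                        continue
                    if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
                        continue
                    for rng in perm.get("IpRanges", []):
                        if rng["CidrIp"] not in mgmt_cidrs:
                            findings.append(f"{group['GroupId']} on {name}: SSH allowed from {rng['CidrIp']}")
    return findings


# Constructed sample with three deliberate mistakes (not real AWS data).
INSTANCE = "i-0123456789abcdef0"
ENIS = [
    {"NetworkInterfaceId": "eni-0a1", "SubnetId": "subnet-pub", "SourceDestCheck": True,
     "Attachment": {"InstanceId": INSTANCE, "DeviceIndex": 0}, "Groups": [{"GroupId": "sg-mgmt"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.10", "Primary": True,
                             "Association": {"PublicIp": "203.0.113.10"}}]},
    {"NetworkInterfaceId": "eni-0b2", "SubnetId": "subnet-pub", "SourceDestCheck": False,
     "Attachment": {"InstanceId": INSTANCE, "DeviceIndex": 1}, "Groups": [{"GroupId": "sg-rev"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.11", "Primary": True,
                             "Association": {"PublicIp": "203.0.113.11"}}]},
    {"NetworkInterfaceId": "eni-0c3", "SubnetId": "subnet-priv", "SourceDestCheck": True,  # mistake 1
     "Attachment": {"InstanceId": INSTANCE, "DeviceIndex": 2}, "Groups": [{"GroupId": "sg-rev"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True}]},
]
ROUTE_TABLES = [{"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
                 "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0d4"}]}]  # mistake 2
SECURITY_GROUPS = [
    {"GroupId": "sg-mgmt", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # mistake 3
    {"GroupId": "sg-rev", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
MGMT_CIDRS = {"198.51.100.0/24"}  # placeholder admin network


def main(argv):
    """With <instance-id> <enis.json> <routes.json> <sgs.json> audit real output; else the sample."""
    if len(argv) == 5:
        findings = audit_vsrx(argv[1], json.load(open(argv[2]))["NetworkInterfaces"],
                              json.load(open(argv[3]))["RouteTables"],
                              json.load(open(argv[4]))["SecurityGroups"], MGMT_CIDRS)
    else:
        findings = audit_vsrx(INSTANCE, ENIS, ROUTE_TABLES, SECURITY_GROUPS, MGMT_CIDRS)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a live deployment by saving the three describe-* outputs to files and passing them with the instance ID; a non-zero exit status means at least one of the steps above was not completed. The route check deliberately treats any 0.0.0.0/0 target other than the vSRX interface as a finding, because a private subnet routed straight to the Internet gateway silently bypasses the firewall.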

Step 7: Reboot the vSRX Instance

To incorporate the interface changes and complete the Amazon EC2 configuration, you must reboot the vSRX instance. Interfaces attached while the vSRX instance is running do not take effect until the instance is rebooted.

Note:

Always use AWS to reboot the vSRX instance. Do not use the vSRX CLI to reboot.

To reboot a vSRX instance:

  1. In the Amazon EC2 Dashboard, select Instances in the left pane.
  2. Select the vSRX instance, and select Actions > Instance State > Reboot.

It might take several minutes to reboot a vSRX instance.

Step 8: Log in to a vSRX Instance

In AWS deployments, vSRX instances provide the following capabilities by default to enhance security:

  • Login is allowed only through SSH.

  • cloud-init is used to set up SSH key login.

  • SSH password login is disabled for the root account.

A vSRX instance launched on AWS uses the cloud-init service to copy the public key of the SSH key pair you selected when launching the instance into the instance. You can then log in with the corresponding private key.

Note:

Root login using an SSH password is disabled by default.

Use an SSH client to log in to a vSRX instance for the first time. To log in, specify the location where you saved the SSH key pair .pem file for the user account, and the Elastic IP address assigned to the vSRX management interface (fxp0).

Note:

Starting in Junos OS Release 17.4R1, the default user name has changed from root@ to ec2-user@.

Note:

Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.

If you do not have the key pair filename and Elastic IP address, use these steps to view the key pair name and Elastic IP for a vSRX instance:

  1. In the Amazon EC2 Dashboard, select Instances.
  2. Select the vSRX instance, and select eth0 in the Description tab to view the Elastic IP address for the fxp0 management interface.
  3. Click Connect above the list of instances to view the SSH key pair filename.

To configure the basic settings for the vSRX instance, see Configure vSRX Using the CLI.

Note:

vSRX pay-as-you-go images do not require any separate licenses.

Release History Table

  Release   Description
  17.4R1    Starting in Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX for AWS image to help simplify configuring new vSRX instances operating on AWS according to a specified user-data file.