Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall

Before you begin, you need an Amazon Web Services (AWS) account and an Identity and Access Management (IAM) role, with all required permissions to access, create, modify, and delete Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (Amazon VPC) objects. You should also create access keys and corresponding secret access keys, X.509 certificates, and account identifiers. For better understanding of AWS terminologies and their use in vSRX Virtual Firewall AWS deployments, see Understand vSRX with AWS.

Figure 1 shows an example of how you can deploy vSRX Virtual Firewall to provide security for applications running in a private subnet of an Amazon VPC.

Figure 1: Example of vSRX Virtual Firewall in AWS Deployment

The following procedures outline how to create and prepare an Amazon VPC for vSRX Virtual Firewall. The procedures describe how to set up an Amazon VPC with its associated Internet gateway, subnets, route table, and security groups.

Step 1: Create an Amazon VPC and Internet Gateway

Use the following procedure to create an Amazon VPC and an Internet gateway. If you already have a VPC and an Internet gateway, go to Step 2: Add Subnets for vSRX Virtual Firewall.

  1. Log in to the AWS Management Console and select Services > Networking > VPC.
  2. In the VPC Dashboard, select Your VPCs in the left pane, and click Create VPC.
  3. Specify a VPC name and a range of private IP addresses in Classless Interdomain Routing (CIDR) format. Leave Default as the Tenancy.
  4. Click Yes, Create.
  5. Select Internet Gateways in the left pane, and click Create Internet Gateway.
  6. Specify a gateway name and click Yes, Create.
  7. Select the gateway you just created and click Attach to VPC.
  8. Select the new Amazon VPC, and click Yes, Attach.

Step 2: Add Subnets for vSRX Virtual Firewall

In the Amazon VPC, public subnets have access to the Internet gateway, but private subnets do not. vSRX Virtual Firewall requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX Virtual Firewall interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX Virtual Firewall instance.

To create each vSRX Virtual Firewall subnet:

  1. In the VPC Dashboard, select Subnets in the left pane, and click Create Subnet.
  2. Specify a subnet name, select the Amazon VPC and availability zone, and specify the range of subnet IP addresses in CIDR format.
    Tip:

    As a naming convention best practice for subnets, we recommend including private or public in the name to make it easier to know which subnet is public or private.

    Note:

    All subnets for a vSRX Virtual Firewall instance must be in the same availability zone. Do not use No Preference for the availability zone.

  3. Click Yes, Create.

Repeat these steps for each subnet you want to create and attach to the vSRX Virtual Firewall instance.

Step 3: Attach an Interface to a Subnet

To attach an interface to a subnet:

  1. Create a network interface from the Amazon EC2 Dashboard.

    Select Network Interfaces in the left pane; the Network Interfaces page opens.

  2. Click Create Network Interface, fill in the required fields (including the subnet the interface belongs to), and then click Create.
  3. Find and select your newly created interface.

    If this interface is a revenue interface, select Change Source/Dest. Check from the Actions menu, choose Disabled, and click Save. With the check enabled, AWS drops any packet whose source or destination address is not one of the interface's own addresses, which is exactly the traffic a firewall forwards on behalf of other hosts. If this interface is your fxp0 interface, skip this step; fxp0 only terminates management sessions and never forwards traffic.

  4. Click Attach from the menu on top of the screen, choose the Instance ID of your vSRX Virtual Firewall instance, and click Attach.
  5. vSRX Virtual Firewall does not support interface hot plug-in. When you have finished adding interfaces, reboot each vSRX Virtual Firewall instance to which you attached them so that the new interfaces take effect.

Step 4: Add Route Tables for vSRX Virtual Firewall

A main route table is created for each Amazon VPC by default. We recommend that you create a custom route table for the public subnets and a separate route table for each private subnet. All subnets that are not associated with a custom route table are associated with the main route table.

To create the route tables:

  1. In the VPC Dashboard, select Route Tables in the left pane, and click Create Route Table.
  2. Specify a route table name, select the VPC, and click Yes, Create.
    Tip:

    As a naming convention best practice for route tables, we recommend including private or public in the name to make it easier to know which route table is public or private.

  3. Repeat steps 1 and 2 to create all the route tables.
  4. Select the route table you created for the public subnets and do the following:
    1. Select the Routes tab below the list of route tables.
    2. Click Edit and click Add another route.
    3. Enter 0.0.0.0/0 as the destination, select your VPC internet gateway as the target, and click Save.
    4. Select the Subnet Associations tab, and click Edit.
    5. Select the check boxes for the public subnets, and click Save.
  5. Select each route table you created for a private subnet and do the following:
    1. Select the Subnet Associations tab, and click Edit.
    2. Select the check box for one private subnet, and click Save.
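The constraints stated in Steps 2 through 4 (two public subnets and at least one private subnet per instance, all in one availability zone; a public route table with a default route to the Internet gateway; one route table per private subnet; source/destination check disabled on every interface except fxp0) can be verified against a planned layout before anything is created in the account. The following Python script is an added example, not Juniper's or AWS's code; the PLAN dictionary is a constructed sample modelled on Figure 1, and its subnet names, CIDR blocks, availability zone and interface names (fxp0, ge-0/0/0, ge-0/0/1) are assumptions.

```python
"""Sanity-check a planned Amazon VPC layout for one vSRX instance before
building it.  Added example (not Juniper's code); PLAN is a constructed
sample modelled on Figure 1 and every name, CIDR block and AZ in it is
an assumption."""
import ipaddress
from typing import Dict, List

# Route targets are kept symbolic: "igw" is the VPC's Internet gateway.
# The private route tables carry no routes at all here, so their only way
# out is whatever the vSRX forwards for them.
PLAN: Dict = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {
        "vsrx-public-mgmt":    {"cidr": "10.0.0.0/24",  "az": "us-east-1a", "public": True},
        "vsrx-public-revenue": {"cidr": "10.0.1.0/24",  "az": "us-east-1a", "public": True},
        "app-private-1":       {"cidr": "10.0.10.0/24", "az": "us-east-1a", "public": False},
        "app-private-2":       {"cidr": "10.0.11.0/24", "az": "us-east-1a", "public": False},
    },
    "route_tables": {
        "public-rt":    {"subnets": ["vsrx-public-mgmt", "vsrx-public-revenue"],
                         "routes": [("0.0.0.0/0", "igw")]},
        "private-rt-1": {"subnets": ["app-private-1"], "routes": []},
        "private-rt-2": {"subnets": ["app-private-2"], "routes": []},
    },
    # Interfaces attached to the vSRX (Step 3).  Only fxp0 keeps the
    # AWS source/destination check; forwarding interfaces must have it off.
    "interfaces": {
        "fxp0":     {"subnet": "vsrx-public-mgmt",    "source_dest_check": True},
        "ge-0/0/0": {"subnet": "vsrx-public-revenue", "source_dest_check": False},
        "ge-0/0/1": {"subnet": "app-private-1",       "source_dest_check": False},
    },
}


def check_plan(plan: Dict) -> List[str]:
    """Return findings; an empty list means the plan satisfies Steps 2 to 4."""
    findings: List[str] = []
    subnets = plan["subnets"]

    # Addressing: every subnet inside the VPC block, no two overlapping.
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    seen: Dict[str, ipaddress.IPv4Network] = {}
    for name, cfg in subnets.items():
        net = ipaddress.ip_network(cfg["cidr"])
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} lies outside VPC block {vpc}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                findings.append(f"{name}: {net} overlaps {other} ({onet})")
        seen[name] = net

    # Step 2: two public subnets (fxp0 + revenue), one or more private, one AZ.
    public = [n for n, c in subnets.items() if c["public"]]
    private = [n for n, c in subnets.items() if not c["public"]]
    if len(public) != 2:
        findings.append(f"expected 2 public subnets, found {len(public)}")
    if not private:
        findings.append("no private subnet for the protected applications")
    zones = {c["az"] for c in subnets.values()}
    if len(zones) != 1:
        findings.append(f"subnets span several availability zones: {sorted(zones)}")

    # Step 4: one public route table with a default route to the IGW,
    # one route table per private subnet, and no IGW route on those.
    assoc: Dict[str, str] = {}
    for rt, cfg in plan["route_tables"].items():
        for sn in cfg["subnets"]:
            if sn in assoc:
                findings.append(f"{sn}: associated with both {assoc[sn]} and {rt}")
            assoc[sn] = rt
        igw_default = ("0.0.0.0/0", "igw") in cfg["routes"]
        pub = [sn for sn in cfg["subnets"] if subnets[sn]["public"]]
        priv = [sn for sn in cfg["subnets"] if not subnets[sn]["public"]]
        if pub and not igw_default:
            findings.append(f"{rt}: public subnets without a 0.0.0.0/0 -> igw route")
        if priv and igw_default:
            findings.append(f"{rt}: private subnet would bypass the vSRX via the igw")
        if len(priv) > 1 or (priv and pub):
            findings.append(f"{rt}: each private subnet needs its own route table")
    for sn in subnets:
        if sn not in assoc:
            findings.append(f"{sn}: not associated, falls back to the main route table")

    # Step 3: source/destination check must be off on every forwarding interface.
    for ifname, eni in plan["interfaces"].items():
        if ifname != "fxp0" and eni["source_dest_check"]:
            findings.append(f"{ifname}: source/dest check still enabled; AWS will "
                            "drop packets the vSRX forwards for other hosts")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```

Run as written, check_plan(PLAN) returns an empty list. Add a 0.0.0.0/0 route to the Internet gateway in a private route table, or leave the source/destination check enabled on a revenue interface, and the matching finding appears. The one check the page states only implicitly is that a private route table must never carry a route to the Internet gateway: with such a route the private subnet reaches the Internet directly and the vSRX is bypassed.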

Step 5: Add Security Groups for vSRX Virtual Firewall

A default security group is created for each Amazon VPC. We recommend that you create a separate security group for the vSRX Virtual Firewall management interface (fxp0) and another security group for all other vSRX Virtual Firewall interfaces. The security groups are assigned when a vSRX Virtual Firewall instance is launched in the Amazon EC2 Dashboard, where you can also add and manage security groups.

To create the security groups:

  1. In the VPC Dashboard, select Security Groups in the left pane, and click Create Security Group.
  2. For the vSRX Virtual Firewall management interface, specify a security group name in the Name Tag field, edit the Group Name field (optional), enter a description of the group, and select the VPC.
  3. Click Yes, Create.
  4. Repeat Steps 1 through 3 to create a security group for the vSRX Virtual Firewall revenue interfaces.
  5. Select the security group you created for the management interface and do the following:
    1. Select the Inbound Rules tab below the list of security groups.
    2. Click Edit and click Add another rule to create the following inbound rules:

      Type              Protocol   Port    Source
      Custom TCP rule   TCP        20-21   A CIDR block for each rule (0.0.0.0/0 allows any source).
      SSH (22)          TCP        22      Same; restrict to the CIDR blocks your administrators connect from.
      HTTP (80)         TCP        80      Same.
      HTTPS (443)       TCP        443     Same.

      Every rule in this group exposes the fxp0 management interface to whatever source you enter. A source of 0.0.0.0/0 makes SSH and the web management interface reachable from the whole Internet, so restrict the source to the CIDR blocks of your operator network. Ports 20-21 are FTP, a cleartext protocol; add that rule only if you actually transfer files to the vSRX Virtual Firewall over FTP.

    3. Click Save.
    4. Select the Outbound Rules tab to view the default rule that allows all outbound traffic. Use the default rule unless you need to restrict the outbound traffic.
  6. Select the security group you created for all other vSRX Virtual Firewall interfaces and do the following:
    Note:

    The inbound and outbound rules should allow all traffic. Filtering on these interfaces belongs in the vSRX Virtual Firewall security policy; a narrower security group would silently drop flows that the policy permits and make troubleshooting difficult.

    1. Select the Inbound Rules tab below the list of security groups.
    2. Click Edit and create the following inbound rule:

      Type          Protocol   Port   Source
      All Traffic   All        All    For web servers, enter 0.0.0.0/0.
                                      For VPNs, enter the IPv4 address range of the peer network as a Classless Inter-Domain Routing (CIDR) block (for example, 10.0.0.0/16).

    3. Click Save.
    4. Keep the default rule in the Outbound Rules tab. The default rule allows all outbound traffic.
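The two security groups in Step 5 have opposite shapes: the management group should be as narrow as the page's four rules allow, while the revenue group must pass everything so that the vSRX Virtual Firewall policy, not the security group, decides what is dropped. The following Python script is an added example, not Juniper's or AWS's code; it audits a planned rule set for both groups, rewrites the management rules to a single operator network, and prints the equivalent aws ec2 authorize-security-group-ingress command for each rule. The rule lists, the operator CIDR block 203.0.113.0/24 and the security group IDs are constructed samples.

```python
"""Audit the two vSRX security groups from Step 5 before creating them.
Added example (not Juniper's code).  Rule tuples, group IDs and the
operator network below are constructed samples."""
import ipaddress
from typing import Iterable, List, Tuple

# (protocol, from_port, to_port, source_cidr).  "-1" is the protocol value
# the EC2 API uses for an "All Traffic" rule.
Rule = Tuple[str, int, int, str]

OPERATOR_NET = "203.0.113.0/24"   # assumed admin network (RFC 5737 range)

# Management group (fxp0) exactly as the page's table reads if every
# source is left at 0.0.0.0/0.
MGMT_OPEN: List[Rule] = [
    ("tcp", 20, 21, "0.0.0.0/0"),    # FTP, cleartext
    ("tcp", 22, 22, "0.0.0.0/0"),    # SSH
    ("tcp", 80, 80, "0.0.0.0/0"),    # HTTP
    ("tcp", 443, 443, "0.0.0.0/0"),  # HTTPS
]
# Revenue group: everything allowed, the vSRX policy does the filtering.
REVENUE: List[Rule] = [("-1", -1, -1, "0.0.0.0/0")]


def audit_mgmt(rules: Iterable[Rule], allowed: Iterable[str] = (OPERATOR_NET,)) -> List[str]:
    """Flag management rules reachable from outside the operator networks."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed]
    findings: List[str] = []
    for proto, lo, hi, src in rules:
        if proto == "-1":
            findings.append(f"all-traffic rule on the management group from {src}")
            continue
        if not any(ipaddress.ip_network(src).subnet_of(n) for n in allowed_nets):
            findings.append(f"{proto}/{lo}-{hi} open to {src}; restrict the source")
    return findings


def harden_mgmt(rules: Iterable[Rule], source: str = OPERATOR_NET) -> List[Rule]:
    """Same ports, every source replaced by the operator network."""
    return [(p, lo, hi, source) for p, lo, hi, _ in rules]


def audit_revenue(rules: Iterable[Rule]) -> List[str]:
    """The revenue group must pass all traffic, otherwise the security group
    drops flows that the vSRX policy would have permitted."""
    if any(p == "-1" and src == "0.0.0.0/0" for p, _, _, src in rules):
        return []
    return ["revenue group has no All Traffic rule from 0.0.0.0/0"]


def as_cli(group_id: str, rule: Rule) -> str:
    """aws ec2 authorize-security-group-ingress equivalent of one rule,
    using the CLI's --ip-permissions shorthand syntax."""
    p, lo, hi, src = rule
    perm = f"IpProtocol={p}" if p == "-1" else f"IpProtocol={p},FromPort={lo},ToPort={hi}"
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--ip-permissions \"{perm},IpRanges=[{{CidrIp={src}}}]\"")


if __name__ == "__main__":
    for f in audit_mgmt(MGMT_OPEN):
        print("finding:", f)
    for r in harden_mgmt(MGMT_OPEN):
        print(as_cli("sg-0123456789abcdef0", r))   # assumed management group ID
    for r in REVENUE:
        print(as_cli("sg-0fedcba9876543210", r))   # assumed revenue group ID
```

As written the audit reports all four management rules, because 0.0.0.0/0 is not contained in the operator network; after harden_mgmt it reports nothing. Drop the rule for ports 20-21 from MGMT_OPEN if you do not use FTP, and pass several CIDR blocks in allowed if administrators connect from more than one network.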