Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Requirements for vSRX on Microsoft Azure

This section presents an overview of requirements for deploying a vSRX instance on Microsoft Azure Cloud.

System Requirements for vSRX on Microsoft Azure Cloud

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud. Microsoft Azure supports a wide variety of sizes and options for deployed Azure virtual machines (VMs).

For the vSRX deployment in Microsoft Azure, we recommend DSv2-series VMs. The DSv2-series VMs provided from Microsoft Azure use Premium Storage(SSD) and are ideal for applications that demand faster CPUs and better local disk performance, or have higher memory demands. Of the available DSv2-series VMs, we recommend that you select Standard_DS3_v2, Standard_DS4_v2, or Standard_DS5_v2 for the vSRX VM deployment in Microsoft Azure. For more details, see DSv2-series.

Table 1 lists the properties of the Standard_DS3_v2 VM available in Microsoft Azure.

Table 1: Properties of the Standard_DS3_v2 VM in Microsoft Azure

Component

Specification

Size

Standard_DS3_v2

CPU cores

4

Memory

14 GiB

Maximum number of data disks

16

Maximum cached and local disk storage throughput: IOPS/MBps (cache size in GB)

16,000/128 (172)

Maximum uncached disk throughput: IOPS/MBps

12,800/192

Max NICs/Expected network bandwidth (Mbps)

4/3000

Table 2 lists the properties of the Standard_DS4_v2 VM available in Microsoft Azure.

Table 2: Properties of the Standard_DS4_v2 VM in Microsoft Azure

Component

Specification

Size

Standard DS4_v2

CPU cores

8

Memory

28 GiB

Maximum number of data disks

32

Temp storage (SSD) GiB

56

Max cached and temp storage throughput: IOPS/MBps (cache size in GiB)

32000/256 (344)

Max uncached disk throughput: IOPS/MBps

25600/384

Max NICs/Expected network bandwidth (Mbps)

8/6000

Note:

The vSRX does not provide support for a high availability configuration in Microsoft Azure. In addition, the vSRX does not support Layer 2 transparent mode in Microsoft Azure.

Table 3 lists the properties of the Standard_DS5_v2 VM available in Microsoft Azure.

Table 3: Properties of the Standard_DS5_v2 VM in Microsoft Azure

Component

Specification

Size

Standard DS5_v2

CPU cores

16

Memory

56 GiB

Maximum number of data disks

64

Temp storage (SSD) GiB

112

Max cached and temp storage throughput: IOPS/MBps (cache size in GiB)

64000/512 (688)

Max uncached disk throughput: IOPS/MBps

51200/768

Max NICs/Expected network bandwidth (Mbps)

8/12000

Network Requirements for vSRX on Microsoft Azure Cloud

When you deploy a vSRX VM in a Microsoft Azure virtual network, note the following specifics of the deployment configuration:

  • A dual public IP network configuration is a requirement for vSRX VM network connectivity; the vSRX VM requires two public subnets and one or more private subnets for each instance group.

  • The public subnets required by the vSRX VM consist of one subnet for the out-of-band management interface (fxp0) for management access and another for the two revenue (data) interfaces. By default, one interface is assigned to the untrust security zone and the other to the trust security zone on the vSRX VM.

  • In the Microsoft Azure deployment of the vSRX VM, the vSRX supports the management interface (fxp0) and the two revenue (data) interfaces (port ge-0/0/0 and ge-0/0/1), which includes public IP address mapping and data traffic forwarding to and from the vSRX VM.

Microsoft Azure Instances and vSRX Instance Types

Microsoft Azure instance types supported for vSRX are listed in Table 4.

Table 4: Supported Microsoft Azure Instance Types for vSRX

Instance Type

vSRX Type

vCPUs

Memory in Instance Type (GB)

RSS Type

Standard_DS3_v2

VSRX-4CPU-14G memory

4

14

HWRSS

Standard_DS4_v2

VSRX-8CPU-28G memory

8

28

HWRSS

Standard_DS5_v2

VSRX-16CPU-56G memory

16

56

HWRSS

Interface Mapping for vSRX on Microsoft Azure

Table 5 lists the vSRX and Microsoft Azure interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 5: vSRX and Microsoft Azure Interface Names

Interface

Number

vSRX Interface

Microsoft Azure Interface

1

fxp0

eth0

2

ge-0/0/0

eth1

3

ge-0/0/1

eth2

4

ge-0/0/2

eth3

5

ge-0/0/3

eth4

6

ge-0/0/4

eth5

7

ge-0/0/5

eth6

8

ge-0/0/6

eth7

Note:

Refer Dv2 and DSv2-series for information on maximum number of NICs supported per Azure instance type.

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance. Ensure that interfaces belonging to the same security zone are in the same routing instance.

vSRX Default Settings on Microsoft Azure

vSRX requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

Table 6 lists the factory-default settings for security policies on the vSRX

Table 6: Factory-Default Settings for Security Policies

Source Zone

Destination Zone

Policy Action

trust

untrust

permit

trust

trust

permit

CAUTION:

Do not use the load factory-default command on the vSRX instance in Microsoft Azure. The factory-default configuration removes the “azure provision” preconfiguration. This group contains critical system-level settings and route information for the vSRX. A misconfiguration in the group “azure-provision” may result in the possible loss of connectivity to vSRX from Microsoft Azure. If you must revert to factory default, ensure that you first manually reconfigure the Microsoft Azure preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.

We strongly recommend that when you commit a configuration, perform an explicit commit confirmed to avoid the possibility of losing connectivity to vSRX. Once you have verified that the change works correctly, you can keep the new configuration active by entering the commit command within 10 minutes. Without the timely second confirm, configuration changes will be rolled back. See Configure vSRX Using the CLI for preconfiguration details.

Best Practices for Improving vSRX Performance

Review the following deployment practices to improve vSRX performance:

  • Disable the source/destination check for all vSRX interfaces.

  • Limit public key access permissions to 400 for key pairs.

  • Ensure that there are no contradictions between Microsoft Azure security groups and your vSRX configuration.

  • Use vSRX NAT to protect your instances from direct Internet traffic.

Release History Table
Release
Description
15.1X49-D80
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.