ON THIS PAGE
System Requirements for vSRX Virtual Firewall on Microsoft Azure Cloud
Network Requirements for vSRX Virtual Firewall on Microsoft Azure Cloud
Microsoft Azure Instances and vSRX Virtual Firewall Instance Types
Interface Mapping for vSRX Virtual Firewall on Microsoft Azure
Best Practices for Improving vSRX Virtual Firewall Performance
Requirements for vSRX Virtual Firewall on Microsoft Azure
This section presents an overview of requirements for deploying a vSRX Virtual Firewall instance on Microsoft Azure Cloud.
System Requirements for vSRX Virtual Firewall on Microsoft Azure Cloud
Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX Virtual Firewall to the Microsoft Azure Cloud. Microsoft Azure supports a wide variety of sizes and options for deployed Azure virtual machines (VMs).
For the vSRX Virtual Firewall deployment in Microsoft Azure, we recommend DSv2-series VMs. The DSv2-series VMs provided from Microsoft Azure use Premium Storage(SSD) and are ideal for applications that demand faster CPUs and better local disk performance, or have higher memory demands. Of the available DSv2-series VMs, we recommend that you select Standard_DS3_v2, Standard_DS4_v2, or Standard_DS5_v2 for the vSRX Virtual Firewall VM deployment in Microsoft Azure. For more details, see DSv2-series.
Table 1 lists the properties of the Standard_DS3_v2 VM available in Microsoft Azure.
Component |
Specification |
|---|---|
Size |
Standard_DS3_v2 |
CPU cores |
4 |
Memory |
14 GiB |
Maximum number of data disks |
16 |
Maximum cached and local disk storage throughput: IOPS/MBps (cache size in GB) |
16,000/128 (172) |
Maximum uncached disk throughput: IOPS/MBps |
12,800/192 |
Max NICs/Expected network bandwidth (Mbps) |
4/3000 |
Table 2 lists the properties of the Standard_DS4_v2 VM available in Microsoft Azure.
Component |
Specification |
|---|---|
Size |
Standard DS4_v2 |
CPU cores |
8 |
Memory |
28 GiB |
Maximum number of data disks |
32 |
Temp storage (SSD) GiB |
56 |
Max cached and temp storage throughput: IOPS/MBps (cache size in GiB) |
32000/256 (344) |
Max uncached disk throughput: IOPS/MBps |
25600/384 |
Max NICs/Expected network bandwidth (Mbps) |
8/6000 |
The vSRX Virtual Firewall does not provide support for a high availability configuration in Microsoft Azure. In addition, the vSRX Virtual Firewall does not support Layer 2 transparent mode in Microsoft Azure.
Table 3 lists the properties of the Standard_DS5_v2 VM available in Microsoft Azure.
Component |
Specification |
|---|---|
Size |
Standard DS5_v2 |
CPU cores |
16 |
Memory |
56 GiB |
Maximum number of data disks |
64 |
Temp storage (SSD) GiB |
112 |
Max cached and temp storage throughput: IOPS/MBps (cache size in GiB) |
64000/512 (688) |
Max uncached disk throughput: IOPS/MBps |
51200/768 |
Max NICs/Expected network bandwidth (Mbps) |
8/12000 |
Network Requirements for vSRX Virtual Firewall on Microsoft Azure Cloud
When you deploy a vSRX Virtual Firewall VM in a Microsoft Azure virtual network, note the following specifics of the deployment configuration:
A dual public IP network configuration is a requirement for vSRX Virtual Firewall VM network connectivity; the vSRX Virtual Firewall VM requires two public subnets and one or more private subnets for each instance group.
The public subnets required by the vSRX Virtual Firewall VM consist of one subnet for the out-of-band management interface (fxp0) for management access and another for the two revenue (data) interfaces. By default, one interface is assigned to the untrust security zone and the other to the trust security zone on the vSRX Virtual Firewall VM.
In the Microsoft Azure deployment of the vSRX Virtual Firewall VM, the vSRX Virtual Firewall supports the management interface (fxp0) and the two revenue (data) interfaces (port ge-0/0/0 and ge-0/0/1), which includes public IP address mapping and data traffic forwarding to and from the vSRX Virtual Firewall VM.
Microsoft Azure Instances and vSRX Virtual Firewall Instance Types
Microsoft Azure instance types supported for vSRX Virtual Firewall are listed in Table 4.
Instance Type |
vSRX Virtual Firewall Type |
vCPUs |
Memory in Instance Type (GB) |
RSS Type |
|---|---|---|---|---|
Standard_DS3_v2 |
vSRX Virtual Firewall-4CPU-14G memory |
4 |
14 |
HWRSS |
Standard_DS4_v2 |
vSRX Virtual Firewall-8CPU-28G memory |
8 |
28 |
HWRSS |
Standard_DS5_v2 |
vSRX Virtual Firewall-16CPU-56G memory |
16 |
56 |
HWRSS |
Interface Mapping for vSRX Virtual Firewall on Microsoft Azure
Table 5 lists the vSRX Virtual Firewall and Microsoft Azure interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX Virtual Firewall.
|
InterfaceNumber |
vSRX Virtual Firewall Interface |
Microsoft Azure Interface |
|---|---|---|
|
1 |
fxp0 |
eth0 |
|
2 |
ge-0/0/0 |
eth1 |
|
3 |
ge-0/0/1 |
eth2 |
|
4 |
ge-0/0/2 |
eth3 |
|
5 |
ge-0/0/3 |
eth4 |
|
6 |
ge-0/0/4 |
eth5 |
|
7 |
ge-0/0/5 |
eth6 |
|
8 |
ge-0/0/6 |
eth7 |
Refer Dv2 and DSv2-series for information on maximum number of NICs supported per Azure instance type.
We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance. Ensure that interfaces belonging to the same security zone are in the same routing instance.
vSRX Virtual Firewall Default Settings on Microsoft Azure
vSRX Virtual Firewall requires the following basic configuration settings:
Interfaces must be assigned IP addresses.
Interfaces must be bound to zones.
Policies must be configured between zones to permit or deny traffic.
Table 6 lists the factory-default settings for security policies on the vSRX Virtual Firewall
Source Zone |
Destination Zone |
Policy Action |
|---|---|---|
trust |
untrust |
permit |
trust |
trust |
permit |
Do not use the load factory-default command on the vSRX Virtual Firewall
instance in Microsoft Azure. The factory-default configuration removes the
“azure provision” preconfiguration. This group contains critical system-level
settings and route information for the vSRX Virtual Firewall. A misconfiguration
in the group “azure-provision” may result in the possible loss of connectivity
to vSRX Virtual Firewall from Microsoft Azure. If you must revert to factory
default, ensure that you first manually reconfigure the Microsoft Azure
preconfiguration statements before you commit the configuration; otherwise, you
will lose access to the vSRX Virtual Firewall instance.
We strongly recommend that when you commit a configuration, perform an explicit commit
confirmed to avoid the possibility of losing connectivity to vSRX
Virtual Firewall. Once you have verified that the change works correctly, you
can keep the new configuration active by entering the commit
command within 10 minutes. Without the timely second confirm, configuration
changes will be rolled back. See Configure vSRX Using
the CLI for preconfiguration details.
Best Practices for Improving vSRX Virtual Firewall Performance
Review the following deployment practices to improve vSRX Virtual Firewall performance:
Disable the source/destination check for all vSRX Virtual Firewall interfaces.
Limit public key access permissions to 400 for key pairs.
Ensure that there are no contradictions between Microsoft Azure security groups and your vSRX Virtual Firewall configuration.
Use vSRX Virtual Firewall NAT to protect your instances from direct Internet traffic.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.