Understand vSRX with VMware

This section presents an overview of vSRX on VMware.

vSRX Overview

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.

Figure 1 shows the high-level architecture.

Figure 1: vSRX Architecture

vSRX includes the Junos control plane (JCP) and the packet forwarding engine (PFE) components that make up the data plane. vSRX uses one virtual CPU (vCPU) for the JCP and at least one vCPU for the PFE. Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and GB virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.

Junos OS Release 18.4R1 supports a new software architecture, vSRX 3.0, that removes the dual-OS and nested virtualization requirements of the existing vSRX architecture.

In the vSRX 3.0 architecture, FreeBSD 11.x is used as the guest OS, and the Routing Engine and Packet Forwarding Engine run on FreeBSD 11.x as a single virtual machine for improved performance and scalability. vSRX 3.0 uses DPDK to process the data packets in the data plane. A direct Junos upgrade from vSRX to vSRX 3.0 software is not supported.

vSRX 3.0 has the following enhancements compared to vSRX:

  • Removed the restriction of requiring nested VM support in hypervisors.

  • Removed the restriction of requiring ports connected to the control plane to have promiscuous mode enabled.

  • Improved boot time and enhanced responsiveness of the control plane during management operations.

  • Improved live migration.

Figure 2 shows the high-level software architecture for vSRX 3.0.

Figure 2: vSRX 3.0 Architecture

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

  • Stateful firewall protection at the tenant edge

  • Faster deployment of virtual firewalls into new sites

  • Ability to run on top of various hypervisors and public cloud infrastructures

  • Full routing, VPN, core security, and networking capabilities

  • Application security features (including IPS and App-Secure)

  • Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)

  • Centralized management with Junos Space Security Director and local management with J-Web Interface

  • Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration

vSRX on VMware ESXi Deployment

VMware vSphere is a virtualization environment for systems supporting the x86 architecture. VMware ESXi® is the hypervisor used to create and run virtual machines (VMs) and virtual appliances on a host machine. The VMware vCenter Server® is a service that manages the resources of multiple ESXi hosts.

The VMware vSphere Web Client is used to deploy the vSRX VM.

Figure 3 shows an example of how vSRX can be deployed to provide security for applications running on one or more virtual machines. The vSRX virtual switch has a connection to a physical adapter (the uplink) so that all application traffic flows through the vSRX VM to the external network.

Figure 3: Example of vSRX Deployment

vSRX Scale Up Performance

Table 1 shows the vSRX scale up performance based on the number of vCPUs and vRAM applied to a vSRX VM. The table outlines the Junos OS release in which a particular software specification for deploying vSRX on VMware was introduced. You will need to download a specific Junos OS release to take advantage of certain scale up performance features.

Table 1: vSRX Scale Up Performance

vCPUs    | vRAM  | NICs                                                                                        | Junos OS Release Introduced
---------|-------|---------------------------------------------------------------------------------------------|--------------------------------------------------------
2 vCPUs  | 4 GB  | SR-IOV (Intel 82599, X520/X540); VMNET3                                                     | Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1
5 vCPUs  | 8 GB  | SR-IOV (Intel 82599, X520/X540); VMNET3                                                     | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1
9 vCPUs  | 16 GB | SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) (see note) | Junos OS Release 18.4R1
17 vCPUs | 32 GB | SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) (see note) | Junos OS Release 18.4R1

Note:

SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX to 9 vCPUs and 16 GB vRAM, or to 17 vCPUs and 32 GB vRAM.

You can scale the performance and capacity of a vSRX instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX. The multi-core vSRX automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX VM do not match what is currently available, the vSRX scales down to the closest supported value for the instance. For example, if a vSRX VM has 3 vCPUs and 8 GB of vRAM, vSRX boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX instance to a smaller setting.

Note:

The number of RSS queues typically matches with the number of data plane vCPUs of a vSRX instance. For example, a vSRX with 4 data plane vCPUs should have 4 RSS queues.

vSRX Session Capacity Increase

The vSRX solution is optimized to increase the number of supported sessions as the memory allocated to the instance is increased.

With the ability to increase the session count by adding memory, you can enable vSRX to:

  • Provide highly scalable, flexible, and high-performance security at strategic locations in the mobile network.

  • Deliver the performance that service providers require to scale and protect their networks.

Run the show security flow session summary | grep maximum command to view the maximum number of sessions.

Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX instance is increased based on the vRAM size used.

Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX 3.0 instance is increased based on the vRAM size used.

Table 2 lists the flow session capacity.

Table 2: vSRX and vSRX 3.0 Flow Session Capacity Details

vCPUs    | Memory | Flow Session Capacity
---------|--------|----------------------
2        | 4 GB   | 0.5 M
2        | 6 GB   | 1 M
2/5      | 8 GB   | 2 M
2/5      | 10 GB  | 2 M
2/5      | 12 GB  | 2.5 M
2/5      | 14 GB  | 3 M
2/5/9    | 16 GB  | 4 M
2/5/9    | 20 GB  | 6 M
2/5/9    | 24 GB  | 8 M
2/5/9    | 28 GB  | 10 M
2/5/9/17 | 32 GB  | 12 M
2/5/9/17 | 40 GB  | 16 M
2/5/9/17 | 48 GB  | 20 M
2/5/9/17 | 56 GB  | 24 M
2/5/9/17 | 64 GB  | 28 M
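The scale-down rule described under Table 1 (a VM whose allocation does not match a supported profile boots into the closest smaller one) and the memory-driven session capacity in Table 2 together decide what a given VM will actually deliver, so a sizing mistake shows up as idle vCPUs or a far smaller session table than expected. The following is an added capacity-planning check, not Juniper code and not part of this page. The profile and session figures are copied from Tables 1 and 2 above; the function names, the rule that vRAM off a listed tier counts as the next lower tier, and the split of one vCPU for the JCP with the remainder for the PFE are assumptions made for this illustration.

```python
"""Pre-deployment sizing check for a vSRX VM, built from Table 1 and Table 2.

Added example: not Juniper code. Table values are copied from the page; the
flooring rules and helper names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Table 1: supported (vCPU, vRAM) profiles. The SR-IOV flag mirrors the
# table note: the 9- and 17-vCPU profiles require Mellanox SR-IOV NICs.
PROFILES = (
    {"vcpus": 2,  "vram_gb": 4,  "release": "15.1X49-D15 / 17.3R1", "mellanox_sriov": False},
    {"vcpus": 5,  "vram_gb": 8,  "release": "15.1X49-D70 / 17.3R1", "mellanox_sriov": False},
    {"vcpus": 9,  "vram_gb": 16, "release": "18.4R1",               "mellanox_sriov": True},
    {"vcpus": 17, "vram_gb": 32, "release": "18.4R1",               "mellanox_sriov": True},
)

# Table 2: vRAM in GB -> (vCPU counts listed for that row, flow sessions in millions).
SESSION_CAPACITY = {
    4: ((2,), 0.5),            6: ((2,), 1.0),
    8: ((2, 5), 2.0),          10: ((2, 5), 2.0),
    12: ((2, 5), 2.5),         14: ((2, 5), 3.0),
    16: ((2, 5, 9), 4.0),      20: ((2, 5, 9), 6.0),
    24: ((2, 5, 9), 8.0),      28: ((2, 5, 9), 10.0),
    32: ((2, 5, 9, 17), 12.0), 40: ((2, 5, 9, 17), 16.0),
    48: ((2, 5, 9, 17), 20.0), 56: ((2, 5, 9, 17), 24.0),
    64: ((2, 5, 9, 17), 28.0),
}


@dataclass
class SizingResult:
    profile_vcpus: int
    profile_vram_gb: int
    data_plane_vcpus: int      # one vCPU is reserved for the JCP, the rest go to the PFE (assumption)
    rss_queues: int            # expected to match the data plane vCPU count (page note)
    session_capacity_m: float  # flow sessions, in millions
    release: str
    warnings: list = field(default_factory=list)


def resolve_profile(vcpus: int, vram_gb: int) -> dict:
    """Mimic boot-time scale-down: pick the largest Table 1 profile whose vCPU
    and vRAM requirements are both satisfied by the VM's allocation."""
    fits = [p for p in PROFILES if vcpus >= p["vcpus"] and vram_gb >= p["vram_gb"]]
    if not fits:
        raise ValueError(f"{vcpus} vCPU / {vram_gb} GB is below the smallest supported profile")
    return max(fits, key=lambda p: p["vcpus"])


def session_capacity(profile_vcpus: int, vram_gb: int) -> float:
    """Table 2 lookup. Assumption: vRAM that is not on a listed tier counts
    as the next lower tier that lists this vCPU count."""
    tiers = [m for m, (allowed, _) in SESSION_CAPACITY.items()
             if m <= vram_gb and profile_vcpus in allowed]
    if not tiers:
        raise ValueError(f"no Table 2 row for {profile_vcpus} vCPUs at {vram_gb} GB")
    return SESSION_CAPACITY[max(tiers)][1]


def check_sizing(vcpus: int, vram_gb: int, mellanox_sriov: bool = False) -> SizingResult:
    """Report the profile a VM will boot into and flag idle or missing resources."""
    p = resolve_profile(vcpus, vram_gb)
    warnings = []
    if vcpus > p["vcpus"]:
        warnings.append(f"{vcpus - p['vcpus']} vCPU(s) above the {p['vcpus']}-vCPU profile will be idle")
    if p["mellanox_sriov"] and not mellanox_sriov:
        warnings.append("this profile requires Mellanox SR-IOV NICs (Table 1 note)")
    data_plane = p["vcpus"] - 1
    return SizingResult(p["vcpus"], p["vram_gb"], data_plane, data_plane,
                        session_capacity(p["vcpus"], vram_gb), p["release"], warnings)


if __name__ == "__main__":
    # Constructed input: the page's own example of a VM given 3 vCPUs and 8 GB.
    r = check_sizing(3, 8)
    print(f"boots as the {r.profile_vcpus} vCPU / {r.profile_vram_gb} GB profile, "
          f"{r.data_plane_vcpus} data plane vCPU(s), {r.rss_queues} RSS queue(s), "
          f"{r.session_capacity_m} M flow sessions")
    for w in r.warnings:
        print("warning:", w)
```

Run against the page's example (3 vCPUs, 8 GB), the check reports a 2-vCPU boot profile with one idle vCPU, one data plane vCPU and one RSS queue, and a 2 M session table from the 8 GB row of Table 2. Feeding it a 9- or 17-vCPU allocation without Mellanox SR-IOV raises the NIC warning from the Table 1 note, which is the kind of mismatch that is cheaper to catch in a review than after the VM has been deployed.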

Release History Table

Release     | Description
------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------
19.2R1      | Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX 3.0 instance is increased based on the vRAM size used.
18.4R1      | Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX instance is increased based on the vRAM size used.
15.1X49-D70 | Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, multi-core vSRX supports scaling vCPUs and GB virtual RAM (vRAM). Additional vCPUs are applied to the data plane to increase performance.