
vSRX Deployment Guide for Microsoft Azure Cloud

Modified: 2018-04-13

Copyright © 2018, Juniper Networks, Inc.

Page 2: vSRX Deployment Guide for Microsoft Azure Cloud · •E-mail—Sendyourcommentstotechpubs-comments@juniper.net.Includethedocument ortopicname,URLorpagenumber,andsoftwareversion(ifapplicable).

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

vSRX Deployment Guide for Microsoft Azure Cloud
Copyright © 2018 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Understanding vSRX with Microsoft Azure Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . 17

vSRX Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

vSRX Benefits and Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

vSRX with Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Requirements for vSRX on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

System Requirements for vSRX on Microsoft Azure Cloud . . . . . . . . . . . . . . . 21

Network Requirements for vSRX on Microsoft Azure Cloud . . . . . . . . . . . . . . 23

Interface Mapping for vSRX on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . 23

vSRX Default Settings on Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Best Practices for Improving vSRX Performance . . . . . . . . . . . . . . . . . . . . . . . 24

Junos OS Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

SRX Series Features Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 2 Installing vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Before You Deploy vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Creating a Resource Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Creating a Storage Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Creating a Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace . . . . . . . . . . . . . 45

Deploying the vSRX Using the Security Gateway Solution Template . . . . . . 46

Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . 58

Logging In to a vSRX VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Deploying the vSRX Image from Azure Marketplace . . . . . . . . . . . . . . . . . . . . . . . 60

Deploying the vSRX Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . 71

Logging In to a vSRX VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72


Chapter 3 Installing vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Before You Deploy vSRX Using the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Deploying vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Installing the Microsoft Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Downloading the vSRX Deployment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Changing Parameter Values in the vsrx.parameter.json File . . . . . . . . . . . . . . 80

Deploying the vSRX Using the Shell Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Verifying Deployment of vSRX to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . 84

Logging In to a vSRX Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

vSRX Configuration and Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Understanding the Junos OS CLI and Junos Scripts . . . . . . . . . . . . . . . . . . . . 89

Understanding the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Understanding Junos Space Security Director . . . . . . . . . . . . . . . . . . . . . . . . 90

Configuring vSRX Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Configuring vSRX Using the J-Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Accessing the J-Web Interface and Configuring vSRX . . . . . . . . . . . . . . . . . . 92

Applying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Adding vSRX Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Managing Security Policies for Virtual Machines Using Junos Space Security Director . . . . . . . . . . . . . 95

Removing a vSRX Instance from Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . 95

Chapter 5 vSRX in Microsoft Azure Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Example: Configuring an IPsec VPN Between Two vSRX Instances . . . . . . . . . . . 97

Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure . . . . . . . . . . . . . 101

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

vSRX Feature Licenses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

vSRX License Procurement and Renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

vSRX Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Product Evaluation License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Advanced Security Features Evaluation License . . . . . . . . . . . . . . . . . . . 107

License Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Throughput . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

License Duration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Individual (á la carte) Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Bundled Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Stacking Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

vSRX License Keys Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

License Management Fields Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Managing Licenses for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

vSRX Evaluation License Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . 113

Adding a New License Key with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Adding a New License Key from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Updating vSRX Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Deleting a License with J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Deleting a License with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118


License Warning Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

vSRX License Model Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Chapter 7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Finding the Software Serial Number for vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123


List of Figures

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 1: vSRX Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Figure 2: vSRX Deployed to Microsoft Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 2 Installing vSRX from the Azure Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Figure 3: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 4: Resource Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 5: Creating a Resource Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 6: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 7: Azure Portal Storage Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 8: Creating a Storage Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 9: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Figure 10: Azure Portal Virtual Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 11: Creating a Virtual Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Figure 12: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Figure 13: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace . . . . . . . . . . . . . 47

Figure 14: Creating vSRX VM Using Security Gateway Solution Template . . . . . . 48

Figure 15: Create vSRX Security Gateway - Basics . . . . . . . . . . . . . . . . . . . . . . . . . 49

Figure 16: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for SSD . . . . . . . . . . . . . 50

Figure 17: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for HDD . . . . . . . . . . . . . 51

Figure 18: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account . . . . . . . . . . . . . 52

Figure 19: Create vSRX VM Gateway - Network Settings - Create Virtual Network . . . . . . . . . . . . . 53

Figure 20: Create vSRX VM Gateway - Network Settings - Subnets . . . . . . . . . . . 54

Figure 21: Create vSRX VM Gateway - Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Figure 22: Create vSRX VM Gateway - Purchase . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 23: vSRX VM Deployment Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 24: Microsoft Azure Resource Groups Page . . . . . . . . . . . . . . . . . . . . . . . . . 58

Figure 25: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . . 59

Figure 26: Microsoft Azure Portal Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Figure 27: Locating the vSRX VM Image in the Azure Marketplace . . . . . . . . . . . . 62

Figure 28: Initiating vSRX VM Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Figure 29: Create Virtual Machine - Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Figure 30: Create Virtual Machine - Choose a Size . . . . . . . . . . . . . . . . . . . . . . . . . 66

Figure 31: Create Virtual Machine - Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 32: Create Virtual Machine - Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Figure 33: Create Virtual Machine - Purchase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71


Figure 34: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . . 72

Chapter 3 Installing vSRX from the Azure CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Figure 35: Microsoft Azure Resource Groups Page Example . . . . . . . . . . . . . . . . . 84

Figure 36: Microsoft Azure Resource Groups VM Example . . . . . . . . . . . . . . . . . . 85

Figure 37: Microsoft Azure Virtual Machines Page Example . . . . . . . . . . . . . . . . . . 85

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Figure 38: Sample vSRX License SKU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Figure 39: J-Web Licenses Window Showing Installed Licenses . . . . . . . . . . . . . . 111

Figure 40: J-Web Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Figure 41: Add License Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Figure 42: License Details Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Figure 43: Deleting a License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Figure 44: Delete Licenses Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Figure 45: J-Web Dashboard for License Expiry Warning . . . . . . . . . . . . . . . . . . . . 119


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Table 3: System Requirements for vSRX in Microsoft Azure - Standard_DS3_v2 VM . . . . . . . . . . . . . 22

Table 4: System Requirements for vSRX in Microsoft Azure - Standard_D4_v2 VM . . . . . . . . . . . . . 22

Table 5: vSRX and Microsoft Azure Interface Names . . . . . . . . . . . . . . . . . . . . . . . 23

Table 6: Factory-Default Settings for Security Policies . . . . . . . . . . . . . . . . . . . . . 24

Table 7: vSRX Feature Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Table 8: SRX Series Features Not Supported on vSRX . . . . . . . . . . . . . . . . . . . . . 26

Chapter 4 Configuring and Managing vSRX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 9: Instance Name and User Account Information . . . . . . . . . . . . . . . . . . . . 93

Table 10: System Time Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Chapter 6 vSRX Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Table 11: vSRX Evaluation License Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Table 12: Summary of License Management Fields . . . . . . . . . . . . . . . . . . . . . . . . 112

Table 13: vSRX Licensing Package Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120


About the Documentation

• Documentation and Release Notes on page xi

• Supported Platforms on page xi

• Documentation Conventions on page xi

• Documentation Feedback on page xiii

• Requesting Technical Support on page xiv

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• vSRX

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.


Table 1: Notice Icons

Meaning: Description

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (braces and semicolons):
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at https://www.juniper.net/documentation/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/documentation/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: https://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at https://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see https://www.juniper.net/support/requesting-support.html.


CHAPTER 1

Overview

• Understanding vSRX with Microsoft Azure Cloud on page 17

• Requirements for vSRX on Microsoft Azure on page 21

• Junos OS Features Supported on vSRX on page 25

Understanding vSRX with Microsoft Azure Cloud

This section presents an overview of vSRX as deployed in the Microsoft Azure cloud.

• vSRX Overview on page 17

• vSRX Benefits and Use Cases on page 18

• vSRX with Microsoft Azure on page 19

vSRX Overview

vSRX is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways.

The vSRX provides you with a complete Next-Generation Firewall (NGFW) solution, including core firewall, VPN, NAT, advanced Layer 4 through Layer 7 security services such as Application Security, intrusion detection and prevention (IPS), and UTM features including Enhanced Web Filtering and Anti-Virus. Combined with Sky ATP, the vSRX offers a cloud-based advanced anti-malware service with dynamic analysis to protect against sophisticated malware, and provides built-in machine learning to improve verdict efficacy and decrease time to remediation.

Figure 1 on page 18 shows the high-level architecture for vSRX.


Figure 1: vSRX Architecture

[Figure: the vSRX VM runs on QEMU/KVM over the Juniper Linux guest OS and comprises the Junos Control Plane (JCP / vRE) with the Routing Protocol Daemon (RPD), the Management Daemon (MGD), and the Junos Kernel, alongside Advanced Services, Flow Processing, and Packet Forwarding (JEXEC) on the Data Plane Development Kit (DPDK), with Storage and Memory. Hypervisors/cloud environments on physical x86: Microsoft Hyper-V, VMware, KVM (Kernel-based Virtual Machines), AWS (Amazon Web Services), Microsoft Azure Cloud Deployment, Contrail Cloud Deployment.]

vSRX Benefits and Use Cases

vSRX on standard x86 servers enables you to quickly introduce new services, deliver customized services to customers, and scale security services based on dynamic needs. vSRX is ideal for public, private, and hybrid cloud environments.

Some of the key benefits of vSRX in a virtualized private or public cloud multitenant environment include:

• Stateful firewall protection at the tenant edge

• Faster deployment of virtual firewalls into new sites

• Full routing, VPN, core security, and networking capabilities

• Application security features (including IPS and App-Secure)

• Content security features (including Anti Virus, Web Filtering, Anti Spam, and Content Filtering)

• Centralized management with Junos Space Security Director and local management with J-Web Interface

• Juniper Networks Sky Advanced Threat Prevention (Sky ATP) integration


vSRX with Microsoft Azure

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud. Microsoft Azure is Microsoft's application platform for the public cloud. It is an open, flexible, enterprise-grade cloud computing platform for building, deploying, and managing applications and services through a global network of Microsoft-managed data centers. It provides Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) services. You place your virtual machines (VMs) onto Azure virtual networks, where the distributed and virtual networks in Azure help ensure that your private network traffic is logically isolated from traffic on other Azure virtual networks.

You can add a vSRX virtual security appliance to provide networking security features as an application instance within an Azure virtual network. The vSRX protects the workloads that run within the virtual network on the Microsoft Azure Cloud.

You can deploy the vSRX VM in Azure using the following deployment methods:

• Azure Marketplace—Deploy the vSRX VM from the Azure Marketplace. The Azure Marketplace provides you with different methods to deploy a vSRX VM in your virtual network. You can choose a customized solution template offered by Juniper Networks to automate the vSRX VM deployment based on specific use cases (for example, a security gateway). A solution template automates the dependencies associated with specific deployment use cases, such as VM settings, virtual network settings (such as multiple subnets for the management interface (fxp0) and two revenue (data) interfaces), and so on. Or, you can select the vSRX VM image and define the deployment settings and dependencies based on your specific networking requirements. Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX to Microsoft Azure Cloud from the Azure Marketplace.

Azure Marketplace also enables you to discover and subscribe to software that supports regulated workloads through Azure Marketplace for Azure Government Cloud (US).

• Azure CLI—Deploy the vSRX VM from the Azure CLI. You can customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud. To help automate and simplify the deployment of the vSRX VM in the Microsoft Azure virtual network, Juniper Networks provides a series of scripts, Azure Resource Manager (ARM) templates and parameter files, and configuration files in a GitHub repository.

NOTE: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to Microsoft Azure Cloud from the Azure CLI.

In Microsoft Azure, you can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.


NOTE: vSRX PAYG images do not require any Juniper Networks licenses.

Starting in Junos OS Release 15.1X49-D120, vSRX on Microsoft Azure Cloud supports the vSRX Premium-Next Generation Firewall with Anti-Virus Protection bundle for PAYG, available as 1-hour or 1-year subscriptions. This bundle includes:

• Standard (STD) features of core security, including core firewall, IPsec VPN, NAT, CoS, and routing services.

• Advanced Layer 4 through 7 security services such as AppSecure features of AppID, AppFW, AppQoS, and AppTrack, IPS and rich routing capabilities, including the UTM antivirus feature.

Figure 2 on page 20 illustrates the deployment of a vSRX in Microsoft Azure.

In Microsoft Azure, public subnets have access to the Internet gateway, but private subnets do not. vSRX requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and one for a revenue (data) interface. The private subnets, connected to the other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.

Figure 2: vSRX Deployed to Microsoft Azure (diagram; image not extracted). Labels shown: Microsoft Azure Cloud; Internet and Internet Gateway; Management Subnet with a public IP on fxp0, behind a security group (Management: Allow 443/22); Public Access Subnet with a public IP on ge-0/0/0, behind a security group (Revenue: Allow All Traffic); Private Subnet on ge-0/0/1, one private subnet for each private network.

For a glossary of Microsoft Azure terms see Microsoft Azure glossary.


Release History Table

Release | Description
15.1X49-D91 | Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX to Microsoft Azure Cloud from the Azure Marketplace.
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to Microsoft Azure Cloud from the Azure CLI.
15.1X49-D120 | Starting in Junos OS Release 15.1X49-D120, vSRX on Microsoft Azure Cloud supports the vSRX Premium-Next Generation Firewall with Anti-Virus Protection bundle for PAYG, available as 1-hour or 1-year subscriptions.

Related Documentation

• Microsoft Azure

• Azure Virtual Networks

• Microsoft Azure portal overview

Requirements for vSRX on Microsoft Azure

This section presents an overview of requirements for deploying a vSRX instance on Microsoft Azure Cloud.

• System Requirements for vSRX on Microsoft Azure Cloud on page 21

• Network Requirements for vSRX on Microsoft Azure Cloud on page 23

• Interface Mapping for vSRX on Microsoft Azure on page 23

• vSRX Default Settings on Microsoft Azure on page 24

• Best Practices for Improving vSRX Performance on page 24

System Requirements for vSRX on Microsoft Azure Cloud

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud. Microsoft Azure supports a wide variety of sizes and options for deployed Azure virtual machines (VMs).

For the vSRX deployment in Microsoft Azure, we recommend D-series VMs. The D-series VMs provided from Microsoft Azure are ideal for applications that demand faster CPUs and better local disk performance, or have higher memory demands. Of the available D-series VMs, we recommend that you select DS3_v2 Standard or D4_V2 Standard for the vSRX VM deployment in Microsoft Azure.

There are two performance tiers for storage in Microsoft Azure Cloud that you can choose from when creating your disks -- Standard Storage and Premium Storage. Premium Storage is backed by SSDs, and delivers high-performance, low-latency disk support for VMs running I/O-intensive workloads. Standard Storage is backed by HDDs, and delivers cost-effective storage. For background details, see About disks storage for Azure Windows VMs.

• For the SSD supported disk type, use DS3_v2 Standard for the vSRX VM deployment in Microsoft Azure.

• For the HDD supported disk type, you can choose either DS3_v2 Standard or D4_V2 Standard for the vSRX VM deployment.

Table 3 on page 22 outlines the recommended system requirements for a vSRX instance, Standard_DS3_v2 size VM.

Table 3: System Requirements for vSRX in Microsoft Azure - Standard_DS3_v2 VM

Component | Specification
Size | Standard_DS3_v2
CPU cores | 4
Memory | 14 GB
Maximum number of data disks | 8
Maximum cached and local disk storage throughput: IOPS/MBps (cache size in GB) | 16,000/128 (172)
Maximum uncached disk throughput: IOPS/MBps | 12,800/192
Maximum number of NICs/network bandwidth | 4 / high

Table 4 on page 22 outlines the recommended system requirements for a vSRX instance, Standard_D4_v2 size VM.

Table 4: System Requirements for vSRX in Microsoft Azure - Standard_D4_v2 VM

Component | Specification
Size | Standard D4_v2
CPU cores | 8
Memory | 28 GB
Maximum number of data disks | 16
Maximum local disk storage throughput: IOPS/MBps | 24000/375/187
Maximum data disk throughput: IOPS | 16/16x500
Maximum number of NICs/network bandwidth | 8 / high


NOTE: The vSRX does not provide support for a high-availability configuration in Microsoft Azure. In addition, the vSRX does not support Layer 2 transparent mode in Microsoft Azure.

Network Requirements for vSRX on Microsoft Azure Cloud

When you deploy a vSRX VM in a Microsoft Azure virtual network, note the following specifics of the deployment configuration:

• A dual public IP network configuration is a requirement for vSRX VM network connectivity; the vSRX VM requires two public subnets and one or more private subnets for each instance group.

• The public subnets required by the vSRX VM consist of one subnet for the out-of-band management interface (fxp0) for management access and another for the two revenue (data) interfaces. By default, one interface is assigned to the untrust security zone and the other to the trust security zone on the vSRX VM.

• In the Microsoft Azure deployment of the vSRX VM, the vSRX supports the management interface (fxp0) and the two revenue (data) interfaces (port ge-0/0/0 and ge-0/0/1), which includes public IP address mapping and data traffic forwarding to and from the vSRX VM.

Interface Mapping for vSRX on Microsoft Azure

Table 5 on page 23 lists the vSRX and Microsoft Azure interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX.

Table 5: vSRX and Microsoft Azure Interface Names

Interface Number | vSRX Interface | Microsoft Azure Interface
1 | fxp0 | eth0
2 | ge-0/0/0 | eth1
3 | ge-0/0/1 | eth2
4 | ge-0/0/2 | eth3

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance. Ensure that interfaces belonging to the same security zone are in the same routing instance.
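The layout just described, written out as an added Junos configuration example (not configuration from the guide): both revenue interfaces and the zones they belong to sit in one virtual-router instance with its own default route, while fxp0 stays in inet.0 with only the management default route. The addresses, next hops and the instance name data-vr are constructed placeholders; in a real deployment they must match the private IP addresses and subnet gateways Azure assigned to each NIC.

```junos
## Added example, not from the guide. Addresses are constructed placeholders:
## management subnet 10.0.0.0/24 (gateway 10.0.0.1), public access subnet
## 10.0.1.0/24 (gateway 10.0.1.1), private subnet 10.0.2.0/24 (gateway 10.0.2.1).
set interfaces fxp0 unit 0 family inet address 10.0.0.4/24
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.4/24

## inet.0 carries only the management default route, reached through fxp0
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1

## Both revenue interfaces live in one virtual router, so the untrust and trust
## zones below are in the same routing instance, as the guide requires
set routing-instances data-vr instance-type virtual-router
set routing-instances data-vr interface ge-0/0/0.0
set routing-instances data-vr interface ge-0/0/1.0

## Data-plane default route points at the public access subnet gateway;
## the VNet address space (assumed 10.0.0.0/16) is reached via the private
## subnet gateway, so replies to private workloads never leave through ge-0/0/0
set routing-instances data-vr routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set routing-instances data-vr routing-options static route 10.0.0.0/16 next-hop 10.0.2.1

## Zone membership follows the guide's default: ge-0/0/0 untrust, ge-0/0/1 trust
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Verification after commit: each table should show exactly one 0.0.0.0/0
##   show route table inet.0 0.0.0.0/0
##   show route table data-vr.inet.0 0.0.0.0/0
```

Before adding these statements, inspect what the azure-provision group already configures for fxp0 and inet.0 (show configuration groups azure-provision) so that the explicit statements do not contradict the preconfiguration the caution in "vSRX Default Settings on Microsoft Azure" warns about.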


Related Documentation

• KB Article - Interface must be in the same routing instance as the other interfaces in the zone

vSRX Default Settings on Microsoft Azure

vSRX requires the following basic configuration settings:

• Interfaces must be assigned IP addresses.

• Interfaces must be bound to zones.

• Policies must be configured between zones to permit or deny traffic.

Table 6 on page 24 lists the factory-default settings for security policies on the vSRX.

Table 6: Factory-Default Settings for Security Policies

Source Zone | Destination Zone | Policy Action
trust | untrust | permit
trust | trust | permit

CAUTION: Do not use the load factory-default command on the vSRX instance in Microsoft Azure. The factory-default configuration removes the “azure-provision” preconfiguration. This group contains critical system-level settings and route information for the vSRX. A misconfiguration in the group “azure-provision” may result in the possible loss of connectivity to vSRX from Microsoft Azure. If you must revert to factory default, ensure that you first manually reconfigure the Microsoft Azure preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX instance.

We strongly recommend that when you commit a configuration, you perform an explicit commit confirmed to avoid the possibility of losing connectivity to vSRX. Once you have verified that the change works correctly, you can keep the new configuration active by entering the commit command within 10 minutes. Without the timely second confirm, configuration changes will be rolled back. See “Configuring vSRX Using the CLI” on page 90 for preconfiguration details.
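The commit confirmed workflow from the caution above, shown as an added CLI session (not a session from the guide). The change being made tightens the factory-default trust-to-untrust permit-all into a policy for one application; the hostname vsrx, the policy name allow-web and the 10-minute window are assumptions. The point of the sequence is that a change which cuts off management access is undone by the device itself.

```junos
## Added example, not from the guide. Hostname and policy name are assumptions.
## 1. Confirm the platform preconfiguration is still present before touching anything
user@vsrx> show configuration groups azure-provision

## 2. Enter configuration mode and stage the policy change
user@vsrx> configure
user@vsrx# set security policies from-zone trust to-zone untrust policy allow-web match source-address any
user@vsrx# set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
user@vsrx# set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
user@vsrx# set security policies from-zone trust to-zone untrust policy allow-web then permit
user@vsrx# set security policies from-zone trust to-zone untrust policy allow-web then log session-init session-close
## place the new policy ahead of the factory default-permit so it is matched first
user@vsrx# insert security policies from-zone trust to-zone untrust policy allow-web before policy default-permit

## 3. Activate for 10 minutes only; without a second commit the device rolls back on its own
user@vsrx# commit confirmed 10 comment "trust->untrust https policy"

## 4. Verify while the window is open: the policy is installed and the management
##    session over fxp0 is still alive (this command succeeding is the proof)
user@vsrx# run show security policies from-zone trust to-zone untrust
user@vsrx# show | compare rollback 1

## 5. Make the change permanent within the 10 minutes
user@vsrx# commit
```

The insert statement assumes the factory-default policy is named default-permit, which is the name shown in the Junos factory configuration for the trust-to-untrust policy in Table 6; check the actual name with show security policies before reordering.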

Best Practices for Improving vSRX Performance

Review the following deployment practices to improve vSRX performance:

• Disable the source/destination check for all vSRX interfaces.

• Limit public key access permissions to 400 for key pairs.


• Ensure that there are no contradictions between Microsoft Azure security groups and your vSRX configuration.

• Use vSRX NAT to protect your instances from direct Internet traffic.
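An added Junos configuration example (not from the guide) for the last two practices together: interface-based source NAT puts every private-subnet VM behind the ge-0/0/0 address, so nothing on the private subnet is addressed directly from the Internet, and an explicit logged deny from untrust to trust records anything that the Azure security group on the public access subnet (Allow All Traffic in Figure 2) lets through but the vSRX policy does not. Zone names follow the guide's defaults; the subnet 10.0.2.0/24 and the rule and policy names are constructed.

```junos
## Added example, not from the guide. 10.0.2.0/24 is a constructed private subnet.
## Source NAT: trust-side sources leaving toward untrust take the ge-0/0/0 address
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule nat-private-subnet match source-address 10.0.2.0/24
set security nat source rule-set trust-to-untrust rule nat-private-subnet match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule nat-private-subnet then source-nat interface

## Inbound: nothing is permitted from untrust to trust. The explicit deny exists
## only so that the drops are logged and visible in the security log; the
## default policy already denies anything that matches no explicit policy
set security policies default-policy deny-all
set security policies from-zone untrust to-zone trust policy deny-log match source-address any
set security policies from-zone untrust to-zone trust policy deny-log match destination-address any
set security policies from-zone untrust to-zone trust policy deny-log match application any
set security policies from-zone untrust to-zone trust policy deny-log then deny
set security policies from-zone untrust to-zone trust policy deny-log then log session-init

## Verification after commit:
##   show security nat source rule all          (hit counters on nat-private-subnet)
##   show security flow session source-prefix 10.0.2.0/24
##   show security policies hit-count           (deny-log should be the only untrust->trust match)
```

For the private subnet's traffic to reach the vSRX at all, the Azure route table attached to that subnet must send 0.0.0.0/0 to the ge-0/0/1 private IP, and the vSRX NICs must have IP forwarding enabled in Azure, which is the setting the first practice above (disabling the source/destination check) refers to.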

Release History Table

Release | Description
15.1X49-D80 | Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX to the Microsoft Azure Cloud.

Related Documentation

• Sizes for Windows Virtual Machines in Azure

Junos OS Features Supported on vSRX

This section presents an overview of the Junos OS features on vSRX. It includes:

• SRX Series Features Supported on vSRX on page 25

• SRX Series Features Not Supported on vSRX on page 26

SRX Series Features Supported on vSRX

vSRX inherits most of the branch SRX Series features with the following considerations shown in Table 7 on page 25.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer here:

Feature Explorer: vSRX

Table 7: vSRX Feature Considerations

Feature | Description
Chassis cluster | Generally, on SRX Series instances, the cluster ID and node ID are written into EEPROM. For the vSRX VM, the IDs are saved in boot/loader.conf and read during initialization.
IDP | The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key. For SRX Series IDP configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series. In J-Web, use the following steps to add or edit an IPS rule: 1. Click Security>IDP>Policy>Add. 2. In the Add IPS Rule window, select All instead of Any for the Direction field to list all the FTP attacks.
ISSU | ISSU is not supported on vSRX.
Transparent mode | The known behaviors for transparent mode support on vSRX are: (1) The default MAC learning table size is restricted to 16,383 entries. (2) VMware vSwitch does not support MAC learning. It also floods traffic to the secondary node. The traffic is silently dropped by the flow on the secondary node. For information on configuring transparent mode vSRX, see: Layer 2 Bridging and Transparent Mode Overview.
UTM | The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key. For SRX Series UTM configuration details, see: Unified Threat Management Overview. For SRX Series UTM antispam configuration details, see: Antispam Filtering Overview.

SRX Series Features Not Supported on vSRX

vSRX inheritsmany features from the SRXSeries device product line. Table 8 on page 26

lists SRX Series features that are not applicable in a virtualized environment, that are

not currently supported, or that have qualified support on vSRX.

Table 8: SRX Series Features Not Supported on vSRX

SRX Series Feature | vSRX Notes

Application Layer Gateways
Avaya H.323 | Not supported

Authentication with IC Series Devices
Layer 2 enforcement in UAC deployments | Not supported. NOTE: UAC-IDP and UAC-UTM also are not supported.

Chassis Cluster Support
NOTE: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in VMware, KVM, and Windows Hyper-V Server 2016.
Chassis cluster for VirtIO driver | Only supported with KVM. NOTE: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces.
Dual control links | Not supported
In-band and low-impact cluster upgrades | Not supported
LAG and LACP (Layer 2 and Layer 3) | Not supported
Layer 2 Ethernet switching | Not supported
Low-latency firewall | Not supported
PPPoE over redundant Ethernet interface | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over a redundant Ethernet interface (PPPoE).
SR-IOV interfaces | Not supported (see the Known Behavior section of the vSRX Release Notes for more information about SR-IOV limitations).

Class of Service
High-priority queue on SPC | Not supported
Tunnels | Only GRE and IP-IP tunnels supported. NOTE: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and Multicast.

Data Plane Security Log Messages (Stream Mode)
TLS protocol | Not supported

Diagnostics Tools
Flow monitoring cflowd version 9 | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D80, the vSRX supports J-Flow version 9 flow monitoring on a chassis cluster.
Ping Ethernet (CFM) | Not supported
Traceroute Ethernet (CFM) | Not supported

DNS Proxy
Dynamic DNS | Not supported

Ethernet Link Aggregation
LACP in standalone or chassis cluster mode | Not supported
Layer 3 LAG on routed ports | Not supported
Static LAG in standalone or chassis cluster mode | Not supported

Ethernet Link Fault Management
Physical interface (encapsulations): ethernet-ccc, ethernet-tcc | Not supported
Physical interface (encapsulations): extended-vlan-ccc, extended-vlan-tcc | Not supported
Interface family: ccc, tcc | Not supported
Interface family: ethernet-switching | Not supported

Flow-Based and Packet-Based Processing
End-to-end packet debugging | Not supported
Network processor bundling | Not supported
Services offloading | Not supported

Interfaces
Aggregated Ethernet interface | Not supported
IEEE 802.1X dynamic VLAN assignment | Not supported
IEEE 802.1X MAC bypass | Not supported
IEEE 802.1X port-based authentication control with multisupplicant support | Not supported
Interleaving using MLFR | Not supported
PoE | Not supported
PPP interface | Not supported
PPPoE-based radio-to-router protocol | Not supported
PPPoE interface | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.
Promiscuous mode on interfaces | Only supported if enabled on the hypervisor

IP Security and VPNs
Acadia - Clientless VPN | Not supported
DVPN | Not supported
Hardware IPsec (bulk crypto) Cavium/RMI | Not supported
IPsec tunnel termination in routing instances | Supported on virtual router only
Multicast for AutoVPN | Not supported

IPv6 Support
DS-Lite concentrator (aka AFTR) | Not supported
DS-Lite initiator (aka B4) | Not supported

J-Web
Enhanced routing configuration | Not supported
New Setup Wizard (for new configurations) | Not supported
PPPoE Wizard | Not supported
Remote VPN Wizard | Not supported
Rescue link on dashboard | Not supported
UTM configuration for Kaspersky antivirus and the default Web filtering profile | Not supported

Log File Formats for System (Control Plane) Logs
Binary format (binary) | Not supported
WELF | Not supported

Miscellaneous
GPRS | Not supported. NOTE: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the vSRX supports GPRS.
Hardware acceleration | Not supported
Logical systems | Not supported
Outbound SSH | Not supported
Remote instance access | Not supported
USB modem | Not supported
Wireless LAN | Not supported

MPLS
CCC and TCC | Not supported
Layer 2 VPNs for Ethernet connections | Only if promiscuous mode is enabled on the hypervisor

Network Address Translation
Maximize persistent NAT bindings | Not supported

Packet Capture
Packet capture | Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth).

Routing
BGP extensions for IPv6 | Not supported
BGP Flowspec | Not supported
BGP route reflector | Not supported
Bidirectional Forwarding Detection (BFD) for BGP | Not supported
CRTP | Not supported

Switching
Layer 3 Q-in-Q VLAN tagging | Not supported

Transparent Mode
UTM | Not supported

Unified Threat Management
Express AV | Not supported
Kaspersky AV | Not supported

Upgrading and Rebooting
Autorecovery | Not supported
Boot instance configuration | Not supported
Boot instance recovery | Not supported
Dual-root partitioning | Not supported
OS rollback | Not supported

User Interfaces
NSM | Not supported
SRC application | Not supported
Junos Space Virtual Director | Only supported with VMware


CHAPTER 2

Installing vSRX from the Azure Portal

• Before You Deploy vSRX from the Azure Portal on page 33

• Creating a Resource Group on page 34

• Creating a Storage Account on page 38

• Creating a Virtual Network on page 41

• Deploying the vSRX Using the Security Gateway Solution Template from Azure

Marketplace on page 45

• Deploying the vSRX Image from Azure Marketplace on page 60

Before You Deploy vSRX from the Azure Portal

You can deploy a vSRX virtual security appliance and its advanced security features in your virtual network directly from the Azure portal. This method provides a browser-based user interface for creating and configuring virtual machines and all related resources.

The Azure Marketplace provides you with different methods to deploy a vSRX virtual machine (VM) in a virtual network. You can choose a customized solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX deployment based on a specific use case (for example, a security gateway).

Solution templates allow the bundling of multiple Azure services and a software image into a template that enables you to quickly deploy a preconfigured solution. You access vSRX solution templates from the Azure Marketplace to simplify the end-to-end configuration steps involved in deploying a vSRX VM in your Azure virtual network. A solution template automates the dependencies associated with specific deployment use cases, such as VM settings, virtual network settings (such as multiple subnets for the management interface (fxp0) and two revenue (data) interfaces), and so on.

A vSRX solution template is based on a custom Microsoft Azure Resource Manager (ARM) template. The ARM template consists of JavaScript Object Notation (JSON) expressions that construct specific values for your vSRX deployment. To integrate with the Azure portal, each solution template uses mainTemplate.json and createUiDefinition.json files to define the components of the customized solution template for vSRX VM deployment.

You also have the option to select the vSRX image from Azure Marketplace and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud. This deployment approach might be required if you have a vSRX VM deployment scenario that is outside of the use cases offered in the vSRX VM solution templates available from Juniper Networks.

Before you deploy the vSRX virtual security appliance from the Azure Marketplace:

• Review the requirements for deploying a vSRX VM in Microsoft Azure Cloud in “Requirements for vSRX on Microsoft Azure” on page 21.

• Obtain an account for and a subscription to Microsoft Azure (see Microsoft Azure).

• Use your Microsoft account username and password to log into the Microsoft Azure portal.

• Purchase a vSRX license or request an evaluation license. Licenses can be procured from the Juniper Networks License Management System (LMS).

• Ensure that your Azure subscription includes the following for your vSRX VM:

  • Resource group, as described in “Creating a Resource Group” on page 34.

  • Storage account, as described in “Creating a Storage Account” on page 38.

  • Virtual network, as described in “Creating a Virtual Network” on page 41.

Related Documentation

• Microsoft Azure portal

• Microsoft Azure portal overview

Creating a Resource Group

A resource group contains the resources required to successfully deploy a vSRX VM in Azure. It is a container that holds related resources for an Azure solution. In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy, manage, and maintain them as a single entity.

If you do not have an existing resource group in your subscription, then follow the steps outlined in this procedure.


To create a resource group in Azure:

1. Log in to the Microsoft Azure portal using your Microsoft account username and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

Figure 3: Microsoft Azure Portal Dashboard

2. Click Resource groups from the menu of services to access the Resource Groups blade (see Figure 4 on page 36). You will see all the resource groups in your subscription listed in the blade.


Figure 4: Resource Groups

3. Click Add (+) to create a new resource group. The Create Resource Group blade appears (see Figure 5 on page 37).


Figure 5: Creating a Resource Group

4. Provide the following information for the new resource group.

Parameter | Description
Resource Group Name | Enter a unique name for your new resource group. A resource group name can include alphanumeric characters, periods (.), underscores (_), hyphens (-), and parenthesis (), but the name cannot end with a period.
Subscription | Select your Microsoft Azure subscription.
Resource Group Location | Select the location of the Microsoft Azure data center from which you intend to deploy the vSRX VM. Specify a location where the majority of your resources will reside. Typically, select the location that is closest to your physical location.

5. Click Create. The resource group might take a few seconds to create. Once it is created, you see the resource group on the Azure portal dashboard.


Related Documentation

• Azure Resource Manager overview

• Deploy resources with Resource Manager templates and Azure portal

• Manage Azure resources through portal

Creating a Storage Account

An Azure storage account provides a unique namespace to store and access your Azure storage data objects. All objects in a storage account are billed together as a group. By default, the data in your account is available only to the account owner.

If you do not have an existing storage account in your subscription, follow the steps outlined in this procedure.

To create a storage account in Azure:

1. Log in to the Microsoft Azure portal using your Microsoft account username and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

Figure 6: Microsoft Azure Portal Dashboard

2. Click Storage Accounts from the menu of services to access the Storage Accounts blade (see Figure 7 on page 39).


Figure 7: Azure Portal Storage Accounts

3. Click Add (+) to create a new storage account. The Create Storage Account blade appears (see Figure 8 on page 40).


Figure 8: Creating a Storage Account

4. Provide the following information for the new storage account.

Name: Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters.

Deployment Model: Select Resource Manager as the deployment model.

Account Kind: Select the type of storage account: General purpose or Blob storage. The default is General purpose.

• If General purpose was selected, then specify the performance tier: Standard or Premium. The default is Standard.

• If Blob storage was selected, then specify the access tier: Hot or Cool. The default is Hot.

Performance: Select the type of performance: Standard or Premium. The default is Standard.

Replication: Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS.

Storage Service Encryption: Enable or disable encryption of your data at rest. Azure Storage encrypts data as it is written in an Azure datacenter and decrypts it when it is read. The default is Disabled. Enable it: when the VM uses unmanaged disks, as in the procedures in this chapter, the vSRX system disk is a VHD blob stored in this account.

Secure Transfer Required: Enable or disable this option to enhance the security of your storage account by accepting requests to the storage account over HTTPS only. The default is Disabled. Enable it; while it is disabled, the account also accepts unencrypted HTTP requests.

Subscription: Select your Microsoft Azure subscription.

Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).

Location: Select the Azure data center geographic region in which you are deploying the vSRX VM. Typically, select the location that is closest to your physical location.

5. Click Create. The storage account might take a few seconds to create. Once it is created, you see the storage account on the Azure portal dashboard.

Related Documentation

• Introduction to Microsoft Azure Storage

• About Azure storage accounts

Creating a Virtual Network

The Azure Virtual Network service enables you to securely connect Azure resources to each other with virtual networks. A virtual network is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can also connect virtual networks to your on-premises network.

If you do not have an existing Azure virtual network, follow the steps outlined in this procedure.


To create an Azure virtual network:

1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

Figure 9: Microsoft Azure Portal Dashboard

2. Click Virtual Networks from the menu of services to access the Virtual Networks blade (see Figure 10 on page 43).


Figure 10: Azure Portal Virtual Networks

3. Click Add (+) to create a new virtual network. The Create Virtual Network blade appears (see Figure 11 on page 44).


Figure 11: Creating a Virtual Network

4. Provide the following information for the new virtual network.

Name: Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Address Space: Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/24.

NOTE: Ensure that the address space does not overlap with an existing network, including any on-premises network you intend to connect to this virtual network.

Subnet name: Enter a unique name for the subnet of the Azure virtual network. The subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Subnet Address Range: Enter a network subnet address range in CIDR notation. It must be contained by the address space of the virtual network, as defined in the Address Space field. Subnet address ranges cannot overlap one another. By default, the address range is 10.0.0.0/24.

A subnet is a range of IP addresses within the virtual network, used to segment VMs. In Azure, whether a VM in a subnet is reachable from the Internet is determined by the public IP address and network security group rules attached to it, not by a subnet type.

NOTE: The address range of a subnet that is already in use cannot be edited.

Subscription: Select your Microsoft Azure subscription.

Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).

Location: Select the Azure data center geographic region in which you are deploying the vSRX VM. Typically, select the location that is closest to your physical location.

5. Click Create. The virtual network might take a few seconds to create. Once it is created, you will see the virtual network on the Azure portal dashboard.
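The naming and addressing rules in the parameter tables of the three procedures above (resource group name, storage account name, virtual network and subnet names, subnet ranges that must sit inside the address space and must not overlap) are easy to get wrong in a blade, and the portal reports only one failure at a time. The following script is an added example, not code from the Juniper guide or from Azure: it checks a planned set of values offline before you type them in. The rules are transcribed from the tables above; the sample three-subnet layout at the bottom is constructed for illustration and follows the same management/untrust/trust split that the Security Gateway template later in this chapter creates.

```python
# Added example (not from the Juniper guide or Azure): offline pre-flight checks
# for the names and CIDR ranges entered in the Azure portal blades above.
import ipaddress
import re

# Resource group name: alphanumerics, periods, underscores, hyphens and
# parentheses; must not end with a period.
_RG_RE = re.compile(r"^[A-Za-z0-9._()\-]+$")

# Storage account name: 3 to 24 lowercase letters and digits.
_SA_RE = re.compile(r"^[a-z0-9]{3,24}$")

# Virtual network / subnet name: starts with a letter or digit, ends with a
# letter, digit or underscore, contains only letters, digits, "_", "." and "-".
_VNET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._\-]*[A-Za-z0-9_])?$")


def valid_resource_group_name(name: str) -> bool:
    return bool(_RG_RE.match(name)) and not name.endswith(".")


def valid_storage_account_name(name: str) -> bool:
    return bool(_SA_RE.match(name))


def valid_vnet_or_subnet_name(name: str) -> bool:
    return bool(_VNET_RE.match(name))


def subnet_problems(address_space: str, subnets: dict) -> list:
    """Check a planned subnet layout and return a list of problem descriptions.

    subnets maps subnet name -> CIDR prefix. An empty list means every name is
    valid, every prefix is a proper network (no host bits set), every prefix
    lies inside address_space, and no two prefixes overlap.
    """
    problems = []
    space = ipaddress.ip_network(address_space, strict=True)
    nets = {}
    for name, prefix in subnets.items():
        if not valid_vnet_or_subnet_name(name):
            problems.append(f"subnet name {name!r} violates the naming rule")
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            problems.append(f"{name}: {prefix!r} is not a valid network prefix")
            continue
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is not contained in address space {space}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


# Constructed sample layout (not values from the guide): one /16 address space
# split into management, untrust and trust /24 subnets.
SAMPLE_SPACE = "10.1.0.0/16"
SAMPLE_SUBNETS = {
    "mgmt-subnet": "10.1.0.0/24",
    "untrust-subnet": "10.1.1.0/24",
    "trust-subnet": "10.1.2.0/24",
}

if __name__ == "__main__":
    for label, ok in [
        ("resource group 'vsrx-rg.'", valid_resource_group_name("vsrx-rg.")),
        ("storage account 'vSRXStorage'", valid_storage_account_name("vSRXStorage")),
        ("vnet 'vsrx-'", valid_vnet_or_subnet_name("vsrx-")),
    ]:
        print(f"{label}: {'ok' if ok else 'REJECTED'}")
    print("sample layout:", subnet_problems(SAMPLE_SPACE, SAMPLE_SUBNETS) or "no problems")
    print("bad layout:", subnet_problems("10.0.0.0/16", {"mgmt": "10.1.0.0/24"}))
```

Run it against your planned values before you open the blades. A non-empty list from subnet_problems() is worth fixing on paper first, because the tables note that the address range of a subnet already in use cannot be edited afterwards.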

Related Documentation

• Virtual networks and Windows virtual machines in Azure

• Create a virtual network

• Create, change, or delete network interfaces

• Create a VM (Classic) with multiple NICs

Deploying the vSRX Using the Security Gateway Solution Template from Azure Marketplace

Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.

You use the security gateway solution template offered by Juniper Networks in the Azure Marketplace to automate the vSRX VM deployment. This solution template simplifies the configuration details of the vSRX VM through a customized deployment use case. The solution template defines subnets for the management network (fxp0), the trust security zone (ge-0/0/1.0), and the untrust security zone (ge-0/0/0.0) on the vSRX VM.

NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.


Use the following procedures to deploy a vSRX VM using the Security Gateway solution template:

• Deploying the vSRX Using the Security Gateway Solution Template on page 46

• Verifying Deployment of vSRX to Microsoft Azure on page 58

• Logging In to a vSRX VM on page 59

Deploying the vSRX Using the Security Gateway Solution Template

To deploy a vSRX VM into an Azure virtual network using the Security Gateway solution template from Azure Marketplace:

1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

Figure 12: Microsoft Azure Portal Dashboard

2. Click Marketplace from the dashboard to access the Azure Marketplace, and then click Everything (or click New > Everything). Enter vsrx to search for the vSRX Security Gateway solution template in the Azure Marketplace (see Figure 13 on page 47). The vSRX image is available as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.


Figure 13: Locating the vSRX Security Gateway Solution Template in the Azure Marketplace

3. Select the vSRX Security Gateway image from the list and then click Create to initiate the vSRX VM deployment process (see Figure 14 on page 48).


Figure 14: Creating vSRX VM Using Security Gateway Solution Template

4. From the Create vSRX Security Gateway blade, 1 Basics (see Figure 15 on page 49), enter the initial VM setup information (such as VM login credentials, Azure subscription plan, resource group, and geographic location), and then click OK.


Figure 15: Create vSRX Security Gateway - Basics

Admin Username: Enter an administrator username to access the vSRX VM. The username cannot contain uppercase characters or special characters, and cannot start with a “$” or “-” character.

Authentication type: Select the required method of authentication to access the vSRX VM: Password or SSH public key. If you select Password, enter (and confirm) your password.

NOTE: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM.

Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method. Where your release supports it, prefer SSH public key: the vSRX is reached over its public IP address (see “Logging In to a vSRX VM”), so a password login on the management interface is exposed to guessing from the Internet.

Admin User Password: Enter an appropriate root password used to access the vSRX VM. The password must be between 12 and 72 characters.

Subscription: Select your Microsoft Azure subscription.

Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34). Note that the resource group must be empty.

Location: Select the Azure geographic region in which you are deploying the vSRX VM.


5. From the Create vSRX Security Gateway blade, 2 Virtual Machine Settings:

• Specify a vSRX VM name in the vSRX host name field. The vSRX VM name must be between 4 and 25 characters, and can only contain lowercase letters and numbers.

• Click VM size, and then click the right arrow to access the Choose a Size blade (see Figure 16 on page 50).

NOTE: See “Requirements for vSRX on Microsoft Azure” on page 21 for the recommended system requirements for a vSRX instance in Microsoft Azure.

There are two performance tiers for storage in Microsoft Azure Cloud that you can choose from when creating your disks: Standard Storage and Premium Storage. Premium Storage is backed by SSDs, and delivers high-performance, low-latency disk support for VMs running I/O-intensive workloads. Standard Storage is backed by HDDs, and delivers cost-effective storage.

• For the SSD supported disk type, DS3_v2 Standard is used for the vSRX VM deployment. Select DS3_v2 Standard as the vSRX VM size, and then click Select.

Figure 16: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for SSD

• For the HDD supported disk type, you can choose either DS3_v2 Standard or D4_V2 Standard for the vSRX VM deployment. Choose the vSRX VM size, and then click Select.


Figure 17: Create vSRX VM Gateway - Virtual Machine Settings - VM Size for HDD


• Click New Storage Account Name, and then click the right arrow to access the Create Storage Account blade (see Figure 18 on page 52). Enter information for the new vSRX storage account in your Azure subscription, and then click OK.

Figure 18: Create vSRX VM Gateway - Virtual Machine Settings - Create Storage Account

Name: Enter a unique name for your new storage account. A storage account name can contain only lowercase letters and numbers, and must be between 3 and 24 characters.

Performance: Select the type of performance: Standard or Premium. The default is Standard.

Replication: Select the replication option for the storage account: Locally redundant storage (LRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS), or Zone-redundant storage (ZRS). The default is RA-GRS.

Click OK when you have finished selecting the vSRX VM size and, if necessary, a storage account for your Azure subscription.

6. From the Create vSRX Security Gateway blade, 3 Network Settings:


• Click Virtual network, and then click the right arrow to access the Create Virtual Network blade (see Figure 19 on page 53). Enter information for the new vSRX virtual network in your Azure subscription, and then click OK.

Figure 19: Create vSRX VM Gateway - Network Settings - Create Virtual Network

Name: Enter a unique name for your new virtual network. The virtual network name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Address Space: Enter the virtual network’s address range in CIDR notation. By default, the address range is 10.0.0.0/16.

NOTE: Ensure that the address space does not overlap with an existing network.


• Click Subnets, and then click the right arrow to access the Subnets blade (see Figure 20 on page 54). Enter information for the vSRX VM subnets, and then click OK.

Figure 20: Create vSRX VM Gateway - Network Settings - Subnets

Management Subnet Name: Enter a unique name for the management subnet of the Azure virtual network. The management subnet is used by the management interface (fxp0) of the vSRX VM. The management subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Management Subnet Address Prefix: The management subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.0.0/24.

NOTE: The address range of a subnet that is already in use cannot be edited.

Untrust Subnet Name: Enter a unique name for the untrust subnet (the public subnet) of the Azure virtual network. The untrust subnet is used by the revenue (data) interface of the vSRX VM and connects to the Internet. The untrust subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Untrust Subnet Address Prefix: The untrust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.1.0/24.

NOTE: The address range of a subnet that is already in use cannot be edited.

Trust Subnet Name: Enter a unique name for the trust subnet (the private subnet) of the Azure virtual network. The trust subnet connects to a network segment that uses private IP addresses. The trust subnet name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.

Trust Subnet Address Prefix: The trust subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.1.2.0/24.

NOTE: The address range of a subnet that is already in use cannot be edited.

Click OK when you have finished specifying the information for the vSRX VM subnets (the management, trust, and untrust subnets) and, if necessary, creating a virtual network for your Azure subscription. Before you continue, check that each subnet prefix lies inside the address space you entered for the virtual network: as printed above, the default address space 10.0.0.0/16 does not contain the default subnet prefixes 10.1.0.0/24, 10.1.1.0/24, and 10.1.2.0/24, so use the values the Subnets blade actually shows, or choose an address space that covers them (for example 10.1.0.0/16).

7. From the Create vSRX Security Gateway blade, 4 Summary, review the configuration settings (see Figure 21 on page 56). If you are satisfied with the configuration settings, click OK.


Figure 21: Create vSRX VM Gateway - Summary

8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms of use (see Figure 22 on page 57). If you are satisfied with the offer details and terms of use, click Purchase.


Figure 22: Create vSRX VM Gateway - Purchase

9. You return to the Azure portal dashboard, and the dashboard displays the deployment status of the vSRX VM (see Figure 23 on page 57).

Figure 23: vSRX VMDeployment Status


Verifying Deployment of vSRX to Microsoft Azure

After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under Resource Groups. The corresponding cloud service and storage account are also created and listed. Both the vSRX VM and the cloud service are started automatically and their status is listed as Running.

To verify the deployment of the vSRX instance to Microsoft Azure:

1. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page. Figure 24 on page 58 shows an example of the Resource Groups page in the Microsoft Azure portal.

Figure 24: Microsoft Azure Resource Groups Page

2. To view details of the vSRX VM associated with the resource group, click the name of the vSRX VM. Observe that the status is Running.

NOTE: You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.

Figure 25 on page 59 shows an example of a resource group’s vSRX VM in the Microsoft Azure portal.


Figure 25: Microsoft Azure Resource Groups VM Example

Logging In to a vSRX VM

After vSRX deployment is completed, the vSRX VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX VM.

NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. This note states that for the vSRX on Microsoft Azure deployment only the BYOL model is supported; the Marketplace search step earlier in this chapter lists the vSRX image as available under both PAYG and BYOL, so confirm the licensing model in the Marketplace listing for your Junos OS release.

To log in to the vSRX VM:

1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.

2. Use an SSH client to log in to a vSRX VM.

3. At the prompt, enter the following login credentials:

NOTE: The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration. After initially logging in to the vSRX, you can configure SSH public and private key authentication.

# ssh <username@vsrx_vm_ipaddress>


The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>

4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI” on page 90).
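The session above answers yes to "Are you sure you want to continue connecting", which trusts whatever is answering at that public IP address on the first connection. The following snippet is an added example, not code from the Juniper guide: it computes the same SHA256 fingerprint that the ssh client prints from a host public key line, so the value in the prompt can be compared against a key obtained out of band instead of being accepted blindly. How you obtain that key line is an assumption here (for example from the Azure serial console if it is available for the image, or by reading the host key file on the vSRX over a session you already trust and keeping it for later connections; the guide describes no such channel). The key in the block is constructed for the example and is not a vSRX host key.

```python
# Added example (not from the Juniper guide): compute an OpenSSH-style SHA256
# host key fingerprint so the value shown at first connection can be checked
# against a public key obtained through a trusted channel.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of a public key line.

    key_line uses the authorized_keys / *.pub format "<type> <base64 blob> [comment]".
    OpenSSH hashes the decoded blob with SHA-256 and prints it base64-encoded
    without padding, prefixed with "SHA256:".
    """
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(prompt_fingerprint: str, trusted_key_line: str) -> bool:
    """True if the fingerprint printed by ssh equals that of the trusted key line."""
    return prompt_fingerprint.strip() == fingerprint_sha256(trusted_key_line)


def constructed_key_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Wrap raw key bytes as a public key line, for demonstration only.

    Real host keys come from the device; this exists so the example runs offline.
    The blob layout (type string + key string) is the one used by ssh-ed25519.
    """
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample keys (NOT real vSRX host keys): 32 arbitrary bytes each.
SAMPLE_HOST_KEY = constructed_key_line("ssh-ed25519", bytes(range(32)), "vsrx-sample")
OTHER_HOST_KEY = constructed_key_line("ssh-ed25519", bytes(range(1, 33)), "other-host")

if __name__ == "__main__":
    shown = fingerprint_sha256(SAMPLE_HOST_KEY)   # what the ssh prompt would print
    print("prompt shows:", shown)
    print("matches trusted key:", host_key_matches(shown, SAMPLE_HOST_KEY))
    print("matches a different key:", host_key_matches(shown, OTHER_HOST_KEY))
```

Compare the output of fingerprint_sha256() on the trusted key line with the SHA256 value in the "ECDSA key fingerprint is" line before typing yes; if they differ, do not enter the password, since the session may be terminating somewhere other than your vSRX.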

Release History Table

15.1X49-D100: Starting in Junos OS Release 15.1X49-D100 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network through the Azure portal using one of the available solution templates offered from Juniper Networks.

Related Documentation

• How to Deploy in Microsoft Azure using Azure Portal and Template

• Microsoft Azure portal overview

Deploying the vSRX Image from Azure Marketplace

Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network by selecting the vSRX image from Azure Marketplace and customizing the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

This deployment approach might be needed if you have a vSRX VM deployment scenario that is outside of the use cases offered in the vSRX VM solution templates available from Juniper Networks.

NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.

Use the following procedures to deploy and configure a vSRX VM into an Azure virtual network from the Azure portal:

• Deploying the vSRX Image on page 61

• Verifying Deployment of vSRX to Microsoft Azure on page 71

• Logging In to a vSRX VM on page 72


Deploying the vSRX Image

To deploy and configure a vSRX VM into an Azure virtual network using the vSRX image from Azure Marketplace:

1. Log in to the Microsoft Azure portal using your Microsoft account user name and password. The Dashboard appears in the Azure portal (see Figure 3 on page 35). You will see a unified dashboard for all your assets in Azure. Verify that the dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

Figure 26: Microsoft Azure Portal Dashboard

2. Click Marketplace from the dashboard to access the Azure Marketplace, and then click Everything (or click New > Everything). Enter vsrx to search for the available Juniper Networks vSRX VM images in the Azure Marketplace (see Figure 27 on page 62). The vSRX image is available as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service.


Figure 27: Locating the vSRX VM Image in the Azure Marketplace

3. Select the vSRX VM image from the list and then click Create to initiate the vSRX VM deployment process (see Figure 28 on page 63).


Figure 28: Initiating vSRX VMDeployment

4. From the Create Virtual Machine blade, 1 Basics, configure the following parameters (see Figure 29 on page 64).


Figure 29: Create Virtual Machine - Basics

Name: Specify a name for your vSRX VM. Your vSRX VM name cannot contain non-ASCII or special characters.

VM Disk Type: Specify the disk type to use for the vSRX VM: SSD or HDD. The default is SSD.

User name: Enter a username to access the vSRX VM. The username cannot contain uppercase characters or special characters, and cannot start with a “$” or “-” character.

Authentication type: Select the required method of authentication to access the vSRX VM: Password or SSH public key. If you select Password, enter (and confirm) your password.

NOTE: In Junos OS Release 15.1X49-D91 for vSRX, SSH public key is not a supported authentication method. You will need to specify a password to log in to the vSRX VM.

Starting in Junos OS Release 15.1X49-D110 for vSRX, SSH public key is a supported authentication method. Where your release supports it, prefer SSH public key, since the vSRX is reached over its public IP address.

Password: Enter an appropriate root password used to access the vSRX VM.

Subscription: Select your Microsoft Azure subscription.

Resource Group: Select an existing resource group or create a new one (see “Creating a Resource Group” on page 34).

Location: Select the Azure geographic region in which you are deploying the vSRX VM.

Click OK.

5. From the Create Virtual Machine blade, 2 Size, select DS3_v2 Standard as the vSRX VM size (see Figure 30 on page 66). Click Select.

DS3_v2 Standard is used for a vSRX VM deployment. See “Requirements for vSRX on Microsoft Azure” on page 21 for the recommended system requirements for a vSRX instance in Microsoft Azure.


Figure 30: Create Virtual Machine - Choose a Size

6. From the Create Virtual Machine blade, 3 Settings, configure the following parameters to define the storage, networking, and monitoring settings for the vSRX VM (see Figure 31 on page 67). Click OK when completed.


Figure 31: Create Virtual Machine - Settings

Parameter: Description

Storage

Use Managed Disks: Specify whether you want Azure to automatically manage the availability of disks to provide data redundancy and fault tolerance without you creating and managing a storage account. Click No.

Storage Account: If you need to change the storage account for the vSRX VM, click the right arrow to access the Choose Storage Account blade. Select an existing storage account for the vSRX VM, or click Create new (+) to create a new one. See “Creating a Storage Account” on page 38 for details about creating a new storage account.

Network

Virtual Network: If you need to change the virtual network for the vSRX VM, click the right arrow to access the Choose Virtual Network blade. Select an existing virtual network for the vSRX VM, or click Create new (+) to create a new one. See “Creating a Virtual Network” on page 41 for details about creating a new virtual network.


Subnet: Enter a subnet, which is a range of IP addresses in your virtual network to isolate VMs. Public subnets have access to the Internet gateway, but private subnets do not.

A vSRX VM requires two public subnets and one or more private subnets for each individual instance group. The public subnets consist of one for the management interface (fxp0) and another for the two revenue (data) interfaces. The private subnets, connected to other vSRX interfaces, ensure that all traffic between applications on the private subnets and the Internet must pass through the vSRX instance.

To modify the subnet for the virtual network, click the right arrow to access the Create Subnet blade.

Configure the following parameters:

• Subnet name—A unique name for the subnet in the Azure virtual network.

• Subnet address range—The subnet’s address range in CIDR notation. It must be contained by the address space of the virtual network. Subnet address ranges cannot overlap one another. By default, the address range is 10.0.0.0/24.

NOTE: The address range of a subnet that is already in use cannot be edited.

Public IP address: Specify the public IP address that allows communication to the vSRX VM from outside the Azure virtual network. To modify the public IP address for the vSRX VM, click the right arrow to access the Choose Public IP Address blade. Select a public IP address in your Azure subscription and location, or click Create new (+) to create a new one.

Configure the following parameters:

• Name—A unique name for the public IP address.

• Assignment—There are two methods by which an IP address is allocated to a public IP resource: dynamic or static. By default, public IP addresses are dynamic, where an IP address is not allocated at the time of its creation. Instead, the public IP address is allocated when you start (or create) the resource. The IP address associated with the resource may change when the vSRX VM is deleted.

To guarantee that the vSRX VM always uses the same public IP address, we recommend you assign a static public IP address.

Network security group: Specify a network security group, which is a set of firewall rules that control traffic to and from the vSRX VM. Each network security group can contain multiple inbound and outbound security rules that enable you to filter traffic by source and destination IP address, port, and protocol. You can apply a network security group to each NIC in the VM.

To modify the network security group for the vSRX VM to filter traffic, click the right arrow to access the Choose Network Security blade. Select a network security group in your Azure subscription and location, or click Create new (+) to create a new one.

Configure the following parameters:

• Name—A unique name for the network security group.

• Inbound rules—You can add one or more inbound security rules to allow or deny traffic to the vSRX VM.

• Outbound rules—You can add one or more outbound security rules to allow or deny traffic originating from the vSRX VM.


Extensions

Extensions: No extensions are used for the vSRX VM.

High Availability

Availability Set: Configure two or more VMs in an availability set to provide redundancy to an application.

NOTE: Availability Set should be set to None for the vSRX VM. Availability Set is not used for the vSRX VM in Azure because chassis clustering is not supported by the vSRX at this time.

Monitoring

Boot Diagnostics: Enables or disables the capturing of serial console output and screenshots of the VM running on the host to help diagnose start-up issues. The default is Enabled.

Guest OS Diagnostics: Enables or disables the ability to obtain metrics every minute for the VM. Choices are: Disabled or Enabled. The default is Disabled.

Diagnostics Storage Account: Click the right arrow to view the details of the diagnostics storage account. Automatically fills in with the name of the diagnostics storage account from which you can analyze a set of metrics with your own tools.

7. From the Create Virtual Machine blade, 4 Summary, review the configuration settings (see Figure 32 on page 70). If you are satisfied with the configuration settings, click OK.


Figure 32: Create Virtual Machine - Summary

8. From the Create Virtual Machine blade, 5 Buy, review the offer details and the terms of use (see Figure 22 on page 57). If you are satisfied with the offer details and terms of use, click Purchase.


Figure 33: Create Virtual Machine - Purchase

You return to the Azure portal dashboard, and the dashboard displays the deployment status of the vSRX VM.

Verifying Deployment of vSRX to Microsoft Azure

After the vSRX VM is created, the Azure portal dashboard lists the new vSRX VM under Resource Groups. The corresponding cloud service and storage account also are created and listed. Both the vSRX VM and the cloud service are started automatically and their status is listed as Running.

To verify the deployment of the vSRX instance to Microsoft Azure:

1. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.

2. To view details of the vSRX VM associated with the resource group, click the name of the vSRX VM. Observe that the status is Running.

NOTE: You can stop, start, restart, and delete a vSRX VM from the Virtual Machine page in the Microsoft Azure portal.

Figure 25 on page 59 shows an example of a Resource groups vSRX VM in the Microsoft Azure portal.


Figure 34: Microsoft Azure Resource Groups VM Example

Logging In to a vSRX VM

After vSRX deployment is completed, the vSRX VM is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX VM.

NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.

To log in to the vSRX VM:

1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.

2. Use an SSH client to log in to a vSRX VM.

3. At the prompt, enter the following login credentials:

NOTE: The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined during the vSRX VM configuration (see “Deploying the vSRX Image” on page 61). After initially logging in to the vSRX, you can configure SSH public and private key authentication.

# ssh <username@vsrx_vm_ipaddress>


The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>

4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI” on page 90).

Release History Table

Release 15.1X49-D91: Starting in Junos OS Release 15.1X49-D91 for vSRX, you can deploy the vSRX virtual security appliance in your Azure virtual network by selecting the vSRX image from Azure Marketplace and customizing the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

Related Documentation

• How to Deploy in Microsoft Azure using Azure Portal and Template

• Microsoft Azure portal overview

• Virtual networks and Windows virtual machines in Azure

• Create, change, or delete network interfaces

• Create a VM (Classic) with multiple NICs


CHAPTER 3

Installing vSRX from the Azure CLI

• Before You Deploy vSRX Using the Azure CLI on page 75

• Deploying vSRX from the Azure CLI on page 77

Before You Deploy vSRX Using the Azure CLI

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

To help automate and simplify the deployment of the vSRX in the Microsoft Azure virtual network, Juniper Networks provides a series of scripts, Azure Resource Manager (ARM) templates and parameter files, and configuration files in the GitHub repository https://github.com/Juniper/vSRX-Azure. The ARM template includes resource parameters that enable you to customize your vSRX VM deployment, such as login credentials, network interfaces, and storage container name. The template consists of JavaScript Object Notation (JSON) expressions for your vSRX deployment.

The vSRX deployment files in the GitHub repository include:

• The deploy-azure-vsrx.sh shell script to automate the deployment and configuration of the vSRX virtual machine (VM).

• The vsrx.json template file to define the components of the Azure resource group and virtual hardware settings (VM size, interface number and network) of the vSRX VM.

• The vsrx.parameters.json parameter file to identify the network interface parameters used to deploy the vSRX VM in Azure.

Before you deploy the vSRX virtual security appliance from the Azure CLI:

• Review the requirements for deploying a vSRX VM in Microsoft Azure Cloud in “Requirements for vSRX on Microsoft Azure” on page 21.

• Obtain an account for and a subscription to Microsoft Azure (see Microsoft Azure).

• From the Azure portal, you must first manually deploy the vSRX image (only once) by using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment tool uses the vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your Microsoft account username and password to log into the Microsoft Azure portal.

NOTE: You will encounter a MarketplacePurchaseEligibilityFailed error if you do not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.

• Install Azure command line interface (Azure CLI) 1.0 and enable Azure Resource Management (ARM) mode (see Install the Azure CLI).

NOTE: The vSRX for Azure deployment shell script deploy-azure-vsrx.sh is written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.

• Purchase a vSRX license or request an evaluation license. Licenses can be procured from the Juniper Networks License Management System (LMS).

NOTE: Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.

When you deploy a vSRX VM in an Azure virtual network, note the following specifics of the deployment configuration:

• Use your Microsoft account username and password to log into the Microsoft Azure portal.

• Ensure that your Azure subscription includes the following for your vSRX VM:

• Resource group, as described in “Creating a Resource Group” on page 34.

• Storage account, as described in “Creating a Storage Account” on page 38.

• Virtual network, as described in “Creating a Virtual Network” on page 41.

vSRX deployment from the Azure CLI is described in detail in “Deploying vSRX from the Azure CLI” on page 77.


Release History Table

Release 15.1X49-D80: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

Related Documentation

• Azure Resource Manager overview

• Deploy resources with Resource Manager templates and Azure CLI

Deploying vSRX from the Azure CLI

Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.

Use the following procedure to deploy and configure vSRX as a virtual security appliance in a Microsoft Azure virtual network from the Azure CLI. In this procedure, you use the Azure CLI running in Azure Resource Manager (ARM) mode.

NOTE: Be sure you have an account for and a subscription to Microsoft Azure before deploying the vSRX to Azure (see Microsoft Azure).

If you do not have an Azure subscription, then you can create a free account before you begin. See the Microsoft Azure website for more details.

NOTE: From the Azure portal, you must first manually deploy the vSRX image (only once) by using either the vSRX Next Generation Firewall (BYOL) or the vSRX Next Generation Firewall (PAYG) SKU to accept the EULA terms. This is a requirement before you can deploy the vSRX image from the Azure CLI. By default, the Azure portal deployment tool uses the vSRX Next Generation Firewall (BYOL) SKU as the source image. Use your Microsoft account username and password to log into the Microsoft Azure portal.

You will encounter a MarketplacePurchaseEligibilityFailed error if you do not first accept the EULA terms for the vSRX image in the Azure portal before attempting to deploy the vSRX image from the Azure CLI.

• Installing the Microsoft Azure CLI on page 78

• Downloading the vSRX Deployment Tools on page 79

• Changing Parameter Values in the vsrx.parameters.json File on page 80

• Deploying the vSRX Using the Shell Script on page 82


• Verifying Deployment of vSRX to Microsoft Azure on page 84

• Logging In to a vSRX Instance on page 85

Installing the Microsoft Azure CLI

To install and log in to the Microsoft Azure CLI:

1. Install the Microsoft Azure CLI 1.0 as outlined in Install the Azure CLI. You have several options to install the Azure CLI package for either Linux or Mac OS; be sure to select the correct installation package.

NOTE: The vSRX for Azure deployment shell script deploy-azure-vsrx.sh is written in shell and Azure CLI version 1.0 commands and does not support Azure CLI version 2.0.

NOTE: Deployment of vSRX to Microsoft Azure does not support the use of the Azure CLI from Microsoft Windows. This is because the deploy-azure-vsrx.sh shell script that is used as part of the deployment procedure can be run only from the Linux or Mac OS CLI.

2. Log into the Azure CLI.

> azure login

3. At the prompt, copy the code that appears in the command output.

Executing command login
To sign in, use a web browser to open the page http://aka.ms/devicelogin. Enter the code XXXXXXXXX to authenticate

4. Open a Web browser to http://aka.ms/devicelogin, enter the code, and then click Continue. Enter your Microsoft Azure username and password credentials. When the process completes, the command shell completes the login process.

Added subscription Microsoft Azure Enterprise
To sign in, use a web browser to open the page http://aka.ms/devicelogin
login command OK


NOTE: If you have multiple Azure subscriptions, connecting to Azure grants access to all subscriptions associated with your credentials. One subscription is selected as the default, and used by the Azure CLI when performing operations. You can view the subscriptions, including the current default subscription, using the azure account list command.

5. Ensure that the Azure CLI is in Azure Resource Manager (ARM) mode.

> azure config mode arm

NOTE: When the Azure CLI is initially installed, the CLI is in ARM mode.

Downloading the vSRX Deployment Tools

Juniper Networks provides a set of scripts, templates, parameter files, and configuration files in Juniper’s GitHub repository. These tools are intended to help simplify the deployment of the vSRX to Azure when using the Azure CLI.

NOTE: For background information on the scripts, templates, parameter files, and configuration files, see “Before You Deploy vSRX Using the Azure CLI” on page 75.

To download the vSRX deployment tools:

1. Access GitHub by using the following link: https://github.com/Juniper/vSRX-Azure.

2. Click Clone or download to download to your computer the vSRX-Azure-master.zip file from GitHub containing all files and directories from vSRX-Azure. The vSRX-Azure-master directory includes the following directories and files:

vSRX-Azure-master
    README.md
    LICENSE
    sample-templates
      arm-templates-tool
        README.md
        deploy-azure-vsrx.sh
        templates
          app-vm
            vm.json
            vm.parameters.json
          vsrx-gateway
            vsrx.json
            vsrx.parameters.json
        utils
          decode_param_file.py
          gen_param_file.py
          gen_template_file.py
      simple-vsrx-demo
        README.md
        vsrx.json
        vsrx.parameters.json
    marketplace-solution-templates
      vpn-gateway
        createUiDefinition.json
        mainTemplate.json
        vSRX-password.json
        vSRX-sshPublicKey.json

3. Extract the compressed vSRX-Azure-master.zip file to a location on your computer.

Changing Parameter Values in the vsrx.parameters.json File

In the vsrx.parameters.json file, you need to modify parameter values specific to your vSRX deployment in Microsoft Azure. These parameters are used as part of the automatic deployment performed by the deploy-azure-vsrx.sh script.

Keep in mind that by default vSRX uses fxp0 as the egress interface to the Internet. For features requiring Internet connections that use a revenue port (such as VPN, UTM, and so on), routing instances are required to isolate the traffic between the management network and the revenue network.

To change parameter values in the vsrx.parameters.json file:

1. Open the vsrx.parameters.json file with a text editor.

2. Modify the values in the vsrx.parameters.json file based on the specifics of your vSRX deployment. As an example, the following table outlines the parameters in the vsrx.parameters.json file found in sample-templates\arm-templates-tool\templates\vsrx-gateway that might require modification.

CAUTION: It is critical that you change the vsrx-username and vsrx-password login credentials listed in the vsrx.parameters.json file before you launch the vSRX instance and log in for the first time. Note that you cannot reset login credentials for the vSRX using the Microsoft Azure portal or the Azure CLI.

Parameter (default value): Comment

storageAccountName (juniperstore01): Must be unique for each deployment.

storageContainerName (vhds): Name of the Microsoft Azure storage container (VHDs).

vsrx-name (vsrx-gw): Specifies the vSRX hostname.


vsrx-addr-ge-0-0-0 (192.168.10.20): IP address of vSRX interface ge-0/0/0.0.

vsrx-addr-ge-0-0-1 (192.168.20.20): IP address of vSRX interface ge-0/0/1.0.

vsrx-username (demo): Change to an appropriate username for the login credentials used to access the vSRX.

vsrx-password (Demo123456): Change to an appropriate password for the login credentials used to access the vSRX.

vsrx-sshkey (ssh-rsa placeholder): Specifies the SSH public key string (RSA or DSA) used for root authentication to the vSRX VM. By default, the deploy-azure-vsrx.sh deployment script selects the password authentication method, unless -p, followed by the SSH RSA public key file (id_rsa.pub by default), is specified.

NOTE: Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.

vsrx-disk (placeholder): The source image used to create the vSRX instance. By default, the deploy-azure-vsrx.sh script uses the vSRX Next Generation Firewall (BYOL) SKU in the Azure Marketplace as the source image to deploy the vSRX instance, unless -i is used to explicitly specify the vSRX instance image location.

vnet-prefix (192.168.0.0/16): IP address prefix of the virtual network.

vnet-mgt-subnet-basename (mgt-subnet): Name of the management network connected to fxp0.

vnet-mgt-subnet-prefix (192.168.0.0/24): IP address prefix of the management network connected to fxp0.

vnet-trust-subnet-basename (trust-subnet): Name of the network connected to the trust security zone: ge-0/0/1.0 on the vSRX.

vnet-trust-subnet-prefix (192.168.20.0/24): IP address prefix of the network connected to the trust security zone: ge-0/0/1.0 on the vSRX.

vnet-untrust-subnet-basename (untrust-subnet): Name of the network connected to the untrust security zone: ge-0/0/0.0 on the vSRX.


vnet-untrust-subnet-prefix (192.168.10.0/24): IP address prefix of the network connected to the untrust security zone: ge-0/0/0.0 on the vSRX.

3. Save your changes to the vsrx.parameters.json file.
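The CAUTION above (default login credentials cannot be reset from the portal or CLI once the instance is launched) and the subnet rules from the portal Subnet table (every range contained in the virtual network, no overlap) both apply to the values in vsrx.parameters.json. The following pre-flight check is an added example, not part of the Juniper vSRX-Azure tooling; it assumes the file uses the standard ARM parameter-file layout ("parameters": {name: {"value": ...}}) and embeds a constructed sample holding the default values from the table.

```python
# Added example (not Juniper's tooling): pre-flight checks for vsrx.parameters.json.
# Assumes the standard ARM parameter-file layout {"parameters": {name: {"value": ...}}}.
import ipaddress
import json
import re

# Login credentials shipped as defaults in the parameter table; the CAUTION in the
# guide says they must be changed before the instance is launched.
DEFAULT_CREDENTIALS = {"vsrx-username": "demo", "vsrx-password": "Demo123456"}

SUBNET_PREFIXES = ("vnet-mgt-subnet-prefix", "vnet-trust-subnet-prefix",
                   "vnet-untrust-subnet-prefix")

# Revenue interface addresses and the subnet each must belong to (ge-0/0/0.0 is in
# the untrust subnet, ge-0/0/1.0 in the trust subnet, per the parameter table).
INTERFACE_SUBNET = {"vsrx-addr-ge-0-0-0": "vnet-untrust-subnet-prefix",
                    "vsrx-addr-ge-0-0-1": "vnet-trust-subnet-prefix"}

# Constructed sample file holding the default values from the parameter table.
SAMPLE_PARAMETERS = """{
  "parameters": {
    "storageAccountName": {"value": "juniperstore01"},
    "storageContainerName": {"value": "vhds"},
    "vsrx-name": {"value": "vsrx-gw"},
    "vsrx-addr-ge-0-0-0": {"value": "192.168.10.20"},
    "vsrx-addr-ge-0-0-1": {"value": "192.168.20.20"},
    "vsrx-username": {"value": "demo"},
    "vsrx-password": {"value": "Demo123456"},
    "vsrx-sshkey": {"value": "ssh-rsa placeholder"},
    "vsrx-disk": {"value": "placeholder"},
    "vnet-prefix": {"value": "192.168.0.0/16"},
    "vnet-mgt-subnet-basename": {"value": "mgt-subnet"},
    "vnet-mgt-subnet-prefix": {"value": "192.168.0.0/24"},
    "vnet-trust-subnet-basename": {"value": "trust-subnet"},
    "vnet-trust-subnet-prefix": {"value": "192.168.20.0/24"},
    "vnet-untrust-subnet-basename": {"value": "untrust-subnet"},
    "vnet-untrust-subnet-prefix": {"value": "192.168.10.0/24"}
  }
}"""


def load_parameters(text):
    """Flatten the ARM parameter file to a plain {name: value} dict."""
    return {name: entry["value"] for name, entry in json.loads(text)["parameters"].items()}


def check_parameters(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. Default credentials must never reach a deployed instance: the guide notes they
    #    cannot be reset afterwards from the Azure portal or the Azure CLI.
    for name, default in DEFAULT_CREDENTIALS.items():
        if params.get(name) == default:
            findings.append(f"{name} still has the shipped default value")

    # 2. The storage account name must be unique per deployment; Azure also requires
    #    3-24 lowercase letters and digits, so reject names that cannot be created at all.
    if not re.fullmatch(r"[a-z0-9]{3,24}", params.get("storageAccountName", "")):
        findings.append("storageAccountName must be 3-24 lowercase letters and digits")

    # 3. Every subnet prefix must lie inside vnet-prefix, and subnets must not overlap.
    try:
        vnet = ipaddress.ip_network(params["vnet-prefix"])
        subnets = {name: ipaddress.ip_network(params[name]) for name in SUBNET_PREFIXES}
    except (KeyError, ValueError) as exc:
        return findings + [f"invalid or missing network prefix: {exc}"]
    for name, net in subnets.items():
        if net.version != vnet.version or not net.subnet_of(vnet):
            findings.append(f"{name} {net} is not contained in vnet-prefix {vnet}")
    names = list(subnets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if subnets[first].overlaps(subnets[second]):
                findings.append(f"{first} and {second} overlap")

    # 4. Each revenue interface address must be a usable host address in its subnet.
    #    Azure reserves the first four addresses and the last address of every subnet.
    for addr_name, subnet_name in INTERFACE_SUBNET.items():
        net = subnets[subnet_name]
        try:
            addr = ipaddress.ip_address(params[addr_name])
        except (KeyError, ValueError):
            findings.append(f"{addr_name} is missing or not an IP address")
            continue
        if addr not in net:
            findings.append(f"{addr_name} {addr} is outside {subnet_name} {net}")
        elif int(addr) - int(net.network_address) < 4 or addr == net.broadcast_address:
            findings.append(f"{addr_name} {addr} is an address Azure reserves in {net}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PARAMETERS
    for finding in check_parameters(load_parameters(text)):
        print("WARNING:", finding)
```

Run it against your edited file before step 1 of the deployment; with the unedited defaults it reports only the two credential findings.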

Deploying the vSRX Using the Shell Script

The deploy-azure-vsrx.sh shell script deploys the vSRX virtual machine in a resource group that is based on your Azure Cloud geographic location. The script uses the storage account and network values defined in the vsrx.parameters.json file.

To deploy vSRX to the Azure virtual network:

1. At the bash prompt in the Azure CLI, run the deploy-azure-vsrx.sh script. By default, the script deploys the vSRX VM using the vSRX Next Generation Firewall (BYOL) SKU as the source image from the Azure Marketplace. The following information is read from the vsrx.json file as part of the deployment:

• VM Size: Standard_D3_v2

• Publisher: Juniper Networks

• SKU: vsrx-byol-azure-image

• Offering: vsrx-next-generation-firewall

The following is an example of the command syntax. In this example, the script uses the vSRX image to deploy the vSRX VM in resource group “example_rg” at the Azure location “westus.” The storage account and network values are defined in the vsrx.parameters.json file.

> ./deploy-azure-vsrx.sh -g example_rg -l westus \
    -f vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.json \
    -e vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway/vsrx.parameters.json

NOTE: When you specify the vSRX source image URL with the option -i, the script copies the vSRX source image to create the virtual hard disk file and sets the vsrx-disk parameter in vsrx.parameters.json to this value.

The default parameter values in the command syntax include:

• example_rg is the resource group name (-g).

• westus is the Azure location (-l).


• vsrx.json in the folder vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default Azure template file (-f).

• vsrx.parameters.json in the folder vSRX-Azure/sample-templates/arm-templates-tool/templates/vsrx-gateway is the default parameter file (-e).

2. Monitor the stages of deployment of vSRX to Microsoft Azure as they occur on screen. Deployment encompasses operations such as creating a resource group, storage account, and template group (including configuration parameters).

NOTE: Creation of the storage account can take approximately 3 to 5 minutes on average. However, in some cases, it might take as long as 15 to 20 minutes.

arm-templates-tool ./deploy-azure-vsrx.sh
Use default resource group name 'vsrx'
info: Executing command config mode
info: New mode is arm
info: config mode command OK
info: Executing command group create
+ Getting resource group vsrx
+ Creating resource group vsrx
info: Created resource group vsrx
data: Id: /subscriptions/1c3367ba-71fc-48df-898a-d9eab4f1d673/resourceGroups/vsrx
data: Name: vsrx
data: Location: westus
data: Provisioning State: Succeeded
data: Tags: null
data:
info: group create command OK
info: Executing command storage account create
…
data: DeploymentName : deployvsrx
data: ResourceGroupName : vsrx
data: ProvisioningState : Succeeded
data: Timestamp : Thu Jul 20 2017 12:31:45 GMT+0800 (CST)
data: Mode : Incremental
data: CorrelationId : a99b89f8-5919-4dbc-b8a5-6d76b30fcb67
data: DeploymentParameters :
data: Name                          Type          Value
data: ----------------------------  ------------  -------------------
data: storageAccountName            String        jnprsa01
data: storageContainerName          String        vhds
data: vsrx-name                     String        vsrx-test01
data: vsrx-addr-ge-0-0-0            String        192.168.10.20
data: vsrx-addr-ge-0-0-1            String        192.168.20.20
data: vsrx-username                 String        demo
data: vsrx-password                 SecureString  undefined
data: vsrx-sshkey                   String        ssh-rsa placeholder
data: vsrx-disk                     String        placeholder
data: vnet-prefix                   String        192.168.0.0/16
data: vnet-mgt-subnet-basename      String        mgt-subnet
data: vnet-mgt-subnet-prefix        String        192.168.0.0/24
data: vnet-trust-subnet-basename    String        trust-subnet
data: vnet-trust-subnet-prefix      String        192.168.20.0/24
data: vnet-untrust-subnet-basename  String        untrust-subnet
data: vnet-untrust-subnet-prefix    String        192.168.10.0/24
info: group deployment create command OK

When the deployment process completes, you will see the message “info: group deployment create command OK”.

Verifying Deployment of vSRX to Microsoft Azure

To verify the deployment of the vSRX instance to Microsoft Azure:

1. Open a Web browser to https://portal.azure.com/ and log in to the Microsoft Azure portal using your login credentials. The Dashboard view appears in the Azure portal. You will see a unified dashboard for all your assets in Azure. Verify that the Dashboard includes all subscriptions to which you currently have access, and all resource groups and associated resources.

2. To view the vSRX resource group and its resources after deployment is completed, from the right-hand menu, click Resource groups to access the Resource Groups page.

Figure 24 on page 58 shows an example of the Resource groups page in the Microsoft Azure portal.

Figure 35: Microsoft Azure Resource Groups Page Example

3. To view details of the vSRX VM associated with the resource group, click the name of the vSRX.

Figure 25 on page 59 shows an example of the Resource groups VM in the Microsoft

Azure portal.


Figure 36: Microsoft Azure Resource Groups VM Example

4. To see a summary view of the VMs in your subscription, including the newly deployed vSRX, click the Virtual Machines icon in the left pane. On the Virtual machines page, check the vSRX VM status after deployment is completed. Observe that the status is Running.

NOTE: You can stop, start, restart, and delete a VM from the Virtual machines page in the Microsoft Azure portal.

Figure 37 on page 85 shows an example of the Microsoft Azure Virtual machines page.

Figure 37: Microsoft Azure Virtual Machines Page Example

Logging In to a vSRX Instance

After vSRX deployment is completed, the vSRX instance is automatically powered on and launched. At this point you can use an SSH client to log in to the vSRX instance.


NOTE: In Microsoft Azure, individuals and enterprises can host servers and services on the cloud as a pay-as-you-go (PAYG) or bring-your-own-license (BYOL) service. For the vSRX on Microsoft Azure deployment, only the BYOL model is supported.

To log in to the vSRX VM:

1. From the Azure portal, click Resource groups from the menu of services on the dashboard, and then select the vSRX VM. Locate the public IP address of the vSRX VM from the Settings blade.

2. Use an SSH client to log in to a vSRX instance.

3. At the prompt, enter the following login credentials:

NOTE: Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported. Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.

The vSRX instance is automatically configured for username and password authentication. To log in, use the login credentials that were defined in the vsrx.parameters.json file (see “Changing Parameter Values in the vsrx.parameter.json File” on page 80). After initially logging in to the vSRX, you can configure SSH public and private key authentication.

# ssh <username@vsrx_vm_ipaddress>
The authenticity of host 'x.x.x.x (x.x.x.x)' ...
ECDSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
Password: xxxxxxxx
username@vsrx_vm_ipaddress>

4. Configure the basic settings for the vSRX VM (see “Configuring vSRX Using the CLI” on page 90).
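The first login above answers "yes" to an unverified host key. As an added example that is not part of this guide, the Python below pins the key instead: it computes the same SHA256 fingerprint OpenSSH prints from an ssh-keyscan line, compares it with a fingerprint obtained through a channel other than the SSH session itself, and emits a known_hosts line to install before the first connection. The address and key blob are constructed (structurally valid, not a real vSRX key).

```python
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: an ecdsa-sha2-nistp256 blob with made-up point bytes, in the form
# `ssh-keyscan -t ecdsa <vsrx_vm_ipaddress>` prints. Not a real key; 203.0.113.10 is a placeholder.
_SAMPLE_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
                + _ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_KEYSCAN_LINE = "203.0.113.10 ecdsa-sha2-nistp256 " + base64.b64encode(_SAMPLE_BLOB).decode()


def ssh_fingerprint(keyscan_line: str) -> str:
    """OpenSSH-style fingerprint (SHA256:<unpadded base64>) of the key on a keyscan line."""
    _host, _keytype, b64 = keyscan_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(keyscan_line: str, expected_fingerprint: str) -> bool:
    """Constant-time comparison against the fingerprint recorded out of band."""
    return hmac.compare_digest(ssh_fingerprint(keyscan_line), expected_fingerprint)


def known_hosts_entry(keyscan_line: str, expected_fingerprint: str) -> str:
    """Return a known_hosts line to pin before the first login; raise on mismatch."""
    if not host_key_matches(keyscan_line, expected_fingerprint):
        raise ValueError("host key fingerprint mismatch; do not connect")
    host, keytype, b64 = keyscan_line.split()[:3]
    return f"{host} {keytype} {b64}"
```

With the returned line appended to ~/.ssh/known_hosts, the "Are you sure you want to continue connecting" prompt never appears and a changed key is rejected outright.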


Release History Table

Release        Description
15.1X49-D80    Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, you can deploy the vSRX from the Azure CLI and customize the vSRX VM deployment settings and dependencies based on your network requirements in Microsoft Azure Cloud.
15.1X49-D80    Starting in Junos OS Release 15.1X49-D80 and Junos OS Release 17.3R1, only password authentication is supported.
15.1X49-D100   Starting in Junos OS Release 15.1X49-D100 for vSRX, both password and SSH public key authentication are supported, and password authentication is chosen by default.


Related Documentation

• Connect from Microsoft Azure CLI


CHAPTER 4

Configuring and Managing vSRX

• vSRX Configuration and Management Tools on page 89

• Configuring vSRX Using the CLI on page 90

• Configuring vSRX Using the J-Web Interface on page 92

• Managing Security Policies for Virtual Machines Using Junos Space Security Director on page 95

• Removing a vSRX Instance from Microsoft Azure on page 95

vSRX Configuration and Management Tools

This chapter is an overview of the various tools available to configure and manage a vSRX VM once it has been successfully deployed.

• Understanding the Junos OS CLI and Junos Scripts on page 89

• Understanding the J-Web Interface on page 89

• Understanding Junos Space Security Director on page 90

Understanding the Junos OS CLI and Junos Scripts

The Junos operating system command-line interface (Junos OS CLI) is a Juniper Networks specific command shell that runs on top of a UNIX-based operating system kernel.

Built into Junos OS, Junos script automation is an onboard toolset available on all Junos OS platforms, including routers, switches, and security devices running Junos OS (such as a vSRX instance).

You can use the Junos OS CLI and the Junos OS scripts to configure, manage, administer, and troubleshoot vSRX.

Understanding the J-Web Interface

The J-Web interface allows you to monitor, configure, troubleshoot, and manage vSRX instances by means of a Web browser. J-Web provides access to all the configuration statements supported by the vSRX instance.

You can use J-Web to configure, manage, administer, and troubleshoot vSRX.


Understanding Junos Space Security Director

As one of the Junos Space Network Management Platform applications, Junos Space Security Director helps organizations improve the reach, ease, and accuracy of security policy administration with a scalable, GUI-based management tool. Security Director automates security provisioning of a vSRX instance through one centralized Web-based interface to help administrators manage all phases of the security policy life cycle more quickly and intuitively, from policy creation to remediation.

Related Documentation

• CLI User Interface Overview

• J-Web Overview

• Security Director

• Mastering Junos Automation Programming

• Spotlight Secure Threat Intelligence

Configuring vSRX Using the CLI

To configure the instance using the CLI:

1. Verify that the instance is powered on.

2. Log in using the username and password credentials for your vSRX VM deployment in Microsoft Azure.

3. Start the CLI.

root# cli
root@>

4. Enter configuration mode.

configure
[edit]
root@#

5. Set the root authentication password by entering a cleartext password, an encrypted password, or an SSH public key string (DSA or RSA).

[edit]
root@# set system root-authentication plain-text-password
New password: password
Retype new password: password

6. Configure the traffic interfaces.

[edit]
root@# set interfaces ge-0/0/0 unit 0 family inet address assigned_ip/netmask
root@# set interfaces ge-0/0/1 unit 0 family inet address assigned_ip/netmask


NOTE: Configuration of the management interface fxp0 for the vSRX is not necessary because it is configured during vSRX VM deployment from Azure (Azure portal or Azure CLI deployment methods). Microsoft Azure performs its own IP address mapping for the VM management interface. Do not change the configuration for interface fxp0 and the default routing table or you will lose connectivity.

7. Configure a routing instance to isolate the management network from the traffic network.

[edit]
root@# set routing-instances vsrx-vr1 instance-type virtual-router
root@# set routing-instances vsrx-vr1 interface ge-0/0/0.0
root@# set routing-instances vsrx-vr1 interface ge-0/0/1.0
root@# set routing-instances vsrx-vr1 routing-options

8. Verify the configuration changes.

[edit]
root@# commit check
configuration check succeeds

9. Commit the current configuration to make it permanent and to avoid the possibility of losing connectivity to the vSRX.

[edit]
root@# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
# commit confirmed will be rolled back in 10 minutes

10. Commit the configuration to activate it on the instance.

[edit]
root@# commit
commit complete

11. Optionally, use the show command to display the configuration to verify that it is correct.
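Steps 6 through 10 can be driven from the values the deployment printed (vsrx-addr-ge-0-0-0, vsrx-addr-ge-0-0-1 and the subnet prefixes). The Python below is an added example, not Juniper's code: it validates each address against its Azure subnet, generates the set commands for the traffic interfaces and the vsrx-vr1 routing instance, and refuses to push anything that would touch fxp0 or the default routing table, as the NOTE above warns. The parameter names are taken from the deployment output earlier in this chapter; the reserved-address rule (first four and last address of every subnet) is Azure's.

```python
import ipaddress

# Constructed from the DeploymentParameters table printed by deploy-azure-vsrx.sh earlier
# in this chapter; in practice load vsrx.parameters.json instead of hard-coding these.
DEPLOYMENT_PARAMETERS = {
    "vsrx-addr-ge-0-0-0": "192.168.10.20",
    "vsrx-addr-ge-0-0-1": "192.168.20.20",
    "vnet-untrust-subnet-prefix": "192.168.10.0/24",
    "vnet-trust-subnet-prefix": "192.168.20.0/24",
}

# ge-0/0/0 lives in the untrust subnet and ge-0/0/1 in the trust subnet, as in the template.
INTERFACE_PARAMS = (
    ("ge-0/0/0", "vsrx-addr-ge-0-0-0", "vnet-untrust-subnet-prefix"),
    ("ge-0/0/1", "vsrx-addr-ge-0-0-1", "vnet-trust-subnet-prefix"),
)


def interface_addresses(params):
    """Map each traffic interface to 'address/prefixlen', validated against its Azure subnet."""
    result = {}
    for ifname, addr_key, subnet_key in INTERFACE_PARAMS:
        subnet = ipaddress.ip_network(params[subnet_key])
        addr = ipaddress.ip_address(params[addr_key])
        if addr not in subnet:
            raise ValueError(f"{addr_key}={addr} is outside {subnet_key}={subnet}")
        # Azure reserves the first four addresses of a subnet (network, default gateway,
        # two for DNS) and the last one (broadcast); a NIC cannot be given any of them.
        offset = int(addr) - int(subnet.network_address)
        if offset < 4 or addr == subnet.broadcast_address:
            raise ValueError(f"{addr_key}={addr} is an Azure-reserved address in {subnet}")
        result[ifname] = f"{addr}/{subnet.prefixlen}"
    return result


def bootstrap_commands(params, instance="vsrx-vr1"):
    """Junos set commands for steps 6 and 7; fxp0 is deliberately never mentioned."""
    addresses = interface_addresses(params)
    cmds = [f"set interfaces {ifname} unit 0 family inet address {cidr}"
            for ifname, cidr in addresses.items()]
    cmds.append(f"set routing-instances {instance} instance-type virtual-router")
    cmds += [f"set routing-instances {instance} interface {ifname}.0" for ifname in addresses]
    return cmds


def touches_management_path(command):
    """True if a command would alter fxp0 or the default routing table (inet.0)."""
    tokens = command.split()
    if any(token.startswith("fxp0") for token in tokens):
        return True
    # 'routing-options' directly under the top level edits inet.0, the default table;
    # 'routing-instances <name> routing-options' edits that instance's own table and is fine.
    return (len(tokens) > 1 and tokens[0] in ("set", "delete", "deactivate")
            and tokens[1] == "routing-options")


def commit_sequence(commands):
    """Steps 8-10: check, commit with automatic rollback, then confirm. Refuses risky commands."""
    risky = [c for c in commands if touches_management_path(c)]
    if risky:
        raise ValueError("refusing to push commands that touch fxp0 or inet.0: " + "; ".join(risky))
    return ["configure", *commands, "commit check", "commit confirmed", "commit"]
```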


NOTE: Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See “Managing Licenses for vSRX” on page 113 for details.

Related Documentation

• Example: Configuring an IPsec VPN Between Two vSRX Instances on page 97

• Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure on page 101

• Junos OS for SRX Series

• CLI User Guide

Configuring vSRX Using the J-Web Interface

• Accessing the J-Web Interface and Configuring vSRX on page 92

• Applying the Configuration on page 94

• Adding vSRX Feature Licenses on page 95

Accessing the J-Web Interface and Configuring vSRX

Use the Junos OS CLI to configure, at a minimum, the following parameters before you can access a vSRX VM using J-Web:

CAUTION: Do not change the configuration for interface fxp0 and the default routing table or you will lose connectivity to the vSRX in the Microsoft Azure deployment.

To configure vSRX using the J-Web Interface:

1. Launch a Web browser from the management instance.

2. Enter the vSRX fxp0 interface IP address in the Address box.

3. Specify the username and password.

4. Click Log In, and select the Configuration Wizards tab from the left navigation panel.

The J-Web Setup wizard page opens.

5. Click Setup.

You can use the Setup wizard to configure the vSRX VM or edit an existing configuration.


• Select Edit Existing Configuration if you have already configured the wizard using the factory mode.

• Select Create New Configuration to configure the vSRX VM using the wizard.

The following configuration options are available in the guided setup:

• Basic

Select Basic to configure the vSRX VM name and user account information as shown in Table 9 on page 93.

• Instance name and user account information

Table 9: Instance Name and User Account Information

Field              Description
Instance name      Type the name of the instance. For example: vSRX.
Root password      Create a default root user password.
Verify password    Verify the default root user password.
Operator           Add an optional administrative account in addition to the root account. User role options include:
                   • Super User: This user has full system administration rights and can add, modify, and delete settings and users.
                   • Operator: This user can perform system operations such as a system reset but cannot change the configuration or add or modify users.
                   • Read only: This user can only access the system and view the configuration.
                   • Disabled: This user cannot access the system.

• Select either Time Server or Manual. Table 10 on page 93 lists the system time options.

Table 10: System Time Options

Field                    Description
Time Server
  Host Name              Type the hostname of the time server. For example: ntp.example.com.
  IP                     Type the IP address of the time server in the IP address entry field. For example: 192.0.2.254.
                         NOTE: You can enter either the hostname or the IP address.
Manual
  Date                   Click the current date in the calendar.


Table 10: System Time Options (continued)

Field                    Description
  Time                   Set the hour, minute, and seconds. Choose AM or PM.
Time Zone (mandatory)
  Time Zone              Select the time zone from the list. For example: GMT Greenwich Mean Time GMT.

• Expert

Select Expert to configure the basic options as well as the following advanced options:

• Four or more internal zones

• Internal zone services

• Application of security policies between internal zones

Click the Need Help icon for detailed configuration information.

You see a success message after the basic configuration is complete.

Applying the Configuration

To apply the configuration settings for vSRX:

1. Review and ensure that the configuration settings are correct, and click Next. The Commit Configuration page appears.

2. Click Apply Settings to apply the configuration changes to vSRX.

3. Check the connectivity to vSRX, as you might lose connectivity if you have changed the management zone IP. Click the URL for reconnection instructions on how to reconnect to the instance.

4. Click Done to complete the setup.

After successful completion of the setup, you are redirected to the J-Web interface.

CAUTION: After you complete the initial setup, you can relaunch the J-Web Setup wizard by clicking Configuration>Setup. You can either edit an existing configuration or create a new configuration. If you create a new configuration, the current configuration in vSRX will be deleted.


Adding vSRX Feature Licenses

Certain Junos OS software features require a license to activate the feature. To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

See “Managing Licenses for vSRX” on page 113 for details.

Managing Security Policies for Virtual Machines Using Junos Space Security Director

Security Director is a Junos Space management application designed to enable quick, consistent, and accurate creation, maintenance, and application of network security policies for your security devices, including vSRX instances. With Security Director, you can configure security-related policy management including IPsec VPNs, firewall policies, NAT policies, IPS policies, and UTM policies, and push the configurations to your security devices. These configurations use objects such as addresses, services, NAT pools, application signatures, policy profiles, VPN profiles, template definitions, and templates. These objects can be shared across multiple security configurations; shared objects can be created and used across many security policies and devices. You can create these objects prior to creating security configurations.

When you finish creating and verifying your security configurations from Security Director, you can publish these configurations and keep them ready to be pushed to all security devices, including vSRX instances, from a single interface.

The Configure tab is the workspace where all of the security configuration happens. You can configure firewall, IPS, NAT, and UTM policies, assign policies to devices, create and apply policy schedules, create and manage VPNs, and create and manage all of the shared objects needed for managing your network security.

Related Documentation

• Security Director

Removing a vSRX Instance from Microsoft Azure

To remove a vSRX instance from Microsoft Azure:

1. Log in to the Azure Portal.

2. In the left pane of the Azure Portal, click the Virtual Machines icon.

3. In the right pane, select the vSRX instance you want to remove, then click Delete to delete it.


NOTE: You can delete a VM while it is running. If desired, you can stop the vSRX instance before deleting it.

4. To delete the disks attached to the deleted vSRX virtual machine, click Delete and then select Delete the Associated VHD.

5. To delete the related cloud service for the deleted vSRX virtual machine, access the Cloud Service tab and click Delete to remove the related cloud services.


CHAPTER 5

vSRX in Microsoft Azure Use Cases

• Example: Configuring an IPsec VPN Between Two vSRX Instances on page 97

• Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure on page 101

Example: Configuring an IPsec VPN Between Two vSRX Instances

This example shows how to configure an IPsec VPN between two instances of vSRX in Microsoft Azure.

• Before You Begin on page 97

• Overview on page 97

• vSRX IPsec VPN Configuration on page 97

• Verification on page 100

Before You Begin

Ensure that you have installed and launched a vSRX instance in a Microsoft Azure virtual network.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.

Overview

You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure using two vSRX instances.

vSRX IPsec VPN Configuration

vSRX1 VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX1:

1. Log in to the vSRX1 in configuration edit mode (see “Configuring vSRX Using the CLI” on page 90).

2. Set the IP addresses for vSRX1 interfaces.


set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24

3. Set up the untrust security zone.

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1

4. Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5. Configure IKE.

set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-proposalA lifetime-seconds 1800
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 198.51.100.10
set security ike gateway gw-siteB local-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB remote-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB external-interface ge-0/0/0.0

NOTE: Be sure to replace 198.51.100.10 in this example with the correct public IP address.

6. Configure IPsec.

set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately


7. Configure routing.

set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1

commit

vSRX2 VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX2:

1. Log in to the vSRX2 in configuration edit mode (see “Configuring vSRX Using the CLI” on page 90).

2. Set the IP addresses for the vSRX2 interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.20.20.10/24
set interfaces st0 unit 1 family inet address 10.0.250.20/24

3. Set up the untrust security zone.

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1

4. Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5. Configure IKE.

set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-proposalA lifetime-seconds 1800
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text preshared-key
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 203.0.113.10


set security ike gateway gw-siteB local-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB remote-identity user-at-hostname "[email protected]"
set security ike gateway gw-siteB external-interface ge-0/0/0.0

NOTE: Be sure to replace 203.0.113.10 in this example with the correct public IP address. Also note that the SiteB local-identity and remote-identity must be the reverse of the SiteA local-identity and remote-identity: each side's local-identity is the other side's remote-identity.

6. Configure IPsec.

set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately

7. Configure routing. On vSRX2 the default route points at the gateway of its own untrust subnet, and the remote trust subnet 10.10.10.0/24 is reached through st0.1; 10.1.0.1 below is the first usable address of 10.1.0.0/24, which Azure reserves for the subnet gateway, following the same convention as 10.0.0.1 on vSRX1.

set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.1.0.1
set routing-instances siteA-vr1 routing-options static route 10.10.10.0/24 next-hop st0.1

commit
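Both vSRX procedures above must end up with identical proposals, the same pre-shared key, mirrored identities, and a vpn that names a real ipsec policy. The Python below is an added example, not Juniper's code: it parses each side's set commands, checks exactly those cross-site dependencies, and lists the settings a reviewer would revisit (aggressive mode, dh-group group2). The sample configs follow the page's example but their identities, pre-shared key and peer addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample configs in the shape of the two-vSRX example above: site A peers
# with 198.51.100.10, site B with 203.0.113.10, identities mirrored as the NOTE requires.
# The identities and the pre-shared key are placeholders, not values from the page.
SITE_TEMPLATE = """
set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike proposal ike-phase1-proposalA lifetime-seconds 1800
set security ike policy ike-phase1-policyA mode aggressive
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text {psk}
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address {peer}
set security ike gateway gw-siteB local-identity user-at-hostname "{local_id}"
set security ike gateway gw-siteB remote-identity user-at-hostname "{remote_id}"
set security ike gateway gw-siteB external-interface ge-0/0/0.0
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately
"""
SITE_A = SITE_TEMPLATE.format(psk="CONSTRUCTED-PSK", peer="198.51.100.10",
                              local_id="siteA@example.com", remote_id="siteB@example.com")
SITE_B = SITE_TEMPLATE.format(psk="CONSTRUCTED-PSK", peer="203.0.113.10",
                              local_id="siteB@example.com", remote_id="siteA@example.com")


def parse_set_commands(text):
    """Turn 'set ...' lines into {path_tuple: [values]}; the last token of each line is the value."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] == "set":
            *path, value = tokens[1:]
            cfg[tuple(path)].append(value.strip('"'))
    return cfg


def first(cfg, *path):
    values = cfg.get(tuple(path))
    return values[0] if values else None


def tunnel_summary(cfg):
    """Follow the references (vpn -> gateway -> policy -> proposal) to the values that must agree."""
    gw = next((p[3] for p in cfg if p[:3] == ("security", "ike", "gateway")), None)
    vpn = next((p[3] for p in cfg if p[:3] == ("security", "ipsec", "vpn")), None)
    ike_policy = first(cfg, "security", "ike", "gateway", gw, "ike-policy")
    ike_proposal = first(cfg, "security", "ike", "policy", ike_policy, "proposals")
    ipsec_policy = first(cfg, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")
    ipsec_proposal = first(cfg, "security", "ipsec", "policy", ipsec_policy, "proposals")

    def subtree(*prefix):
        return {p[len(prefix):]: v for p, v in cfg.items() if p[:len(prefix)] == prefix}

    return {
        "ike_proposal": subtree("security", "ike", "proposal", ike_proposal),
        "ipsec_proposal": subtree("security", "ipsec", "proposal", ipsec_proposal),
        "ipsec_policy_defined": ipsec_proposal is not None,  # catches a vpn naming an IKE policy
        "mode": first(cfg, "security", "ike", "policy", ike_policy, "mode"),
        "psk": first(cfg, "security", "ike", "policy", ike_policy, "pre-shared-key", "ascii-text"),
        "local_id": first(cfg, "security", "ike", "gateway", gw, "local-identity", "user-at-hostname"),
        "remote_id": first(cfg, "security", "ike", "gateway", gw, "remote-identity", "user-at-hostname"),
    }


def check_peers(cfg_a, cfg_b):
    """Errors stop the tunnel from forming; warnings are settings to revisit before going live."""
    a, b = tunnel_summary(cfg_a), tunnel_summary(cfg_b)
    errors, warnings = [], []
    for side, s in (("A", a), ("B", b)):
        if not s["ipsec_policy_defined"]:
            errors.append(f"site {side}: vpn references an undefined ipsec policy")
    if a["ike_proposal"] != b["ike_proposal"]:
        errors.append("IKE proposals differ")
    if a["ipsec_proposal"] != b["ipsec_proposal"]:
        errors.append("IPsec proposals differ")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    if not (a["local_id"] == b["remote_id"] and a["remote_id"] == b["local_id"]):
        errors.append("IKE identities are not mirrored")
    if "aggressive" in (a["mode"], b["mode"]):
        warnings.append("IKEv1 aggressive mode with a pre-shared key exposes identities and a "
                        "PSK-derived hash to eavesdroppers; prefer main mode or version v2-only")
    if a["ike_proposal"].get(("dh-group",)) == ["group2"]:
        warnings.append("dh-group group2 is 1024-bit MODP; prefer group14 or an ECP group the peer supports")
    return errors, warnings
```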

Verification

Verify Active VPN Tunnels

Purpose Verify that the tunnel is up on both vSRX instances.


Action

root@> show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm             SPI      Life:sec/kb   Mon lsys Port  Gateway
  <131074 ESP:aes-cbc-256/sha1  de836105 1504/ unlim   -   root 4500  52.200.89.XXX
  >131074 ESP:aes-cbc-256/sha1  b349bc84 1504/ unlim   -   root 4500  52.200.89.XXX

Related Documentation

• IPsec VPN Overview

• Application Firewall Overview

Example: Configuring an IPsec VPN Between a vSRX and Virtual Network Gateway in Microsoft Azure

This example shows how to configure an IPsec VPN between a vSRX instance and a virtual network gateway in Microsoft Azure.

• Before You Begin on page 101

• Overview on page 101

• vSRX IPsec VPN Configuration on page 101

• Microsoft Azure Virtual Network Gateway Configuration on page 103

• Verification on page 103

Before You Begin

Ensure that you have installed and launched a vSRX instance in a Microsoft Azure virtual network.

See SRX Site-to-Site VPN Configuration Generator and How to troubleshoot a VPN tunnel that is down or not active for additional information.

Overview

You can use an IPsec VPN to secure traffic between two VNETs in Microsoft Azure, with one vSRX protecting one VNet and the Azure virtual network gateway protecting the other VNet.

vSRX IPsec VPN Configuration

Step-by-Step Procedure

To configure IPsec VPN on vSRX:

1. Log in to the vSRX in configuration edit mode (see “Configuring vSRX Using the CLI” on page 90).

2. Set the IP addresses for vSRX interfaces.

set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces st0 unit 1 family inet address 10.0.250.10/24


3. Set up the untrust security zone.

set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.1

4. Set up the trust security zone.

set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0

5. Configure IKE.

set security ike proposal ike-phase1-proposalA authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA mode main
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike policy ike-phase1-policyA pre-shared-key ascii-text <preshared-key>
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ike gateway gw-siteB address 52.175.210.65
set security ike gateway gw-siteB version v2-only
set security ike gateway gw-siteB external-interface ge-0/0/0.0

NOTE: Be sure to replace 52.175.210.65 in this example with the correct public IP address.

6. Configure IPsec.

The following example illustrates a vSRX IPsec configuration using the CBC encryption algorithm:

set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately

If required, you can use AES-GCM as the encryption algorithm in the vSRX IPsec configuration instead of CBC:

set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-gcm


set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB bind-interface st0.1
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
set security ipsec vpn ike-vpn-siteB establish-tunnels immediately

7. Configure routing.

set routing-instances siteA-vr1 instance-type virtual-router
set routing-instances siteA-vr1 interface ge-0/0/0.0
set routing-instances siteA-vr1 interface ge-0/0/1.0
set routing-instances siteA-vr1 interface st0.1
set routing-instances siteA-vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances siteA-vr1 routing-options static route 10.20.20.0/24 next-hop st0.1
commit

Microsoft Azure Virtual Network Gateway Configuration

Step-by-Step Procedure

To configure the Microsoft Azure virtual network gateway, refer to the following Microsoft Azure procedure:

Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections

Ensure that the IKE and IPsec parameters configured on the Microsoft Azure virtual network gateway (IKE version, encryption and integrity algorithms, and Diffie-Hellman group) match the IKE and IPsec parameters configured on the vSRX. If the proposals on the two ends do not match, the site-to-site VPN connection is not established.
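As an added example (not part of the Juniper guide or of Microsoft's documentation), the following Python script performs that consistency check offline: it parses the vSRX set statements from this procedure, follows the references from the ipsec vpn to its IKE and IPsec proposals, translates them into the field names of an Azure IPsec/IKE connection policy, and reports every field on which the two ends differ. A dangling reference (for example an ipsec vpn that names an IKE policy as its ipsec-policy) fails the check instead of surfacing at commit time. The Junos-to-Azure name tables, the sample Azure policy and the decision to treat dangling references as errors are assumptions of this example.

```python
"""Cross-check the vSRX IKE/IPsec statements against the Azure IPsec/IKE
policy they must match.  Added example, not Juniper or Microsoft code.
The Junos-name to Azure-name tables are assumptions made for this example;
confirm them against the Azure VPN gateway documentation you deploy from."""

# Assumed mapping from Junos algorithm/group names to Azure policy values.
IKE_ENC = {"aes-256-cbc": "AES256", "aes-192-cbc": "AES192",
           "aes-128-cbc": "AES128", "3des-cbc": "DES3"}
IKE_AUTH = {"sha-256": "SHA256", "sha-384": "SHA384", "sha1": "SHA1"}
DH = {"group2": "DHGroup2", "group14": "DHGroup14", "group24": "DHGroup24",
      "group19": "ECP256", "group20": "ECP384"}
ESP_ENC = {"aes-256-cbc": "AES256", "aes-128-cbc": "AES128",
           "aes-256-gcm": "GCMAES256", "aes-128-gcm": "GCMAES128"}
ESP_AUTH = {"hmac-sha1-96": "SHA1", "hmac-sha-256-128": "SHA256"}
PFS = {None: "None", "group2": "PFS2", "group14": "PFS14", "group24": "PFS24",
       "group19": "ECP256", "group20": "ECP384"}


def parse_set_config(text):
    """Index Junos 'set' statements: leading tokens are the key, last token the value."""
    cfg = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 2 and tokens[0] == "set":
            cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg


def ref(cfg, path, what):
    """Resolve a reference or fail loudly on a dangling name."""
    value = cfg.get(tuple(path))
    if value is None:
        raise ValueError(f"{what}: '{' '.join(path)}' is not defined")
    return value


def vsrx_as_azure_policy(cfg, vpn):
    """Walk vpn -> ike gateway -> ike policy -> ike proposal and
    vpn -> ipsec policy -> ipsec proposal; return Azure policy field names."""
    gw = ref(cfg, ["security", "ipsec", "vpn", vpn, "ike", "gateway"], "ipsec vpn")
    ike_pol = ref(cfg, ["security", "ike", "gateway", gw, "ike-policy"], "ike gateway")
    ike_prop = ref(cfg, ["security", "ike", "policy", ike_pol, "proposals"], "ike policy")
    ipsec_pol = ref(cfg, ["security", "ipsec", "vpn", vpn, "ike", "ipsec-policy"], "ipsec vpn")
    ipsec_prop = ref(cfg, ["security", "ipsec", "policy", ipsec_pol, "proposals"], "ipsec policy")
    ike = ["security", "ike", "proposal", ike_prop]
    esp = ["security", "ipsec", "proposal", ipsec_prop]
    esp_enc = ESP_ENC[ref(cfg, esp + ["encryption-algorithm"], "ipsec proposal")]
    # AES-GCM is AEAD: Junos takes no separate authentication-algorithm and
    # Azure expects ipsecIntegrity to repeat the GCM algorithm.
    if esp_enc.startswith("GCM"):
        esp_int = esp_enc
    else:
        esp_int = ESP_AUTH[ref(cfg, esp + ["authentication-algorithm"], "ipsec proposal")]
    pfs = cfg.get(("security", "ipsec", "policy", ipsec_pol, "perfect-forward-secrecy", "keys"))
    return {
        "ikeEncryption": IKE_ENC[ref(cfg, ike + ["encryption-algorithm"], "ike proposal")],
        "ikeIntegrity": IKE_AUTH[ref(cfg, ike + ["authentication-algorithm"], "ike proposal")],
        "dhGroup": DH[ref(cfg, ike + ["dh-group"], "ike proposal")],
        "ipsecEncryption": esp_enc,
        "ipsecIntegrity": esp_int,
        "pfsGroup": PFS[pfs],
        "saLifeTimeSeconds": int(ref(cfg, esp + ["lifetime-seconds"], "ipsec proposal")),
        "saDataSizeKilobytes": int(ref(cfg, esp + ["lifetime-kilobytes"], "ipsec proposal")),
    }


def mismatches(vsrx_policy, azure_policy):
    """Fields on which the two ends disagree; an empty list means they agree."""
    return sorted(k for k, v in vsrx_policy.items() if azure_policy.get(k) != v)


# Constructed sample: the guide's vSRX statements (CBC variant), with the
# ipsec vpn referencing the ipsec policy the guide defines.
VSRX_CONFIG = """
set security ike proposal ike-phase1-proposalA dh-group group2
set security ike proposal ike-phase1-proposalA authentication-algorithm sha-256
set security ike proposal ike-phase1-proposalA encryption-algorithm aes-256-cbc
set security ike policy ike-phase1-policyA proposals ike-phase1-proposalA
set security ike gateway gw-siteB ike-policy ike-phase1-policyA
set security ipsec proposal ipsec-proposalA protocol esp
set security ipsec proposal ipsec-proposalA authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposalA encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposalA lifetime-seconds 7200
set security ipsec proposal ipsec-proposalA lifetime-kilobytes 102400000
set security ipsec policy ipsec-policy-siteB proposals ipsec-proposalA
set security ipsec vpn ike-vpn-siteB ike gateway gw-siteB
set security ipsec vpn ike-vpn-siteB ike ipsec-policy ipsec-policy-siteB
"""

# Constructed Azure policy, shaped like the connection's ipsecPolicies entry.
AZURE_POLICY = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup2",
    "ipsecEncryption": "AES256", "ipsecIntegrity": "SHA1", "pfsGroup": "None",
    "saLifeTimeSeconds": 7200, "saDataSizeKilobytes": 102400000,
}

if __name__ == "__main__":
    derived = vsrx_as_azure_policy(parse_set_config(VSRX_CONFIG), "ike-vpn-siteB")
    print("mismatched fields:", mismatches(derived, AZURE_POLICY) or "none")
```

Run it against the `show configuration | display set` output of the vSRX and the policy returned for the Azure connection; any field it lists is a proposal mismatch that will show up as an IKE negotiation failure rather than an established tunnel.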

Verification

Verify Active VPN Tunnels

Purpose  Verify that the tunnel is up between the vSRX instance and the Azure virtual network gateway.

Action  From operational mode, display the IKE and IPsec security associations:

root@> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
8290401  UP     b1adf15fc3dfe0b0  89cc2a12cb7e3cd7  IKEv2  52.175.210.65

root@> show security ipsec security-associations
  Total active tunnels: 1
  ID       Algorithm             SPI       Life:sec/kb      Mon  lsys  Port  Gateway
  <131073  ESP:aes-gcm-256/None  c0e154e2  5567/ 102399997  -    root  4500  52.175.210.65
  >131073  ESP:aes-gcm-256/None  383bd606  5567/ 102399997  -    root  4500  52.175.210.65

The IKE SA is in the UP state and one active IPsec tunnel (an inbound and an outbound SA, marked < and >) exists to the Azure gateway address. The Algorithm column shows the negotiated ESP proposal (here AES-GCM-256, which carries no separate integrity algorithm), and Port 4500 shows that the SAs use NAT-T UDP encapsulation.

RelatedDocumentation

• IPsec VPNOverview

• Application Firewall Overview


CHAPTER 6

vSRX Licensing

• vSRX Feature Licenses Overview on page 105

• Managing Licenses for vSRX on page 113

• vSRX License Model Numbers on page 119

vSRX Feature Licenses Overview

Some Junos OS software features require a license to activate the feature.

To enable a licensed feature, you need to purchase, install, manage, and verify a license

key that corresponds to each licensed feature. To conform to software feature licensing

requirements, youmust purchase one license per feature per instance. The presence of

the appropriate software unlocking key on your virtual instance allows you to configure

and use the licensed feature.

NOTE: If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses.

• vSRX License Procurement and Renewal on page 105

• vSRX Evaluation License on page 106

• License Types on page 108

• Throughput on page 109

• License Duration on page 109

• Individual (á la carte) Feature Licenses on page 110

• Bundled Licenses on page 110

• Stacking Licenses on page 110

• vSRX License Keys Components on page 110

• License Management Fields Summary on page 111

vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to a customer ID. If you did not order the licenses when you purchased your software application, contact your account team or Juniper Networks Customer Care for assistance.

Licenses can be procured from the Juniper Networks LicenseManagement System (LMS).

For license renewal, use the show system license command to find the Juniper vSRX

software serial number that you use to renew a license.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance
      permanent

NOTE: Do not use the show chassis hardware command to get the serial number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.

NOTE: If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command. We recommend deleting existing licenses before performing a software downgrade.

vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with

a 60-day product evaluation license and a 30-day advanced security features license,

both of which allow you to use vSRX and licensed features for a specified periodwithout

having to install a license key.

Table 11 on page 107 lists vSRX evaluation license types.

Table 11: vSRX Evaluation License Types

License Type                                      License Package                          Period    Model Number

Trial license (temporary, for evaluation only)    Product evaluation - Basic               60 days   -
                                                  Product evaluation - Advanced features   30 days   -

Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install

the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an

evaluation license for using vSRX. This product-unlocking license is required to use the

basic functions of the vSRX, such as networking, routing, and basic security features

(such as stateful firewall).

NOTE: The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (https://forums.juniper.net/) and view the Support topics under the vSRX category.

Within 30 days of the license expiration date, a license expiration warning appears each

time you log in to the vSRX instance. After the product evaluation license expires, you

will not be able to use the vSRX; it will be disabled and flow configuration options will

notwork (thevSRXwill stop forwarding traffic). At thispoint, onlymanagement interfaces

and CLI configurations are preserved.

Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required

for advanced security features such as UTM, IDP, and AppSecure. You can download the

trial license for advanced security features from the vSRX Free Trial License Page.

The 30-day trial license period begins on the day you enable the enhanced security

features after you install the 60-day product evaluation license for vSRX. To continue

using vSRX features after the 30-day license period expires, youmust purchase and

install the license; otherwise, the featuresaredisabled. If the license for advancedsecurity

features expireswhile the evaluation license (product unlocking license) is still valid, only

the advanced security features that require a license are disabled.

NOTE: The UTM advanced features have a slightly different trial license strategy. UTM does not require a separate 30-day trial license but instead has a 30-day grace period: after the 30-day advanced security features trial license expires, Juniper Networks allows a further 30 days during which you can continue using UTM features. The grace period goes into effect as soon as the 30-day trial license expires.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention

(ATP). This is a second license that you can apply for a 30-day period in addition to the

advanced security features license for vSRX to enable the Sky ATP features. You can

download the Sky ATP trial license from the vSRX Free Trial License Page.

License Types

Juniper Networks provides a variety of licenses for both basic firewall features and

advanced security features for different throughputs and durations.

If you want to use vSRX to provide basic firewall features, you can use standard (basic)

licenses. However, to use some of the more advanced security features, such as

AppSecure, IDP, and UTM, youmight need to purchase advanced features licenses.

The high-level categories for licenses are:

• Throughput–All licenses have an associated throughput. Throughput rates include 1

Gbps, 2 Gbps, and 4 Gbps onmost platforms.

• Features–Licenses are available for different combinations of feature sets, from

standard (STD) through Content Security Bundle (CS-B).

• Individual or bundled–Licenses can be individual (á la carte) licenses for a set of

features, or can be bundled together to provide a broad range of features in one easy

license to maintain.

• Duration–All licenses have an associated time duration. Basic licenses can be purchased as perpetual (never expire) or subscription based (1-year or 3-year duration). All vSRX licenses are subscription based.

• New or renewal–All subscription licenses are either new (first-time purchase) or

renewals (extending the license duration when the initial new subscription license is

about to expire).

Figure 38 on page 109 shows a sample license SKU and identifies how each field maps

to these categories.

Figure 38: Sample vSRX License SKU

  VSRX-10M-ASECB-3-R

  VSRX     Product
  10M      Throughput
  ASECB    Feature set (bundled or individual)
  3        Duration
  R        New or renewal

These categories of licenses can also be combined, or stacked, to providemore flexibility

for your vSRX use cases.

Throughput

Bandwidth or throughput license types allow you to use a single instance of the software

for up to the maximum throughput specified in the license entitlement. Throughput can

be combined on a single instance of the software so that the maximum throughput for

that instance is the aggregate of all the throughput licenses assigned to that instance.

A throughput license cannot be split across multiple instances. Throughput is identified

in the license entitlement inmegabits per second (Mbps), or gigabits per second (Gbps).

For example, if youwant3Gbpsof throughput for a vSRX instanceusing theSTD features,

youwould purchase a 1G STD license and a 2GSTD license and install both on the vSRX.

If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster,

you could not use the same 2 Gbps license on both vSRX instances. You would need to

purchase one set of licenses for each vSRX instance in the cluster.

License Duration

All licenses can be perpetual or subscription based.

• Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support; you must purchase that separately. vSRX software releases such as vSRX for AWS do not support perpetual licenses.

• Subscription license–A subscription license is an annual license that allows you to use

the licensed software feature for the matching duration. Subscriptions might involve

periodic downloads of content (such as for IDP threat signature files). Subscription

licenses start when you retrieve the license key or 30 days after purchase if you have

not retrieved the license key. At the end of the license period, you need to renew the

license to continue using it.

NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.

Individual (á la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired

throughput rate. Beyond that, you can select from a range of individual feature licenses

thatprovideadditional security feature sets. The feature licensemustmatch the standard

license rate.

NOTE: AWS does not support individual licenses.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput

for a year, you could purchase the following individual licenses:

• VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.

• VSRX-CS-1G-1—Provides the advanced features.

Bundled Licenses

Bundled licenses simplify the licensemanagement by combining one or more individual

licenses into a single bundled license. Instead of installing andmanaging a standard

throughput licenseandoneormore individualadvanced feature licenses, youcanpurchase

one of the bundle license options andmanage one license instead.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput

for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes

the STD throughput license. This means you only need to manage one license instead

of two individual licenses.

Stacking Licenses

You can combine individual or bundled licenses to combine features or build up the

overall supplied throughput for the vSRX instance.

For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of

throughput for the vSRX instance. You can also combine individual licenses, such as

Sophos antivirus (SAV) andWebsense EnhancedWeb Filtering (EWF) to get both sets

of security features.

NOTE: Individual licenses require a STD license with the same throughput rate.

vSRX License Keys Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license

is generated, it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.


For example, in the following typical license key, the string E413XXXX57 is the license ID,

and the trailing block of data is the license data:

E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

The license data conveys the customer ID and the software serial number (Juniper

Networks support reference number) to the vSRX instance.

LicenseManagement Fields Summary

The Licenses window displays a summary of licensed features that are configured on

the vSRX instance and a list of licenses that are installed on the vSRX instance.

To view the license details, selectMaintain>Licenses in the J-Web user interface. The

Licenses window appears as shown in Figure 39 on page 111.

Figure 39: J-Web LicensesWindow Showing Installed Licenses

You can also view the details of a license in the CLI using the show system license

command. The following sample shows details of an evaluation license in the CLI:

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               0            1           0    2016-04-15 08:00:00 CST
  appid-sig                             0            1           0    2016-04-15 08:00:00 CST
  av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
  wf_key_websense_ewf                   0            1           0    2016-04-15 08:00:00 CST
  Virtual Appliance                     1            1           0    2016-04-25 08:00:00 CST

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

The information on the licensemanagement page is summarized in Table 12 on page 112.

Table 12: Summary of License Management Fields

Feature Summary

  Feature: Name of the licensed feature:
    • Features: Software feature licenses.
    • All features: All-inclusive licenses.

  Licenses Used: Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.

  Licenses Installed: Number of licenses installed on the vSRX instance for the particular feature.

  Licenses Needed: Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: if a feature is configured and the license for that feature is not installed, a license is needed.

  Licenses expires on: Date the license expires.

Installed Licenses

  ID: Unique alphanumeric ID of the license.

  State: Valid, the installed license key is valid; Invalid, the installed license key is not valid.

  Version: Numeric version number of the license key.

  Group: If the license defines a group license, this field displays the group definition.
    NOTE: Because group licenses are currently unsupported, this field is always blank.

  Enabled Features: Name of the feature that is enabled with the particular license.

  Expiration: Date the license expires.

  Software serial number: The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.

  Customer ID: ID that identifies the registered user.

Managing Licenses for vSRX

Before you begin, ensure that you have retrieved the license key from the Juniper License

Management System (LMS).

This section includes the following topics:

• vSRX Evaluation License Installation Process on page 113

• Adding a New License Key with J-Web on page 114

• Adding a New License Key from the CLI on page 115

• Updating vSRX Licenses on page 116

• Deleting a License with J-Web on page 117

• Deleting a License with the CLI on page 118

• LicenseWarning Messages on page 118

vSRX Evaluation License Installation Process

Juniper Networks provides a 60-day evaluation license for vSRX standard features. When

you download and install the vSRX image, you are entitled to use this evaluation license

for 60 days as a trial. In addition to the 60-day vSRX evaluation license, there is a 30-day

advanced security features trial license for vSRX that is required for advanced security

features such as UTM, IDP, and AppSecure.

You can download the 30-day advanced security feature trial license from the vSRX Free

Trial License Page.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention

(ATP). This is a second license that you can apply for a 30-day period in addition to the

advanced security features license for vSRX to enable the Sky ATP features. You can

download the Sky ATP trial license from the vSRX Free Trial License Page.

Installation of the advanced security feature trial license is similar to the regular license

installation performed from the CLI (see “Adding a New License Key from the CLI” on

page 115).

Within 30 days of the license expiration date, a license expiration warning appears each

time you log in to the vSRX instance. After the product evaluation license expires, you

will not be able to use the vSRX; it will be disabled and flow configuration options will

notwork (thevSRXwill stop forwarding traffic). At thispoint, onlymanagement interfaces

and CLI configurations are preserved.

NOTE: The 30-day evaluation license period begins on the day you enable enhanced security features after installing evaluation licenses. To continue using vSRX features after an optional 30-day evaluation period, you must purchase and install the license. Otherwise, the features are disabled.

For details about the 60- and 30-day license evaluation periods for the vSRX see “vSRX

Feature Licenses Overview” on page 105 .

Adding a New License Key with J-Web

To install a license using the J-Web interface:

1. SelectMaintain>Licenses on the J-Web user interface. The Licenses window is

displayed as shown in Figure 40 on page 114.

Figure 40: J-Web LicensesWindow

2. Under Installed Licenses, click Add. The Add License window is displayed as shown

in Figure 41 on page 115.


Figure 41: Add LicenseWindow

3. Do one of the following, using a blank line to separate multiple license keys:

• Enter the full URL to the destination file containing the license key in the License

File URL box.

• Paste the license key text, in plaintext format, in the License Key Text box.

4. ClickOK to add the license key. The License Details window is displayed as shown in

Figure 42 on page 115.

Figure 42: License DetailsWindow

The license key is installed and activated on the vSRX instance.

Adding a New License Key from the CLI

You can add a license key from a local file, from a remote URL, or from the terminal.

To install a license from the CLI:

1. Use the request system license add operational mode command to either add the

license from a local file or remote URL that contains the license key, or to manually

paste the license key in the terminal.

user@vsrx> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
E413XXXX57 aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff aaaaaa aaaaaa bbbbbb cccccc dddddd eeeeee ffffff cccccc bbbbbb dddddd aaaaaa ffffff

E413XXXX57: successfully added
add license complete (no errors)

NOTE: You can save the license key to a file and upload the file to the vSRX file system through FTP or Secure Copy (SCP), and then use the request system license add file-name command to install the license.

2. Optionally, use the show system license command to view details of the licenses.

root@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  wf_key_websense_ewf                   1            0           1    invalid

Licenses installed: none

The license key is installed and activated on the vSRX instance.

Updating vSRX Licenses

You can update the vSRX licenses using either of the following twomethods:

• Automatic license update using the CLI

• Manual license update using the CLI

As a prerequisite, youmust install at least one valid license key on your vSRX instance

for required features. Automatic license updates as well as manual license updates are

performed based on a valid software serial number and customer ID embedded in the

license key.

To enable automatic license updates from the CLI:

1. Contact your account team or Juniper Networks Customer Care to extend the validity

period of existing license keys and obtain the URL for a valid update server.

2. Once you have successfully extended your license key and received the update server

URL, configure the auto-update parameter:

user@host# set system license autoupdate url https://ae1.juniper.net/

3. Configure renew options (if required). The following sample allows vSRX to contact

the license server 30 days before the current license expires and sends an automatic

update request every 6 hours.

user@host# set system license renew before-expiration 30
user@host# set system license renew interval 6
user@host# commit

Tomanually update the licenses from the CLI:

1. Use the following command to update the license keys manually:

user@host> request system license update <url.of.license.server>

This command sends a license update request to the license server immediately.

NOTE: The request system license update commandwill always use the

default Juniper license server: https://ae1.juniper.net

2. Check the status of the license by entering the show system license command.

Deleting a License with J-Web

To delete a license using the J-Web interface:

1. SelectMaintain>Licenses.

2. Select the check box of the license or licenses you want to delete as shown in

Figure 43 on page 117.

Figure 43: Deleting a License

3. Click Delete.

4. ClickOK to confirm your deletion as shown in Figure 44 on page 118.


Figure 44: Delete LicensesWindow

The license you deleted is removed.

Deleting a License with the CLI

To delete a license using the CLI:

1. From operational mode, for each license, enter the following command and specify

the license ID. You can delete only one license at a time.

user@host> request system license delete <license-key-identifier>

Or you can use the following command to delete all installed licenses.

user@host> request system license delete all

2. Type yeswhen you are prompted to confirm the deletion.

Delete license JUNOS606279 ? [yes,no] (no)

The license you deleted is removed.

LicenseWarningMessages

Youmust purchase a new license or renew your existing subscription-based license to

have a seamless transition from the old license to the new one.

The following conditions occur when a license expires on vSRX:

• Evaluation license for thecoreexpires—Packet forwardingonvSRX isdisabled.However,

you canmanage vSRX through the fxp0management interface, and the CLI

configuration is preserved.

• Subscription-based licenses for advanced security features expire but

subscription-based licenses for core servicesareactive—A30-daygraceperiodbegins,

allowing the user to continue using advanced security features. After the grace period,

advanced security features are disabled. Basic features are always available in the

vSRX. After subscription-based licenses for core services expire, a warning message

is displayed to notify the user, but basic features will remain preserved for the user.

• Subscription-based license for core features expires but subscription-based license

for advanced security features is active—Awarning message is displayed to notify the

user. However, you can continue to use the basic features on the vSRX. Advanced

security features are disabled when the subscription-based license for advanced

security features expires, but basic features will remain preserved for the user.

NOTE: All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.

To use features that require a license, youmust install and configure a license. After the

license expires, warning messages are displayed in the system log and on the J-Web

dashboard.

When a license expires, the System Alarms section of the J-Web dashboard displays a

message stating that the license has expired as shown in Figure 45 on page 119.

Figure 45: J-Web Dashboard for License ExpiryWarning

When a license expires, the following message appears when you log in:

Virtual Appliance License is invalid
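As an added example (not Juniper code), the following Python script parses the License usage table of show system license, in the format shown in the samples in this chapter, and lists the features whose license is needed, invalid, expired or about to expire. Because a lapsed Virtual Appliance license stops the vSRX from forwarding traffic, an operator would run this from a scheduled job rather than rely on the login warning alone. The sample output is constructed from the outputs in this guide; the 30-day warning window mirrors the login warning described above and is an assumption of the example, as is collecting the command output (for example over SSH) before feeding it to the script.

```python
"""Parse 'show system license' output from a vSRX and flag licenses that are
missing, invalid, expired or about to expire.  Added example, not Juniper code.
The CLI layout follows the samples in this guide; the warning window and the
way the output is collected are assumptions of the example."""
import re
from datetime import date, datetime

# One row of the "License usage" table: feature name (may contain spaces),
# three integer counters, then the Expiry column as free text.
USAGE_ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)\s+(?P<expiry>\S.*?)\s*$")


def parse_license_usage(output):
    """Return the License usage rows as dicts; stops at 'Licenses installed:'."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("License usage:"):
            in_table = True
            continue
        if line.startswith("Licenses installed:"):
            break
        m = USAGE_ROW.match(line) if in_table else None
        if m:  # header lines carry no counters and do not match
            rows.append({"feature": m["name"], "used": int(m["used"]),
                         "installed": int(m["installed"]), "needed": int(m["needed"]),
                         "expiry": m["expiry"]})
    return rows


def days_remaining(expiry, today):
    """Translate the Expiry column into days left: None for 'permanent',
    -1 for 'invalid', negative once an absolute expiry date has passed."""
    if expiry == "permanent":
        return None
    if expiry == "invalid":
        return -1
    m = re.fullmatch(r"(\d+) days?", expiry)
    if m:
        return int(m.group(1))
    # e.g. "2016-04-15 08:00:00 CST"; the trailing time zone is ignored
    return (datetime.strptime(expiry[:19], "%Y-%m-%d %H:%M:%S").date() - today).days


def license_alerts(output, today_iso, warn_days=30):
    """(feature, reason) pairs an operator should act on, in table order."""
    today = date.fromisoformat(today_iso)
    alerts = []
    for row in parse_license_usage(output):
        left = days_remaining(row["expiry"], today)
        if row["needed"] > 0 or row["expiry"] == "invalid":
            alerts.append((row["feature"], "license needed"))
        elif left is not None and left < 0:
            alerts.append((row["feature"], "expired"))
        elif left is not None and left <= warn_days:
            alerts.append((row["feature"], f"expires in {left} days"))
    return alerts


# Constructed sample assembled from the outputs shown in this guide.
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2016-04-15 08:00:00 CST
  idp-sig                               0            1           0    2016-04-15 08:00:00 CST
  av_key_sophos_engine                  0            3           0    2016-07-29 08:00:00 CST
  wf_key_websense_ewf                   1            0           1    invalid
  Virtual Appliance                     1            1           0    2016-04-25 08:00:00 CST

Licenses installed:
  License identifier: E420588955
"""

if __name__ == "__main__":
    for feature, reason in license_alerts(SAMPLE_OUTPUT, "2016-04-01"):
        print(f"{feature}: {reason}")
```

Pipe the live command output into license_alerts with today's date; anything it returns for Virtual Appliance is the alert to act on first, since that license gates packet forwarding, while the advanced-feature rows only disable the corresponding features.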

vSRX LicenseModel Numbers

The licenses used by all Juniper Networks instances are based on SKUs, which represent

lists of features. Each license includes a list of features that the license enables along

with information about those features.

For information about purchasing software licenses, contact your JuniperNetworks sales

representative at https://www.juniper.net/in/en/contact-us/.

vSRX licenses are based on application packages and processing capacity.

vSRX provides bandwidth in the following capacities (throughput per instance): 1 Gbps,

2Gbps, and4Gbps. Eachof thesebandwidth tiers isofferedwith threedifferentpackages.

Table 13 on page 120 describes the features available with the various license packages.


Table 13: vSRX Licensing Package Types

License Type: STD

  Description: Includes the following features:
  • Core security: firewall, ALG, screens, user firewall
  • IPsec VPN (site-to-site VPN)
  • NAT
  • CoS
  • Routing services: BGP, OSPF, DHCP, J-Flow, IPv4
  • Foundation: static routing, management (J-Web, CLI, and NETCONF), on-box logging, diagnostics

  License Model Numbers: These Standard (STD) bandwidth SKUs are available for vSRX:
  • VSRX-1G-STD-CLD-1: 1-Gbps throughput (1-year subscription)
  • VSRX-1G-STD-CLD-3: 1-Gbps throughput (3-year subscription)
  • VSRX-2G-STD-CLD-1: 2-Gbps throughput (1-year subscription)
  • VSRX-2G-STD-CLD-3: 2-Gbps throughput (3-year subscription)
  • VSRX-4G-STD-CLD-1: 4-Gbps throughput (1-year subscription)
  • VSRX-4G-STD-CLD-3: 4-Gbps throughput (3-year subscription)

License Type: ASCB

  Description: Includes all STD features bundled with IPS and AppSecure signatures, along with the following features:
  • AppID
  • AppFW
  • AppQoS
  • AppTrack

  License Model Numbers: These AppSecure Bundled (ASB) bandwidth SKUs are available for vSRX:
  • VSRX-1G-ASB-CLD-1: 1-Gbps throughput (1-year subscription)
  • VSRX-1G-ASB-CLD-3: 1-Gbps throughput (3-year subscription)
  • VSRX-2G-ASB-CLD-1: 2-Gbps throughput (1-year subscription)
  • VSRX-2G-ASB-CLD-3: 2-Gbps throughput (3-year subscription)
  • VSRX-4G-ASB-CLD-1: 4-Gbps throughput (1-year subscription)
  • VSRX-4G-ASB-CLD-3: 4-Gbps throughput (3-year subscription)

License Type: CSB

  Description: Includes all STD features, along with the features bundled with ASCB, plus the following UTM features:
  • Antivirus
  • Content filtering
  • Web filtering

  License Model Numbers: These Content Security Bundled (CSB) bandwidth SKUs are available for vSRX:
  • VSRX-1G-CSB-CLD-1: 1-Gbps throughput (1-year subscription)
  • VSRX-1G-CSB-CLD-3: 1-Gbps throughput (3-year subscription)
  • VSRX-2G-CSB-CLD-1: 2-Gbps throughput (1-year subscription)
  • VSRX-2G-CSB-CLD-3: 2-Gbps throughput (3-year subscription)
  • VSRX-4G-CSB-CLD-1: 4-Gbps throughput (1-year subscription)
  • VSRX-4G-CSB-CLD-3: 4-Gbps throughput (3-year subscription)


NOTE: License stacking is allowed. For example, to license 3 Gbps of throughput for the standard (STD) feature set for 1 year, use a VSRX-1G-STD-CLD-1 license together with a VSRX-2G-STD-CLD-1 license.


CHAPTER 7

Troubleshooting

• Finding the Software Serial Number for vSRX on page 123

Finding the Software Serial Number for vSRX

You need the software serial number to open a support case or to renew a vSRX license.

1. Use the show system license command to find the vSRX software serial number.

vsrx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance permanent
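Renewal needs two things this chapter covers: the software serial number from the procedure above, and the SKUs to stack for the throughput you want (the license-stacking note in Chapter 6). The following script is an added example and not Juniper code; it parses a constructed copy of the show system license output shown above (as you would capture it over SSH or NETCONF) to pull out the serial numbers, flag licenses that are short of coverage or close to expiry before the "Virtual Appliance License is invalid" message appears at login, and tally the throughput of a set of stacked SKUs. The SKU pattern is derived from the model numbers in Table 13 and is an assumption for any SKU not listed there; the 30-day warning threshold is likewise a chosen value, not something the guide specifies.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the guide's "show system license" output
# (one 60-day evaluation license and one permanent license).
SAMPLE_OUTPUT = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    58 days

Licenses installed:
  License identifier: E420588955
  License version: 4
  Software Serial Number: 20150625
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance count-down, Original validity: 60 days

  License identifier: JUNOS657051
  License version: 4
  Software Serial Number: 9XXXXAXXXXXXX9
  Customer ID: MyCompany
  Features:
    Virtual Appliance - Virtual Appliance permanent
"""

# A data row of the "License usage" table: name, used, installed, needed, expiry.
USAGE_ROW = re.compile(r"^(.+?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")
# Assumed shape of the cloud subscription SKUs listed in Table 13.
SKU = re.compile(r"^VSRX-(\d+)G-(STD|ASB|CSB)-CLD-(\d+)$")


@dataclass
class InstalledLicense:
    identifier: str
    version: str = ""
    serial_number: str = ""
    customer_id: str = ""
    features: List[str] = field(default_factory=list)


def parse_show_system_license(text: str) -> Tuple[Dict[str, dict], List[InstalledLicense]]:
    """Return ({feature: {used, installed, needed, expiry}}, [InstalledLicense, ...])."""
    usage: Dict[str, dict] = {}
    licenses: List[InstalledLicense] = []
    section = None
    current: Optional[InstalledLicense] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "License usage:":
            section = "usage"
        elif line == "Licenses installed:":
            section = "installed"
        elif section == "usage":
            m = USAGE_ROW.match(line)  # header lines carry no digits and are skipped
            if m:
                usage[m.group(1)] = {"used": int(m.group(2)), "installed": int(m.group(3)),
                                     "needed": int(m.group(4)), "expiry": m.group(5)}
        elif section == "installed":
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "License identifier":
                current = InstalledLicense(identifier=value)
                licenses.append(current)
            elif current is None or (key == "Features" and not value):
                continue  # "Features:" only introduces the feature lines that follow
            elif key == "License version":
                current.version = value
            elif key == "Software Serial Number":
                current.serial_number = value
            elif key == "Customer ID":
                current.customer_id = value
            else:
                current.features.append(line)
    return usage, licenses


def expiry_days(expiry: str) -> Optional[int]:
    """'58 days' -> 58; 'permanent' (or any other text) -> None."""
    m = re.match(r"(\d+)\s+days?$", expiry)
    return int(m.group(1)) if m else None


def licenses_needing_attention(usage: Dict[str, dict], threshold_days: int = 30) -> List[str]:
    """Features that are short of licenses or whose expiry is within threshold_days (assumed 30)."""
    flagged = []
    for feature, row in usage.items():
        days = expiry_days(row["expiry"])
        if row["needed"] > 0 or (days is not None and days <= threshold_days):
            flagged.append(feature)
    return flagged


def software_serial_numbers(licenses: List[InstalledLicense]) -> List[str]:
    """The serial numbers needed to open a support case or renew a subscription."""
    return [lic.serial_number for lic in licenses]


def parse_sku(sku: str) -> dict:
    m = SKU.match(sku)
    if not m:
        raise ValueError(f"not a recognised vSRX cloud subscription SKU: {sku}")
    return {"gbps": int(m.group(1)), "package": m.group(2), "term_years": int(m.group(3))}


def stacked_throughput(skus: List[str]) -> Dict[Tuple[str, int], int]:
    """Total licensed throughput in Gbps of stacked SKUs, tallied per (package, term)."""
    totals: Dict[Tuple[str, int], int] = {}
    for sku in skus:
        p = parse_sku(sku)
        key = (p["package"], p["term_years"])
        totals[key] = totals.get(key, 0) + p["gbps"]
    return totals


if __name__ == "__main__":
    usage, installed = parse_show_system_license(SAMPLE_OUTPUT)
    print("serial numbers:", software_serial_numbers(installed))
    print("attention within 60 days:", licenses_needing_attention(usage, 60))
    print("stacked:", stacked_throughput(["VSRX-1G-STD-CLD-1", "VSRX-2G-STD-CLD-1"]))
```

Feed the script the output of show system license captured from each vSRX instance and run it from a scheduled job; the flagged list is what to alert on, and the serial numbers are what to attach to the renewal request. The tally is grouped by package and term only as a bookkeeping aid, since the guide's stacking example combines SKUs of the same feature set and term.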
