
Creating Cloud Spoke Sites for SD-WAN Deployment

10-Jun-18

A cloud spoke represents an automation endpoint (a virtual machine (VM) or an EC2 instance) running a Juniper Networks vSRX image in an Amazon Web Services (AWS) virtual private cloud (VPC). Cloud spoke sites are connected to the hub sites through overlay connections. You create a cloud spoke site from the Sites page. This topic describes how to create a cloud spoke site for a tenant.

To create a cloud spoke site:

  1. Select Sites > Site Management.

    The Sites page appears.

  2. Click Add and select Cloud Spoke.

    The Add Site for Tenant Name page appears.

  3. Complete the configuration settings in the Site Information, Configuration, and Service Attachment Points sections according to the guidelines provided in Table 1.

    Table 1: Fields on the Add Cloud Spoke Site Page

    Field

    Description

    Site Information

    Site Name

    Enter a unique name for the site: a string of alphanumeric characters and the special character (-). The maximum length is 15 characters.

    Example: aws-cloud-spoke

    Site Type

    Displays the site type as Spoke. This field cannot be modified.

    Tenant Topology

    Displays the topology of the tenant that was selected during the creation of the tenant. This field cannot be modified.

    Note: Only hub-and-spoke topology is supported.

    Site Group

    (Optional) Select a site group to which you want to assign the site.

    Example: cloud-spoke

    Cloud Information

    Region

    Select the region to which the site belongs. The regions in CSO are mapped to the regions in the AWS account.

    Example: Ohio

    VPC ID

    Enter the VPC ID from the AWS account. Ensure that the VPC is attached to an Internet gateway.

    To obtain the VPC ID:

    1. Log in to the AWS account.
    2. Search for the VPC service.
    3. Click the VPC dashboard.
    4. Select a VPC ID.

    To check whether the VPC is attached to an Internet gateway:

    1. Log in to the AWS account.
    2. Search for the VPC service.
    3. Click the Internet Gateway dashboard.
    4. Check whether the VPC state is attached.

    Example: vpc-6d810314

    Management Subnet

    Specify whether CSO must create a new subnet or use an existing subnet from the AWS account. The management subnet of vSRX is used to push the initial stage-1 configuration. The following options are available:

    • Use an existing subnet in AWS account

    • Create new

    IP Prefix

    Enter the management IP prefix. The first four IP addresses in the subnet are reserved by AWS; for example, IP addresses x.x.x.0/x through x.x.x.3/x are always reserved. Hence, provide an IP address outside the reserved range.

    Example: 105.0.1.5/24

    Connectivity Requirements

    Click a connection plan to select the plan for WAN connectivity.

    A connection plan contains information prepopulated from the device template, and includes the device information, a list of SD-WAN features supported, and the number of links supported.

    Note: vSRX as SD-WAN spoke in AWS template supports cloud spoke site for AWS VPC.

    WAN Underlay Links

    WAN_0

    WAN_1

    Select the check boxes to configure the WAN links. Depending on the connection plan selected, you can configure up to two WAN links per site that support SD-WAN. You can configure these links as MPLS or Internet links.

    Name

    Displays the name of the WAN link. This field cannot be modified.

    Type

    Displays the connection type for WAN underlays. Only Internet link is supported.

    Subscribed Bandwidth

    Enter the maximum bandwidth (in Mbps) to be allowed for a specific WAN link.

    Provider

    Enter the name of the Internet Service Provider (ISP).

    Cost/Month

    Enter the cost per month of the subscribed bandwidth in the specified currency. In bandwidth-optimized SD-WAN, this information is used to identify the least-expensive link to route traffic if multiple WAN links meet SLA profile parameters. For more information on link switching based on the cost parameter, see Cost-Based Link Switching.

    Static IP Prefix

    Enter the private IPv4 address from the subnet. For example, if the IPv4 CIDR address is 105.0.2.0/24 for a WAN interface in the AWS account, then enter any IP address inside the subnet. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP prefix other than the reserved IP prefix.

    Example: 105.0.2.12/24

    Gateway IP

    Enter the IPv4 address for the gateway. Typically, the first IP address in the subnet is selected for gateway IP address.

    Example: 105.0.2.1

    Elastic IP

    An Elastic IP address is a public, static IPv4 address designed for dynamic cloud computing. The public IP address is mapped to the private subnet IP address using one-to-one NAT. You must allocate one Elastic IP address for each WAN link that is enabled. For example, if two WAN links are enabled, then you must allocate two Elastic IP addresses.

    Example: 34.213.255.184

    Traffic Type

    Select the traffic type. The options available are:

    • DATA_ONLY—Select this option if you want to use the WAN link to transmit only data traffic.

    • OAM_AND_DATA—Select this option if you want to use the WAN link to transmit both data traffic and management traffic.

    Note: You must select at least one WAN link with the OAM_AND_DATA traffic type.

    Additional Requirements

    Based on the connectivity requirement, the following fields are populated:

    Default Links

    Select the default links that must be used for routing traffic. The site can have multiple default links to the hub site as well as to the Internet.

    Default links are used primarily for overlay traffic but can be used for local breakout traffic as well. A default link cannot be used exclusively for local breakout traffic. The default link is optional; if no default link is chosen, all links are used through equal-cost multipath (ECMP).

    Backup Link

    Select a backup link through which traffic can be routed when the primary links are unavailable. You cannot select the default link as the backup link. Note that you cannot assign the backup link for exclusive breakout traffic (the Use only for breakout traffic option). If local breakout is enabled for the site, the breakout traffic is also routed through the backup link when the breakout link is not available.

    When a primary link comes back online, CSO monitors the performance on the primary link and when the primary link meets the SLA requirements, the traffic is switched back to the primary link. However, note that the SLA data is not monitored for the backup link.

    Enable Local Breakout

    Click the toggle button to enable local breakout on the site.

    Links for Breakout

    Select the WAN links on which you want to enable local breakout. You can also choose to use any one WAN link exclusively for local breakout traffic or for both local breakout and WAN traffic.

    Preferred Breakout Link

    Select the preferred link for local breakout. If no link is selected, then the breakout link is chosen using ECMP from the available links.

    LAN Segments

    Add at least one LAN segment.

    Name

    Enter a unique string of alphanumeric characters and the special character (-). No spaces are allowed, and the maximum length is 15 characters.

    Ports

    Select a LAN port from the drop-down list.

    Note: The ports in a LAN segment must be contiguous. For example, if both WAN_0 and WAN_1 are enabled and are using interfaces ge-0/0/0 and ge-0/0/1 respectively, then LAN_0 must use ge-0/0/2. If only WAN_0 is enabled and is using interface ge-0/0/0, then LAN_0 must use ge-0/0/1.

    IP Address Prefix

    Enter one or more IPv4 prefixes for the LAN segment for the service. The IP prefix is for the network on the LAN side of the CPE device with the vSRX instance. In the AWS account, check the subnet and provide an IPv4 address within it. The first four IP addresses in the subnet are reserved by AWS. Hence, provide an IP address outside the reserved range.

    Example: 105.0.4.5/24

    Department

    Select a department to which you want to assign the LAN segment. Click Create Department to create a new department and assign the LAN segment to it. You group LAN segments as departments for ease of management and for applying policies at the department level.

    Departments

    Create departments to group LAN segments within a site. You use departments to apply specific policies to LAN segments that are members of a department.

    Name

    Enter a name for the department.

    Description

    Enter a description for the department.

    VPN

    Select a VPN to which you want to assign the department.

  4. Review the configuration and modify the settings, if needed, from the Summary tab.
  5. Click OK.

    The newly created cloud site is displayed on the Sites page.
