Requirements for vSRX Virtual Firewall on AWS

This section presents an overview of requirements for deploying a vSRX Virtual Firewall instance on Amazon Web Services (AWS).

Minimum System Requirements for AWS

Table 1 lists the minimum system requirements for vSRX Virtual Firewall instances to be deployed on AWS.

Table 1: Minimum System Requirements for vSRX Virtual Firewall

Component              Specification and Details
Hypervisor support     XEN-HVM
Memory                 4 GB
Disk space             16 GB
vCPUs                  2
vNICs                  3
vNIC type              SR-IOV

AMD Processors

Starting in Junos OS Release 22.3R2, vSRX Virtual Firewall 3.0 on Amazon Web Services (AWS) supports Advanced Micro Devices (AMD) processors for better performance.

Interface Mapping for vSRX Virtual Firewall on AWS

vSRX Virtual Firewall on AWS supports up to a maximum of eight network interfaces, but the actual maximum number of interfaces that can be attached to a vSRX Virtual Firewall instance is dictated by the AWS instance type in which it is launched. For AWS instances that allow more than eight interfaces, vSRX Virtual Firewall will support up to a maximum of eight interfaces only.

The following are the supported C5 instance types:

  • c5.large

  • c5.xlarge

  • c5.2xlarge

  • c5.4xlarge

  • c5.9xlarge

  • c5n.2xlarge

  • c5n.4xlarge

  • c5n.9xlarge

The following are the supported AMD-based AWS instance types:

  • c5a.16xlarge

  • c5a.8xlarge

  • c5a.4xlarge

  • c5a.2xlarge

  • c5a.xlarge

For more information on instance details such as vCPUs, memory, and so on, see Pricing Information.

For more information on the maximum number of network interfaces by instance type, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html.

Table 2 shows a mapping between vSRX Virtual Firewall interface names and their corresponding AWS interface names for up to eight network interfaces. The first network interface is used for the out-of-band management (fxp0) for vSRX Virtual Firewall.

Table 2: vSRX Virtual Firewall and AWS Interface Names

Interface Number   vSRX Virtual Firewall Interface   AWS Interface
1                  fxp0                              eth0
2                  ge-0/0/0                          eth1
3                  ge-0/0/1                          eth2
4                  ge-0/0/2                          eth3
5                  ge-0/0/3                          eth4
6                  ge-0/0/4                          eth5
7                  ge-0/0/5                          eth6
8                  ge-0/0/6                          eth7

We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric routing. Since fxp0 is part of the default (inet.0) routing table, there might be two default routes needed in the same routing instance: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access, resulting in asymmetric routing. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.

Note:

Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.

vSRX Virtual Firewall Default Settings on AWS

vSRX Virtual Firewall requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

  • The Elastic Network Adapter (ENA) driver components that vSRX Virtual Firewall depends on must be in place.

Table 3 lists the factory-default settings for security policies on the vSRX Virtual Firewall.

Table 3: Factory-Default Settings for Security Policies

Source Zone   Destination Zone   Policy Action
trust         untrust            permit
trust         trust              permit

CAUTION:

Do not use the load factory-default command on a vSRX Virtual Firewall AWS instance. The factory-default configuration removes the AWS preconfiguration. If you must revert to factory default, ensure that you manually reconfigure AWS preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX Virtual Firewall instance. See Configure vSRX Using the CLI for AWS preconfiguration details.
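The interface mapping and routing-instance recommendation above, together with the basic configuration settings (addresses, zones, policies) listed in this section, can be turned into a concrete configuration. The following is an added example, not code from the Juniper page or from Junos itself: a POSIX shell script that maps AWS interface names to vSRX interface names per Table 2, refuses to move fxp0 out of inet.0, emits the Junos set statements for the revenue interfaces, their virtual-router routing instance and a trust-to-untrust permit policy, and checks the zone/routing-instance constraint from the note above. The addresses, next hops, zone names and the routing-instance name VR-DATA are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Juniper page or Junos). Generates the Junos "set"
# statements described above for a vSRX on AWS: fxp0 (eth0) stays in inet.0
# with the management default route, the revenue interfaces go into their own
# virtual-router with a separate default route, so no routing table holds two
# defaults. Addresses, next hops, zone and VR names below are assumptions.

# Map an AWS interface name (eth0..eth7, Table 2) to the vSRX interface name.
vsrx_ifname() {
    case "$1" in
        eth0)     echo fxp0 ;;
        eth[1-7]) echo "ge-0/0/$(( ${1#eth} - 1 ))" ;;
        *)        echo "unsupported AWS interface: $1" >&2; return 1 ;;
    esac
}

# Same mapping, but refuse eth0: it is fxp0, which must stay in inet.0 for
# out-of-band management.
revenue_ifname() {
    ifname=$(vsrx_ifname "$1") || return 1
    [ "$ifname" != fxp0 ] || { echo "$1 is the management interface fxp0" >&2; return 1; }
    echo "$ifname"
}

# Address one revenue interface and bind it to a security zone.
#   $1 AWS interface name, $2 address/prefix, $3 zone name
revenue_interface_config() {
    ifname=$(revenue_ifname "$1") || return 1
    printf 'set interfaces %s unit 0 family inet address %s\n' "$ifname" "$2"
    printf 'set security zones security-zone %s interfaces %s.0\n' "$3" "$ifname"
}

# Put revenue interfaces into a virtual-router that carries its own default route.
#   $1 routing-instance name, $2 next hop for that default route,
#   remaining arguments: AWS interface names carrying revenue traffic
revenue_vr_config() {
    vr=$1; nh=$2; shift 2
    printf 'set routing-instances %s instance-type virtual-router\n' "$vr"
    for eth in "$@"; do
        ifname=$(revenue_ifname "$eth") || return 1
        printf 'set routing-instances %s interface %s.0\n' "$vr" "$ifname"
    done
    printf 'set routing-instances %s routing-options static route 0.0.0.0/0 next-hop %s\n' "$vr" "$nh"
}

# Permit any traffic from zone $1 to zone $2 under policy name $3.
zone_policy_permit() {
    p="set security policies from-zone $1 to-zone $2 policy $3"
    printf '%s match source-address any\n' "$p"
    printf '%s match destination-address any\n' "$p"
    printf '%s match application any\n' "$p"
    printf '%s then permit\n' "$p"
}

# Exit non-zero if any zone has interfaces in more than one routing instance
# (the constraint in the note above). Input lines: "<zone> <routing-instance> <interface>".
check_zone_vr() {
    awk '($1 in vr) && vr[$1] != $2 { print "zone " $1 " spans " vr[$1] " and " $2; bad = 1 }
         { vr[$1] = $2 }
         END { exit bad + 0 }'
}

# Demo with assumed addressing: eth1 faces the Internet (zone untrust, AWS
# router 10.0.1.1), eth2 faces the application subnet (zone trust); fxp0 keeps
# its own default route in inet.0 via the management subnet router 10.0.0.1.
printf 'set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1\n'
revenue_interface_config eth1 10.0.1.10/24 untrust
revenue_interface_config eth2 10.0.2.10/24 trust
revenue_vr_config VR-DATA 10.0.1.1 eth1 eth2
zone_policy_permit trust untrust allow-outbound
# Both zones live in VR-DATA, so the constraint check passes (exit status 0).
printf 'untrust VR-DATA ge-0/0/0.0\ntrust VR-DATA ge-0/0/1.0\n' | check_zone_vr
```

The generated statements can be pasted into configuration mode on the vSRX and committed; the one statement that deliberately stays outside the routing instance is the inet.0 default route used by fxp0.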

Best Practices for Improving vSRX Virtual Firewall Performance

Review the following deployment practices to improve vSRX Virtual Firewall performance:

  • Disable the source/destination check for all vSRX Virtual Firewall interfaces. With the check enabled, AWS drops packets that an interface forwards with a source or destination address other than its own, which is exactly what a firewall does.

  • Restrict the file permissions of the key pair's private key file (the .pem file) to 400 so that only its owner can read it.

  • Ensure that there are no contradictions between AWS security groups and your vSRX Virtual Firewall configuration.

  • Use the c5n instance types on AWS for best throughput on the vSRX Virtual Firewall.

    Note:

    For c5.large instances, AWS uses second-generation Intel Xeon Scalable processors (Cascade Lake) or first-generation Intel Xeon Platinum 8000 series (Skylake-SP) processors, and for c4.xlarge instances, AWS uses high-frequency Intel Xeon E5-2666 v3 processors.

  • Ensure traffic flows through multiple interfaces of the vSRX Virtual Firewall for optimal usage of the vCPUs.

  • Use vSRX Virtual Firewall NAT to protect your Amazon EC2 instances from direct Internet traffic.
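The AWS-side items in the list above (source/destination check, key file permissions, agreement between security groups and the vSRX policy) can be checked and applied from a shell. The following is an added example, not code from the Juniper page: a POSIX shell script that verifies the private key file is mode 400, emits or runs the AWS CLI command that clears the source/destination check on every ENI of an instance, and reports ports a vSRX policy permits that the security group never lets through. The instance ID, ENI IDs, port lists and the DRY_RUN convention are assumptions; the aws ec2 subcommands and flags used are real.

```shell
#!/bin/sh
# Added example (not from the Juniper page): AWS-side checks for the best
# practices above. Instance IDs, ENI IDs and the key file path are assumptions.
# DRY_RUN=1 (the default) prints each aws command instead of running it, so the
# script can be reviewed offline; DRY_RUN=0 executes it with real credentials.

DRY_RUN=${DRY_RUN:-1}

run_aws() {
    if [ "$DRY_RUN" = 1 ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# Succeed only if the key pair's private key file (the .pem file AWS hands out
# when the key pair is created) is mode 0400, i.e. readable by its owner alone.
key_perms_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 400 -print 2>/dev/null)" ]
}

# Clear source/destination checking on one ENI so AWS delivers packets the
# vSRX forwards on behalf of other hosts instead of dropping them.
disable_src_dst_check() {
    run_aws ec2 modify-network-interface-attribute \
        --network-interface-id "$1" --no-source-dest-check
}

# Apply it to every ENI of an instance. In dry-run mode the ENI list must be
# passed as arguments because nothing is queried from AWS; otherwise the ENIs
# attached to the instance are looked up.
disable_src_dst_check_all() {
    instance=$1; shift
    if [ $# -eq 0 ] && [ "$DRY_RUN" != 1 ]; then
        set -- $(aws ec2 describe-network-interfaces \
            --filters "Name=attachment.instance-id,Values=$instance" \
            --query 'NetworkInterfaces[].NetworkInterfaceId' --output text)
    fi
    for eni in "$@"; do disable_src_dst_check "$eni"; done
}

# Print the TCP ports a vSRX policy permits ($2) that the instance's security
# group does not admit ($1): AWS drops those flows before the firewall ever
# sees them, one form of the contradiction the list above warns about.
# Both arguments are whitespace-separated port lists (constructed inputs).
policy_ports_blocked_by_sg() {
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Demo with assumed identifiers; in dry-run mode this only prints the commands.
disable_src_dst_check_all i-0123456789abcdef0 eni-0aaaaaaaaaaaaaaaa eni-0bbbbbbbbbbbbbbbb
# Security group admits 22 and 443, policy permits 443 and 8443: 8443 is reported.
policy_ports_blocked_by_sg "22 443" "443 8443"
```

Run with DRY_RUN=0 and the AWS CLI configured to apply the change; keep the default to review the exact commands first. The port comparison is deliberately one-directional: a security group that admits more than the vSRX policy permits is not a contradiction, because the vSRX still denies that traffic.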