Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation vSRX vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms vSRX Virtual Firewall Deployment for Google Cloud Platform Install vSRX Virtual Firewall in Google Cloud

vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms

keyboard_arrow_up
close
keyboard_arrow_left
vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Deploy vSRX Virtual Firewall in Google Cloud Platform

date_range 27-May-23
arrow_backward
arrow_forward

The following procedures describe how to deploy vSRX Virtual Firewall in the Google Virtual Private Cloud (VPC):

  • Deploy the vSRX Virtual Firewall Firewall from Google Cloud Platform Marketplace.

  • Use custom private image to deploy the vSRX Virtual Firewall Firewall from the GCP portal.

  • Use cloud-init to deploy the vSRX Virtual Firewall Firewall through gcloud using CLI.

Deploy the vSRX Virtual Firewall Firewall from Marketplace Launcher

You can use the Google Cloud Platform Marketplace to deploy your vSRX3.0 with licenses as avirtual machine(VM) running on a Google Compute Engine instance.

Before you deploy the vSRX Virtual Firewall, you must create or choose a project in your organization and create any networks and subnets that will connect to the firewall. You cannot attach multiple network interfaces to the same VPC network. Every interface you create must have a dedicated network with at least one subnet.

This topic provide your step to deploy a vSRX Virtual Firewall Firewall from the Google Cloud Platform Marketplace Launcher.

  1. Log in to the Google Cloud Platform console.
  2. In the left navigation area, select Marketplace.
  3. Locate the vSRX Virtual Firewall listing in the Marketplace.

    In the Search box, type ’Juniper’ or ’vSRX Virtual Firewall’ and click one of the following options based on your licensing requirements as shown in Figure 1.

    The images are available from cloud:

    • vSRX Virtual Firewall Next Generation Firewall

    • vSRX Virtual Firewall Next Generation Firewall-BYOL

    • vSRX Virtual Firewall Next Generation Firewall with Anti-Virus Protection

    Figure 1: Locate vSRX Virtual Firewall Listing in the GCP MarketplaceLocate vSRX Virtual Firewall Listing in the GCP Marketplace
  4. Click Launch on Compute Engine. The deployment page appears as shown in Figure 2.
    Figure 2: Launch vSRX Virtual Firewall Instance in GCP from MarketplaceLaunch vSRX Virtual Firewall Instance in GCP from Marketplace
  5. Name the instance and choose resources.

    Provide the details for the vSRX Virtual Firewall VM:

    • Deployment Name—Enter a unique name for your vSRX Virtual Firewall VM.

    • Machine type—Select a machine type based on the system requirements for your license.

    • SSH key—Paste your public SSH key that you created earlier.

      • Paste the key after the text gcp-user:

        Note:

        It is mandatory to use “gcp-user” as username when you login to the vSRX Virtual Firewall for the first time vSRX Virtual Firewall.

      • Select the Block project-wide SSH keys option.

    • Network interfaces—Select the VPC network and the subnets. Note that you can add only those subnets that you’ve created for the selected zone for this vSRX Virtual Firewall VM.

    • IP Forwarding—Retain the default value On. This is a mandatory requirement for the vSRX Virtual Firewall VM.

    • Enable External IP—Select the ephemeral option. This setting allows the GCP to provide an ephemeral IP address to act as the external IP address.

    • Allow HTTP traffic from the Internet—Retain the default value as selected. We recommend not providing HTTP access unless absolutely necessary.

    • Allow TCP port 22 traffic from the Internet—Retain the default value as selected. F or security reasons, we recommend that you limit the SSH access only to the specific IP address to access the vSRX Virtual Firewall

    Name the instance and choose resources as shown in Figure 3.

    Figure 3: Name vSRX Virtual Firewall Instance and Choose Resources in GCP MarketplaceName vSRX Virtual Firewall Instance and Choose Resources in GCP Marketplace

    1. Choose a Deployment Name. The name must be unique and cannot conflict with any other deployment in the project.

    2. Select a zone.

    3. Select a machine type.

    4. Set the SSH Key as shown in Figure 4.

      Figure 4: SSH KeySSH Key

    5. Configure the network and subnet.

    6. Leave IP forwarding ‘on’ (mandatory for vSRX Virtual Firewall deployments) as shown in Figure 5.

      Figure 5: IP Forwarding ConfigurationIP Forwarding Configuration
  6. Accept GCP Marketplace Terms of Service.
  7. Click Deploy.

    The system shows the progress of your vSRX Virtual Firewall deployment. It displays a message indicating the successful completion of the deployment and sends you an e-mail notification for the same.

  8. Click your VM to view the details. You can view your VM details by navigating to the Compute Engine under COMPUTE in the left navigation area.

    Make note of the external IP address, shown under Network interfaces. You'll need this address later to log on to your vSRX Virtual Firewall instance using the CLI.

  9. Logging in to a vSRX Virtual Firewall Instance.

    In GCP deployments, vSRX Virtual Firewall instances provide the following capabilities by default to enhance security:

    • Allows you to login only through SSH.

    • cloud-init is used to setup SSH key login.

    • SSH password login is disabled for root account.

    Note:

    Root login using SSH password is be disabled by default.

    Use an SSH client to log in to a vSRX Virtual Firewall instance for the first time. To log in, specify the location where you saved the SSH key pair file for the user account, and the IP address assigned to the vSRX Virtual Firewall management interface (fxp0).

    Note:

    Root login using a Junos OS password is disabled by default. You can configure other users after the initial Junos OS setup phase.

    If you do not have the key pair filename and the IP address, use these steps to view the key pair name and IP for a vSRX Virtual Firewall instance:

    1. In the GCP portal, select Instances.
    2. Select the vSRX Virtual Firewall instance, and select eth0 in the Description tab to view the IP address for the fxp0 management interface.
    3. Click Connect above the list of instances to view the SSH key pair filename.

    To configure the basic settings for the vSRX Virtual Firewall instance, see Configure vSRX Using the CLI.

    Note:

    gcloud connect to vSRX Virtual Firewall is not supported. Always use ssh with user provided key to connect to vSRX Virtual Firewall after instance is up.

Deploy the vSRX Virtual Firewall Instance from GCP Portal Using Custom Private Image

You can also use your custom private image to deploy the vSRX Virtual Firewall instead of deploying an image from GCP marketplace. Firstly you need upload the private image to Google Cloud storage, then create compute image in GCP, and then deploy vSRX Virtual Firewall on Google Compute Engine.

Watch the video Deploying vSRX Virtual Firewalls on Google Cloud Platform to understand how you can deploy vSRX Virtual Firewall instances from GCP.

Upload vSRX Virtual Firewall Image to Google Cloud Storage

To upload vSRX Virtual Firewall image to Google Cloud Storage:

  1. Prepare the private vSRX Virtual Firewall image file.

    A custom image is a boot disk image that is private to you. To import a disk image to Google Compute Engine, the image file must meet the following requirements.

    • Disk image filename must be disk.raw.

    • RAW image file must have a size in an increment of 1 GB. For example, the file must be either 10 GB or 11 GB but not 10.5 GB.

    • Compressed file must be a .tar.gz file that uses gzip compression and the GNU tar format.

    To use .qcow2 vSRX Virtual Firewall image to generate .tar.gz file follow below steps to process the upload.

    1. Convert .qcow2 to "disk.raw" (disk.raw is the dedicate name for google cloud deployment).

      qemu-img convert -f qcow2 -O raw junos-vsrx3-x86-64-19.2I-20190115_dev_common.0.1057.qcow2 disk.raw

    2. Compress to .tgz file.

      tar -czf vsrx-0115.tar.gz disk.raw

  2. Upload image to Google Cloud Storage. You can upload your custom private image in two ways:

    • Upload image through SDK shell

    • Upload image from Google Cloud Platform portal

Upload image through SDK shell:

Install Google Cloud SDK on Ubuntu.

You must install Google Cloud SDK on your operation system. below is the sample to install it on Ubuntu.

For more information on Google Cloud SDK installation on Ubuntu, see https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu and for Gcloud command-line tool overview, see https://cloud.google.com/sdk/gcloud/.

To upload image through SDK shell:

  1. Create google cloud storage.

    gs://vsrx-image

  2. Copy disk.raw to cloud storage.

    gsutil cp vsrx-0115.tar.gz gs://vsrx-image

To upload image from Google Cloud Platform portal.

  1. Click Storage->Create Bucket->Upload files as shown in Figure 6.

    Figure 6: vSRX Virtual Firewall Image Upload from GCP PortalvSRX Virtual Firewall Image Upload from GCP Portal

  2. Check the private image is available in Google Cloud Storage by selecting Storage -> Bucket detail in Google Cloud Platform web as shown in Figure 7.

    Figure 7: View Private Images in GCP PortalView Private Images in GCP Portal

Create vSRX Virtual Firewall Image

After you upload the vSRX Virtual Firewall image file to GCP storage you need to create GCP compute image for vSRX Virtual Firewall deployment.

  1. Create image in cloud.

    A sample to create vSRX Virtual Firewall image using the package ready in GCP project storage is shown below. The option of 'multi_ip_subnet' is mandatory.

    gcloud compute images create vsrx-0115 '--guest-os-features=multi_ip_subnet' --source-uri=gs://vsrx-image/vsrx-0115.tar.gz

  2. Check the private image is available in Google Cloud Compute Engine.

    root@cnrd-ubuntu173:~# gcloud compute images list | grep vsrx3-194* vsrx-0115. vsrx3-218606 READY

Using Google Console

You can rename the image file using the Google console as well.

  1. Log in to your Google account and open the Google Cloud Platform home page.

  2. Click theimages option on the Google Cloud Platform page. The Create an image page opens as shown in Figure 8

    Figure 8: Google Cloud Platform Image Creation PageGoogle Cloud Platform Image Creation Page

  3. Fill in the required details in the Create an image page and click Create.

    Note:

    It is mandatory to use “gcp-user” as username when you login to the vSRX Virtual Firewall for the first time vSRX Virtual Firewall.

  4. Check the private image that available in Google Cloud Compute Engine. On Google Cloud Platform web, click Compute Engine->Images as shown in Figure 9.

    Figure 9: Check Private Image in Google Cloud Compute EngineCheck Private Image in Google Cloud Compute Engine

Deploy the vSRX Virtual Firewall Firewall from GCP Portal

You can follow below steps to deploy a vSRX Virtual Firewall instance:

  1. Login Google Cloud Platform portal, go to Compute Engine -> VM instances and click CREATE INSTANCE.
  2. Configure a vSRX Virtual Firewall instance.

    • Name—Specify a unique name to the instance.

    • Region—Select proper region you want to deploy the vSRX Virtual Firewall on, you must already create subnet in same region in proper VPC networks.

    • Machine configuration —Choose correct machine type.

    • Container —Uncheck

    • Boot Disk—Choose the private image in Custom Images tab as shown in Figure 10. You must already upload the private image to Google Cloud Storage.

      Figure 10: Boot Disk from Custom ImagesBoot Disk from Custom Images

    • Identity and API access—Set default

    • Firewall / Management —Set default

    • Firewall / Security—Paste your SSH Key pair here. Details please reference “Prepare to setup vSRX Virtual Firewall on GCP – SSH Key”.

    • Firewall / Disks—Set default

    • Firewall / Networking:

      Table 1: Firewall Networking

      Firewall / Networking

      Details

      Hostname

      Optional, you can specify tags for the instance used for route configuration.

      Network Interfaces

      Default

      You can set interfaces to existing VPC networks and subnet in same region. Interface number, Interface order and manage interface setting.

  3. Click Create
  4. Logging in to a vSRX Virtual Firewall Instance.

    In GCP deployments, vSRX Virtual Firewall instances provide the following capabilities by default to enhance security:

    • Allows you to login only through SSH.

    • SSH password login is disabled for root account.

    Note:

    Root login using a Junos OS password or SSH password is disabled by default. You can configure other users after the initial Junos OS setup phase.

    Use an SSH client to log in to a vSRX Virtual Firewall instance for the first time. To log in, specify the location where you saved the SSH key pair file for the user account, and the IP address assigned to the vSRX Virtual Firewall management interface (fxp0).

    Note:

    It is mandatory to use “gcp-user” as username when you login to the vSRX Virtual Firewall for the first time vSRX Virtual Firewall.

    If you do not have the key pair filename and the IP address, use these steps to view the key pair name and IP for a vSRX Virtual Firewall instance:

    1. In the GCP portal, select Instances.
    2. Select the vSRX Virtual Firewall instance, and select eth0 in the Description tab to view the IP address for the fxp0 management interface.
    3. Click Connect above the list of instances to view the SSH key pair filename.

    To configure the basic settings for the vSRX Virtual Firewall instance, see Configure vSRX Using the CLI.

    Note:

    gcloud connect to vSRX Virtual Firewall is not supported. Always use ssh with user provided key to connect to vSRX Virtual Firewall after instance is up.

Deploy the vSRX Virtual Firewall Firewall Using Cloud-init

vSRX Virtual Firewall supports cloud-init. Cloud-init is an open-source multi-distribution package that handles early initialization of a cloud instance. It allows user to customize VM instance with attributes like hostname and default IP on the first boot. Cloud-init is particularly useful when user wants to deploy large number of VM instances in the data center using automation tools.

Some of the initial provisioning parameters for first boot are:

  • Hostname

  • Root password

  • SSH public key

    Note:

    for the ssh key file, it needs to be in the format "<username>:<key value>" as required by google cloud. Something like this:

  • Management interface (fxp0) IP

  • Default gateway IP

You can deploy vSRX Virtual Firewall Firewall using cloud-init in two ways:

GCE supports cloud-init type instance configuration. To launch instance with user data, use the command below as an example.

Figure 11: Sample Cloud-Init Configuration Sample Cloud-Init Configuration

Please note the following points:

  • junos.conf is configuration file with ‘#junos-config’ in content

  • gcp-user.pub is ssh public key

  • vSRX Virtual Firewall 3.0 supports RSA key pair only

  • For the SSH key file, it needs to be in the format <username>:<key value> as required by Google cloud. Refer the sample SSH key file below.

    content_copy zoom_out_map
    root@cnrd-kvmsrv37:~# cat gcp-user.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeR2jhMLzSfgee/5cnduTa+13yVLKbTa/
OFnZSHQsZoA5LKHIXs/TbyooZTX5PnfNr6hx2Iyxjaodu01kT0UJ87wps8n9BH74DP6x0YK07OaZZl5T/
5Iso9fXRCzl9+go9vKzNKhqXmqKUc3Fl6hTX2QzQbtrwN2twLzCxz+OSliCoobJr+/
8wPcvI6fUbL6FRTgE1zC1HBlDKspK7x47YDYPJlUcyMhRtGvxd319jrx5i96mZq850+
dCfZkHSipT09hFRtk8C4MsOaKsw3RWUCY5LCPekrutrLLfhMKh88onv4ud7gXOklSwgVVod49aY2FfiaACMAVoaomfYXweP 
gcp-user



ssh -i <private-key> gcp-user@<vSRX management public ip>

  • In junos.conf, please remove the “gcp-default” block in your user data. They will shadow the one created by vSRX Virtual Firewall init script. Refer the sample junos config

    content_copy zoom_out_map
        #junos-config
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0;             
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                10.0.0.10/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                10.0.1.10/24;
            }
        }
    }
}
    Note:

    gcloud connect to vSRX Virtual Firewall is not supported. Always use ssh with user provided key to connect to vSRX Virtual Firewall after instance is up.

Related Documentation

arrow_backward PREVIOUS Prepare to setup vSRX Virtual Firewall Deployment on GCP
NEXT arrow_forward Upgrade the Junos OS for vSRX Virtual Firewall Software Release
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top