vSRX on an Isolated Network: Provision via Cloud-Init


Introduced in Junos OS Release 15.1X49-D100, the vSRX now comes with cloud-init. As per Juniper's configuration guide:

… the cloud-init package (version 0.7x) comes pre-installed in the vSRX image to help simplify configuring new vSRX instances operating in an OpenStack environment according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX instance.[1]

In other words, you can pass the Junos configuration to the instance at the point of creation via the user-data key, like so:

openstack server create --image vsrx-image-15.1X49-D100.6 \
                        --flavor vsrx_flavor \
                        --user-data /root/juniper.conf.txt \
                        --nic net-id=587b75b5-ceb6-49e8-b850-861809f14d5e,v4-fixed-ip= \
                        --nic net-id=423b2b1b-5591-4861-baab-64e9fef84f47,v4-fixed-ip= \
                        --nic net-id=24ca3340-a3de-4708-ad2b-2a2ab826250c,v4-fixed-ip= \

In the background this uploads the configuration to the Nova metadata service, from which it can then be retrieved via . The intention is that the vSRX calls this URL during the initial boot and pulls the required config. To get to this address, traffic from your host must go through either the router namespace or the DHCP namespace. For this discussion we will look at the DHCP namespace method.

Within the DHCP namespace (on the network controller) there is a Neutron metadata proxy that forwards the request on to a Neutron metadata agent, which then forwards it on to the Nova metadata API. As the Neutron metadata proxy is hosted on the DHCP agent IP for the given subnet, the instance can query the metadata service via a local IP, i.e.:

root@% ifconfig fxp0
fxp0:   encaps: ether; framing: ether
        flags=0x3/0x8000 <PRESENT|RUNNING>
        curr media: i802 fa:16:3e:e7:b5:2f
fxp0.0: flags=0x4008000 <UP|MULTICAST>
        inet primary mtu 1500 local= dest= bcast=

root@% curl 
## Last changed: 2017-09-04 16:07:32 UTC
system {
    services {
        web-management {
            http {
                interface fxp0.0;

However, this leads to one small detail. When the vSRX boots up it must have a route telling it to reach  via the DHCP agent's IP. Neutron provides the option to inject static routes into the instance at boot via DHCP option 121. But here lies the problem: the vSRX does not support option 121.


The solution is to set the default gateway on the Neutron subnet (the one we attach for management/FXP0) to the DHCP agent IP. Let's step through how this works:

  1. At boot, the vSRX obtains a DHCP lease containing the IP and gateway address.
  2. At the point the vSRX performs a GET for the configuration (from the metadata service) it is routed via the default gateway, which is the IP of the DHCP agent.
  3. The request is proxied onto the Nova metadata service. The vSRX applies the configuration.
  4. Routing issues are negated because a different management default gateway is defined within the Junos configuration, which overwrites the gateway address previously obtained via DHCP.
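
The route selection behind these steps, as an added example that is not from the original post: it decodes a DHCP option 121 payload (RFC 3442) and reports the next hop for the metadata address when a client honours the option, when it ignores it as the vSRX does, and when the subnet gateway is set to the DHCP agent IP. The metadata address 169.254.169.254 is the usual OpenStack default and is an assumption here; all other addresses and the option payload are constructed samples.

```python
import ipaddress

# Assumption: 169.254.169.254 is the usual OpenStack metadata address.
# Every other address here is a constructed sample (RFC 5737 range).
METADATA_IP = ipaddress.ip_address("169.254.169.254")
REAL_GW, DHCP_AGENT = "192.0.2.1", "192.0.2.2"
# Constructed option 121 payload: metadata /32 via the DHCP agent,
# then a default route via the real gateway.
OPT_121 = bytes([32, 169, 254, 169, 254, 192, 0, 2, 2,
                 0, 192, 0, 2, 1])

def parse_option_121(data):
    """Decode RFC 3442 classless static routes into (network, next_hop)."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8            # significant destination octets
        if plen > 32 or i + 5 + n > len(data):
            raise ValueError("malformed option 121")
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + n] + bytes(4 - n))
        hop = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), hop))
        i += 5 + n
    return routes

def installed_routes(router, opt121, honours_121):
    """Routes the client installs from its lease (on-link route omitted).
    Per RFC 3442, option 121 replaces the router option when honoured."""
    if honours_121 and opt121:
        return parse_option_121(opt121)
    return [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(router))]

def metadata_next_hop(router, opt121, honours_121):
    """Longest-prefix match for the metadata address; None if unroutable."""
    hits = [(net.prefixlen, hop)
            for net, hop in installed_routes(router, opt121, honours_121)
            if METADATA_IP in net]
    return str(max(hits, key=lambda h: h[0])[1]) if hits else None

if __name__ == "__main__":
    print("honours 121:         ", metadata_next_hop(REAL_GW, OPT_121, True))
    print("ignores 121 (vSRX):  ", metadata_next_hop(REAL_GW, OPT_121, False))
    print("gateway = DHCP agent:", metadata_next_hop(DHCP_AGENT, OPT_121, False))
```

In the second case the request goes to the real gateway, which on an isolated network has no metadata proxy behind it; the third case is the workaround described above.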


[1] http://www.juniper.net/documentation/en_US/vsrx/topics/task/configuration/security-vsrx-cloud-init-support.html

Rick Donato
