diff --git a/docs/_aws_account_setup.md b/docs/_aws_account_setup.md new file mode 100644 index 0000000000..258e5cfca7 --- /dev/null +++ b/docs/_aws_account_setup.md 
@@ -0,0 +1,53 @@ + + +### Create an AWS Account + +If you already have an AWS account, skip to [Set Up IAM Access](#set-up-iam-access). + +1. Open a web browser and navigate to [https://aws.amazon.com/](https://aws.amazon.com/). +2. Click **Create an AWS Account**. +3. Enter your email address and choose an AWS account name, then click **Verify email address**. Check your inbox for the verification code and enter it when prompted. +4. Set a strong password for the root user and click **Continue**. +5. On the **Contact Information** page, select **Personal** or **Business** as appropriate, fill in all required fields, and click **Continue**. +6. On the **Billing Information** page, enter a valid payment method. AWS requires a credit or debit card to verify identity. Click **Verify and Continue**. +7. On the **Identity Verification** page, choose your verification method (SMS or voice call), enter your phone number, and complete the verification. +8. Select a **Support Plan**. The **Basic** plan is free and suitable for evaluation. Click **Complete sign up**. +9. Click **Go to the AWS Management Console** and sign in with your root account credentials. + +:::important +AWS best practice is to avoid using the root account for day-to-day operations. Perform the IAM setup in the next section before proceeding. +::: + +### Set Up IAM Access + +Create a dedicated IAM user with the permissions required to deploy SSR infrastructure. + +1. In the AWS Console, search for **IAM** in the top search bar and select it. +2. In the left navigation, select **Users**, then click **Create user**. +3. Enter a username (for example, `ssr-deploy-admin`) and click **Next**. +4. On the **Set permissions** page, select **Attach policies directly**. +5. Attach the following AWS managed policies: + - `AmazonEC2FullAccess` + - `AmazonVPCFullAccess` + - `AWSCloudFormationFullAccess` + - `IAMReadOnlyAccess` +6. Click **Next**, review the summary, then click **Create user**. +7. 
Select the newly created user and navigate to the **Security credentials** tab. +8. Under **Access keys**, click **Create access key**. Choose **Command Line Interface (CLI)** as the use case, acknowledge the recommendation, and click **Next**. +9. Click **Create access key**, then **Download .csv file** to save your credentials securely. Click **Done**. + +:::note +Store your access keys in a secure location. They cannot be retrieved after the initial creation. If lost, deactivate the old key and create a new one. +::: + +10. To use the AWS CLI, configure it with your new credentials: + +```bash +aws configure +``` + +When prompted, enter: +- **AWS Access Key ID**: from the downloaded CSV +- **AWS Secret Access Key**: from the downloaded CSV +- **Default region name**: your target deployment region (for example, `us-east-1`) +- **Default output format**: `json` diff --git a/docs/_aws_keypair.md b/docs/_aws_keypair.md new file mode 100644 index 0000000000..1ef485fb8d --- /dev/null +++ b/docs/_aws_keypair.md 
@@ -0,0 +1,33 @@ + + +#### Create an EC2 Key Pair + +An EC2 key pair is required to authenticate SSH access to your SSR instances. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Key Pairs**. +3. Click **Create key pair**. +4. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name | A descriptive name, for example `ssr-keypair` | + | Key pair type | RSA | + | Private key file format | `.pem` (for Linux/macOS/AWS CLI) or `.ppk` (for PuTTY on Windows) | + +5. Click **Create key pair**. The private key file downloads automatically. +6. Move the downloaded key file to a secure location, for example `~/.ssh/`, and set restrictive permissions: + +```bash +chmod 400 ~/.ssh/ssr-keypair.pem +``` + +:::important +This is the only time you can download the private key. If you lose it, you must create a new key pair. Store your key file securely and do not share it. +::: + +To connect to an instance using this key pair: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` diff --git a/docs/_aws_security_groups.md b/docs/_aws_security_groups.md new file mode 100644 index 0000000000..57fb975914 --- /dev/null +++ b/docs/_aws_security_groups.md 
@@ -0,0 +1,68 @@ + + +#### Create the Conductor Security Group + +The Conductor security group controls inbound access to the Conductor instance. + +1. In the AWS Console, navigate to **EC2**. +2. In the left navigation pane, under **Network & Security**, click **Security Groups**. +3. Click **Create security group**. +4. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-conductor-sg` | + | Description | `Security group for SSR Conductor` | + | VPC | Select your `ssr-vpc` | + +5. Under **Inbound rules**, click **Add rule** and add the following rules: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR (e.g. `203.0.113.0/24`) | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Conductor GUI access | + | Custom TCP | TCP | 930 | `10.0.0.0/16` (VPC CIDR) | SSR to Conductor control | + | Custom TCP | TCP | 4505 | `10.0.0.0/16` | Salt master (router mgmt) | + | Custom TCP | TCP | 4506 | `10.0.0.0/16` | Salt master (router mgmt) | + +6. Leave **Outbound rules** as the default (all traffic allowed). +7. Click **Create security group**. + +:::note +Replace `Your admin CIDR` with the specific IP range of your management workstations. Using `0.0.0.0/0` is not recommended for production deployments. +::: + +#### Create the Router Security Group + +The Router security group controls inbound access to the SSR Router instance. + +1. Click **Create security group** again. +2. Enter the following: + + | Field | Value | + | ----- | ----- | + | Security group name | `ssr-router-sg` | + | Description | `Security group for SSR Router` | + | VPC | Select your `ssr-vpc` | + +3. 
Under **Inbound rules**, add the following: + + | Type | Protocol | Port range | Source | Description | + | ---- | -------- | ---------- | ------ | ----------- | + | SSH | TCP | 22 | Your admin CIDR | Admin SSH access | + | HTTPS | TCP | 443 | Your admin CIDR | Router GUI access | + | Custom UDP | UDP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1280 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 1283 | `0.0.0.0/0` | SVR peer communication | + | Custom TCP | TCP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + | Custom UDP | UDP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports | + +4. Click **Create security group**. + +:::note +For a detailed reference of all ports required for SSR operation, see [Enable Ports on the Firewall](config_firewall_ports.md). +::: + +:::important +Do **not** enable the CloudFormation templates' default security group if you have created custom security groups as described above. You will specify your custom security groups during template deployment. +::: diff --git a/docs/_aws_vpc_setup.md b/docs/_aws_vpc_setup.md new file mode 100644 index 0000000000..79d40e3b7a --- /dev/null +++ b/docs/_aws_vpc_setup.md 
@@ -0,0 +1,99 @@ + + +#### Create the VPC + +A dedicated VPC isolates your SSR deployment and gives you full control over routing and network segmentation. + +1. In the AWS Console, search for **VPC** and select it. +2. Click **Create VPC**, and select **VPC only**. +3. Enter the following values: + + | Field | Value | + | ----- | ----- | + | Name tag | A descriptive name, for example `ssr-vpc` | + | IPv4 CIDR block | A private address range, for example `10.0.0.0/16` | + | IPv6 CIDR block | No IPv6 CIDR block | + | Tenancy | Default | + +4. Click **Create VPC**. + +### Create Subnets + +SSR requires three subnets for a conductor-managed router deployment. Create each subnet within the VPC you just created. + +:::note +Subnet CIDR examples below are based on the `10.0.0.0/16` VPC range. Adjust to fit your environment. +::: + +#### Management Subnet + +Used by the Conductor and for out-of-band administration of the Router. + +1. In the VPC Dashboard, click **Subnets**, then **Create subnet**. +2. Select your VPC from the **VPC ID** dropdown. +3. Enter the following: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-mgmt-subnet` | + | Availability Zone | Choose your preferred AZ | + | IPv4 CIDR block | `10.0.1.0/24` | + +4. Click **Create subnet**. +5. Select the new subnet, click **Actions**, and choose **Edit subnet settings**. +6. Enable **Auto-assign public IPv4 address** and save. + +#### Public (WAN) Subnet + +Used for external connectivity and peer SSR communication. + +1. Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-public-subnet` | + | Availability Zone | Same AZ as the management subnet | + | IPv4 CIDR block | `10.0.2.0/24` | + +2. Click **Create subnet**. +3. Enable **Auto-assign public IPv4 address** on this subnet. + +#### Private (LAN) Subnet + +Used for internal workloads and application traffic. + +1. 
Click **Create subnet**, select your VPC, and enter: + + | Field | Value | + | ----- | ----- | + | Subnet name | `ssr-private-subnet` | + | Availability Zone | Same AZ as the other subnets | + | IPv4 CIDR block | `10.0.3.0/24` | + +2. Click **Create subnet**. +3. Do **not** enable Auto-assign public IPv4 for this subnet. + +### Create and Attach an Internet Gateway + +The Internet Gateway provides outbound internet connectivity to the management and public subnets. + +1. In the VPC Dashboard, click **Internet gateways**, then **Create internet gateway**. +2. Enter a name (for example, `ssr-igw`) and click **Create internet gateway**. +3. Select the new Internet Gateway, click **Actions**, then **Attach to VPC**. +4. Select your `ssr-vpc` and click **Attach internet gateway**. + +### Configure Route Tables + +Create a route table for the public-facing subnets and associate the management and public subnets with it. + +1. In the VPC Dashboard, click **Route tables**, then **Create route table**. +2. Enter a name (for example, `ssr-public-rt`) and select your `ssr-vpc`. +3. Click **Create route table**. +4. Select the new route table, click the **Routes** tab, then **Edit routes**. +5. Click **Add route**, enter `0.0.0.0/0` for the destination, and set the target to your `ssr-igw` Internet Gateway. Click **Save changes**. +6. Click the **Subnet associations** tab, then **Edit subnet associations**. +7. Select `ssr-mgmt-subnet` and `ssr-public-subnet`, then click **Save associations**. + +:::note +The private subnet intentionally uses the **main (default) route table** which has no internet gateway route, ensuring internal traffic does not have a direct path to the internet. +::: diff --git a/docs/deploy_aws.md b/docs/deploy_aws.md new file mode 100644 index 0000000000..8c982462b1 --- /dev/null +++ b/docs/deploy_aws.md 
@@ -0,0 +1,61 @@ +--- +title: Deploying SSR in Amazon Web Services +sidebar_label: AWS Deployment Overview +--- + +This section provides end-to-end deployment guides for running the Juniper Session Smart Router (SSR) in Amazon Web Services (AWS). The guides cover the full journey: from creating an AWS account and setting up the required cloud infrastructure through to a running, configured SSR deployment. + +## Deployment Models + +SSR supports two management models and two licensing models in AWS. Review the options below to choose the right guide for your deployment. + +### Management Model + +| Management Model | Description | Best For | +| ---------------- | ----------- | -------- | +| **Conductor-managed** | A Session Smart Conductor (also deployed in AWS or on-premises) centrally manages one or more SSR routers. Supports full SSR feature set including advanced routing policies, HA, and CLI/GUI administration. | Enterprise deployments requiring full control over routing policy and configuration | +| **Mist-managed** | SSR routers are managed through the Juniper Mist cloud portal using Zero Touch Provisioning (ZTP). Requires an active Mist organization and registration code. | WAN Assurance deployments integrated with the Mist AI platform | + +:::important +SSR Version 6.x installed from an AWS Marketplace image supports **Mist-managed** routers only. For a conductor-managed deployment running SSR 6.x, install SSR 5.x first and upgrade through the Conductor, or use the BYOL image with explicit version selection. +::: + +### Licensing Model + +| License Model | Description | +| ------------- | ----------- | +| **PAYG (Pay As You Go)** | Hourly billing through the AWS Marketplace. Includes a 30-day free trial. Best for proof-of-concept and evaluation. Software upgrades and on-premises deployments require a separate token. | +| **BYOL (Bring Your Own License)** | Install your own licensed copy of SSR software. 
Requires Artifactory credentials or a Mist registration code. Supports image-based installations. Requires Conductor version 6.3.0-R1 or newer for BYOL router management. | + +## Available Guides + +| Guide | Management | Licensing | Notes | +| ----- | ---------- | --------- | ----- | +| [AWS: Conductor-Managed Deployment](deploy_aws_conductor.mdx) | Conductor | BYOL | **Recommended starting point.** Complete end-to-end guide from AWS account to running router | +| [AWS: PAYG Conductor-Managed Router](intro_installation_quickstart_aws.md) | Conductor | PAYG | Evaluation / PoC deployments using marketplace hourly billing | +| [AWS: PAYG Mist-Managed Router](intro_installation_quickstart_mist_aws.md) | Mist | PAYG | Mist WAN Assurance with marketplace hourly billing | +| [AWS: BYOL Mist-Managed Router](intro_installation_quickstart_byol_mist_aws.md) | Mist | BYOL | Mist WAN Assurance with your own license | + +## Supported AWS Instance Types + +The following EC2 instance sizes are supported for SSR deployments. Choose the size that best meets your throughput and interface requirements. + +| AWS Instance Size | Max vNICs | vCPU | Memory | +| ----------------- | --------- | ---- | ------ | +| c5.xlarge | 4 | 4 | 8 GB | +| c5.2xlarge | 4 | 8 | 16 GB | +| c5.4xlarge | 8 | 16 | 32 GB | +| c5.9xlarge | 8 | 36 | 72 GB | +| c5n.xlarge | 4 | 4 | 10.5 GB | +| c5n.2xlarge | 4 | 8 | 21 GB | +| c5n.4xlarge | 8 | 16 | 42 GB | +| c5n.9xlarge | 8 | 36 | 96 GB | + +For Conductor sizing guidance when managing multiple routers, see [System Requirements](intro_system_reqs.md#conductor-scaling-recommendations). + +## Additional Resources + +- [Cloud Platform Support](supported_cloud_platforms.md) +- [System Requirements](intro_system_reqs.md) +- [Firewall Port Reference](config_firewall_ports.md) +- [BYOL Cloud Images Release Notes](release_notes_byol.md) diff --git a/docs/deploy_aws_conductor.mdx b/docs/deploy_aws_conductor.mdx new file mode 100644 index 0000000000..b23a560bda 
--- /dev/null +++ b/docs/deploy_aws_conductor.mdx 
@@ -0,0 +1,534 @@ +--- +title: "AWS: Conductor-Managed Deployment Guide" +sidebar_label: Conductor-Managed Deployment +--- + +import AwsAccountSetup from './_aws_account_setup.md'; +import AwsVpcSetup from './_aws_vpc_setup.md'; +import AwsKeypair from './_aws_keypair.md'; +import AwsSecurityGroups from './_aws_security_groups.md'; +import AuthorityName from './_set_authority_name.md'; +import SetConductorIP from './_set_conductor_ip.md'; +import ChangeDefaultPasswords from './_change_def_passwords.md'; +import NextStepsConfig from './_conductor_install_nextsteps.md'; + +This guide walks through deploying a complete Juniper Session Smart Router (SSR) solution in AWS using the **BYOL (Bring Your Own License)** model with a **Conductor-managed** architecture. When you complete this guide, you will have: + +- An AWS account and VPC configured for SSR +- A Session Smart Conductor deployed and configured +- A Session Smart Router deployed and onboarded to the Conductor +- A baseline working configuration verified end-to-end + +## Prerequisites + +Before you begin, confirm you have: + +- A Juniper account with Artifactory credentials (username and token) for accessing SSR software repositories. Contact your Juniper Sales representative if you do not have these. +- The SSR software version you want to deploy. Your Juniper Sales representative can advise if you are unsure. +- AWS CLI installed on your local workstation (optional, for CLI-based deployment). See the [AWS CLI installation guide](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). 
+ +--- + +## Step 1: Set Up Your AWS Account + + + +--- + +## Step 2: Plan Your Deployment + +The following diagram illustrates the AWS infrastructure deployed by this guide: + +```mermaid +graph TB + subgraph AWS VPC ["AWS VPC (10.0.0.0/16)"] + subgraph mgmt ["Management Subnet (10.0.1.0/24)"] + COND[Session Smart Conductor\nEC2 Instance] + end + subgraph pub ["Public Subnet (10.0.2.0/24)"] + RTR_WAN[Router WAN Interface\nge-0-1] + end + subgraph priv ["Private Subnet (10.0.3.0/24)"] + RTR_LAN[Router LAN Interface\nge-0-2] + end + subgraph rtr_mgmt ["Router Mgmt Subnet (10.0.1.0/24)"] + RTR_MGMT[Router Mgmt Interface\nge-0-0] + end + end + IGW[Internet Gateway] --> mgmt + IGW --> pub + RTR_MGMT -->|Port 930, 4505, 4506| COND +``` + +### Deployment Summary + +| Component | AWS Resource | Subnet | Notes | +| --------- | ------------ | ------ | ----- | +| Conductor | EC2 instance | Management | Single NIC; SSH + HTTPS inbound | +| Router management interface | EC2 NIC | Management | Connects back to Conductor | +| Router WAN interface | EC2 NIC | Public | External/peer connectivity | +| Router LAN interface | EC2 NIC | Private | Internal workload connectivity | + +--- + +## Step 3: Create AWS Infrastructure + +### 3.1 Create VPC, Subnets, and Routing + + + +### 3.2 Create an EC2 Key Pair + + + +### 3.3 Create Security Groups + + + +--- + +## Step 4: Subscribe to the SSR BYOL Marketplace Offering + +1. Open the [Session Smart Networking Platform BYOL](https://aws.amazon.com/marketplace/pp/prodview-lz6cjd43qgw3c?sr=0-2&ref_=beagle&applicationId=AWSMPContessa) listing in the AWS Marketplace. +2. Click **Continue to Subscribe**. +3. Review and accept the terms and conditions. +4. Click **Continue to Configuration**. + +:::note +There is no software cost associated with the BYOL image. You pay only for the AWS EC2 compute resources. Software licensing is handled through your Artifactory credentials. 
+::: + +### Requesting a Private Offer + +If your environment has no outbound internet access to the SSR repositories, you can request a Private Offer instead: + +1. Locate your AWS Account ID: + - Open the [AWS Console](https://console.aws.amazon.com). + - Click the dropdown next to your username at the top right; the Account ID is displayed. + - Make a note of the Account ID. +2. Contact your Juniper Networks Sales representative and provide: + - Your AWS Account ID + - The SSR software version required for your deployment +3. Your Juniper Sales representative will email you the private offer. +4. Open the email and accept the terms and conditions to activate the offer. + +--- + +## Step 5: Deploy the Session Smart Conductor + +A Conductor must be deployed before any managed routers. The Conductor is a single EC2 instance with one network interface connected to the management subnet. + +### 5.1 Launch via AWS Console (CloudFormation) + +1. From the BYOL offering, click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor** template. +4. Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. The CloudFormation stack creation wizard opens. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | A descriptive name, for example `ssr-conductor` | + | Name | Instance name, for example `conductor` | + | Instance Type | Select from the [supported instance sizes](deploy_aws.md#supported-aws-instance-types). 
`c5.xlarge` is recommended for small deployments | + | SSR Version | The SSR software version to install (for example `6.3.5-1`) | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Control Subnet ID | Select `ssr-mgmt-subnet` | + | Control Subnet Allowed CIDR | The CIDR of the management subnet (`10.0.1.0/24`) | + | Admin Allowed CIDR | Your admin workstation CIDR | + | Key Name | Select `ssr-keypair` | + +7. Click **Next** through the options pages, then click **Create stack**. + +![CloudFormation deployment complete](/img/platforms_aws_deployment_complete.png) + +8. Monitor the stack creation under the **Events** tab. When the status shows `CREATE_COMPLETE`, proceed to the **Outputs** tab. +9. Note the following values from the **Outputs** tab: + - **HTTPSLogin** — the URL to access the Conductor GUI + - **PublicEIP** — the public IP address of the Conductor instance + +:::note +After the CloudFormation stack reports `CREATE_COMPLETE`, allow an additional **10–15 minutes** for the BYOL SSR software installation to complete before attempting to log in. +::: + +### 5.2 Launch via AWS CLI (CloudFormation) + +If you prefer to deploy programmatically, follow the CloudFormation console steps 1–7 above to reach the template URL, then copy the **Amazon S3 URL** of the template. 
+ +Create a parameters file `conductor.parameters.json`: + +```bash +vi conductor.parameters.json +``` + +Paste and adjust the following JSON: + +```json +{ + "Name": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ControlSubnet": "", + "ControlAllowedCidr": "10.0.1.0/24", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy the stack: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-conductor \ + --template-url \ + --parameters file://conductor.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +Monitor deployment status: + +```bash +aws cloudformation describe-stacks \ + --stack-name ssr-conductor \ + --query 'Stacks[0].StackStatus' +``` + +### 5.3 Manual Deployment (Without CloudFormation) + +If you prefer not to use CloudFormation templates, you can launch the EC2 instance directly: + +1. In the AWS Console, navigate to **EC2** and click **Launch Instance**. +2. Under **Application and OS Images**, click **Browse more AMIs**, search for `Session Smart Networking Platform BYOL`, and select the image. +3. Choose an instance type (see [supported sizes](deploy_aws.md#supported-aws-instance-types)). +4. Under **Key pair**, select `ssr-keypair`. +5. Under **Network settings**, click **Edit**: + - Select your `ssr-vpc` + - Select `ssr-mgmt-subnet` + - Select `ssr-conductor-sg` as the security group +6. Under **Configure storage**, ensure at least **128 GB** is allocated. +7. 
Expand **Advanced details** and populate the **User data** field with the cloud-init configuration below to automate onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor", + "artifactory-user": "", + "artifactory-password": "", + "node-name": "node0", + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The name to assign to this Conductor | +| `ssr-version` | SSR software version to install (for example `6.3.5-1`) | +| `artifactory-user` | Your Artifactory username | +| `artifactory-password` | Your Artifactory token/password | +| `node-name` | For a standalone Conductor, use `node0` | + +8. Click **Launch instance**. + +If you do not provide user data, run onboarding manually after the instance starts: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem ec2-user@ +sudo /usr/libexec/hardwareBootstrapper128t config-generator +``` + +Follow the prompts. The instance will reboot once when onboarding completes. + +--- + +## Step 6: Log In to the Conductor + +1. Navigate to the HTTPS URL from the CloudFormation Outputs tab (or `https://`). + + :::note + The Conductor uses a self-signed certificate by default. If your browser warns about an unsafe connection, you can safely proceed for initial setup. See [Configure Custom TLS Certificates](config-custom-certs.md) to install a trusted certificate. + ::: + +2. Log in with the default credentials: + - **Username:** `admin` + - **Password:** `128Tadmin` + +### Change Default Passwords + + + +--- + +## Step 7: Configure the Conductor + +### 7.1 Set the Authority Name + + + +Complete the authority name change by clicking **VALIDATE** and then **COMMIT**. + +### 7.2 Set the Conductor IP Address + + + +The Conductor's public IP address (from the CloudFormation Outputs or the EC2 console) is the address managed routers will use to connect. 
This must be set before deploying any routers. + +### 7.3 Add a Software Access Token (optional, for on-premises upgrades) + +If you require the ability to upgrade SSR software or deploy on-premises routers, add your Artifactory token to the Conductor. This propagates to all managed routers. + +SSH to the Conductor and run: + +```bash +ssh -i ~/.ssh/ssr-keypair.pem t128@ +``` + +Then from the PCLI: + +```bash +pcli +set software access-token +``` + +### 7.4 Create a Basic Configuration + +Before deploying routers, create the minimum required configuration on the Conductor: an Authority, at least one Service, and a Tenant. + +For a step-by-step walkthrough, see [Configure the Conductor](intro_basic_conductor_config.md). + +A default configuration template is also available on the Conductor: + +1. Log in to the Conductor GUI and navigate to **Configuration**. +2. Select **Templates** and browse the available default templates. +3. Apply a template as the starting point for your deployment. See [Configuration Templates](config_templates.md#default-templates) for details. + +--- + +## Step 8: Deploy the Session Smart Router + +With the Conductor running and configured, deploy the router. The router uses three network interfaces (management, WAN, and LAN) attached to the corresponding subnets. + +### 8.1 Enable Enhanced Networking (ENA) + +Before launching the router instance, enable ENA support on the AMI to achieve maximum throughput. Run the following from your local workstation: + +```bash +aws ec2 modify-instance-attribute \ + --instance-id \ + --ena-support +``` + +:::note +If you are using the CloudFormation template, ENA is configured automatically. +::: + +### 8.2 Launch via AWS Console (CloudFormation) + +1. Return to the BYOL marketplace offering and click **Continue to Configuration**. +2. In the **Fulfillment Option** dropdown, select **CloudFormation Template**. +3. Select the **Juniper Session Smart Conductor Managed Router** template. +4. 
Select your target region and click **Continue to Launch**. +5. In the **Choose Action** dropdown, select **Launch CloudFormation**, then click **Launch**. +6. Fill in the stack parameters: + + | Parameter | Value | + | --------- | ----- | + | Stack name | For example `ssr-router-1` | + | Router Name | For example `branch-router-1` | + | Instance Type | Select from [supported sizes](deploy_aws.md#supported-aws-instance-types) | + | SSR Version | Must match or be lower than the Conductor version | + | Artifactory Username | Your Artifactory username | + | Artifactory Token | Your Artifactory token | + | VPC ID | Select your `ssr-vpc` | + | Management Subnet ID | Select `ssr-mgmt-subnet` | + | Public Subnet ID | Select `ssr-public-subnet` | + | Private Subnet ID | Select `ssr-private-subnet` | + | Conductor Primary IP | The private IP of your Conductor from Step 5 | + | Key Name | Select `ssr-keypair` | + +7. Click **Next**, then **Create stack**. + +![Router deployment](/img/platforms_aws_router_deployment.png) + +8. Wait for `CREATE_COMPLETE`. Allow an additional **10–15 minutes** for BYOL installation to complete. + +### 8.3 Launch via AWS CLI (CloudFormation) + +Create `router.parameters.json`: + +```json +{ + "RouterName": "", + "Version": "", + "InstanceType": "c5n.xlarge", + "ArtifactoryUsername": "", + "ArtifactoryPassword": "", + "VpcId": "", + "ManagementSubnet": "", + "PublicSubnet": "", + "PrivateSubnet": "", + "ConductorPrimaryIp": "", + "AdminAllowedCidr": "", + "KeyName": "ssr-keypair" +} +``` + +Deploy: + +```bash +aws cloudformation create-stack \ + --stack-name ssr-router-1 \ + --template-url \ + --parameters file://router.parameters.json \ + --capabilities CAPABILITY_IAM +``` + +### 8.4 Manual Deployment (Without CloudFormation) + +1. In the AWS Console, navigate to **EC2** → **Launch Instance**. +2. Search for and select the **Session Smart Networking Platform BYOL** AMI. +3. Choose an instance type. +4. 
Under **Network settings**, click **Edit** and configure **three** network interfaces: + + | Interface | Subnet | Security Group | + | --------- | ------ | -------------- | + | eth0 (primary) | `ssr-mgmt-subnet` | `ssr-router-sg` | + | eth1 | `ssr-public-subnet` | `ssr-router-sg` | + | eth2 | `ssr-private-subnet` | `ssr-router-sg` | + +5. Expand **Advanced details** and populate **User data** for automatic onboarding: + +```yaml +#cloud-config +write_files: + - path: /etc/128T-hardware-bootstrapper/onboarding-config.json + content: | + { + "name": "", + "ssr-version": "", + "mode": "conductor-managed", + "artifactory-user": "", + "artifactory-password": "", + "conductor-hosts": [""], + "cloud-provider": "aws" + } +``` + +| Field | Description | +| ----- | ----------- | +| `name` | The router name (must match the configured router in the Conductor) | +| `ssr-version` | SSR software version to install | +| `conductor-hosts` | List of Conductor IP addresses (use the private IP) | + +6. Click **Launch instance**. + +### 8.5 Network Interface Layout + +The router template deploys the EC2 instance with network interfaces attached in the following order. Use these names in your Conductor or Mist configuration: + +**With management interface (recommended):** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Management | +| `ge-0-1` | eth1 | Public (WAN) | +| `ge-0-2` | eth2 | Private (LAN) | + +**Without management interface:** + +| SSR Interface Name | EC2 Interface | Subnet | +| ------------------ | ------------- | ------ | +| `ge-0-0` | eth0 | Public (WAN) | +| `ge-0-1` | eth1 | Private (LAN) | + +--- + +## Step 9: Disable Source/Destination Check + +By default, AWS drops traffic on a network interface where the instance is not the source or destination. Since the SSR forwards traffic on behalf of other hosts, this check must be disabled on the router's network interfaces. + +1. 
In the **EC2 Console**, select the router instance. +2. Click the **Actions** dropdown, then select **Networking** → **Change source/destination check**. + + ![AWS Networking menu](/img/AWS-bootstrap1.png) + +3. In the **Change Source/Destination Check** dialog, select **Stop** and click **Save**. + + ![Source/Destination Check](/img/AWS-bootstrap2.png) + +:::note +Repeat this step for each network interface on the router instance if the dialog applies per-interface. +::: + +--- + +## Step 10: Create Router Configuration on the Conductor + +Before the router can pass traffic, it must have a configuration that matches the router name and interface layout you deployed. + +For a complete walkthrough of creating a basic router configuration (router object, WAN interface, LAN interface, service route), see [Basic Router Configuration](intro_basic_router_config.md). + +Key points for an AWS deployment: + +- The **router name** in the Conductor configuration must exactly match the `name` field used in the cloud-init user data or the CloudFormation template. +- Use the interface names from the [Network Interface Layout](#85-network-interface-layout) table above. +- The **Conductor Address** set in Step 7.2 must be reachable from the router's management subnet. + +--- + +## Step 11: Verify the Deployment + +### Verify the Conductor is Running + +1. SSH to the Conductor: + ```bash + ssh -i ~/.ssh/ssr-keypair.pem t128@ + ``` +2. Check the service status: + ```bash + sudo systemctl status 128T + ``` +3. Confirm the service shows **Active (running)**. +4. Log in to the Conductor GUI at `https://` with the `admin` user. + +### Verify the Router has Connected + +1. In the Conductor GUI, navigate to **Routers**. +2. Confirm your router appears and shows a **Connected** state. +3. Check that the routing table and Session table are populated as expected. 
+ +### Verify Traffic Forwarding + +From the Conductor PCLI, confirm sessions are being established: + +```bash +show sessions router +``` + +From the Conductor or Router GUI, use the **Topology** view to confirm adjacency and SVR path establishment. + +--- + +## Step 12: Next Steps + + + +### Additional Configuration Topics + +With SSR deployed and running in AWS, explore the following to complete your deployment: + +- **High Availability:** See [Conductor-managed HA Concepts](concepts-ha-options.md) for HA Conductor and Router configurations. +- **BGP with AWS TGW:** See [BGP Configuration](config_bgp.md) for connecting SSR to AWS Transit Gateway using BGP. +- **Security Hardening:** See [Security Hardening Guidelines](sec_hardening_guidelines.md). +- **Upgrading:** See [Upgrading the SSR](intro_upgrading.md) for the upgrade process on AWS instances. +- **Monitoring:** See [Monitoring the SSR](concepts_monitoring.md) for metrics and alerting configuration. diff --git a/sidebars.js b/sidebars.js index a30d30927a..3d729998ec 100644 --- a/sidebars.js +++ b/sidebars.js @@ -127,6 +127,16 @@ module.exports = { "sec-ztp-web-proxy", "sec-conductor-onboard", ], + "Deployment Guides": [ + { + "type": "category", + "label": "Amazon Web Services (AWS)", + "items": [ + "deploy_aws", + "deploy_aws_conductor", + ], + }, + ], "Cloud / Hypervisor Installations": [ "supported_cloud_platforms", "concepts_hypervisor_support",
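Review bot: In `_aws_account_setup.md`, the policy set attached in step 5 (`AmazonEC2FullAccess`, `AmazonVPCFullAccess`, `AWSCloudFormationFullAccess`, `IAMReadOnlyAccess`) will not let this user run the stacks that `deploy_aws_conductor.mdx` later creates with `--capabilities CAPABILITY_IAM`: that capability is only needed when a template creates IAM resources, and `IAMReadOnlyAccess` grants no `iam:Create*` or `iam:PassRole` rights, so `create-stack` will fail with an access-denied error for this user. Either document the additional IAM permissions the templates need (preferably as a scoped customer-managed policy rather than another `FullAccess` policy) or drop `CAPABILITY_IAM` if the templates create no IAM resources. Smaller point: steps 8-9 create long-lived access keys, so the `:::note` after step 9 should also recommend rotating the key and deleting it once the deployment is complete, or point to IAM Identity Center / temporary credentials as the preferred option for `aws configure`.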
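Review bot: In `_aws_keypair.md`, the connection example at the end reads `ssh -i ~/.ssh/ssr-keypair.pem t128@` with nothing after the `@`; the host placeholder is missing in the diff as submitted, so it was either dropped or written in an angle-bracket form that did not survive. Use a placeholder that renders reliably, e.g. `t128@PUBLIC_IP`, and say which address is meant (the instance's public or elastic IP). Also, the table offers `.ppk` for PuTTY, but the `chmod 400` step and the `ssh -i` example only apply to `.pem`; add a sentence that PuTTY users skip the permissions step and load the `.ppk` in PuTTY instead. Finally, the login user here is `t128`, while the manual onboarding step in `deploy_aws_conductor.mdx` section 5.3 uses `ec2-user`; state when each account is the right one so readers do not try the wrong login.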
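Review bot: In `_aws_security_groups.md`, the closing `:::important` says readers will specify the custom security groups during template deployment, but the CloudFormation parameter tables in `deploy_aws_conductor.mdx` (sections 5.1 and 8.2) contain no security-group parameter, only `Admin Allowed CIDR` and `Control Subnet Allowed CIDR`, which suggests the templates create their own groups. Reconcile the two: either document the parameter that accepts `ssr-conductor-sg` / `ssr-router-sg`, or state that the custom groups apply only to the manual (non-CloudFormation) paths in 5.3 and 8.4. On the router table, the SVR rules open 1280, 1283 and the full 16385-65533 TCP/UDP range to `0.0.0.0/0`; a note like the one given for the admin CIDR would help here, recommending that the source be narrowed to the public addresses of known SVR peers where the peer set is static, and pointing to `config_firewall_ports.md` for which ranges are actually required.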
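Review bot: In `_aws_vpc_setup.md`, the heading levels are mixed: `#### Create the VPC` is h4, but `### Create Subnets`, `### Create and Attach an Internet Gateway` and `### Configure Route Tables` are h3. Because this partial is imported under `### 3.1 Create VPC, Subnets, and Routing` in `deploy_aws_conductor.mdx`, the h3 headings will appear as siblings of step 3.1 in the generated table of contents; make them all `####` and the per-subnet headings `#####`. Also, the closing `:::note` says the private subnet intentionally has no internet route; add one sentence on what path workloads in that subnet are expected to use instead (the router guide places the LAN interface `ge-0-2` there), so the design intent is explicit rather than implied.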
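Review bot: In `deploy_aws.md`, the `Supported AWS Instance Types` table lists `Max vNICs` but never ties it to the three-interface router layout (management, WAN, LAN) that the conductor guide uses; add a sentence that the router needs at least three ENIs, so every listed size qualifies, with the `xlarge` and `2xlarge` sizes leaving one spare. Also, the `:::important` on 6.x Marketplace images points readers to "the BYOL image with explicit version selection", which is exactly what the linked conductor guide does; say so in the Available Guides row for `deploy_aws_conductor.mdx` so the two statements read as consistent.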
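Review bot: In `deploy_aws_conductor.mdx`, section 8.1 tells the reader to enable ENA "before launching the router instance" with `aws ec2 modify-instance-attribute --instance-id ... --ena-support`, but that command takes an instance ID, so it cannot run before the instance exists, and the instance must be stopped for the ENA attribute change to be accepted. Either move it after 8.4 as a post-launch step (stop, modify, start) or rely on the existing note that the CloudFormation path handles ENA. Second, both cloud-init examples (5.3 and 8.4) write the Artifactory token into `/etc/128T-hardware-bootstrapper/onboarding-config.json` via user data; user data is readable by any process on the instance through the metadata service and by anyone holding `ec2:DescribeInstanceAttribute`, so add a note that the token should be scoped to software download, rotated after deployment, and that `write_files` should set `permissions: '0600'` on the file. Third, the mermaid diagram draws `Management Subnet (10.0.1.0/24)` and `Router Mgmt Subnet (10.0.1.0/24)` as two subgraphs with the same CIDR, while the Deployment Summary table places both the Conductor and the router management interface in the single management subnet; merge them into one subgraph. Lastly, several placeholders appear empty in the diff (`"Name": ""`, `--template-url \`, `--instance-id \`, `t128@`); use a placeholder form that survives rendering, such as `PUBLIC_IP`, and reserve angle-bracket forms for inside code fences.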
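Review bot: In `sidebars.js`, the nested `Amazon Web Services (AWS)` category has no `link`, so clicking the category label only expands it and the overview page `deploy_aws` is reachable only as its first item; add `"link": { "type": "doc", "id": "deploy_aws" }` to the category object (and optionally drop `deploy_aws` from `items`) so the label opens the overview directly.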