53 changes: 53 additions & 0 deletions docs/_aws_account_setup.md
@@ -0,0 +1,53 @@
<!--- AWS Account Setup --->

### Create an AWS Account

If you already have an AWS account, skip to [Set Up IAM Access](#set-up-iam-access).

1. Open a web browser and navigate to [https://aws.amazon.com/](https://aws.amazon.com/).
2. Click **Create an AWS Account**.
3. Enter your email address and choose an AWS account name, then click **Verify email address**. Check your inbox for the verification code and enter it when prompted.
4. Set a strong password for the root user and click **Continue**.
5. On the **Contact Information** page, select **Personal** or **Business** as appropriate, fill in all required fields, and click **Continue**.
6. On the **Billing Information** page, enter a valid payment method. AWS requires a credit or debit card to verify identity. Click **Verify and Continue**.
7. On the **Identity Verification** page, choose your verification method (SMS or voice call), enter your phone number, and complete the verification.
8. Select a **Support Plan**. The **Basic** plan is free and suitable for evaluation. Click **Complete sign up**.
9. Click **Go to the AWS Management Console** and sign in with your root account credentials.

:::important
AWS best practice is to avoid using the root account for day-to-day operations. Perform the IAM setup in the next section before proceeding.
:::

### Set Up IAM Access

Create a dedicated IAM user with the permissions required to deploy SSR infrastructure.

1. In the AWS Console, search for **IAM** in the top search bar and select it.
2. In the left navigation, select **Users**, then click **Create user**.
3. Enter a username (for example, `ssr-deploy-admin`) and click **Next**.
4. On the **Set permissions** page, select **Attach policies directly**.
5. Attach the following AWS managed policies:
- `AmazonEC2FullAccess`
- `AmazonVPCFullAccess`
- `AWSCloudFormationFullAccess`
- `IAMReadOnlyAccess`
6. Click **Next**, review the summary, then click **Create user**.
7. Select the newly created user and navigate to the **Security credentials** tab.
8. Under **Access keys**, click **Create access key**. Choose **Command Line Interface (CLI)** as the use case, acknowledge the recommendation, and click **Next**.
9. Click **Create access key**, then **Download .csv file** to save your credentials securely. Click **Done**.

:::note
Store your access keys in a secure location. They cannot be retrieved after the initial creation. If lost, deactivate the old key and create a new one.
:::

10. To use the AWS CLI, configure it with your new credentials:

```bash
aws configure
```

When prompted, enter:
- **AWS Access Key ID**: from the downloaded CSV
- **AWS Secret Access Key**: from the downloaded CSV
- **Default region name**: your target deployment region (for example, `us-east-1`)
- **Default output format**: `json`
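
Review bot: In the Create an AWS Account list, step 4 sets the root password and step 9 signs in as root, but no step enables MFA on the root user before the `:::important` note tells the reader to stop using it; add an explicit step to turn on MFA for root right after the first sign-in. In Set Up IAM Access, steps 8 and 9 issue a long-lived access key to a user holding `AmazonEC2FullAccess`, `AmazonVPCFullAccess` and `AWSCloudFormationFullAccess`, and the `:::note` only says to store it securely; it should also say that `aws configure` saves the key in plaintext under `~/.aws/credentials` and that the key should be deactivated or deleted once the deployment is finished. Style: step 10 sits after the `:::note` block, which splits the ordered list; move the note below the `aws configure` step.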
33 changes: 33 additions & 0 deletions docs/_aws_keypair.md
@@ -0,0 +1,33 @@
<!--- AWS EC2 Key Pair Setup --->

#### Create an EC2 Key Pair

An EC2 key pair is required to authenticate SSH access to your SSR instances.

1. In the AWS Console, navigate to **EC2**.
2. In the left navigation pane, under **Network & Security**, click **Key Pairs**.
3. Click **Create key pair**.
4. Enter the following values:

| Field | Value |
| ----- | ----- |
| Name | A descriptive name, for example `ssr-keypair` |
| Key pair type | RSA |
| Private key file format | `.pem` (for Linux/macOS/AWS CLI) or `.ppk` (for PuTTY on Windows) |

5. Click **Create key pair**. The private key file downloads automatically.
6. Move the downloaded key file to a secure location, for example `~/.ssh/`, and set restrictive permissions:

```bash
chmod 400 ~/.ssh/ssr-keypair.pem
```

:::important
This is the only time you can download the private key. If you lose it, you must create a new key pair. Store your key file securely and do not share it.
:::

To connect to an instance using this key pair:

```bash
ssh -i ~/.ssh/ssr-keypair.pem t128@<instance-public-ip>
```
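
Review bot: Step 4's table offers `.ppk` for PuTTY on Windows, but step 6 and the connection example only cover the `.pem` file with `chmod 400` and `ssh -i`, so a reader who picks `.ppk` has no instructions for protecting or using the key; either add the Windows/PuTTY equivalent or drop the `.ppk` option. The `ssh` example uses the login `t128` without saying where that account comes from, and it would help to tell the reader to check the host key fingerprint shown on first connect. Since the name in step 4 is only an example, say that `ssr-keypair.pem` in both commands must match the name actually chosen.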
68 changes: 68 additions & 0 deletions docs/_aws_security_groups.md
@@ -0,0 +1,68 @@
<!--- AWS Security Groups for SSR --->

#### Create the Conductor Security Group

The Conductor security group controls inbound access to the Conductor instance.

1. In the AWS Console, navigate to **EC2**.
2. In the left navigation pane, under **Network & Security**, click **Security Groups**.
3. Click **Create security group**.
4. Enter the following:

| Field | Value |
| ----- | ----- |
| Security group name | `ssr-conductor-sg` |
| Description | `Security group for SSR Conductor` |
| VPC | Select your `ssr-vpc` |

5. Under **Inbound rules**, click **Add rule** and add the following rules:

| Type | Protocol | Port range | Source | Description |
| ---- | -------- | ---------- | ------ | ----------- |
| SSH | TCP | 22 | Your admin CIDR (e.g. `203.0.113.0/24`) | Admin SSH access |
| HTTPS | TCP | 443 | Your admin CIDR | Conductor GUI access |
| Custom TCP | TCP | 930 | `10.0.0.0/16` (VPC CIDR) | SSR to Conductor control |
| Custom TCP | TCP | 4505 | `10.0.0.0/16` | Salt master (router mgmt) |
| Custom TCP | TCP | 4506 | `10.0.0.0/16` | Salt master (router mgmt) |

6. Leave **Outbound rules** as the default (all traffic allowed).
7. Click **Create security group**.

:::note
Replace `Your admin CIDR` with the specific IP range of your management workstations. Using `0.0.0.0/0` is not recommended for production deployments.
:::

#### Create the Router Security Group

The Router security group controls inbound access to the SSR Router instance.

1. Click **Create security group** again.
2. Enter the following:

| Field | Value |
| ----- | ----- |
| Security group name | `ssr-router-sg` |
| Description | `Security group for SSR Router` |
| VPC | Select your `ssr-vpc` |

3. Under **Inbound rules**, add the following:

| Type | Protocol | Port range | Source | Description |
| ---- | -------- | ---------- | ------ | ----------- |
| SSH | TCP | 22 | Your admin CIDR | Admin SSH access |
| HTTPS | TCP | 443 | Your admin CIDR | Router GUI access |
| Custom UDP | UDP | 1280 | `0.0.0.0/0` | SVR peer communication |
| Custom TCP | TCP | 1280 | `0.0.0.0/0` | SVR peer communication |
| Custom TCP | TCP | 1283 | `0.0.0.0/0` | SVR peer communication |
| Custom TCP | TCP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports |
| Custom UDP | UDP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports |

4. Click **Create security group**.

:::note
For a detailed reference of all ports required for SSR operation, see [Enable Ports on the Firewall](config_firewall_ports.md).
:::

:::important
Do **not** enable the CloudFormation templates' default security group if you have created custom security groups as described above. You will specify your custom security groups during template deployment.
:::
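
Review bot: The Router inbound table opens TCP and UDP 1280, TCP 1283 and the whole 16385-65533 range to `0.0.0.0/0` with no comment, while the `:::note` under the Conductor section calls `0.0.0.0/0` not recommended for production, so the reader cannot tell whether these world-open rules are required. State next to the router table why the SVR rows need an open source, or tell the reader to narrow them to the peer routers' addresses when those are known, and repeat the admin CIDR note there since the SSH and HTTPS rows use the same placeholder. In the Conductor table, ports 930, 4505 and 4506 are sourced from a hard-coded `10.0.0.0/16`; mark it as the example VPC CIDR to adjust, and say what source to use for routers that reach the Conductor from outside the VPC. The final `:::important` refers to the CloudFormation templates' default security group without naming the template setting involved, which makes the instruction hard to follow.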
99 changes: 99 additions & 0 deletions docs/_aws_vpc_setup.md
@@ -0,0 +1,99 @@
<!--- AWS VPC and Subnet Setup --->

#### Create the VPC

A dedicated VPC isolates your SSR deployment and gives you full control over routing and network segmentation.

1. In the AWS Console, search for **VPC** and select it.
2. Click **Create VPC**, and select **VPC only**.
3. Enter the following values:

| Field | Value |
| ----- | ----- |
| Name tag | A descriptive name, for example `ssr-vpc` |
| IPv4 CIDR block | A private address range, for example `10.0.0.0/16` |
| IPv6 CIDR block | No IPv6 CIDR block |
| Tenancy | Default |

4. Click **Create VPC**.

### Create Subnets

SSR requires three subnets for a conductor-managed router deployment. Create each subnet within the VPC you just created.

:::note
Subnet CIDR examples below are based on the `10.0.0.0/16` VPC range. Adjust to fit your environment.
:::

#### Management Subnet

Used by the Conductor and for out-of-band administration of the Router.

1. In the VPC Dashboard, click **Subnets**, then **Create subnet**.
2. Select your VPC from the **VPC ID** dropdown.
3. Enter the following:

| Field | Value |
| ----- | ----- |
| Subnet name | `ssr-mgmt-subnet` |
| Availability Zone | Choose your preferred AZ |
| IPv4 CIDR block | `10.0.1.0/24` |

4. Click **Create subnet**.
5. Select the new subnet, click **Actions**, and choose **Edit subnet settings**.
6. Enable **Auto-assign public IPv4 address** and save.

#### Public (WAN) Subnet

Used for external connectivity and peer SSR communication.

1. Click **Create subnet**, select your VPC, and enter:

| Field | Value |
| ----- | ----- |
| Subnet name | `ssr-public-subnet` |
| Availability Zone | Same AZ as the management subnet |
| IPv4 CIDR block | `10.0.2.0/24` |

2. Click **Create subnet**.
3. Enable **Auto-assign public IPv4 address** on this subnet.

#### Private (LAN) Subnet

Used for internal workloads and application traffic.

1. Click **Create subnet**, select your VPC, and enter:

| Field | Value |
| ----- | ----- |
| Subnet name | `ssr-private-subnet` |
| Availability Zone | Same AZ as the other subnets |
| IPv4 CIDR block | `10.0.3.0/24` |

2. Click **Create subnet**.
3. Do **not** enable Auto-assign public IPv4 for this subnet.

### Create and Attach an Internet Gateway

The Internet Gateway provides outbound internet connectivity to the management and public subnets.

1. In the VPC Dashboard, click **Internet gateways**, then **Create internet gateway**.
2. Enter a name (for example, `ssr-igw`) and click **Create internet gateway**.
3. Select the new Internet Gateway, click **Actions**, then **Attach to VPC**.
4. Select your `ssr-vpc` and click **Attach internet gateway**.

### Configure Route Tables

Create a route table for the public-facing subnets and associate the management and public subnets with it.

1. In the VPC Dashboard, click **Route tables**, then **Create route table**.
2. Enter a name (for example, `ssr-public-rt`) and select your `ssr-vpc`.
3. Click **Create route table**.
4. Select the new route table, click the **Routes** tab, then **Edit routes**.
5. Click **Add route**, enter `0.0.0.0/0` for the destination, and set the target to your `ssr-igw` Internet Gateway. Click **Save changes**.
6. Click the **Subnet associations** tab, then **Edit subnet associations**.
7. Select `ssr-mgmt-subnet` and `ssr-public-subnet`, then click **Save associations**.

:::note
The private subnet intentionally uses the **main (default) route table** which has no internet gateway route, ensuring internal traffic does not have a direct path to the internet.
:::
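
Review bot: The Management Subnet section (step 6) turns on auto-assigned public IPv4 and Configure Route Tables (step 7) associates `ssr-mgmt-subnet` with the `0.0.0.0/0` route to `ssr-igw`, so the Conductor and the router's management interface are reachable from the internet and protected only by security groups, while the text describes the Internet Gateway as providing outbound connectivity. Say explicitly that this makes the management subnet internet-facing and that the admin CIDR restriction in the security groups is what limits access. The closing `:::note` relies on the main route table never gaining an internet route; creating a dedicated route table for `ssr-private-subnet` and associating it explicitly would keep that isolation in place even if the main table is edited later. Style: `#### Create the VPC` is one heading level deeper than the `### Create Subnets` that follows it.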
61 changes: 61 additions & 0 deletions docs/deploy_aws.md
@@ -0,0 +1,61 @@
---
title: Deploying SSR in Amazon Web Services
sidebar_label: AWS Deployment Overview
---

This section provides end-to-end deployment guides for running the Juniper Session Smart Router (SSR) in Amazon Web Services (AWS). The guides cover the full journey: from creating an AWS account and setting up the required cloud infrastructure through to a running, configured SSR deployment.

## Deployment Models

SSR supports two management models and two licensing models in AWS. Review the options below to choose the right guide for your deployment.

### Management Model

| Management Model | Description | Best For |
| ---------------- | ----------- | -------- |
| **Conductor-managed** | A Session Smart Conductor (also deployed in AWS or on-premises) centrally manages one or more SSR routers. Supports full SSR feature set including advanced routing policies, HA, and CLI/GUI administration. | Enterprise deployments requiring full control over routing policy and configuration |
| **Mist-managed** | SSR routers are managed through the Juniper Mist cloud portal using Zero Touch Provisioning (ZTP). Requires an active Mist organization and registration code. | WAN Assurance deployments integrated with the Mist AI platform |

:::important
SSR Version 6.x installed from an AWS Marketplace image supports **Mist-managed** routers only. For a conductor-managed deployment running SSR 6.x, install SSR 5.x first and upgrade through the Conductor, or use the BYOL image with explicit version selection.
:::

### Licensing Model

| License Model | Description |
| ------------- | ----------- |
| **PAYG (Pay As You Go)** | Hourly billing through the AWS Marketplace. Includes a 30-day free trial. Best for proof-of-concept and evaluation. Software upgrades and on-premises deployments require a separate token. |
| **BYOL (Bring Your Own License)** | Install your own licensed copy of SSR software. Requires Artifactory credentials or a Mist registration code. Supports image-based installations. Requires Conductor version 6.3.0-R1 or newer for BYOL router management. |

## Available Guides

| Guide | Management | Licensing | Notes |
| ----- | ---------- | --------- | ----- |
| [AWS: Conductor-Managed Deployment](deploy_aws_conductor.mdx) | Conductor | BYOL | **Recommended starting point.** Complete end-to-end guide from AWS account to running router |
| [AWS: PAYG Conductor-Managed Router](intro_installation_quickstart_aws.md) | Conductor | PAYG | Evaluation / PoC deployments using marketplace hourly billing |
| [AWS: PAYG Mist-Managed Router](intro_installation_quickstart_mist_aws.md) | Mist | PAYG | Mist WAN Assurance with marketplace hourly billing |
| [AWS: BYOL Mist-Managed Router](intro_installation_quickstart_byol_mist_aws.md) | Mist | BYOL | Mist WAN Assurance with your own license |

## Supported AWS Instance Types

The following EC2 instance sizes are supported for SSR deployments. Choose the size that best meets your throughput and interface requirements.

| AWS Instance Size | Max vNICs | vCPU | Memory |
| ----------------- | --------- | ---- | ------ |
| c5.xlarge | 4 | 4 | 8 GB |
| c5.2xlarge | 4 | 8 | 16 GB |
| c5.4xlarge | 8 | 16 | 32 GB |
| c5.9xlarge | 8 | 36 | 72 GB |
| c5n.xlarge | 4 | 4 | 10.5 GB |
| c5n.2xlarge | 4 | 8 | 21 GB |
| c5n.4xlarge | 8 | 16 | 42 GB |
| c5n.9xlarge | 8 | 36 | 96 GB |

For Conductor sizing guidance when managing multiple routers, see [System Requirements](intro_system_reqs.md#conductor-scaling-recommendations).

## Additional Resources

- [Cloud Platform Support](supported_cloud_platforms.md)
- [System Requirements](intro_system_reqs.md)
- [Firewall Port Reference](config_firewall_ports.md)
- [BYOL Cloud Images Release Notes](release_notes_byol.md)
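
Review bot: The `:::important` under Management Model says a 6.x Marketplace image supports Mist-managed routers only, while the BYOL row under Licensing Model requires Conductor 6.3.0-R1 or newer and the PAYG row says software upgrades need a separate token; a reader following the recommended Conductor/BYOL guide cannot tell from this page how to obtain a Conductor at 6.3.0-R1, or whether the "install SSR 5.x first and upgrade" path needs that token. Add a sentence stating which image and version to start from for the Conductor and for the router in each row of Available Guides. The BYOL row also mentions Artifactory credentials and a Mist registration code without saying how they are supplied at deployment; link to the place in the guides that explains how to provide and protect them.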