Using Terraform and Ansible to deploy and configure a Juniper vSRX network gateway on the IBM Cloud.
- terraform installed.
- ansible installed.
- An IBM Cloud Infrastructure Username and API Key.
- Clone the repository:

  ```sh
  git clone https://github.com/cloud-design-dev/IBM-Cloud-JunipervSRX-Terraform-Ansible.git
  cd IBM-Cloud-JunipervSRX-Terraform-Ansible
  ```

- Copy `terraform.tfvars.template` to `terraform.tfvars`:

  ```sh
  cp terraform.tfvars.template terraform.tfvars
  ```

- Edit `terraform.tfvars` to match your environment.
- Deploy all resources:

  ```sh
  terraform init
  terraform plan -out default.tfplan
  terraform apply default.tfplan
  ```
After the plan has been applied you should have 2 new files: an Ansible inventory file (`./ansible/inventory.ini`) and a playbook variables file (`./ansible/playbook/vars.yml`). You can now move on to running one of the example playbooks.
For a standalone gateway appliance use the `set-interface-standalone.yml` playbook. For an HA pair use the `set-interface-ha.yml` playbook. This will create the networking interfaces within the vSRX for the associated VLANs/subnets.

```sh
ansible-playbook -i ansible/inventory ansible/playbooks/set-interface-[standalone/ha].yml
```
This will create the policies that control the network traffic flow. For this playbook I am using the security flow outlined here.

```sh
ansible-playbook -i ansible/inventory ansible/playbooks/set-security.yml
```
This will configure the vSRX to send syslogs to a remote server. You will need to update the playbook and substitute `SYSLOG_IP` with the IP of your syslog server.

- Edit `ansible/playbooks/set-logging.yml` and replace `SYSLOG_IP` with the IP of your syslog server.
- Run the playbook:

  ```sh
  ansible-playbook -i ansible/inventory ansible/playbooks/set-logging.yml
  ```
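A small pre-flight script for the steps above, added here as an example and not part of the repository: it confirms that `terraform apply` produced `ansible/inventory.ini` and `ansible/playbook/vars.yml`, and that `SYSLOG_IP` in `set-logging.yml` has been replaced by a syntactically valid IPv4 address before the logging playbook is run. The sample file tree it builds at the end is constructed for the demonstration; the key name `syslog_server` is a placeholder, not the playbook's real variable.

```shell
#!/bin/sh
# Pre-flight checks for the Terraform + Ansible vSRX workflow. Added example,
# not part of the repository. Assumes the paths the README names:
# ansible/inventory.ini and ansible/playbook/vars.yml written by terraform apply,
# and ansible/playbooks/set-logging.yml carrying the SYSLOG_IP placeholder.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255.
is_ipv4() {
  addr="$1"
  echo "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  oldifs="$IFS"; IFS=.
  set -- $addr
  IFS="$oldifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# terraform_outputs_present REPO_DIR: both Ansible files terraform writes exist.
terraform_outputs_present() {
  [ -f "$1/ansible/inventory.ini" ] && [ -f "$1/ansible/playbook/vars.yml" ]
}

# logging_playbook_ready FILE: SYSLOG_IP has been replaced and every
# dotted-quad literal left in the playbook is a valid IPv4 address.
logging_playbook_ready() {
  file="$1"
  [ -f "$file" ] || return 1
  grep -q 'SYSLOG_IP' "$file" && return 1
  found=0
  for cand in $(grep -Eo '[0-9]+(\.[0-9]+){3}' "$file"); do
    found=1
    is_ipv4 "$cand" || return 1
  done
  [ "$found" -eq 1 ]
}

# Constructed sample tree (not the real repository) to exercise the checks offline.
sample_dir=$(mktemp -d)
mkdir -p "$sample_dir/ansible/playbook" "$sample_dir/ansible/playbooks"
: > "$sample_dir/ansible/inventory.ini"
: > "$sample_dir/ansible/playbook/vars.yml"
printf 'syslog_server: SYSLOG_IP\n' > "$sample_dir/ansible/playbooks/set-logging.yml"
terraform_outputs_present "$sample_dir" && echo "terraform outputs: ok"
logging_playbook_ready "$sample_dir/ansible/playbooks/set-logging.yml" \
  || echo "set-logging.yml: replace SYSLOG_IP before running the playbook"
```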
This will create an IPsec tunnel on the vSRX with a remote peer in IBM Cloud VPC. It will create the tunnel interface and the appropriate IPsec/IKE/security policies.

Note: By default, VPN for VPC disables PFS in Phase 2, and Juniper vSRX requires PFS to be enabled in Phase 2. Therefore, you must create a custom IPsec policy to replace the default policy for the VPN as outlined here.

```sh
ansible-playbook -i ansible/inventory ansible/playbooks/set-ipsec.yml
```
After the playbook completes you can log in to the vSRX and check the status of the tunnel from configuration mode:

```
run show security ipsec security-associations
```
If you do not already have a vSRX deployed, I have provided some Terraform examples for both a standalone and an HA vSRX deployment. These examples will also create the Ansible inventory and playbook variables file needed to run the provided playbooks.