In this section:

Create security groups to support Management (MGT0), High Availability (HA0), PKT0 and PKT1 subnets for the SBC SWe.

Before creating the security groups, review the recommended security group rule settings in the following section.

Security Group Rules Overview

Inbound Security Group Rules

Ribbon recommends opening the following ports using Inbound/Ingress rules in the security groups associated with management, HA and packet subnets.

Management Security Group

Configuring Security Group for Management Subnet

Type
Protocol
Port Range
Source
Notes/Purpose
SSHTCP22x.x.x.x/ySSH to CLI
Custom UDP ruleUDP123x.x.x.x/yNTP
Custom UDP ruleUDP161x.x.x.x/ySNMP Polling
Custom UDP ruleUDP162x.x.x.x/ySNMP traps
Custom TCP ruleTCP2022x.x.x.x/yNetConf over ssh
Custom TCP ruleTCP2024x.x.x.x/ySSH to Linux
HTTPTCP80x.x.x.x/yEMA
HTTPSTCP443x.x.x.x/yRESTCONF to ConfD DB
Custom UDP ruleUDP3057x.x.x.x/yUsed for load balancing service
Custom UDP ruleUDP3054x.x.x.x/yCall processing requests
Custom UDP ruleUDP3055x.x.x.x/yKeep Alives and Registration
Custom TCP ruleTCP4019x.x.x.x/yApplicable to D-SBC only
Custom UDP ruleUDP5093x.x.x.x/ySLS (license server) traffic
Custom TCP ruleTCP444x.x.x.x/yCommunicating with EMS, AWS EC2-API server, and Platform Manager


HA Security Group

Configuring Security Group for HA Subnet

Type
Protocol
Port Range
Source
Notes/Purpose
All TrafficAllAllx.x.x.x/yx.x.x.x/y is the HA subnet CIDR.


Packet Security Group

Configuring Security Group for Packet Ports PKT0 and PKT1

Type
Protocol
Port Range
Source
Custom UDP ruleUDP5060x.x.x.x/y
Custom TCP ruleTCP5061x.x.x.x/y
Custom UDP ruleUDP1024-65535x.x.x.x/y

Caution

The source ranges for the packet security group may be external IP address ranges, or they may be the HFE private subnet CIDR if a High-availability Forwarding Engine is present in the configuration.

HA Forwarding Node Security Groups


Configuring a Security Group for the Public-facing/Management Port (eth0)

Type
Protocol
Port Range
Source
Custom UDP ruleUDP5060x.x.x.x/y
Custom TCP ruleTCP5061x.x.x.x/y
Custom UDP ruleUDP1024-65535x.x.x.x/y


Configuring a Security Group for the Private-facing Port (eth2)

Type
Protocol
Port Range
Source
Custom UDP ruleUDP5060x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity
Custom TCP ruleTCP5061x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity
Custom UDP ruleUDP1024-65535x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity

Caution

The source ranges for the HFE Private-facing Port security group may be the private subnet CIDR of the SBC PKT0 or PKT1 subnets.

Outbound Security Group Rules 

Ribbon recommends opening all ports using Outbound/Egress rules in the security groups associated with management, HA and packet interfaces.   


Outbound Security Group Rules

Type 
Protocol
Port Range
Destination
All TrafficAllAll0.0.0.0/0

Caution

 If you open specific ports in outbound security group rules, the remaining ports are blocked.

Note

Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum required security group rules for the SBC to function.

Note

 Considering that the SIP signaling port in SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.

Create Security Groups

  1. Navigate to EC2 Management Console.

  2. From the left pane, click Security Groups.

    Security Groups Tab

  3. Click Create Security Group. The Create Security Group page displays.
  4. Enter a Security group name for the MGT0 security group and Description.

  5. Select an appropriate VPC from the list.

  6. Click Add Rule to create security group rules as suggested above. 

    Note

     By default, the Inbound rules tab displays on the screen.


    Creating a Security Group for MGT

  7. Click Create.
  8. Repeat steps 3 through 7 to create the new security group for HA, PKT0, and PKT1 subnets.

  9. If deploying with a High-availability Forwarding Engine option, repeat steps 3 through 7 to create a new security group for the HFE public and private-facing subnets.


 For more information, refer to Security Groups for Your VPC