In this section:
An SBC deployment requires a VPC with one IPv4 subnet for each of:
For HFE environments, two more VPCs with one IPv4 subnet are needed:
This interface on the HFE for PKT1 traffic can only be connected using Private IPs.
From the GCP Console Navigation menu, navigate to the Networking section and then select VPC network > VPC networks.
Click Create to return to the Create a VPC Network window. The new VPC network and subnet will be displayed once the creation process completes.
To create extra subnets in a VPC, perform the following steps.
Select the VPC for which a subnet needs to be added.
Enter a suitable IP range based on your needs, typically a CIDR of 10.x.x.0/24 will suffice.
You can only create networks with "10" as the first octet. For example, 20.0.0.0/24 is invalid subnet, and therefore network creation would fail.
Click ADD in the subnet window.
Firewall rules govern the traffic in and out of the network. At least two separate firewall rules (one for incoming IP traffic, one for outgoing traffic) are required for each subnet, although more rules may be created and applied to the same networks. Before creating the firewall rules, review the recommended firewall rule settings in the Firewall Rules Overview section.
For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.
For a comprehensive description of firewall rules, refer to Firewalls.To create a new firewall rule, complete the following procedure.
From the GCP Console Navigation menu, navigate to Networking > VPC Network > Firewall rules.
Click Create Firewall Rule to create an incoming traffic firewall rule for the Management network.
Enter a Name and Description for the incoming Management Firewall Rule.
Each firewall rule requires a unique name.
Click Create. The system returns you to the Firewall Rules page and the new firewalls rule is listed:
Click Create Firewall Rule to create an outgoing traffic firewall rule for the Management network:
Enter a Name and Description for the outgoing Management Firewall Rule.
Each firewall rule requires a unique name.
Click Create. The Firewall Rules page opens and the new firewalls rule is listed.
Repeat this procedure to create ingress and egress firewall rules for HA0, PKT0 and PKT1 networks.
Ribbon recommends opening the following ports using Inbound/Ingress and Egress firewall rules for management, HA, PKT0 and PKT1 interfaces.
Each firewall rule requires a unique name.
For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.
More information about Firewall rules for the HFE environment can be found here: Google firewall rules.
Ribbon recommends that you open all ports using Outbound/Egress rules in the firewalls associated with management, HA and packet interfaces.
The HA solution works only if the mgt0 port has internet access. If the routing table (associated with the subnet of mgt0) fails to have all the traffic rules, the HA solution does not work.
If specific ports are opened in outbound security group rules, the remaining ports are blocked.
Refer to the Management Firewall Rules, HA Firewall Rules, and Packet Security Firewall Rules tables for the minimum required security group rules for the SBC to function.
Considering that the SIP signaling port in SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to other destinations. These destinations can be inside your VPC network (for example, in another VM) or outside of it.
GCP has four different types of routes in two categories. System-generated routes are automatically created when you create a network, add a subnet, or modify the secondary IP range of a subnet. Custom routes are those that you create and maintain, either directly or by using a Cloud Router.
Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
When you create a VPC network, GCP creates a system-generated default route. This route serves two purposes:
It defines the path out of the VPC network, including the path to the Internet. In addition to having this route, instances must meet additional requirements if they need Internet access.
It provides the standard path for Private Google Access.
The system-generated default route has a priority of 1000
. Because its destination is the broadest possible (0.0.0.0/0
), GCP will only use it if a route with a more specific destination does not apply to a packet. Refer to routing order for details about how destination specificity and route priority are used to select a route.
You can delete the default route in order to completely isolate your network from the Internet or if you need to replace it with a custom route.
For detailed information on the Routing in GCP, refer to Routes.
To remove the HA0 system-created route, complete the following procedure.
Navigate to Networking > VPC network > Routes. The list of existing Routes for the project will be displayed.
Select the outgoing route for the HA0 network and then click DELETE to remove it.
You cannot delete the default VPC network routes.
To add a route for mgt0 to a Bastion Server or VPN IP address, complete the following procedure.
Navigate to Networking > VPC network > Routes.
Click Create Route Table to create a route table for MGT0.
Enter the IP address of the bastion server under Next hop IP address.
Repeat if required to add or remove other routes for PKT0 and/or PKT1.
Routes required for the HFE environment can be found here: Google network routes
In order to be able to access the SBC management IP, you must associate a static IP address to MGT0 private primary IP and any secondary private IP addresses.
Based on your network requirement you can associate Static IP addresses to secondary IP addresses of PKT0 and PKT1 network interfaces also.
To reserve a static IP address for MGT0, complete the following steps:
Navigate to Networking > VPC network > External IP addresses. The External IP addresses list is displayed.
Click Reserve static address (if no addresses exist) or click the plus ( + ) button. The Reserve a static address page is displayed.
To associate a static IP address to after an instance has been created:
Navigate to Networking > VPC network > External IP addresses. The External IP addresses list is displayed.
Click on Change next to the desired unused external IP address. The Attached IP address window appears.
Select the appropriate internal IP address from the Attach to drop-down list.
Click OK.
Repeat as required for PKT0 and PKT1 network interfaces.
Static Interal IP Addresses can be reserved in a VPC. These can then be attached to a network interface during instance creation.
Select the VPC where the static IP address needs to be created.
Click RESERVE.