In this section:

Creating VPC and Subnets

 An SBC deployment requires a VPC with one IPv4 subnet for each of:

  • Management (MGT0)
  • High Availability (HA0)
  • Packet 0 (PKT0)
  • Packet 1 (PKT1)

For HFE environments, two more VPCs with one IPv4 subnet are needed:

  • "Public" facing for PKT0 untrusted traffic
  • "Private" facing for PKT1 trusted traffic

Note

This interface on the HFE for PKT1 traffic can only be connected using Private IPs.

VPC Creation

  1. From the GCP Console Navigation menu, navigate to the Networking section and then select VPC network > VPC networks.

    GCP Console - VPC Network Navigation


    The VPC networks page will open.

    VPC Networks

  2. Click Create VPC Network to create a VPC network for the deployment.

    Create a VPC Network

  3. Complete the Name and Description fields.
  4. As part of the VPC creation process a subnet must be created:
    1. For Subnet creation mode, choose Custom.
    2. Fill in the Subnet information as outlined in steps 4-7 inSubnet Creation.
  5. Click Done.
  6. Select Regional for Dynamic routing mode.
  7. DNS server policy is not required. Leave it as No Server Policy.

  8. Click Create to return to the Create a VPC Network window. The new VPC network and subnet will be displayed once the creation process completes.

    Return to the Create a VPC Network window

  9. Repeat steps 1-9 to create a subnet for HA0 using an IPv4 CIDR block 10.x.16.0/24.
  10. Repeat steps 1-9 to create a subnet for PKT0 using an IPv4 CIDR block 10.x.32.0/24.
  11. Repeat steps 1-9 to create a subnet for PKT1 using an IPv4 CIDR block 10.x.48.0/24.
  12. If using HFE, also repeat steps 1-9 to:
    1. Create a subnet for HFE node public interface for PKT0 using an IPv4 CIDR block 10.x.64.0/24.
    2. Create a subnet for HFE node public interface for PKT1 using an IPv4 CIDR block 10.x.80.0/24.

Creating a Subnet

To create extra subnets in a VPC, perform the following steps.

  1. Go to VPC network > VPC networks.  

  2. Select the VPC for which a subnet needs to be added.

    VPC Networks

  3. Click Add subnet
  4. Enter a name in the Name field (for example, mgt0).
  5. Select the appropriate Region (all subnets for an SBC instantiation must be in the same region).

  6. Enter a suitable IP range based on your needs, typically a CIDR of 10.x.x.0/24 will suffice.

    Note

    You can only create networks with "10" as the first octet. For example, 20.0.0.0/24 is invalid subnet, and therefore network creation would fail.

  7. Set Private Google access and Flow logs to Off (unless required).

  8. Click ADD in the subnet window.

    Subnet window

Creating Firewall Rules

Firewall rules govern the traffic in and out of the network. At least two separate firewall rules (one for incoming IP traffic, one for outgoing traffic) are required for each subnet, although more rules may be created and applied to the same networks. Before creating the firewall rules, review the recommended firewall rule settings in the Firewall Rules Overview section.

Note

For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.

For a comprehensive description of firewall rules, refer to Firewalls.To create a new firewall rule, complete the following procedure.

  1. From the GCP Console Navigation menu, navigate to Networking > VPC Network > Firewall rules.

    Firewall Rules

  2. Click Create Firewall Rule to create an incoming traffic firewall rule for the Management network.

    Create Firewall Rule

    1. Enter a Name and Description for the incoming Management Firewall Rule.

      Note

      Each firewall rule requires a unique name.

    2. Under Network, select the VPC Network from the drop-down list.
    3. Enter a Priority for the rule (keep the default value 1000).
    4. Select Ingress for Direction of traffic.
    5. Select Allow for Action on match.
    6. Select All instances in the network for Targets.
    7. Select IP ranges as the Source filter.
    8. Enter one or more Source IP ranges to permit using CIDR format
    9. Click Specified protocols and ports under the Protocols and ports section.
    10. Click tcp and enter the individual or range of ports to open, separated with commas. To enable all ports, enter the keyword "all".
    11. Click udp and enter the individual or range of ports to open, separated with commas. To enable all ports, enter the keyword "all".

    12. Click Create. The system returns you to the Firewall Rules page and the new firewalls rule is listed:

      New Firewall Rule

  3.  Click Create Firewall Rule to create an outgoing traffic firewall rule for the Management network:

    Create Firewall Rule

  4. Enter a Name and Description for the outgoing Management Firewall Rule.

    Note

    Each firewall rule requires a unique name.

     

    1. Select the Network to apply the rule to from the drop-down list.
    2. Enter a Priority for the rule (you can keep the default value 1000).
    3. Select Egress for Direction of traffic.
    4. Select Allow for Action on match.
    5. Select All instances in the network for Targets.
    6. Select IP ranges as the Destination filter.
    7. Select Allow all under the Protocols and ports section to permit egress traffic to all destinations.

    8. Click Create. The Firewall Rules page opens and the new firewalls rule is listed.

      Firewall Rules

Repeat this procedure to create ingress and egress firewall rules for HA0, PKT0 and PKT1 networks.

Firewall Rules Overview

Ribbon recommends opening the following ports using Inbound/Ingress and Egress firewall rules for management, HA, PKT0 and PKT1 interfaces.

Note

Each firewall rule requires a unique name.

Note

For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.

Ingress (Inbound) Management Firewall Rules

 

Configuring Firewall Rules for Management Subnet

TypeProtocolPort RangeSourceNotes/Purpose
SSHTCP220.0.0.0/0SSH to CLI
Custom UDP ruleUDP1230.0.0.0/0NTP
Custom UDP ruleUDP1610.0.0.0/0SNMP Polling
Custom UDP ruleUDP1620.0.0.0/0SNMP traps
Custom TCP ruleTCP20220.0.0.0/0NetConf over ssh
Custom TCP ruleTCP20240.0.0.0/0SSH to Linux
HTTPTCP800.0.0.0/0EMA
HTTPSTCP4430.0.0.0/0REST to ConfD DB
Custom UDP ruleUDP30540.0.0.0/0Call processing requests
Custom UDP ruleUDP30550.0.0.0/0Keep Alives and Registration
Custom TCP ruleTCP4440.0.0.0/0Communicating with EMS, AWS EC2-API server, and Platform Manager.

Ingress HA Firewall Rules

TypeProtocolPort RangeSourceNotes/Purpose
All TrafficAllAllx.x.x.x/yx.x.x.x/y is the HA subnet CIDR.

Ingress Packet (PKT0, PKT1, and HFE ingress interfaces) Firewall Rules

TypeProtocolPort RangeSource
Custom UDP ruleUDP5060x.x.x.x/y
Custom TCP ruleTCP5061x.x.x.x/y
Custom UDP ruleUDP1024-655350.0.0.0/0

Note

More information about Firewall rules for the HFE environment can be found here: Google firewall rules.

 

Egress (Outbound) Firewall Rules

Ribbon recommends that you open all ports using Outbound/Egress rules in the firewalls associated with management, HA and packet interfaces.

Outbound Firewall Rules

TypeProtocolPort RangeDestination

All Traffic

All

All

0.0.0.0/0

Note

The HA solution works only if the mgt0 port has internet access. If the routing table (associated with the subnet of mgt0) fails to have all the traffic rules, the HA solution does not work.

If specific ports are opened in outbound security group rules, the remaining ports are blocked.

Note

Refer to the Management Firewall Rules, HA Firewall Rules, and Packet Security Firewall Rules tables for the minimum required security group rules for the SBC to function.

Note

Considering that the SIP signaling port in SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.

Creating Route Rules

Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to other destinations. These destinations can be inside your VPC network (for example, in another VM) or outside of it.

GCP has four different types of routes in two categories. System-generated routes are automatically created when you create a network, add a subnet, or modify the secondary IP range of a subnet. Custom routes are those that you create and maintain, either directly or by using a Cloud Router. 

Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.

When you create a VPC network, GCP creates a system-generated default route. This route serves two purposes:

  • It defines the path out of the VPC network, including the path to the Internet. In addition to having this route, instances must meet additional requirements if they need Internet access.

  • It provides the standard path for Private Google Access.

Initial Default System-Generated Routes for MGT0, HA0, PKT0, PKT1

 

The system-generated default route has a priority of 1000. Because its destination is the broadest possible (0.0.0.0/0), GCP will only use it if a route with a more specific destination does not apply to a packet. Refer to routing order for details about how destination specificity and route priority are used to select a route.

You can delete the default route in order to completely isolate your network from the Internet or if you need to replace it with a custom route.

For detailed information on the Routing in GCP, refer to Routes.

To remove the HA0 system-created route, complete the following procedure.

  1. Navigate to Networking > VPC network > Routes. The list of existing Routes for the project will be displayed.

    Route List

  2. Select the outgoing route for the HA0 network and then click DELETE to remove it.

    Deleting Routes


    You will be asked to confirm the deletion.

    Note

    You cannot delete the default VPC network routes.

Add a Route for mtg0 to a Bastion Server or VPN IP Address

To add a route for mgt0 to a Bastion Server or VPN IP address, complete the following procedure.

  1. Navigate to Networking > VPC network > Routes.

    Routes

  2. Click CREATE ROUTE.

  3. Click Create Route Table to create a route table for MGT0.

    Create Route Table

  4. Enter a Name for the route and Description.
  5. Select the management network (in this case mtg0) under Network.
  6. Enter the Destination IP range as 0.0.0.0/0 to route all outbound traffic to the bastion server.
  7. Select Specify IP address under Next hop.

  8. Enter the IP address of the bastion server under Next hop IP address.

    Next Hop IP Address

  9.  Click Create.
  10. The route will be created and the route list updated.

  11. Repeat if required to add or remove other routes for PKT0 and/or PKT1.

    Note

    Routes required for the HFE environment can be found here: Google network routes

Reserving Static External IP Addresses

In order to be able to access the SBC management IP, you must associate a static IP address to MGT0 private primary IP and any secondary private IP addresses.

Based on your network requirement you can associate Static IP addresses to secondary IP addresses of PKT0 and PKT1 network interfaces also.

To reserve a static IP address for MGT0, complete the following steps:

  1. Navigate to Networking > VPC network > External IP addresses. The External IP addresses list is displayed.

    External IP addresses

  2. Click Reserve static address (if no addresses exist) or click the plus ( + ) button. The Reserve a static address page is displayed.

    Reserve a static address

  3. Enter a Name and a Description for the IP address.
  4. Select Premium for Network Service Tier.
  5. Select IPv4 for IP Version.
  6. Select Regional for Type.
  7. Select the appropriate Region for the static IP address to be allocated in.
  8. Click Reserve.

Associating Static External IP Addresses:

To associate a static IP address to after an instance has been created:

  1. Navigate to Networking > VPC network > External IP addresses. The External IP addresses list is displayed.

    External IP addresses

  2. Click on Change next to the desired unused external IP address. The Attached IP address window appears.

    Attached IP address

  3. Select the appropriate internal IP address from the Attach to drop-down list.

  4. Click OK. 

  5. Repeat as required for PKT0 and PKT1 network interfaces.

Reserving Static Internal IP Addresses

Static Interal IP Addresses can be reserved in a VPC. These can then be attached to a network interface during instance creation.

  1. Navigate to Networking > VPC network.

  2. Select the VPC where the static IP address needs to be created.

    VPC network details

  3. Click Static internal IP addresses.
  4. Click Reserve static address.
  5. Enter a Name.
  6. Select the appropriate Subnet.
  7. Leave Static IP address as Assign automatically.

  8. Click RESERVE.

    Reserve