In this section:
Create security group rules for the subnets associated with the following interfaces using the tables corresponding to each type of interface.
- MGT0
- HA
- PKT0
- PKT1
Customize security groups based on your network security requirements.
Note
If you are installing SBC SWe for the first time, you must create a security group to allow HTTPS access.
Inbound Security Group Rules
It is recommended to open the following ports using Inbound/Ingress rules in the security groups associated with the management, HA and packet interfaces. Port recommendations are also provided for deployments that include an High-Availability Front End (HFE).
Management Security Group
Firewall Rules for the Management Subnet
| Type | Protocol | Port Range | Notes/Purpose |
|---|---|---|---|
| SSH | TCP | 22 | SSH to CLI. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
| Custom UDP rule | UDP | 123 | NTP |
| Custom UDP rule | UDP | 161 | SNMP Polling |
| Custom UDP rule | UDP | 162 | SNMP traps |
| Custom TCP rule | TCP | 2022 | NetConf over ssh NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
| Custom TCP rule | TCP | 2024 | SSH to Linux NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
| HTTP | TCP | 80 | EMA |
| Custom TCP rule | TCP | 444 | Platform Manager |
| HTTPS | TCP | 443 | REST to ConfD DB |
| Custom UDP rule | UDP | 3057 | Used for load balancing service |
| Custom UDP rule | UDP | 3054 | Call processing requests |
| Custom UDP rule | UDP | 3055 | Keep Alives and Registration |
| Custom TCP rule | TCP | 4019 | Applicable to D-SBC only |
| Custom UDP rule | UDP | 5093 | SLS (license server) traffic |
| Custom TCP rule | TCP | 443 | Communicating with EMS and AWS EC2-API server. |
HA Security Group
Configuring a Security Group for the HA Subnet
| Type | Protocol | Port Range | Source | Notes/Purpose |
|---|---|---|---|---|
| All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
Packet Security Group
Configuring a Security Group for the Packet Ports PKT0 and PKT1
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | 0.0.0.0/0 |
HA Forwarding Node Security Group
Configuring a Security Group for the Public-facing Port (eth0)
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
Outbound Security Group Rules
It is recommended to open all ports using Outbound/Egress rules in the security groups associated with the management, HA and packet interfaces. If an HFE is present, the same recommendation applies to its public-facing (eth0) port.
Outbound Security Group Rules
| Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 |
Note
The HA solution works only if the mgt0 port has internet access. If the routing table (associated with the subnet of mgt0) fails to have all the traffic rules, the HA solution does not work.
Caution
If specific ports are opened in outbound security group rules, the remaining ports are blocked.
Note
Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum required security group rules for the SBC to function.
Note
Considering that the SIP signaling port in SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.
Route Table Rule
AWS uses the most specific route in your route table that matches the traffic to determine how to route the traffic (longest prefix match). You need to have the rule to route all the non-Virtual Private Clouds (VPC) traffic to internet gateway or ensure that the internet traffic is routed through your own NAT instance or Gateway. If you cannot provide a way to send out the SBC API query to the internet, the HA solution fails (SBC) in AWS.
The routes to the IPv4 and IPv6 addresses or CIDR blocks are independent of each other. AWS uses the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic.
For example, the following route table has a route for IPv4 Internet traffic 0.0.0.0/0 that points to an Internet gateway. Any traffic destined for a target within the VPC (10.0.0.0/16) is covered by the Local route, and therefore, routed within the VPC. All other traffic from the subnet uses the internet gateway.
Route Table
| Destination | Target |
|---|---|
| 10.0.0.0/16 | Local |
| 0.0.0.0/0 | igw-11aa22bb |
For detailed information on the Route Table, refer to AWS documentation.
Dynamic Host Configuration Protocol (DHCP) Option Set
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.
The DHCP options sets are associated with your AWS account so that you can use them across all of your VPC. For detailed information on the DHCP option sets, refer to DHCP Options Sets of the AWS documentation.
The following DHCP option sets are provided by AWS:
- default DHCP option set
- custom DHCP option set
When you create a VPC, AWS automatically creates a set of DHCP options and associates them with the VPC. This set includes two options:
domain-name-servers=AmazonProvidedDNSdomain-name=domain-name-for-your-region
The AmazonProvidedDNS is an Amazon DNS server, which enables DNS for instances that need to communicate over the VPC's Internet gateway. The string AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range, with the last octet incremented by two digits. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2.”. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.
AWS HA uses several API requests to know the peer instance and also during IP switch-over. At the back-end, AWS has several servers with different IP address running to provide the SBC seamless performance or response. If one server goes down, the Amazon-provided DNS automatically updates the API endpoint. This may not be the case with the custom DNS and results in an API request failure. To overcome this issue, the SBC needs to add the field AmazonProvidedDNS in the DNS server, in addition to the IP address of the custom DNS server. For detailed inforamtion on the custom DNS, refer to Using DNS with Your VPC of the AWS documentation.
Create Security Group
Before creating security group rules, create a subnet for this purpose within the virtual private cloud (VPC). Use the CIDR value for this subnet when creating security group rules.
To create a security group:
- Navigate to EC2 Management Console.
From the left pane, click Security Groups.
Security Groups Tab
Click Create Security Group. The Create Security Group page displays.
Enter a Security group name and Description.
Select an appropriate VPC from the list.
Click Add Rule to create security group rules.
NoteBy default, the Inbound rules tab is displayed on the screen.
Creating Security Group for MGT
- Click Create.
Repeat step 3 through 7 to create the new security group for HA, PKT0, and PKT1 network interfaces.
Overview
Content Tools