Create security group rules for the subnets associated with the following interfaces, using the table for each interface type.
Customize the security groups to your own network security requirements.
If you are installing SBC SWe for the first time, you must create a security group that allows HTTPS access (TCP 443).
Open the following ports using inbound (ingress) rules in the security groups associated with the management, HA and packet interfaces. Port recommendations are also given for deployments that include a High-Availability Front End (HFE).
Firewall Rules for the Management Subnet
Type | Protocol | Port Range | Notes/Purpose |
---|---|---|---|
SSH | TCP | 22 | SSH to CLI. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
Custom UDP rule | UDP | 123 | NTP |
Custom UDP rule | UDP | 161 | SNMP Polling |
Custom UDP rule | UDP | 162 | SNMP traps |
Custom TCP rule | TCP | 2022 | NETCONF over SSH. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
Custom TCP rule | TCP | 2024 | SSH to Linux NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe. |
HTTP | TCP | 80 | EMA |
Custom TCP rule | TCP | 444 | Platform Manager |
HTTPS | TCP | 443 | REST to ConfD DB |
Custom UDP rule | UDP | 3057 | Used for load balancing service |
Custom UDP rule | UDP | 3054 | Call processing requests |
Custom UDP rule | UDP | 3055 | Keep Alives and Registration |
Custom TCP rule | TCP | 4019 | Applicable to D-SBC only |
Custom UDP rule | UDP | 5093 | SLS (license server) traffic |
Custom TCP rule | TCP | 443 | Communication with the EMS and the AWS EC2 API. |
Configuring a Security Group for the HA Subnet
Type | Protocol | Port Range | Source | Notes/Purpose |
---|---|---|---|---|
All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
Configuring a Security Group for the Packet Ports PKT0 and PKT1
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom UDP rule | UDP | 5060 | x.x.x.x/y |
Custom TCP rule | TCP | 5061 | x.x.x.x/y |
Custom UDP rule | UDP | 1024-65535 | 0.0.0.0/0 |
The UDP 1024-65535 rule admits media (RTP) from any source on the packet interfaces. If the media peers are known, narrow the source to their address ranges; otherwise this rule exposes the whole high UDP port range to the internet. The 5060/5061 rows should list only the SIP peers' CIDRs as x.x.x.x/y.
Configuring a Security Group for the Public-facing Port (eth0)
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom UDP rule | UDP | 5060 | x.x.x.x/y |
Custom TCP rule | TCP | 5061 | x.x.x.x/y |
It is recommended to open all ports using Outbound/Egress rules in the security groups associated with the management, HA and packet interfaces. If an HFE is present, the same recommendation applies to its public-facing (eth0) port.
Outbound Security Group Rules
Type | Protocol | Port Range | Destination |
---|---|---|---|
All Traffic | All | All | 0.0.0.0/0 |
The HA solution works only if the mgt0 port has internet access, because the SBC reaches the AWS EC2 API over this interface (TCP 443 in the management table). If the route table associated with the mgt0 subnet does not route all destinations (typically a 0.0.0.0/0 route to an internet gateway or NAT gateway), the HA solution does not work.
Security groups deny whatever is not explicitly allowed: if you open only specific ports in the outbound rules, every other outbound port is blocked, so the EC2 API, EMS, NTP, SNMP trap and license server (SLS) destinations must all be covered.
The management, HA and packet subnet tables above list the minimum security group rules the SBC needs to function.
The packet port tables assume the SIP signaling port in the SBC configuration is left at its default, so UDP 5060 and TCP 5061 are listed. If you configure a different signaling port, open that port instead.
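The following is an added example, not Ribbon's tooling or code from this page. It transcribes the management, HA, packet and outbound tables above into rule rows, converts them to the IpPermissions structure that boto3's authorize_security_group_ingress and authorize_security_group_egress calls take, lints them against the notes in the tables (operator-only ports never open to 0.0.0.0/0, the HA group trusting only the HA subnet), and checks a route table for the mgt0 default route the HA solution needs. The sample CIDRs, the helper names, the route table contents and the decision about which management ports are reachable only from operator hosts are assumptions for illustration.

```python
"""Build and lint AWS security group rules for the SBC SWe interfaces.

Added example, not Ribbon tooling. The ports are transcribed from the tables
on this page; the helper names, the sample CIDRs and the choice of which
management ports are reachable only from operator hosts are assumptions.
"""
import ipaddress

# Constructed sample CIDRs (assumptions): replace with your own values.
ADMIN_CIDR = "203.0.113.0/24"      # hosts operators manage the SBC from
MGMT_CIDR = "10.0.1.0/24"          # management subnet (NTP, SNMP, SLS, EMS peers)
HA_CIDR = "10.0.2.0/24"            # HA subnet, the x.x.x.x/y of the HA table
SIP_PEER_CIDR = "198.51.100.0/24"  # SIP peer allowed on 5060/5061
ANYWHERE = "0.0.0.0/0"

# Ports whose table note says to allow only the specific IPs you manage from.
OPERATOR_ONLY_PORTS = {("tcp", 22), ("tcp", 2022), ("tcp", 2024)}

# Rows: (protocol, from_port, to_port, source_cidr, purpose); "-1" = all traffic.
MGMT_INGRESS = [
    ("tcp", 22, 22, ADMIN_CIDR, "SSH to CLI"),
    ("udp", 123, 123, MGMT_CIDR, "NTP"),
    ("udp", 161, 161, MGMT_CIDR, "SNMP polling"),
    ("udp", 162, 162, MGMT_CIDR, "SNMP traps"),
    ("tcp", 2022, 2022, ADMIN_CIDR, "NETCONF over SSH"),
    ("tcp", 2024, 2024, ADMIN_CIDR, "SSH to Linux"),
    ("tcp", 80, 80, ADMIN_CIDR, "EMA"),
    ("tcp", 444, 444, ADMIN_CIDR, "Platform Manager"),
    ("tcp", 443, 443, ADMIN_CIDR, "REST to ConfD DB, EMS, EC2 API"),
    ("udp", 3057, 3057, MGMT_CIDR, "Load balancing service"),
    ("udp", 3054, 3054, MGMT_CIDR, "Call processing requests"),
    ("udp", 3055, 3055, MGMT_CIDR, "Keep-alives and registration"),
    ("tcp", 4019, 4019, MGMT_CIDR, "D-SBC only"),
    ("udp", 5093, 5093, MGMT_CIDR, "SLS license server"),
]
HA_INGRESS = [("-1", None, None, HA_CIDR, "All traffic within the HA subnet")]
PKT_INGRESS = [
    ("udp", 5060, 5060, SIP_PEER_CIDR, "SIP over UDP"),
    ("tcp", 5061, 5061, SIP_PEER_CIDR, "SIP over TLS"),
    ("udp", 1024, 65535, ANYWHERE, "RTP media"),
]
EGRESS = [("-1", None, None, ANYWHERE, "All outbound traffic")]

# Constructed route table in the shape of describe_route_tables() output.
SAMPLE_MGT0_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    ],
}


def to_ip_permissions(rules):
    """Convert rows to the IpPermissions list that boto3's
    authorize_security_group_ingress / _egress calls expect."""
    perms = []
    for proto, lo, hi, cidr, purpose in rules:
        p = {"IpProtocol": proto,
             "IpRanges": [{"CidrIp": cidr, "Description": purpose}]}
        if proto != "-1":  # "-1" (all traffic) takes no port range
            p["FromPort"], p["ToPort"] = lo, hi
        perms.append(p)
    return perms


def lint_ingress(name, rules, ha_cidr=HA_CIDR):
    """Return findings (empty list = rules follow the page's guidance)."""
    findings = []
    for proto, lo, hi, cidr, purpose in rules:
        try:
            ipaddress.ip_network(cidr)
        except ValueError:
            findings.append(f"{name}: '{cidr}' is not a valid CIDR ({purpose})")
            continue
        # Operator-only ports (22/2022/2024) must never be open to the world.
        if proto != "-1" and cidr == ANYWHERE and any(
                p == proto and lo <= port <= hi for p, port in OPERATOR_ONLY_PORTS):
            findings.append(f"{name}: {proto}/{lo}-{hi} ({purpose}) is open to {ANYWHERE}")
        # The HA group must only trust the HA subnet itself.
        if name == "ha" and cidr != ha_cidr:
            findings.append(f"{name}: source {cidr} is not the HA subnet {ha_cidr}")
    return findings


def has_default_route(route_table):
    """True if the table sends 0.0.0.0/0 to an internet or NAT gateway,
    which the HA solution needs on the mgt0 subnet."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != ANYWHERE or r.get("State") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-") or r.get("NatGatewayId"):
            return True
    return False


if __name__ == "__main__":
    for name, rules in (("mgmt", MGMT_INGRESS), ("ha", HA_INGRESS), ("pkt", PKT_INGRESS)):
        print(name, lint_ingress(name, rules) or "ok", to_ip_permissions(rules))
    print("egress", to_ip_permissions(EGRESS))
    print("mgt0 default route:", has_default_route(SAMPLE_MGT0_ROUTE_TABLE))
```

To apply a rule set, pass the output of to_ip_permissions to a boto3 EC2 client, for example `boto3.client("ec2").authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_ip_permissions(MGMT_INGRESS))`; a new security group already carries an allow-all egress rule, so only call authorize_security_group_egress with the EGRESS row if you have first revoked or narrowed that default. Run lint_ingress before applying, and run has_default_route against the route table returned by describe_route_tables for the mgt0 subnet; a missing default route is the HA failure mode described above.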