Create security groups to support Management (MGT0), High Availability (HA0), PKT0 and PKT1 subnets for the SBC SWe.
Before creating the security groups, review the recommended security group rule settings in the following section.
Security Group Rules Overview
Inbound Security Group Rules
Ribbon recommends opening the following ports using Inbound/Ingress rules in the security groups associated with management, HA and packet subnets.
Management Security Group
Configuring Security Group for Management Subnet
| | | | |
---|
SSH | TCP | 22 | x.x.x.x/y | SSH to CLI |
Custom UDP rule | UDP | 123 | x.x.x.x/y | NTP |
Custom UDP rule | UDP | 161 | x.x.x.x/y | SNMP Polling |
Custom UDP rule | UDP | 162 | x.x.x.x/y | SNMP traps |
Custom TCP rule | TCP | 2022 | x.x.x.x/y | NetConf over ssh |
Custom TCP rule | TCP | 2024 | x.x.x.x/y | SSH to Linux |
HTTP | TCP | 80 | x.x.x.x/y | EMA |
HTTPS | TCP | 443 | x.x.x.x/y | REST to ConfD DB |
Custom UDP rule | UDP | 3057 | x.x.x.x/y | Used for load balancing service |
Custom UDP rule | UDP | 3054 | x.x.x.x/y | Call processing requests |
Custom UDP rule | UDP | 3055 | x.x.x.x/y | Keep Alives and Registration |
Custom TCP rule | TCP | 4019 | x.x.x.x/y | Applicable to D-SBC only |
Custom UDP rule | UDP | 5093 | x.x.x.x/y | SLS (license server) traffic |
Custom TCP rule | TCP | 444 | x.x.x.x/y | Communicating with EMS, AWS EC2-API server, and Platform Manager |
HA Security Group
Configuring Security Group for HA Subnet
| | | | |
---|
All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
Packet Security Group
Configuring Security Group for Packet Ports PKT0 and PKT1
| | | |
---|
Custom UDP rule | UDP | 5060 | x.x.x.x/y |
Custom TCP rule | TCP | 5061 | x.x.x.x/y |
Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |
Caution
The source ranges for the packet security group may be external IP address ranges, or they may be the HFE private subnet CIDR if a High-availability Forwarding Engine is present in the configuration.
HA Forwarding Node Security Groups
Configuring a Security Group for the Public-facing/Management Port (eth0)
| | | |
---|
Custom UDP rule | UDP | 5060 | x.x.x.x/y |
Custom TCP rule | TCP | 5061 | x.x.x.x/y |
Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |
Configuring a Security Group for the Private-facing Port (eth2)
| | | |
---|
Custom UDP rule | UDP | 5060 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
Custom TCP rule | TCP | 5061 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
Caution
The source ranges for the HFE Private-facing Port security group may be the private subnet CIDR of the SBC PKT0 or PKT1 subnets.
Outbound Security Group Rules
Ribbon recommends opening all ports using Outbound/Egress rules in the security groups associated with management, HA and packet interfaces.
Outbound Security Group Rules
| | | |
---|
All Traffic | All | All | 0.0.0.0/0 |
Caution
If you open specific ports in outbound security group rules, the remaining ports are blocked.
Create Security Groups
Navigate to EC2 Management Console.
From the left pane, click Security Groups.
- Click Create Security Group. The Create Security Group page displays.
Enter a Security group name for the MGT0 security group and Description.
Select an appropriate VPC from the list.
Click Add Rule to create security group rules as suggested above.
Creating a Security Group for MGT
- Click Create.
Repeat steps 3 through 7 to create the new security group for HA, PKT0, and PKT1 subnets.
- If deploying with a High-availability Forwarding Engine option, repeat steps 3 through 7 to create a new security group for the HFE public and private-facing subnets.
For more information, refer to Security Groups for Your VPC.