Management Security Group

Table: Configuring Security Group for Management Subnet

| Type | Protocol | Port Range | Source | Notes/Purpose |
|---|---|---|---|---|
| SSH | TCP | 22 | x.x.x.x/y | SSH to CLI |
| Custom UDP rule | UDP | 123 | x.x.x.x/y | NTP |
| Custom UDP rule | UDP | 161 | x.x.x.x/y | SNMP polling |
| Custom UDP rule | UDP | 162 | x.x.x.x/y | SNMP traps |
| Custom TCP rule | TCP | 2022 | x.x.x.x/y | NetConf over SSH |
| Custom TCP rule | TCP | 2024 | | |
| Custom UDP rule | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| | | | x.x.x.x/y | Call processing requests |
| Custom UDP rule | UDP | 3055 | x.x.x.x/y | Keep Alives and Registration |
| Custom TCP rule | TCP | 4019 | 0.0.0.0/0 | Applicable to D-SBC only |
| | | | x.x.x.x/y | SLS (license server) traffic |
| Custom TCP rule | TCP | 444 | x.x.x.x/y | Communicating with EMS, AWS EC2-API server, and Platform Manager |
|
HA Security Group

Table: Configuring Security Group for HA Subnet

| Type | Protocol | Port Range | Source | Notes/Purpose |
|---|---|---|---|---|
| All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
|
Packet Security Group

Table: Configuring Security Group for Packet Ports PKT0 and PKT1

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |

Note: The source ranges for the packet security group may be external IP address ranges, or they may be the HFE private subnet CIDR if a High-availability Forwarding Engine (HFE) is present in the configuration.
HA Forwarding Node Security Groups

Table: Configuring a Security Group for the Public-facing/Management Port (eth0)

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |

Table: Configuring a Security Group for the Private-facing Port (eth2)

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y (the PKT0 or PKT1 subnet CIDR that is to have external connectivity) |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y (the PKT0 or PKT1 subnet CIDR that is to have external connectivity) |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y (the PKT0 or PKT1 subnet CIDR that is to have external connectivity) |

Note: The source ranges for the HFE private-facing port security group may be the private subnet CIDR of the SBC PKT0 or PKT1 subnets.
Outbound Security Group Rules
Ribbon recommends opening all ports using Outbound/Egress rules in the security groups associated with management, HA and packet interfaces.
Note: If you open only specific ports in the outbound security group rules, all remaining ports are blocked.

Info: Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum security group rules required for the SBC to function.

Info: The tables assume the SIP signaling port in the SBC configuration is left at its default (5060); the UDP and TCP port numbers are therefore 5060 and 5061.
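The notes above rest on how EC2 security groups evaluate traffic: rules are an allow-list with an implicit deny, so a group whose egress list names specific ports blocks everything else, while the "All Traffic" rule on the HA subnet and the 1024-65535 range on the packet ports admit whole classes of flows. The following Python model of that evaluation is an added example, not Ribbon's code or the AWS implementation; the rule sets mirror the HA, packet and outbound tables, the CIDRs (HA_CIDR, PEER_CIDR) are constructed placeholders for x.x.x.x/y, and the model covers IPv4 only and ignores the stateful return-traffic handling that real security groups perform.

```python
import ipaddress

# Constructed example rule sets modelled on the tables on this page. A rule is
# (protocol, from_port, to_port, cidr); protocol "-1" is how the EC2 API
# encodes "All traffic". The CIDRs are placeholders standing in for x.x.x.x/y.
HA_CIDR = "10.0.20.0/24"        # HA subnet CIDR (assumption)
PEER_CIDR = "203.0.113.0/24"    # SIP peer range, or the HFE private subnet (assumption)

HA_INBOUND = [("-1", 0, 65535, HA_CIDR)]           # All Traffic from the HA subnet
PKT_INBOUND = [
    ("udp", 5060, 5060, PEER_CIDR),                 # SIP over UDP
    ("tcp", 5061, 5061, PEER_CIDR),                 # SIP over TLS
    ("udp", 1024, 65535, PEER_CIDR),                # media / ephemeral range
]
EGRESS_ALL = [("-1", 0, 65535, "0.0.0.0/0")]        # what the page recommends for outbound
EGRESS_DNS_ONLY = [("udp", 53, 53, "0.0.0.0/0")]    # a narrow egress list, for contrast


def matches(rule, protocol, port, peer_ip):
    """One rule matches when protocol, port and peer address all fit.
    For an "All traffic" rule only the peer address is checked."""
    r_proto, r_from, r_to, r_cidr = rule
    if r_proto != "-1":
        if r_proto != protocol or not (r_from <= port <= r_to):
            return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r_cidr)


def is_allowed(rules, protocol, port, peer_ip):
    """Security groups are allow-lists with an implicit deny: a flow passes
    only if at least one rule matches it. There are no deny rules to order."""
    return any(matches(r, protocol, port, peer_ip) for r in rules)


def blocked_ports(rules, protocol, peer_ip, candidates):
    """Which of the candidate destination ports the rule set would not allow."""
    return [p for p in candidates if not is_allowed(rules, protocol, p, peer_ip)]


if __name__ == "__main__":
    print("HA peer, any port:", is_allowed(HA_INBOUND, "tcp", 9999, "10.0.20.3"))
    print("media from SIP peer:", is_allowed(PKT_INBOUND, "udp", 30000, "203.0.113.44"))
    print("egress blocked with DNS-only rules:",
          blocked_ports(EGRESS_DNS_ONLY, "udp", "203.0.113.1", [53, 123, 5060]))
```

Running it against the restricted egress list shows NTP (123) and SIP (5060) refused while DNS passes, which is the situation the note warns about; against EGRESS_ALL nothing is blocked. The same check shows that TCP on 5060 is refused by the packet rules because the table only lists UDP there.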
Create Security Groups

1. Navigate to the EC2 Management Console.
2. From the left pane, click Security Groups.

   Figure: Security Groups Tab

3. Click Create Security Group. The Create Security Group page displays.
4. Enter a Security group name for the MGT0 security group and a Description.
5. Select the appropriate VPC from the list.
6. Click Add Rule to create the security group rules listed in the tables above.

   Info: By default, the Inbound rules tab displays on the screen.

   Figure: Creating a Security Group for MGT

7. Click Create.
8. Repeat steps 3 through 7 to create the security groups for the HA, PKT0, and PKT1 subnets.
9. If deploying with the High-availability Forwarding Engine option, repeat steps 3 through 7 to create security groups for the HFE public-facing and private-facing subnets.

For more information, refer to Security Groups for Your VPC.
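Steps 3 through 7 above, and the management-subnet table earlier on the page, can also be applied through the EC2 API, which makes the rule set reviewable before it is created. The following Python is an added example and not Ribbon's code: it encodes the unambiguous rows of the management table as the IpPermissions structure that boto3's create_security_group, authorize_security_group_ingress, revoke_security_group_egress and authorize_security_group_egress calls expect, adds a review check that lists every rule open to 0.0.0.0/0 or ::/0, and records the calls in a dry run before a real client is used. The VPC id "vpc-PLACEHOLDER", the group name "sbc-mgt0" and ADMIN_CIDR are constructed stand-ins for real values.

```python
# Added example (not Ribbon's code): the console steps as EC2 API calls.
# Assumptions: a boto3 EC2 client is supplied by the caller; "vpc-PLACEHOLDER",
# the group names and ADMIN_CIDR are constructed stand-ins for real values.

ADMIN_CIDR = "10.0.10.0/24"   # stands in for x.x.x.x/y in the management table


def ip_permission(protocol, from_port, to_port, cidr, description):
    """One entry of the IpPermissions list the EC2 API expects."""
    return {
        "IpProtocol": protocol,
        "FromPort": from_port,
        "ToPort": to_port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


# Management subnet inbound rules, taken from the table's unambiguous rows.
MGT0_INGRESS = [
    ip_permission("tcp", 22, 22, ADMIN_CIDR, "SSH to CLI"),
    ip_permission("udp", 123, 123, ADMIN_CIDR, "NTP"),
    ip_permission("udp", 161, 161, ADMIN_CIDR, "SNMP polling"),
    ip_permission("udp", 162, 162, ADMIN_CIDR, "SNMP traps"),
    ip_permission("tcp", 2022, 2022, ADMIN_CIDR, "NetConf over SSH"),
]

# Outbound: the page recommends opening all ports; "-1" is the API's "All traffic".
# This is also the default egress rule EC2 attaches to every new group.
ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def world_open_ports(permissions):
    """Review check: (protocol, from, to) of every rule open to 0.0.0.0/0 or ::/0."""
    exposed = []
    for perm in permissions:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            exposed.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return exposed


class DryRunClient:
    """Stand-in for a boto3 EC2 client that records the calls it would make,
    so a rule set can be reviewed before it touches an account."""

    def __init__(self):
        self.calls = []

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-DRYRUN"}

    def __getattr__(self, name):
        # authorize_* / revoke_* calls: record the arguments, return an empty response
        def record(**kw):
            self.calls.append((name, kw))
            return {}
        return record


def create_sbc_security_group(ec2, vpc_id, name, description, ingress, egress=None):
    """Steps 3 to 7 of the console procedure as API calls. With egress=None the
    group keeps the default allow-all outbound rule the page recommends;
    otherwise the default is revoked and the given egress list applied."""
    resp = ec2.create_security_group(GroupName=name, Description=description, VpcId=vpc_id)
    sg_id = resp["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ingress)
    if egress is not None:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALL_EGRESS)
        ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=egress)
    return sg_id


if __name__ == "__main__":
    # Dry run first; swap in boto3.client("ec2") to apply the same calls for real.
    ec2 = DryRunClient()
    create_sbc_security_group(ec2, "vpc-PLACEHOLDER", "sbc-mgt0",
                              "SBC management subnet", MGT0_INGRESS)
    for call, kw in ec2.calls:
        print(call, sorted(kw))
    print("world-open ports:", world_open_ports(MGT0_INGRESS))
```

The dry run lists the create and ingress calls with their arguments and reports no world-open management ports, which is the state to confirm before repeating the call for the HA, PKT0, PKT1 and HFE groups with their own rule lists. Passing an explicit egress list triggers the revoke of EC2's default allow-all outbound rule, so the group ends with exactly the rules given, which is the case the outbound note describes.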