Create security group rules for the four subnets by referring to the corresponding tables in this section:

  • MGT0
  • HA
  • PKT0
  • PKT1

Customize security groups based on your network security requirement.

Note: If you are installing SBC SWe for the first time, you must create a security group to allow HTTPS access.

Inbound Security Group Rules

It is recommended to open the following ports for inbound/ingress rules in the security groups associated with the management, HA, and packet interfaces.

Management Security Group

Table: Configuring Security Group for Management Subnet

Type            | Protocol | Port Range | Source    | Notes/Purpose
SSH             | TCP      | 22         | 0.0.0.0/0 | SSH to CLI
Custom UDP rule | UDP      | 123        | 0.0.0.0/0 | NTP
Custom UDP rule | UDP      | 161        | 0.0.0.0/0 | SNMP polling
Custom UDP rule | UDP      | 162        | 0.0.0.0/0 | SNMP traps
Custom TCP rule | TCP      | 2022       | 0.0.0.0/0 | NETCONF over SSH
Custom TCP rule | TCP      | 2024       | 0.0.0.0/0 | SSH to Linux
HTTP            | TCP      | 80         | 0.0.0.0/0 | EMA
Custom TCP rule | TCP      | 444        | 0.0.0.0/0 | Platform Manager
HTTPS           | TCP      | 443        | 0.0.0.0/0 | REST to ConfD DB
Custom UDP rule | UDP      | 3057       | 0.0.0.0/0 | Used for load balancing service
Custom UDP rule | UDP      | 3054       | 0.0.0.0/0 | Call processing requests
Custom UDP rule | UDP      | 3055       | 0.0.0.0/0 | Keep-alives and registration
Custom TCP rule | TCP      | 4019       | 0.0.0.0/0 | Applicable to D-SBC only
Custom UDP rule | UDP      | 5093       | 0.0.0.0/0 | SLS (license server) traffic

...

Custom TCP rule | TCP      | 443        | 0.0.0.0/0 | Communicating with EMS and AWS EC2-API server.
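The table above opens every management port to 0.0.0.0/0, and the page asks you to customize the groups to your own security requirement. The following added example (not part of the original document) renders the management rows in the IpPermissions shape that the EC2 authorize-security-group-ingress API accepts, and restricts the operator-facing ports (SSH, HTTP/HTTPS, Platform Manager, NETCONF) to an assumed management CIDR; the MGMT_CIDR value is a placeholder, not a value from the document.

```python
"""Render the SBC management security group as EC2 IpPermissions and
tighten world-open administrative rules to a management CIDR.
Rows are taken from the Management Security Group table; MGMT_CIDR is an
assumed placeholder network, not a value from the document."""
import ipaddress
import json

# (protocol, port, source, purpose) rows from the management table
MGMT_RULES = [
    ("tcp", 22, "0.0.0.0/0", "SSH to CLI"),
    ("udp", 123, "0.0.0.0/0", "NTP"),
    ("udp", 161, "0.0.0.0/0", "SNMP polling"),
    ("udp", 162, "0.0.0.0/0", "SNMP traps"),
    ("tcp", 2022, "0.0.0.0/0", "NETCONF over SSH"),
    ("tcp", 2024, "0.0.0.0/0", "SSH to Linux"),
    ("tcp", 80, "0.0.0.0/0", "EMA"),
    ("tcp", 444, "0.0.0.0/0", "Platform Manager"),
    ("tcp", 443, "0.0.0.0/0", "REST to ConfD DB / EMS and EC2 API"),
    ("udp", 3057, "0.0.0.0/0", "Load balancing service"),
    ("udp", 3054, "0.0.0.0/0", "Call processing requests"),
    ("udp", 3055, "0.0.0.0/0", "Keep-alives and registration"),
    ("tcp", 4019, "0.0.0.0/0", "D-SBC only"),
    ("udp", 5093, "0.0.0.0/0", "SLS (license server) traffic"),
]
# Operator-facing ports that normally should not be reachable from 0.0.0.0/0
ADMIN_PORTS = {22, 80, 443, 444, 2022, 2024}

def tighten(rules, mgmt_cidr, admin_ports=ADMIN_PORTS):
    """Return a copy of rules with admin ports restricted to mgmt_cidr."""
    ipaddress.ip_network(mgmt_cidr)  # raises ValueError on a malformed CIDR
    return [(proto, port, mgmt_cidr if port in admin_ports else src, desc)
            for proto, port, src, desc in rules]

def to_ip_permissions(rules):
    """Rules in the IpPermissions shape used by
    authorize-security-group-ingress (one entry per rule)."""
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": src, "Description": desc}]}
            for proto, port, src, desc in rules]

def world_open_admin(rules, admin_ports=ADMIN_PORTS):
    """(protocol, port) pairs of admin rules still open to the Internet."""
    return [(p, port) for p, port, src, _ in rules
            if src == "0.0.0.0/0" and port in admin_ports]

if __name__ == "__main__":
    MGMT_CIDR = "203.0.113.0/24"  # assumed operator network (placeholder)
    hardened = tighten(MGMT_RULES, MGMT_CIDR)
    print("still world-open admin ports:", world_open_admin(hardened))
    print(json.dumps({"IpPermissions": to_ip_permissions(hardened)}, indent=2))
```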

HA Security Group

Table: Configuring Security Group for HA Subnet

Type        | Protocol | Port Range | Source    | Notes/Purpose
All Traffic | All      | All        | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR.

...

Packet Security Group

Table: Configuring Security Group for Packet Ports PKT0 and PKT1

Type            | Protocol | Port Range | Source
Custom UDP rule | UDP      | 5060       | x.x.x.x/y
Custom TCP rule | TCP      | 5061       | x.x.x.x/y
Custom UDP rule | UDP      | 1024-65535 | 0.0.0.0/0

...

Outbound Security Group Rules

It is recommended to open all ports for outbound/egress rules in the security groups associated with the management, HA, and packet interfaces.

Table: Outbound Security Group Rules

Type        | Protocol | Port Range | Destination
All Traffic | All      | All        | 0.0.0.0/0

Note: The HA solution works only if mgt0 has internet access. If the route table associated with the mgt0 subnet does not contain a route covering all traffic, the HA solution does not work.

Caution: If only specific ports are opened in the outbound security group rules, all remaining ports are blocked.

 

Note: Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum security group rules required for the SBC to function.

...

Table: Configuring Security Group for Management Subnet

Type            | Protocol | Port Range | Destination | Notes/Purpose
Custom UDP rule | UDP      | 123        | 0.0.0.0/0   | NTP
Custom UDP rule | UDP      | 161        |             |
Note: Considering that the SIP signaling port in the SBC configuration is set to the default port (5060), the UDP/TCP port numbers are set to 5060 and 5061.

Route Table Rule

AWS uses the most specific route in your route table that matches the traffic to determine how to route it (longest prefix match). You must have a route that sends all non-Virtual Private Cloud (VPC) traffic to an internet gateway, or ensure that internet traffic is routed through your own NAT instance or NAT gateway. If the SBC has no way to send its API queries out to the internet, the HA solution for the SBC fails in AWS.

Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other. AWS uses the most specific route that matches either the IPv4 traffic or the IPv6 traffic to determine how to route it.

For example, the following route table has a route for IPv4 internet traffic (0.0.0.0/0) that points to an internet gateway. Any traffic destined for a target within the VPC (10.0.0.0/16) is covered by the Local route and is therefore routed within the VPC. All other traffic from the subnet uses the internet gateway.

Table: Route Table

Destination | Target
10.0.0.0/16 | Local
0.0.0.0/0   | igw-11aa22bb
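To make the longest-prefix-match rule concrete, here is an added example (not from the document) that resolves a destination address against the route table above the way AWS does, treats IPv4 and IPv6 routes independently, and shows why the HA solution's API queries are dropped when the 0.0.0.0/0 route is missing. The route entries are the document's example; the test addresses are constructed.

```python
"""Longest-prefix-match route lookup, mirroring how AWS selects the most
specific matching route. Route entries are the document's example table;
the destination addresses used below are constructed for illustration."""
import ipaddress

# Route table from the document: local VPC route plus default route to the IGW
ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-11aa22bb"),
]

def lookup(route_table, destination):
    """Return the target of the most specific matching route, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        # IPv4 and IPv6 routes are independent: never match across families
        if dst.version != net.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None

def ha_reachable(route_table, api_endpoint_ip):
    """The HA solution needs the EC2 API endpoint (outside the VPC) to be
    routable via the IGW or a NAT target; no route means the query is dropped."""
    target = lookup(route_table, api_endpoint_ip)
    return target is not None and target != "local"

if __name__ == "__main__":
    for ip in ("10.0.5.7", "52.46.128.10"):  # constructed test addresses
        print(ip, "->", lookup(ROUTES, ip))
    # Without the default route the API query has nowhere to go
    print("HA ok with default route:", ha_reachable(ROUTES, "52.46.128.10"))
    print("HA ok without default route:", ha_reachable(ROUTES[:1], "52.46.128.10"))
```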

HA Security Group

Table: Configuring Security Group for HA Subnet

Type        | Protocol | Port Range | Destination | Note/Purpose
All Traffic | All      | All        | x.x.x.x/y   | x.x.x.x/y is the HA subnet CIDR.

Packet Security Group

Table: Configuring Security Group for Packet Ports PKT0 and PKT1

Type            | Protocol | Port Range | Destination | Note/Purpose
Custom UDP rule | UDP      | 5060       | x.x.x.x/y   | Destination IP address to be filled in based on the call configuration
Custom TCP rule | TCP      | 5061       | x.x.x.x/y   | Destination IP address to be filled in based on the call configuration
Custom UDP rule | UDP      | 1024-65535 | 0.0.0.0/0   |


For detailed information on the Route Table, refer to AWS documentation.

Dynamic Host Configuration Protocol (DHCP) Option Set

The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message carries the configuration parameters, such as the domain name, the domain name server, and the netbios-node-type.

DHCP option sets are associated with your AWS account so that you can use them across all of your VPCs. For detailed information on DHCP option sets, refer to DHCP Options Sets in the AWS documentation.

The following DHCP option sets are provided by AWS:

  • default DHCP option set
  • custom DHCP option set

When you create a VPC, AWS automatically creates a set of DHCP options and associates it with the VPC. This set includes two options:

  • domain-name-servers=AmazonProvidedDNS
  • domain-name=domain-name-for-your-region

AmazonProvidedDNS is an Amazon DNS server that enables DNS for instances that need to communicate over the VPC's internet gateway. The string AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range plus two. For example, the DNS server on a 10.0.0.0/16 network is located at 10.0.0.2. For VPCs with multiple IPv4 CIDR blocks, the DNS server IP address is located in the primary CIDR block.

The AWS HA solution uses several API requests to discover the peer instance and to perform the IP switch-over. At the back end, AWS runs several servers with different IP addresses behind the API endpoint to give the SBC seamless responses. If one server goes down, the Amazon-provided DNS automatically updates the API endpoint. A custom DNS server may not do this, which results in API request failures. To avoid this, the SBC must add AmazonProvidedDNS as a DNS server in the option set, in addition to the IP address of the custom DNS server. For detailed information on custom DNS, refer to Using DNS with Your VPC in the AWS documentation.
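The following added example (not from the document) computes the resolver address that AmazonProvidedDNS maps to from the VPC's primary CIDR block, checks a DHCP option set in the DhcpConfigurations key/values shape for the requirement described above, and builds an option set that keeps the custom DNS server while adding AmazonProvidedDNS. The VPC CIDR blocks and the custom DNS address are constructed values.

```python
"""Check a VPC DHCP option set for the HA DNS requirement: domain-name-servers
must include AmazonProvidedDNS (or its resolver address, primary CIDR base + 2)
alongside any custom DNS server. Added example; CIDRs and the custom server
address are constructed, not taken from the document."""
import ipaddress

def amazon_resolver(vpc_cidrs):
    """Resolver address behind AmazonProvidedDNS: primary CIDR base plus two."""
    return str(ipaddress.ip_network(vpc_cidrs[0])[2])

def dns_servers(option_set):
    """Values of the domain-name-servers option in a DhcpConfigurations list."""
    for cfg in option_set:
        if cfg["Key"] == "domain-name-servers":
            return list(cfg["Values"])
    return []

def ha_dns_ok(option_set, vpc_cidrs):
    """True if the Amazon resolver is present, so API endpoint names keep
    resolving when AWS rotates the servers behind the endpoint."""
    servers = dns_servers(option_set)
    return "AmazonProvidedDNS" in servers or amazon_resolver(vpc_cidrs) in servers

def with_amazon_dns(custom_servers):
    """Option set the document calls for: custom DNS plus AmazonProvidedDNS."""
    values = list(custom_servers)
    if "AmazonProvidedDNS" not in values:
        values.append("AmazonProvidedDNS")
    return [{"Key": "domain-name-servers", "Values": values}]

if __name__ == "__main__":
    cidrs = ["10.0.0.0/16", "10.1.0.0/16"]  # constructed VPC CIDR blocks
    custom_only = [{"Key": "domain-name-servers", "Values": ["10.0.0.53"]}]
    print("resolver:", amazon_resolver(cidrs))
    print("custom DNS only:", ha_dns_ok(custom_only, cidrs))
    print("custom + Amazon:", ha_dns_ok(with_amazon_dns(["10.0.0.53"]), cidrs))
```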


Create Security Group

To create a security group:

  1. Navigate to the EC2 Management Console.
  2. From the left pane, click Security Groups.

     [Figure: Security Groups Tab]

  3. Click Create Security Group. The Create Security Group page displays.
  4. Enter the Security group name and Description.
  5. Select the appropriate VPC from the list.
  6. Click Add Rule to create security group rules.

     Note: By default, inbound rules are displayed on the screen.

     [Figure: Creating Security Group for MGT]

  7. Click Create.
  8. Repeat steps 3 through 7 to create the security groups for the HA, PKT0, and PKT1 network interfaces.

...