The suggested size of the VPC is CIDR x.x.x.x/24, where each subnet has a CIDR of x.x.x.x/20. Refer to Using VPC for more details about creating a VPC network in Google Cloud.
VPC Creation
1. From the GCP Console Navigation menu, navigate to Networking and select VPC network > VPC networks.
The VPC networks page will appear.
2. Click Create VPC Network to create a VPC network for the deployment.
The Create a VPC network page will appear.
3. Complete the Name and Description fields.
Subnet Creation
To create a subnet for mgt0, complete the following procedure:
1. For Subnet creation mode, choose Custom.
2. Give the subnet a name (for example, mgt0).
3. Select the appropriate region (note that all subnets for an SBC instantiation must be in the same region).
4. Enter a suitable IP range based on your needs; typically a CIDR of 10.x.x.0/20 will suffice for management.
5. Enable Private Google access for the Mgt0 subnet (Ha0, Pkt0, and Pkt1 do not need Private Google access).
6. Click Done in the subnet window.
7. Select Regional for Dynamic routing mode.
8. DNS server policy is not required. Leave it as No Server Policy.
9. Click Create. The user is returned to the Create a VPC network screen. The new VPC network and subnet will be displayed once the creation process completes.
10. Repeat steps 1-9 to create a subnet for HA0 using the IPv4 CIDR block 10.x.16.0/20.
11. Repeat steps 1-9 to create a subnet for PKT0 using the IPv4 CIDR block 10.x.32.0/20.
12. Repeat steps 1-9 to create a subnet for PKT1 using the IPv4 CIDR block 10.x.48.0/20.
13. After creating the VPC networks, continue to the next procedure.
Creating Firewall Rules
Firewall rules govern the traffic in and out of the network. At least two separate firewall rules (one for incoming IP traffic, one for outgoing traffic) are required for each subnet, although more rules may be created and applied to the same networks. Before creating the firewall rules, review the recommended firewall rule settings in the Firewall Rules Overview section.
For a comprehensive description of firewall rules, refer to Firewalls.
To create a new firewall rule, complete the following procedure:
- From the GCP Console Navigation menu, navigate to Networking > VPC Network > Firewall rules.
The Firewall rules page will appear.
- Click CREATE FIREWALL RULE to create an incoming traffic firewall rule for the Management network.
The Create a firewall rule page will appear.
- Enter a Name and Description for the incoming Management Firewall Rule.
- Under Network, select the newly created VPC Network from the drop-down list.
- Enter a Priority for the rule (keep the default value 1000).
- Select Ingress for Direction of traffic.
- Select Allow for Action on match.
- Select All instances in the network for Targets.
- Select IP ranges as the Source filter.
- Enter one or more Source IP ranges to permit, in CIDR format.
- Click Specified protocols and ports under the Protocols and ports section.
- Click tcp and enter the individual ports or port ranges to open, separated by commas. To enable all ports, enter the keyword "all".
- Click udp and enter the individual ports or port ranges to open, separated by commas. To enable all ports, enter the keyword "all".
- Click Create.
The user returns to the Firewall Rules page and the new firewall rule is listed.
- Click CREATE FIREWALL RULE to create an outgoing traffic firewall rule for the Management network.
The Create a firewall rule page will appear.
- Enter a Name and Description for the outgoing Management Firewall Rule.
- Select the Network to apply the rule to from the drop-down list.
- Enter a Priority for the rule (you can keep the default value 1000).
- Select Egress for Direction of traffic.
- Select Allow for Action on match.
- Select All instances in the network for Targets.
- Select IP ranges as the Destination filter.
- Select Allow all under the Protocols and ports section to permit egress traffic to all destinations.
- Click Create.
The user returns to the Firewall Rules page and the new firewall rule is listed.
- Repeat this procedure to create ingress and egress firewall rules for the HA0, PKT0 and PKT1 networks.
Firewall Rules Overview
Ribbon recommends opening the following ports using Inbound/Ingress and Egress firewall rules for the management, HA, packet 0 and packet 1 interfaces.
Ingress (Inbound) Management Firewall Rules
Configuring Firewall Rules for Management Subnet
| Type | Protocol | Port | Source | Purpose |
|---|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 | SSH to CLI |
| Custom UDP rule | UDP | 123 | 0.0.0.0/0 | NTP |
| Custom UDP rule | UDP | 161 | 0.0.0.0/0 | SNMP Polling |
| Custom UDP rule | UDP | 162 | 0.0.0.0/0 | SNMP traps |
| Custom TCP rule | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
| Custom TCP rule | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
| HTTP | TCP | 80 | 0.0.0.0/0 | EMA |
| HTTPS | TCP | 443 | 0.0.0.0/0 | REST to ConfD DB |
| Custom UDP rule | UDP | 3054 | 0.0.0.0/0 | Call processing requests |
| Custom UDP rule | UDP | 3055 | 0.0.0.0/0 | Keep Alives and Registration |
| Custom TCP rule | TCP | 444 | 0.0.0.0/0 | Communicating with EMS, AWS EC2-API server, and Platform Manager |
Ingress HA Firewall Rules
Configuring Firewall Rules for HA Subnet
| Type | Protocol | Port | Source | Notes |
|---|---|---|---|---|
| All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
Ingress Packet (pkt0, pkt1) Firewall Rules
Configuring firewall rules for Packet Ports PKT0 and PKT1
| Type | Protocol | Port | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | 0.0.0.0/0 |
Egress (Outbound) Firewall Rules
It is recommended to open all ports using Outbound/Egress rules in the firewalls associated with the management, HA and packet interfaces.
| Type | Protocol | Port | Destination |
|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 |
Caution
If specific ports are opened in outbound security group rules, the remaining ports are blocked.
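The following Python script is an added example and is not part of Ribbon's documentation. It audits rules exported with `gcloud compute firewall-rules list --format=json` against the tables above: it lists each management-table port that an ingress rule leaves reachable from 0.0.0.0/0 (the source placeholder used in the tables, so the operator can confirm the ranges were narrowed as intended) and each network that lacks the egress allow-all rule the caution depends on. The rule names, networks and ranges in the sample are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json` output.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "mgt0-ingress", "network": "sbc-vpc", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "2022", "2024", "443"]},
                 {"IPProtocol": "udp", "ports": ["123", "161-162"]}]},
    {"name": "mgt0-egress", "network": "sbc-vpc", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "ha0-ingress", "network": "sbc-ha", "direction": "INGRESS", "sourceRanges": ["10.1.16.0/20"],
     "allowed": [{"IPProtocol": "all"}]},
])

# (protocol, port) -> purpose, taken from the management ingress table above.
MGMT_SERVICES = {("tcp", 22): "SSH to CLI", ("udp", 123): "NTP", ("udp", 161): "SNMP Polling",
                 ("udp", 162): "SNMP traps", ("tcp", 2022): "NetConf over ssh",
                 ("tcp", 2024): "SSH to Linux", ("tcp", 80): "EMA", ("tcp", 443): "REST to ConfD DB",
                 ("udp", 3054): "Call processing requests", ("udp", 3055): "Keep Alives and Registration",
                 ("tcp", 444): "EMS, EC2-API server and Platform Manager"}


def expand_ports(spec):
    """Turn a gcloud port spec such as '161-162' or '22' into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def is_anywhere(cidr):
    """True when the range admits every address (prefix length 0, i.e. 0.0.0.0/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules_json):
    """Report management ports reachable from anywhere, and networks with no egress
    allow-all rule (without one, egress on unlisted ports is blocked, as the caution says)."""
    exposed, networks, egress_ok = [], set(), set()
    for rule in json.loads(rules_json):
        networks.add(rule["network"])
        allowed = rule.get("allowed", [])
        if rule["direction"] == "EGRESS":
            if any(a["IPProtocol"] == "all" for a in allowed) and any(map(is_anywhere, rule.get("destinationRanges", []))):
                egress_ok.add(rule["network"])
        elif any(map(is_anywhere, rule.get("sourceRanges", []))):  # ingress open to 0.0.0.0/0
            for a in allowed:
                proto = a["IPProtocol"].lower()
                ports = set().union(*(expand_ports(p) for p in a.get("ports", [])))
                for (svc_proto, svc_port), purpose in sorted(MGMT_SERVICES.items()):
                    if proto == "all" or (proto == svc_proto and svc_port in ports):
                        exposed.append((rule["name"], svc_proto, svc_port, purpose))
    return {"exposed_to_anywhere": exposed, "missing_egress_allow_all": sorted(networks - egress_ok)}
```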
Creating Route Rules
Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to other destinations. These destinations can be inside your VPC network (for example, in another VM) or outside of it.
GCP has four different types of routes in two categories. System-generated routes are automatically created when you create a network, add a subnet, or modify the secondary IP range of a subnet. Custom routes are those that you create and maintain, either directly or by using a Cloud Router.
Every route consists of a destination and a next hop. Traffic whose destination IP is within the destination range is sent to the next hop for delivery.
When you create a VPC network, GCP creates a system-generated default route. This route serves two purposes:
- It defines the path out of the VPC network, including the path to the Internet. In addition to having this route, instances must meet additional requirements if they need Internet access.
- It provides the standard path for Private Google Access.
Initial Default System-Generated Routes for MGT0, HA0, PKT0, PKT1
The system-generated default route has a priority of 1000. Because its destination is the broadest possible (0.0.0.0/0), GCP will only use it if a route with a more specific destination does not apply to a packet. Refer to routing order for details about how destination specificity and route priority are used to select a route.
You can delete the default route in order to completely isolate your network from the Internet or if you need to replace it with a custom route.
For detailed information on the Routing in GCP, refer to Routes.
To remove the HA0 system-created route, complete the following procedure:
- Navigate to Networking > VPC network > Routes.
The list of existing Routes for the project will be displayed.
- Select the outgoing route for the HA0 network and click DELETE to remove it.
You will be asked to confirm the deletion.
To add a route for mgt0 to a Bastion Server or VPN IP address, complete the following procedure:
- Navigate to Networking > VPC network > Routes.
- Click CREATE ROUTE.
- Click Create Route Table to create a route table for MGT0.
- Enter a Name and Description for the route.
- Select the management network (in this case mgt0) under Network.
- Enter the Destination IP range as 0.0.0.0/0 to route all outbound traffic to the bastion server.
- Select Specify IP address under Next hop.
- Enter the IP address of the bastion server under Next hop IP address.
- Click Create.
The route will be created and the route list updated.
- Repeat if required to add or remove other routes for PKT0 and/or PKT1.
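As an added illustration (not from Ribbon's documentation) of the selection order described above, this Python function picks a route for a destination address the way GCP does: most specific destination first, then lowest priority value. The route list is constructed around the mgt0 network; the bastion address 10.1.0.5 and the priority 900 of the custom route are assumptions.

```python
import ipaddress

# Constructed route list for the mgt0 network: the system subnet route, the
# system-generated default route (priority 1000, as stated above) and a custom
# default route to a bastion next hop. The bastion address 10.1.0.5 and the
# priority 900 for the custom route are assumptions, not values from the page.
MGT0_ROUTES = [
    {"name": "mgt0-subnet", "dest": "10.1.0.0/20", "priority": 0, "next_hop": "subnet (local)"},
    {"name": "default-route", "dest": "0.0.0.0/0", "priority": 1000, "next_hop": "default-internet-gateway"},
    {"name": "mgt0-to-bastion", "dest": "0.0.0.0/0", "priority": 900, "next_hop": "10.1.0.5"},
]


def select_route(dst_ip, routes):
    """Apply GCP's routing order: among routes whose destination contains dst_ip,
    the most specific (longest prefix) wins; on equal specificity the lowest
    priority value wins. Returns the chosen route dict, or None if nothing matches
    (for example after the default route has been deleted). Routes tied on both
    criteria are not disambiguated here."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r["dest"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["priority"]))


def without(routes, name):
    """Copy of routes with the named route removed (models the DELETE step above)."""
    return [r for r in routes if r["name"] != name]
```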
Reserving Static IP Addresses
To be able to access the SBC management IP, you must associate a static IP address with the MGT0 private primary IP and with any secondary private IP addresses.
Based on your network requirements, you can also associate static IP addresses with the secondary IP addresses of the PKT0 and PKT1 network interfaces.
To reserve a static IP address for MGT0, complete the following steps:
- Navigate to Networking > VPC network > External IP addresses.
The External IP addresses list is displayed.
- Click Reserve static address (if no addresses exist) or click the plus ( + ) button.
The Reserve a static address page is displayed.
- Enter a Name and a Description for the IP address.
- Select Premium for Network Service Tier.
- Select IPv4 for IP Version.
- Select Regional for Type.
- Select the appropriate Region for the static IP address to be allocated in.
- Click Reserve.
Associating Static IP Addresses to MGT0
To associate a static IP address with MGT0:
- Navigate to Networking > VPC network > External IP addresses.
The External IP addresses list is displayed.
- Click Change next to the desired unused external IP address.
The Attached IP address window appears.
- Select the appropriate internal IP address from the Attach to drop-down list.
- Click OK.
- Repeat as required for the PKT0 and PKT1 network interfaces.
Instantiating a Standalone GCE SBC Instance
Complete the following steps to instantiate a Standalone SBC instance in Google Cloud:
- From the GCP Console Navigation menu, navigate to Compute Engine > VM instances.
- Click Create.
The Create an instance page is displayed.
- Enter a name in the Name field.
- Select an appropriate Region.
- Select an appropriate Zone.
- Click Customize in the Machine type panel to open the expanded list.
- Use the sliders to select 4 vCPU and 15 GB memory.
- Select Intel Broadwell or later under CPU platform.
- Choose the Boot disk option and then press Change to open the Boot disk panel.
- Select Custom Images, then select the account containing the image (if not the current one) and choose the SBC image.
- Select SSD persistent disk as the Boot disk type, with a disk size of 65 GB or more.
- Click Select.
- Under Identity and API access, click Allow full access to all Cloud APIs.
- Click Management, security, disks, networking, sole tenancy. The tab will expand.
- Click Management.
- In the Metadata section, enter the following data under the key user-data. The table below describes the user-data parameters.
Meta Data Format - Key = user-data
```yaml
#cloud-config
runcmd:
  - usermod -p '$6$io3njQos$gZtBJ4MazQeWC0beqQwRPUDZCQcKXhMr2B8QLWYGajchR2BtkyHPvBTCQj0LctHAFaYTwbsIsUkm12ta4IoLe/' linuxadmin
write_files:
  - content: |
      {
        "CEName": "<CEName>",
        "SystemName": "<SystemName>",
        "SbcPersonalityType": "isbc",
        "Mgt0Prefix": "<prefix>",
        "ThirdPartyCpuAlloc": "0",
        "ThirdPartyMemAlloc": "0"
      }
    path: /opt/sonus/conf/userData.json
```
Meta Data Example - Key = user-data
```yaml
#cloud-config
runcmd:
  - usermod -p '$6$io3njQos$gZtBJ4MazQeWC0beqQwRPUDZCQcKXhMr2B8QLWYGajchR2BtkyHPvBTCQj0LctHAFaYTwbsIsUkm12ta4IoLe/' linuxadmin
write_files:
  - content: |
      {
        "CEName": "vsbc1",
        "ReverseNatPkt0": "False",
        "ReverseNatPkt1": "False",
        "SystemName": "vsbcSystem",
        "SbcPersonalityType": "isbc",
        "ThirdPartyCpuAlloc": "0",
        "ThirdPartyMemAlloc": "0",
        "Mgt0Prefix": "20"
      }
    path: /opt/sonus/conf/userData.json
```
Userdata Content Description
| Parameter | Max length | Type | Description |
|---|---|---|---|
| CEName | 64 | string | This specifies the actual CE name of the SBC instance. For more information, see System and Instance Naming Conventions. CEName requirements: must start with an alphabetic character; may contain only alphabetic characters and/or numbers; no special characters; cannot exceed 64 characters in length. |
| SystemName | 26 | string | This specifies the actual system name of the SBC instance. For more information, see System and Instance Naming Conventions. SystemName requirements: must start with an alphabetic character; may contain only alphabetic characters and/or numbers; no special characters; cannot exceed 26 characters in length. |
| Mgt0Prefix | 2 | digits | The prefix (for example, /24) of the MGT0 subnet. |
| SbcPersonalityType | 4 | string | The name of the SBC personality type for this instance. At this time only integrated SBC (isbc) is supported in AWS. |
| ThirdPartyCpuAlloc | n/a | 0-? in vCPUs | Enter the number of CPUs to be reserved for use with third-party apps. Default is 0. |
| ThirdPartyMemAlloc | n/a | 0-? in MB | Enter the number of MB of memory to be reserved for use with third-party apps. Default is 0. |
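Added example, not Ribbon's own tooling: a Python helper that checks a userData parameter set against the constraints in the table above and renders it as the #cloud-config value shown under Meta Data Format. The linuxadmin crypt hash is supplied by the caller; the placeholder used in the test is constructed, not a real hash.

```python
import json
import re
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # alphabetic start, letters/digits only
LIMITS = {"CEName": 64, "SystemName": 26}           # maximum lengths from the table above


def validate_user_data(params):
    """Return the rule violations for a userData.json parameter dict (empty list = valid)."""
    errors = []
    for field, limit in LIMITS.items():
        value = params.get(field, "")
        if not NAME_RE.match(value):
            errors.append(f"{field}: must start with a letter and contain only letters and digits")
        if len(value) > limit:
            errors.append(f"{field}: cannot exceed {limit} characters")
    prefix = params.get("Mgt0Prefix", "")
    if not (prefix.isdigit() and len(prefix) <= 2 and int(prefix) <= 32):
        errors.append("Mgt0Prefix: must be the subnet prefix length as up to two digits (0-32)")
    if params.get("SbcPersonalityType") != "isbc":
        errors.append("SbcPersonalityType: only 'isbc' is supported")
    for field in ("ThirdPartyCpuAlloc", "ThirdPartyMemAlloc"):
        if not params.get(field, "0").isdigit():  # default 0 when omitted
            errors.append(f"{field}: must be a non-negative integer")
    for field in ("ReverseNatPkt0", "ReverseNatPkt1"):
        if field in params and params[field] not in ("True", "False"):
            errors.append(f"{field}: must be 'True' or 'False'")
    return errors


def render_cloud_config(params, linuxadmin_hash):
    """Render the user-data shown above; linuxadmin_hash is the caller-supplied crypt(3) hash."""
    errors = validate_user_data(params)
    if errors:
        raise ValueError("; ".join(errors))
    # Indent the JSON by six spaces so it sits under the `content: |` block scalar.
    body = "\n".join("      " + line for line in json.dumps(params, indent=2).splitlines())
    return ("#cloud-config\n"
            "runcmd:\n"
            f"  - usermod -p '{linuxadmin_hash}' linuxadmin\n"
            "write_files:\n"
            "  - content: |\n"
            f"{body}\n"
            "    path: /opt/sonus/conf/userData.json\n")


# Parameters from the Meta Data Example above.
EXAMPLE_PARAMS = {"CEName": "vsbc1", "ReverseNatPkt0": "False", "ReverseNatPkt1": "False",
                  "SystemName": "vsbcSystem", "SbcPersonalityType": "isbc",
                  "ThirdPartyCpuAlloc": "0", "ThirdPartyMemAlloc": "0", "Mgt0Prefix": "20"}
```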
- Click Networking.
- Click default under Network interfaces. The default Network interface will expand.
- Select the management VPC Network that you created earlier.
- For Subnetwork, select the management network that you created earlier.
- Select Ephemeral (Automatic) for Primary internal IP.
- For External IP, select the management static IP address that you reserved earlier.
- Click Done.
- Click Add network interface to add an interface for HA0.
- Select the appropriate VPC Network that you created earlier.
- For Subnetwork, select the management network that you created earlier.
- Select Ephemeral (Automatic) for Primary internal IP.
- Click Done.
- Repeat steps 24-28 for the PKT0 and PKT1 networks.
When completed, the Networking tab lists the configured interfaces.
- Click Create to instantiate the VM.
Enabling Serial Console Access to the Instance
- After you create the instance, click the instance name and then click EDIT.
- Enable the console access by clicking Enable connecting to serial ports.
- Click Save.
Connecting to the Serial Console of the Instance
- After you create the instance, click the instance name and then click EDIT.
- Connect to the serial console by clicking Connect to serial console.
- The first item shown in the console is the SSH key information needed to connect to the instance using an SSH key.