Create VPC and Subnets

An SBC deployment requires a Virtual Private Cloud (VPC) with one IPv4 subnet for each of the following:

  • Management (MGT0)
  • High Availability (HA0)
  • Packet 0 (PKT0)
  • Packet 1 (PKT1)

For HFE environments, configure two more VPCs, each with one IPv4 subnet, as described below:

  • "Public" facing for PKT0 untrusted traffic
  • "Private" facing for PKT1 trusted traffic

Note

Connect this interface on the HFE for PKT1 traffic using private IP addresses only.

Create a VPC

  1. From the GCP Console Navigation menu, navigate to the Networking section and select VPC network > VPC networks.

    GCP Console - VPC Network Navigation

    The VPC networks page displays.

    VPC Networks

  2. Select Create VPC Network to create a VPC network for the deployment.

    Create a VPC Network

  3. Enter information in the Name and Description fields.
  4. As part of the VPC creation process, create a subnet:
    1. For Subnet creation mode, choose Custom.
    2. Fill in the Subnet information as described in steps 4-7 of the Create a Subnet section.
  5. Click Done.
  6. Select Regional for Dynamic routing mode.
  7. DNS server policy is not required; maintain the default No Server Policy.
  8. Click Create to return to the Create a VPC Network window. The new VPC network and subnet are displayed when the creation process is completed.

    Return to the Create a VPC Network window

  9. Repeat steps 1-9 to create a subnet for HA0, using an IPv4 CIDR block 10.x.16.0/24.
  10. Repeat steps 1-9 to create a subnet for PKT0, using an IPv4 CIDR block 10.x.32.0/24.
  11. Repeat steps 1-9 to create a subnet for PKT1, using an IPv4 CIDR block 10.x.48.0/24.
  12. If using HFE, also repeat steps 1-9 to:
    1. Create a subnet for HFE node public interface for PKT0, using an IPv4 CIDR block 10.x.64.0/24.
    2. Create a subnet for HFE node public interface for PKT1, using an IPv4 CIDR block 10.x.80.0/24.

Create a Subnet

To create extra subnets in a VPC, perform the following steps:

  1. Go to VPC network > VPC networks.
  2. Select the VPC for which you want to add a subnet.

    VPC Networks

  3. Click Add subnet.
  4. Enter a name in the Name field (for example, mgt0).
  5. Select the appropriate Region. Ensure that all subnets for an SBC instantiation are in the same region.
  6. Enter a suitable IP address range. Generally a CIDR of 10.x.x.0/24 is sufficient.

    Note

    You can only create networks with "10" as the first octet. For example, 20.0.0.0/24 is an invalid subnet, resulting in a failed network creation.

  7. Set Private Google access and Flow logs to Off.
  8. Click ADD in the subnet window.

    Subnet window

Create Firewall Rules

Firewall rules govern the traffic in and out of the network. At least two separate firewall rules (one for incoming IP traffic and another for outgoing traffic) are required for each subnet. You may create and apply more rules to the same networks.

Tip

Before creating the firewall rules, review the recommended firewall rule settings in the Firewall Rules Overview section.

For a comprehensive description of firewall rules, refer to the Google documentation: https://cloud.google.com/vpc/docs/firewalls.

Note

For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.

To create a new firewall rule, complete the following procedure.

  1. From the GCP Console Navigation menu, navigate to Networking > VPC Network > Firewall rules.

    Firewall Rules

  2. Click Create Firewall Rule to create an incoming traffic firewall rule for the Management network.

    Create Firewall Rule

    1. Enter a Name and Description for the incoming Management Firewall Rule.

      Note

      Each firewall rule requires a unique name.

    2. Under Network, select the VPC Network from the drop-down list.
    3. Enter a Priority for the rule (keep the default value 1000).
    4. Select Ingress for Direction of traffic.
    5. Select Allow for Action on match.
    6. Select All instances in the network for Targets.
    7. Select IP ranges as the Source filter.
    8. Enter one or more Source IP ranges to permit using CIDR format.
    9. Click Specified protocols and ports under the Protocols and ports section.
    10. Click tcp and enter the individual or range of ports to open, separated with commas. To enable all ports, enter the keyword "all".
    11. Click udp and enter the individual or range of ports to open, separated with commas. To enable all ports, enter the keyword "all".
    12. Click Create. The system returns you to the Firewall Rules page and the new firewall rule is listed:

      New Firewall Rule

  3. Click Create Firewall Rule to create an outgoing traffic firewall rule for the Management network:

    Create Firewall Rule

  4. Enter a Name and Description for the outgoing Management Firewall Rule.

    Note

    Each firewall rule requires a unique name.
    1. Select the Network to apply the rule to from the drop-down list.
    2. Enter a Priority for the rule (you can keep the default value 1000).
    3. Select Egress for Direction of traffic.
    4. Select Allow for Action on match.
    5. Select All instances in the network for Targets.
    6. Select IP ranges as the Destination filter.
    7. Select Allow all under the Protocols and ports section to permit egress traffic to all destinations.
    8. Click Create. The Firewall Rules page opens and the new firewall rule is listed.

      Firewall Rules

Repeat this procedure to create ingress and egress firewall rules for HA0, PKT0 and PKT1 networks.

Firewall Rules Overview

Ribbon recommends opening the following ports using Inbound/Ingress and Egress firewall rules for management, HA, PKT0 and PKT1 interfaces.

Note

Each firewall rule requires a unique name.

Note

For PKT0 and PKT1 interfaces, configure the SBC firewalls to allow the subnet that brings up the instances.

Ingress (Inbound) Management Firewall Rules

Firewall Rules for the Management Subnet

Type            | Protocol | Port Range | Notes/Purpose
SSH             | TCP      | 22         | SSH to CLI. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe.
Custom UDP rule | UDP      | 123        | NTP
Custom UDP rule | UDP      | 161        | SNMP Polling
Custom UDP rule | UDP      | 162        | SNMP traps
Custom TCP rule | TCP      | 2022       | NetConf over SSH. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe.
Custom TCP rule | TCP      | 2024       | SSH to Linux. NOTE: Only use the specific IPs/ranges from which you will access the SBC SWe.
HTTP            | TCP      | 80         | EMA
Custom TCP rule | TCP      | 444        | Platform Manager
HTTPS           | TCP      | 443        | REST to ConfD DB
Custom UDP rule | UDP      | 3057       | Used for load balancing service
Custom UDP rule | UDP      | 3054       | Call processing requests
Custom UDP rule | UDP      | 3055       | Keep Alives and Registration
Custom TCP rule | TCP      | 4019       | Applicable to D-SBC only
Custom UDP rule | UDP      | 5093       | SLS (license server) traffic
Custom TCP rule | TCP      | 443        | Communicating with EMS and AWS EC2-API server.

Ingress HA Firewall Rules

Type        | Protocol | Port Range | Source    | Notes/Purpose
All Traffic | All      | All        | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR.

Ingress Packet (PKT0, PKT1, and HFE ingress interfaces) Firewall Rules

Type            | Protocol | Port Range | Source
Custom UDP rule | UDP      | 5060       | x.x.x.x/y
Custom TCP rule | TCP      | 5061       | x.x.x.x/y
Custom UDP rule | UDP      | 1024-65535 | 0.0.0.0/0

Note

For more information about Firewall rules for the HFE environment, refer to Configuring the HFE Node.

Egress (Outbound) Firewall Rules

Ribbon recommends opening all ports using Outbound/Egress rules in the firewalls associated with management, HA and packet interfaces.

Outbound Firewall Rules

Type        | Protocol | Port Range | Destination
All Traffic | All      | All        | 0.0.0.0/0

Note

The HA solution works only if the mgt0 port has internet access. If the routing table associated with the mgt0 subnet does not contain the all-traffic route, the HA solution does not work.

Warning

If specific ports are opened in outbound security group rules, the remaining ports are blocked.

Note

For the minimum security group rules that allow the SBC to function, refer to the Management Firewall Rules, HA Firewall Rules, and Packet Security Firewall Rules tables.

Note

If the SIP signaling port in the SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.
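The firewall recommendations above translate directly into a pre-flight check. The following Python is added here as an example and is not Ribbon's tooling or a Google API. It lints a constructed network plan against the rules this page states: first octet 10, a single region, no overlapping subnets, an ingress and an egress rule for every network, the SSH-type management ports (22, 2022, 2024) reachable only from specific admin ranges, HA ingress sourced only from the HA subnet, egress allowing all traffic, and unique rule names. The subnets use x = 1 in the page's 10.x.*.0/24 layout; the region, the admin range and the SIP peer range are placeholders, and the sample contains two deliberate defects so the output shows what a finding looks like.

```python
"""Pre-flight lint for an SBC-on-GCP network plan.

Added example, not Ribbon's tooling and not a GCP API. It encodes the rules the
page states: subnets use 10 as the first octet, sit in one region and do not
overlap; every network has an ingress and an egress firewall rule; the SSH-type
management ports are not opened to 0.0.0.0/0; the HA ingress source is the HA
subnet itself; egress allows all traffic; firewall rule names are unique.
"""
import ipaddress
from dataclasses import dataclass

# Management ports the page says must be reachable only from specific admin ranges.
MGMT_SSH_PORTS = frozenset({22, 2022, 2024})  # SSH to CLI, NetConf over SSH, SSH to Linux


@dataclass
class Subnet:
    name: str
    cidr: str
    region: str


@dataclass
class FirewallRule:
    name: str
    network: str                    # subnet/VPC the rule belongs to
    direction: str                  # "INGRESS" or "EGRESS"
    protocol: str                   # "tcp", "udp" or "all"
    ports: frozenset = frozenset()  # empty means all ports
    ranges: tuple = ("0.0.0.0/0",)  # source (ingress) or destination (egress) CIDRs


def check_subnets(subnets):
    """Return problems with the subnet layout; an empty list means it passes."""
    problems = []
    regions = {s.region for s in subnets}
    if len(regions) > 1:
        problems.append(f"subnets span regions {sorted(regions)}; all must be in one region")
    seen = []
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if net.network_address.packed[0] != 10:
            problems.append(f"{s.name}: {s.cidr} must use 10 as the first octet")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{s.name}: {s.cidr} overlaps {other_name} ({other})")
        seen.append((s.name, net))
    return problems


def check_firewall(rules, subnets, ha_network="ha0"):
    """Return problems with the firewall rule set; an empty list means it passes."""
    problems = []
    cidr_of = {s.name: s.cidr for s in subnets}
    for net_name in cidr_of:
        present = {r.direction for r in rules if r.network == net_name}
        for direction in ("INGRESS", "EGRESS"):
            if direction not in present:
                problems.append(f"{net_name}: missing {direction} rule")
    names = [r.name for r in rules]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"rule name {dup!r} is not unique")
    for r in rules:
        if r.direction == "INGRESS":
            if r.protocol in ("tcp", "all") and "0.0.0.0/0" in r.ranges:
                exposed = MGMT_SSH_PORTS if not r.ports else MGMT_SSH_PORTS & r.ports
                if exposed:
                    problems.append(f"{r.name}: ports {sorted(exposed)} open to 0.0.0.0/0")
            if r.network == ha_network and set(r.ranges) != {cidr_of.get(ha_network)}:
                problems.append(f"{r.name}: HA ingress source must be {cidr_of.get(ha_network)}")
        elif r.protocol != "all" or r.ports or set(r.ranges) != {"0.0.0.0/0"}:
            problems.append(f"{r.name}: egress must allow all protocols and ports to 0.0.0.0/0")
    return problems


# Constructed sample plan using the page's 10.x.*.0/24 layout with x = 1; the region,
# the admin range (TEST-NET-3) and the SIP peer range (TEST-NET-2) are placeholders.
REGION = "us-east1"
ADMIN_RANGE, SIP_PEER_RANGE = "203.0.113.0/24", "198.51.100.0/24"
SAMPLE_SUBNETS = [
    Subnet("mgt0", "10.1.0.0/24", REGION),
    Subnet("ha0", "10.1.16.0/24", REGION),
    Subnet("pkt0", "10.1.32.0/24", REGION),
    Subnet("pkt1", "10.1.48.0/24", REGION),
]
SAMPLE_RULES = [
    FirewallRule("mgt0-in-ssh", "mgt0", "INGRESS", "tcp", frozenset({22, 2022, 2024}), (ADMIN_RANGE,)),
    FirewallRule("mgt0-in-web", "mgt0", "INGRESS", "tcp", frozenset({80, 443, 444}), (ADMIN_RANGE,)),
    FirewallRule("mgt0-out", "mgt0", "EGRESS", "all"),
    FirewallRule("ha0-in", "ha0", "INGRESS", "all", frozenset(), ("10.1.16.0/24",)),
    FirewallRule("ha0-out", "ha0", "EGRESS", "all"),
    FirewallRule("pkt0-in-sip", "pkt0", "INGRESS", "udp", frozenset({5060}), (SIP_PEER_RANGE,)),
    FirewallRule("pkt0-in-media", "pkt0", "INGRESS", "udp", frozenset(range(1024, 65536))),
    FirewallRule("pkt0-out", "pkt0", "EGRESS", "all"),
    FirewallRule("pkt1-in-sip", "pkt1", "INGRESS", "udp", frozenset({5060}), ("10.1.48.0/24",)),
    # Two deliberate defects for the lint to catch: SSH open to the world, and no pkt1 egress rule.
    FirewallRule("pkt1-in-ssh-bad", "pkt1", "INGRESS", "tcp", frozenset({22})),
]

if __name__ == "__main__":
    for problem in check_subnets(SAMPLE_SUBNETS) + check_firewall(SAMPLE_RULES, SAMPLE_SUBNETS):
        print("PROBLEM:", problem)
```

Replace the sample lists with your own plan and run it before anything is clicked into the console; an empty output means the plan matches the recommendations on this page.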

Create Route Rules

Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to other destinations. These destinations can be inside your VPC network (for example, in another VM), or outside of it.

GCP has four different types of routes in two categories. System-generated routes are automatically created when you create a network, add a subnet, or modify the secondary IP address range of a subnet. Custom routes are those that you create and maintain, either directly, or by using a Cloud Router. 

Every route consists of a destination and a next hop. Traffic whose destination IP address is within the destination range is sent to the next hop for delivery.

When you create a VPC network, GCP creates a system-generated default route. This route serves two purposes:

  • It defines the path out of the VPC network, including the path to the Internet. In addition to having this route, if the instances need Internet access, they must meet additional requirements as described in https://cloud.google.com/vpc/docs/vpc#internet_access_reqs.

  • It provides the standard path for Private Google Access (https://cloud.google.com/vpc/docs/private-access-options).

Initial Default System-Generated Routes for MGT0, HA0, PKT0, PKT1

The system-generated default route has a priority of 1000. Because its destination is the broadest possible (0.0.0.0/0), GCP uses it only if no route with a more specific destination applies to a packet. For more information on how GCP uses destination specificity and route priority to select a route, refer to the "Routing order" topic at https://cloud.google.com/vpc/docs/routes#routeselection.

You can delete the default route in order to completely isolate your network from the Internet or if you need to replace it with a custom route.

For detailed information on routing in GCP, refer to https://cloud.google.com/vpc/docs/routes.
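The selection order described above (most specific destination first, then lowest priority value) can be modelled in a few lines. The Python below is an added example, not GCP's implementation or a Ribbon tool; the mgt0 subnet 10.1.0.0/24, the bastion address 10.1.0.5, the route names and the priority values are constructed. It shows why a custom 0.0.0.0/0 route to a bastion, like the one created later on this page, competes with the system-generated default route when both carry priority 1000, and how the plan resolves once the default route is deleted or the custom route is given a lower priority value.

```python
"""Model of route selection by destination specificity, then priority.

Added example, not GCP's implementation. The candidate with the longest
destination prefix wins; among equal prefixes the lowest priority value wins;
if more than one route still remains the plan is ambiguous and should be fixed,
for example by deleting the system-generated default route or by giving the
custom route a lower priority value.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str        # destination range in CIDR form
    next_hop: str
    priority: int = 1000


def select_routes(routes, dst_ip):
    """Return the route(s) that win for dst_ip; more than one entry means a tie."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not candidates:
        return []
    # Destination specificity first: keep only the longest matching prefixes.
    best_len = max(ipaddress.ip_network(r.dest).prefixlen for r in candidates)
    candidates = [r for r in candidates if ipaddress.ip_network(r.dest).prefixlen == best_len]
    # Then priority: a lower value wins.
    best_prio = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == best_prio]


def next_hop_for(routes, dst_ip):
    """Return the single next hop, or None when there is no route or an unresolved tie."""
    winners = select_routes(routes, dst_ip)
    return winners[0].next_hop if len(winners) == 1 else None


def find_ambiguous(routes, probe_ips):
    """Return the probe addresses for which the plan does not yield exactly one next hop."""
    return [ip for ip in probe_ips if next_hop_for(routes, ip) is None]


# Constructed mgt0 route table: subnet, next hop and priority values are assumptions.
SUBNET_ROUTE = Route("mgt0-subnet", "10.1.0.0/24", "local", priority=0)
DEFAULT_ROUTE = Route("default-internet", "0.0.0.0/0", "default-internet-gateway", 1000)
BASTION_ROUTE = Route("mgt0-to-bastion", "0.0.0.0/0", "10.1.0.5", 1000)  # same priority as default

TIED_PLAN = [SUBNET_ROUTE, DEFAULT_ROUTE, BASTION_ROUTE]
FIXED_PLAN = [SUBNET_ROUTE, BASTION_ROUTE]  # default route deleted, as in the procedure below
PROBES = ["10.1.0.9", "198.51.100.7"]       # in-subnet peer and an external address (TEST-NET-2)

if __name__ == "__main__":
    for ip in PROBES:
        print(ip, "->", [r.name for r in select_routes(TIED_PLAN, ip)])
    print("ambiguous in tied plan:", find_ambiguous(TIED_PLAN, PROBES))
    print("ambiguous after deleting the default route:", find_ambiguous(FIXED_PLAN, PROBES))
```

In the tied plan, in-subnet traffic resolves to the local subnet route by prefix length, while external traffic matches two equally specific routes at the same priority; removing the default route, or lowering the custom route's priority value, leaves a single next hop.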

To remove the HA0 system-created route, complete the following procedure.

  1. Navigate to Networking > VPC network > Routes. The list of existing Routes for the project is displayed.

    Route List

  2. Select the outgoing route for the HA0 network, and click DELETE to remove it.

    Deleting Routes

  3. When prompted, confirm the deletion.

    Note

    You cannot delete the default VPC network routes.

Add a Route for mgt0 to a Bastion Server or VPN IP Address

Note

To use a bastion server for SBC in GCP to access the management interface using private IP addresses, you must create the server in a subnet separate from the management interface.

To add a route for mgt0 to a Bastion Server or a VPN IP address, perform the following procedure.

  1. Navigate to Networking > VPC network > Routes.

    Routes

  2. Click CREATE ROUTE.
  3. Click Create Route Table to create a route table for MGT0.

    Create Route Table

  4. Enter a Name for the route, and Description.
  5. Select the management network (in this case mgt0) under Network.
  6. Enter the Destination IP range as 0.0.0.0/0 to route all outbound traffic to the bastion server.
  7. Select Specify IP address under Next hop.
  8. Enter the IP address of the bastion server under Next hop IP address.

    Next Hop IP Address

  9. Click Create. The route is created and the route list is updated.
  10. Repeat the previous steps to add or remove other routes for PKT0 and/or PKT1.

    Note

    Routes required for the HFE environment are available in the section "Google Network Routes" of the page Configuring the HFE Node.

Reserve Static External IP Addresses

To access the SBC management IP, associate a static external IP address with the MGT0 primary private IP address, and with any secondary private IP addresses.

Based on your network requirements, also associate static IP addresses with the secondary IP addresses of the PKT0 and PKT1 network interfaces.

To reserve a static IP address for MGT0, complete the following steps:

  1. Navigate to Networking > VPC network > External IP addresses. The External IP addresses list is displayed.

    External IP addresses

  2. Click Reserve static address (if no addresses exist), or click the plus ( + ) button. The Reserve a static address page is displayed.

    Reserve a static address

  3. Enter a Name and a Description for the IP address.
  4. Select Premium for Network Service Tier.
  5. Select IPv4 for IP Version.
  6. Select Regional for Type.
  7. Select the appropriate Region in which the static IP address is allocated.
  8. Click Reserve.

Associate Static External IP Addresses

To associate a static IP address after creating an instance, perform the following steps:

  1. Navigate to Networking > VPC network > External IP addresses. The External IP addresses list displays.

    External IP addresses

  2. Click Change next to the desired unused external IP address. The Attached IP address window displays.

    Attached IP address

  3. Select the appropriate internal IP address from the Attach to drop-down list.

  4. Click OK.

  5. Repeat as required for PKT0 and PKT1 network interfaces.

Reserve Static Internal IP Addresses

You may reserve static internal IP addresses in a VPC and attach them to a network interface during instance creation. To reserve one, perform the following steps:

  1. Navigate to Networking > VPC network.
  2. Select the VPC where the static IP address needs to be created.

    VPC network details

  3. Click Static internal IP addresses.
  4. Click Reserve static address.
  5. Enter a Name.
  6. Select the appropriate Subnet.
  7. Leave Static IP address as Assign automatically.
  8. Click RESERVE.

    Reserve