In this section:

Create security group rules for the subnets associated with the following interfaces, using the table that corresponds to each type of interface.

  • MGT0
  • HA
  • PKT0
  • PKT1

Customize security groups based on your network security requirements.

Note

If you are installing SBC SWe for the first time, you must create a security group to allow HTTPS access.

Inbound Security Group Rules

It is recommended to open the following ports using Inbound/Ingress rules in the security groups associated with the management, HA and packet interfaces. Port recommendations are also provided for deployments that include a High-Availability Front End (HFE).

Management Security Group

Firewall Rules for the Management Subnet

Type              Protocol  Port Range  Notes/Purpose
SSH               TCP       22          SSH to CLI. NOTE: Only allow the specific IPs/ranges from which you will access the SBC SWe.
Custom UDP rule   UDP       123         NTP
Custom UDP rule   UDP       161         SNMP polling
Custom UDP rule   UDP       162         SNMP traps
Custom TCP rule   TCP       2022        NetConf over SSH. NOTE: Only allow the specific IPs/ranges from which you will access the SBC SWe.
Custom TCP rule   TCP       2024        SSH to Linux. NOTE: Only allow the specific IPs/ranges from which you will access the SBC SWe.
HTTP              TCP       80          EMA
Custom TCP rule   TCP       444         Platform Manager
HTTPS             TCP       443         REST to ConfD DB
Custom UDP rule   UDP       3057        Used for load balancing service
Custom UDP rule   UDP       3054        Call processing requests
Custom UDP rule   UDP       3055        Keep alives and registration
Custom TCP rule   TCP       4019        Applicable to D-SBC only
Custom UDP rule   UDP       5093        SLS (license server) traffic
Custom TCP rule   TCP       443         Communicating with EMS and AWS EC2-API server

TCP 443 appears twice in this table (REST to ConfD DB; EMS and EC2 API). AWS rejects a second rule with the same protocol, port and source as a duplicate, so if both purposes share a source range a single TCP 443 rule covers them. Restrict the source of every row to the management, OSS and NTP/SNMP hosts that actually need it rather than 0.0.0.0/0.

HA Security Group

Configuring a Security Group for the HA Subnet

Type          Protocol  Port Range  Source       Notes/Purpose
All Traffic   All       All         x.x.x.x/y    x.x.x.x/y is the HA subnet CIDR.

Packet Security Group

Configuring a Security Group for the Packet Ports PKT0 and PKT1

Type              Protocol  Port Range   Source
Custom UDP rule   UDP       5060         x.x.x.x/y
Custom TCP rule   TCP       5061         x.x.x.x/y
Custom UDP rule   UDP       1024-65535   0.0.0.0/0

x.x.x.x/y is the address range of your SIP signaling peers. The last row carries RTP/RTCP media; it is open to 0.0.0.0/0 because media peers are generally not known in advance. Where your media peers are known, narrow the source and the port range to what the SBC is configured to use.

HA Forwarding Node Security Group

Configuring a Security Group for the Public-facing Port (eth0)

Type              Protocol  Port Range  Source
Custom UDP rule   UDP       5060        x.x.x.x/y
Custom TCP rule   TCP       5061        x.x.x.x/y

Outbound Security Group Rules

It is recommended to open all ports using Outbound/Egress rules in the security groups associated with the management, HA and packet interfaces. If an HFE is present, the same recommendation applies to its public-facing (eth0) port.

Outbound Security Group Rules

Type          Protocol  Port Range  Destination
All Traffic   All       All         0.0.0.0/0
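The four rule sets above, expressed as an added Python example that is not part of Ribbon's documentation or the SBC SWe software: it transcribes the tables into the IpPermissions structure that boto3's ec2.authorize_security_group_ingress and authorize_security_group_egress accept, validates each CIDR, and flags any management port left open to 0.0.0.0/0 (the NOTE the tables repeat). The CIDRs, the group ID and the per-row source ranges for the management rows (the page gives none) are assumed placeholders; replace them with your own.

```python
"""Build AWS security-group rule payloads for the SBC SWe subnets.

Added example, not Ribbon's or AWS's code. The rule sets are transcribed
from the tables on this page; the CIDRs below and the group ID used in
__main__ are constructed placeholders. The dicts produced are in the
IpPermissions shape accepted by boto3's authorize_security_group_ingress
and authorize_security_group_egress.
"""
import ipaddress

# Constructed placeholders (assumption): replace with your own ranges.
MGMT_CIDR = "203.0.113.0/24"   # operators, EMS, NTP and SNMP hosts
HA_CIDR = "10.0.2.0/24"        # the HA subnet CIDR (x.x.x.x/y above)
PEER_CIDR = "198.51.100.0/24"  # SIP signaling peers
ANY = "0.0.0.0/0"

# Rows: (protocol, from_port, to_port, source_cidr, description).
# "-1" is the AWS protocol value for "All traffic" and takes no ports.
MGT0_INGRESS = [
    ("tcp", 22, 22, MGMT_CIDR, "SSH to CLI"),
    ("udp", 123, 123, MGMT_CIDR, "NTP"),
    ("udp", 161, 161, MGMT_CIDR, "SNMP polling"),
    ("udp", 162, 162, MGMT_CIDR, "SNMP traps"),
    ("tcp", 2022, 2022, MGMT_CIDR, "NetConf over SSH"),
    ("tcp", 2024, 2024, MGMT_CIDR, "SSH to Linux"),
    ("tcp", 80, 80, MGMT_CIDR, "EMA"),
    ("tcp", 444, 444, MGMT_CIDR, "Platform Manager"),
    ("tcp", 443, 443, MGMT_CIDR, "REST to ConfD DB; EMS and EC2 API"),
    ("udp", 3057, 3057, MGMT_CIDR, "Load balancing service"),
    ("udp", 3054, 3054, MGMT_CIDR, "Call processing requests"),
    ("udp", 3055, 3055, MGMT_CIDR, "Keep alives and registration"),
    ("tcp", 4019, 4019, MGMT_CIDR, "D-SBC only"),
    ("udp", 5093, 5093, MGMT_CIDR, "SLS (license server) traffic"),
]
HA_INGRESS = [("-1", None, None, HA_CIDR, "All traffic within the HA subnet")]
PKT_INGRESS = [
    ("udp", 5060, 5060, PEER_CIDR, "SIP over UDP"),
    ("tcp", 5061, 5061, PEER_CIDR, "SIP over TLS"),
    ("udp", 1024, 65535, ANY, "RTP/RTCP media"),
]
HFE_ETH0_INGRESS = PKT_INGRESS[:2]   # the HFE table has no media row
EGRESS_ALL = [("-1", None, None, ANY, "Allow all outbound")]


def to_ip_permissions(rules):
    """Convert rule tuples to the IpPermissions list boto3 expects.

    Raises ValueError for a malformed CIDR, so a typo fails here rather
    than as an API error after half the rules have been applied.
    """
    perms = []
    for proto, lo, hi, cidr, desc in rules:
        ipaddress.ip_network(cidr)
        perm = {"IpProtocol": proto,
                "IpRanges": [{"CidrIp": cidr, "Description": desc}]}
        if proto != "-1":           # "All traffic" carries no port range
            perm["FromPort"], perm["ToPort"] = lo, hi
        perms.append(perm)
    return perms


def audit_management(rules):
    """Return (protocol, port) of management rows exposed to 0.0.0.0/0."""
    return sorted((proto, lo) for proto, lo, _hi, cidr, _d in rules
                  if cidr == ANY)


class DryRunClient:
    """Stand-in for a boto3 EC2 client that records calls instead of
    making them, so the script can be exercised offline."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("ingress", kw))

    def authorize_security_group_egress(self, **kw):
        self.calls.append(("egress", kw))


def apply(group_id, ingress, egress=None, client=None):
    """Push the ingress rules (and optional egress rules) to one group."""
    if client is None:
        import boto3   # imported lazily; credentials/region from the env
        client = boto3.client("ec2")
    client.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=to_ip_permissions(ingress))
    if egress:
        client.authorize_security_group_egress(
            GroupId=group_id, IpPermissions=to_ip_permissions(egress))
    return client


if __name__ == "__main__":
    exposed = audit_management(MGT0_INGRESS)
    if exposed:
        raise SystemExit(f"management ports open to the Internet: {exposed}")
    c = apply("sg-0123456789abcdef0", MGT0_INGRESS, client=DryRunClient())
    for name, kw in c.calls:
        print(name, kw["GroupId"], len(kw["IpPermissions"]), "rules")
```

Run it once with DryRunClient to inspect the payloads, then drop the client argument to apply them for real. A newly created security group already carries an allow-all egress rule, so authorizing EGRESS_ALL on it fails as a duplicate; only pass egress rules when you have removed or narrowed the default one.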

 
Note

The HA solution works only if the mgt0 port has internet access; the SBC uses it to reach the AWS EC2 API (TCP 443, see the Management Security Group table). If the route table associated with the mgt0 subnet does not carry the routes needed for that traffic, the HA solution does not work.

Caution

Security groups are deny-by-default: an egress rule set enumerates the traffic that is allowed and everything else is dropped. If you replace the allow-all outbound rule with rules for specific ports, all remaining ports are blocked, including the management and HA traffic listed above.

 

Note

Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum required security group rules for the SBC to function.

 

Note

The Packet and HA Forwarding Node tables assume the SIP signaling port in the SBC configuration is left at its default, so the rules use 5060 for UDP and 5061 for TCP (SIP over TLS). If you configure a different signaling port, change the rules to match.