In this section:
Create security groups to support Management (MGT0), High Availability (HA0), PKT0 and PKT1 subnets for the SBC.
Before creating the security groups, review the recommended security group rule settings in the following section.
Security Group Rules Overview
Inbound Security Group Rules
Ribbon recommends opening the following ports using Inbound/Ingress rules in the security groups associated with management, HA and packet subnets.
Management Security Group
Configuring Security Group for Management Subnet
Type | Protocol | Port Range | Source | Notes/Purpose |
|---|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 | SSH to CLI |
| Custom UDP rule | UDP | 123 | 0.0.0.0/0 | NTP |
| Custom UDP rule | UDP | 161 | 0.0.0.0/0 | SNMP Polling |
| Custom UDP rule | UDP | 162 | 0.0.0.0/0 | SNMP traps |
| Custom TCP rule | TCP | 2022 | 0.0.0.0/0 | NetConf over ssh |
| Custom TCP rule | TCP | 2024 | 0.0.0.0/0 | SSH to Linux |
| HTTP | TCP | 80 | 0.0.0.0/0 | EMA |
| HTTPS | TCP | 443 | 0.0.0.0/0 | REST to ConfD DB |
| Custom UDP rule | UDP | 3057 | 0.0.0.0/0 | Used for load balancing service |
| Custom UDP rule | UDP | 3054 | 0.0.0.0/0 | Call processing requests |
| Custom UDP rule | UDP | 3055 | 0.0.0.0/0 | Keep Alives and Registration |
| Custom TCP rule | TCP | 4019 | 0.0.0.0/0 | Applicable to D-SBC only |
| Custom UDP rule | UDP | 5093 | 0.0.0.0/0 | SLS (license server) traffic |
| Custom TCP rule | TCP | 444 | 0.0.0.0/0 | Communicating with EMS, AWS EC2-API server, and Platform Manager |
HA Security Group
Configuring Security Group for HA Subnet
Type | Protocol | Port Range | Source | Notes/Purpose |
|---|---|---|---|---|
| All Traffic | All | All | x.x.x.x/y | x.x.x.x/y is the HA subnet CIDR. |
Packet Security Group
Configuring Security Group for Packet Ports PKT0 and PKT1
Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |
Caution
The source ranges for the packet security group may be external IP address ranges, or they may be the HFE private subnet CIDR if a High-availability Forwarding Engine is present in the configuration.
HA Forwarding Node Security Groups
Configuring a Security Group for the Public-facing/Management Port (eth0)
Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y |
Configuring a Security Group for the Private-facing Port (eth2)
Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom UDP rule | UDP | 5060 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
| Custom TCP rule | TCP | 5061 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
| Custom UDP rule | UDP | 1024-65535 | x.x.x.x/y is the PKT0 or PKT1 subnet CIDR which is to have external connectivity |
Caution
The source ranges for the HFE Private-facing Port security group may be the private subnet CIDR of the SBC PKT0 or PKT1 subnets.
Outbound Security Group Rules
Ribbon recommends opening all ports using Outbound/Egress rules in the security groups associated with management, HA and packet interfaces.
Outbound Security Group Rules
Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 |
Caution
If you open specific ports in outbound security group rules, the remaining ports are blocked.
Note
Refer to the Management Security Group, HA Security Group, and Packet Security Group tables for the minimum required security group rules for the SBC to function.
Note
Considering that the SIP signaling port in SBC configuration is set to the default port (5060), the port numbers for UDP/TCP are set to 5060 and 5061.
Create Security Groups
Navigate to EC2 Management Console.
From the left pane, click Security Groups.
Security Groups Tab
- Click Create Security Group. The Create Security Group page displays.
Enter a Security group name for the MGT0 security group and Description.
Select an appropriate VPC from the list.
Click Add Rule to create security group rules as suggested above.
NoteBy default, the Inbound rules tab displays on the screen.
Creating a Security Group for MGT
- Click Create.
Repeat steps 3 through 7 to create the new security group for HA, PKT0, and PKT1 subnets.
- If deploying with a High-availability Forwarding Engine option, repeat steps 3 through 7 to create a new security group for the HFE public and private-facing subnets.
Overview
Content Tools