The following are the recommended rules to configure when using a user-created or custom security group on AWS.

Management Rules

The rules below are required for Avi Load Balancer Controller-to-SE communication (management interface traffic).

Type        | Protocol | Port Range | Source
------------|----------|------------|-------------------------------------------------------------
SSH         | TCP      | 22         | 0.0.0.0/0 is the default value. This indicates SSH is enabled from anywhere. Configure this value as required to restrict SSH access to a specific network, subnet, or IP address.
ICMP - IPv4 | ICMP     | N/A        | Same as above

Data Rules

Data rules cover the ports on which any virtual service (VIP/FIP) listens. The table below shows an example for HTTP communication on port 80:

Type        | Protocol | Port Range | Source
------------|----------|------------|-------------------------------------------------------------
HTTP        | TCP      | 80         | 0.0.0.0/0 is the default value. This indicates the port is reachable from anywhere. Configure this value as required to restrict access to a specific network, subnet, or IP address.
ICMP - IPv4 | ICMP     | N/A        | Same as above

Tunneling Protocols

The following table shows the custom IP protocol rules required for communication between Avi Load Balancer and AWS.

Type                    | Protocol | Port Range | Source
------------------------|----------|------------|---------
Custom Protocol EtherIP | 97       | all        | VPC CIDR
Custom Protocol CPHB    | 73       | all        | VPC CIDR
Custom Protocol 63      | 63       | all        | VPC CIDR
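One way to check an existing security group against the three tables above, as an added example that is not Avi's or AWS's own code: the function takes the IpPermissions list that `aws ec2 describe-security-groups` returns, reports required rules that are absent, and flags SSH open to 0.0.0.0/0 or tunneling protocols allowed from outside the VPC CIDR. The VPC CIDR and the sample group are constructed assumptions.

```python
from ipaddress import ip_network

VPC_CIDR = "10.155.0.0/16"  # assumed VPC CIDR for this constructed example
TUNNEL_PROTOCOLS = {"97": "EtherIP", "73": "CPHB", "63": "Custom Protocol 63"}

def _sources(perm):
    return [r["CidrIp"] for r in perm.get("IpRanges", [])]

def _inside_vpc(cidr):
    return ip_network(cidr).subnet_of(ip_network(VPC_CIDR))

def audit_ingress(perms, data_ports=(80,)):
    """Return (missing, findings): required rules that are absent from the group,
    and rules that are broader than the recommendations (SSH from anywhere,
    tunneling protocols from outside the VPC CIDR, or allow-all entries)."""
    found, findings = set(), []
    for p in perms:
        proto, srcs = p["IpProtocol"], _sources(p)
        if proto == "-1":  # "All traffic" rule: far broader than anything recommended
            findings += [f"all protocols/ports allowed from {s}" for s in srcs]
        elif proto == "tcp" and p.get("FromPort") == 22 == p.get("ToPort"):
            found.add("ssh")
            findings += [f"SSH open to {s}" for s in srcs if s == "0.0.0.0/0"]
        elif proto == "icmp":
            found.add("icmp")
        elif proto == "tcp":
            for port in range(p["FromPort"], p["ToPort"] + 1):
                if port in data_ports:
                    found.add(f"data:{port}")
        elif proto in TUNNEL_PROTOCOLS:  # EC2 reports IP protocols by number
            found.add(f"proto:{proto}")
            findings += [f"{TUNNEL_PROTOCOLS[proto]} (protocol {proto}) allowed from {s}, not the VPC CIDR"
                         for s in srcs if not _inside_vpc(s)]
    required = {"ssh", "icmp", *(f"data:{d}" for d in data_ports),
                *(f"proto:{n}" for n in TUNNEL_PROTOCOLS)}
    return sorted(required - found), findings

# Constructed sample group: SSH from anywhere, no protocol 63 rule, CPHB from 0/0.
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "97", "IpRanges": [{"CidrIp": "10.155.0.0/16"}]},
    {"IpProtocol": "73", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    missing, findings = audit_ingress(SAMPLE_PERMS)
    print("missing:", missing)
    print("findings:", findings)
```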

Configuration

[admin:10-155-1-254]: > configure serviceenginegroup Default-Group 
Updating an existing object. Currently, the object is:
----------------------------------------------------------------------------------------------+

Field	Value
----------------------------------------------------------------------------------------------+

uuid	serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name	Default-Group
max_vs_per_se	10
min_scaleout_per_vs	1
max_scaleout_per_vs	4
max_se	10
vcpus_per_se	1
memory_per_se	2048
disk_per_se	10 gb

----------------------------------------------------------------------------------------------+
[admin:10.10.1.1]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_
sg_ingress_access_all Ingress access from 0/0. 
sg_ingress_access_none No ingress access. 
sg_ingress_access_vpc Ingress access from VPC CIDR (only on Clouds that support VPC construct). 
[admin:10-155-1-254]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_vpc 
Overwriting the previously entered value for ingress_access_mgmt
[admin:10-155-1-254]: serviceenginegroup> ingress_access_data sg_ingress_access_vpc 
Overwriting the previously entered value for ingress_access_data
[admin:10-155-1-254]: serviceenginegroup> save
----------------------------------------------------------------------------------------------+

Field	Value
----------------------------------------------------------------------------------------------+

uuid	serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name	Default-Group
max_vs_per_se	10
min_scaleout_per_vs	1
max_scaleout_per_vs	4
max_se	10
vcpus_per_se	1
memory_per_se	2048
disk_per_se	10 gb
ingress_access_mgmt	SG_INGRESS_ACCESS_VPC
ingress_access_data	SG_INGRESS_ACCESS_VPC

It is recommended to create the AWS tags and security groups at the time of SE creation (when virtual services are deployed to the SE group). If you update these settings afterwards, you can delete the SEs and they will be re-created automatically with the new settings.