The following rules are recommended when Avi Load Balancer runs on AWS with a user-created (custom) security group instead of the security group Avi creates for the Service Engines (SEs).
Management Rules
The rules below are required for Avi Load Balancer Controller to SE communication (traffic to the SE management interface).
Type | Protocol | Port Range | Source
--- | --- | --- | ---
SSH | TCP | 22 | 0.0.0.0/0 by default, which allows SSH from anywhere. Restrict this to the network, subnet, or IP addresses that need to reach the SE management interface, such as the Controller's management subnet.
ICMP - IPv4 | ICMP | N/A | Same as above
Data Rules
Data rules cover the ports on which the virtual services (VIP/FIP) hosted by the SEs listen. The table below shows an example for HTTP on port 80; add one rule per virtual service port.
Type | Protocol | Port Range | Source
--- | --- | --- | ---
HTTP | TCP | 80 | 0.0.0.0/0 by default, which allows clients to reach the virtual service from anywhere. Restrict this to a specific network, subnet, or IP address if the virtual service should only serve known clients.
ICMP - IPv4 | ICMP | N/A | Same as above
Tunneling Protocols
The following table lists the custom IP protocols required for Avi Load Balancer traffic within the AWS VPC. These are IP protocol numbers, not TCP/UDP ports, so the port range is "all" and the source is limited to the VPC CIDR.
Type | Protocol | Port Range | Source
--- | --- | --- | ---
Custom Protocol EtherIP | 97 | all | VPC CIDR
Custom Protocol CPHB | 73 | all | VPC CIDR
Custom Protocol 63 | 63 | all | VPC CIDR
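As an added example (my own code, not Avi Load Balancer's or AWS's), the three tables above translated into the `IpPermissions` structure that boto3's `ec2.authorize_security_group_ingress` takes, plus a check that flags the 0.0.0.0/0 default on SSH/ICMP and any tunnelling protocol allowed from outside the VPC. The CIDRs 10.20.0.0/16 (VPC) and 10.99.0.0/24 (management network), the function names, and the sample `describe_security_groups` permissions are assumed or constructed for the example.

```python
"""Build and audit AWS security-group ingress rules for Avi Service Engines.

Added example, not Avi or AWS code. Assumed values: VPC CIDR 10.20.0.0/16,
management network 10.99.0.0/24; the sample permissions below are constructed.
"""
from __future__ import annotations

ANYWHERE = "0.0.0.0/0"

# IP protocol numbers from the tunnelling table: EtherIP (97), CPHB (73), protocol 63.
# AWS takes these as the protocol number in string form, with no port range.
SE_TUNNEL_PROTOCOLS = {"97": "EtherIP", "73": "CPHB", "63": "Protocol 63"}


def _rule(proto: str, cidr: str, desc: str, from_port: int | None = None,
          to_port: int | None = None) -> dict:
    """One IpPermissions entry in the shape ec2.authorize_security_group_ingress expects."""
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr, "Description": desc}]}
    if from_port is not None:
        perm["FromPort"] = from_port
        perm["ToPort"] = from_port if to_port is None else to_port
    return perm


def build_ingress_permissions(vpc_cidr: str, mgmt_cidr: str,
                              data_ports=(80,), data_cidr: str = ANYWHERE) -> list[dict]:
    """Translate the management, data and tunnelling tables into IpPermissions.

    mgmt_cidr replaces the 0.0.0.0/0 default for SSH and ICMP on the management side;
    data_cidr is where clients of the virtual services may come from; the tunnelling
    protocols are always limited to the VPC CIDR.
    """
    perms = [
        _rule("tcp", mgmt_cidr, "Controller to SE management (SSH)", 22),
        _rule("icmp", mgmt_cidr, "Controller to SE management (ICMP)", -1, -1),
    ]
    for port in data_ports:
        perms.append(_rule("tcp", data_cidr, f"virtual service on TCP {port}", port))
    perms.append(_rule("icmp", data_cidr, "virtual service ICMP (VIP reachability)", -1, -1))
    for number, name in SE_TUNNEL_PROTOCOLS.items():
        perms.append(_rule(number, vpc_cidr, f"SE tunnelling: {name} (IP protocol {number})"))
    return perms


def audit_management_group(ip_permissions: list[dict], vpc_cidr: str) -> list[str]:
    """Report rules wider than the tables recommend for a management security group:
    SSH, ICMP or all-traffic open to 0.0.0.0/0, or a tunnelling protocol from outside the VPC."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        covers_ssh = proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 0)
        if proto == "-1" and ANYWHERE in cidrs:
            findings.append(f"all traffic open to {ANYWHERE}")
        elif (covers_ssh or proto == "icmp") and ANYWHERE in cidrs:
            findings.append(f"{'SSH' if covers_ssh else 'ICMP'} open to {ANYWHERE}")
        if proto in SE_TUNNEL_PROTOCOLS:
            for cidr in cidrs:
                if cidr != vpc_cidr:
                    findings.append(f"{SE_TUNNEL_PROTOCOLS[proto]} (protocol {proto}) allowed "
                                    f"from {cidr}, expected only {vpc_cidr}")
    return findings


def apply_ingress_rules(group_id: str, ip_permissions: list[dict], region_name=None):
    """Push the rules to AWS. Needs boto3 and credentials, so it is not called here."""
    import boto3  # imported lazily so the builder and audit run without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions)


# Constructed sample (not a capture from a real account): a management group left at the
# 0.0.0.0/0 default, with CPHB also reachable from outside the VPC.
SAMPLE_MGMT_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANYWHERE}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": ANYWHERE}]},
    {"IpProtocol": "97", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "73", "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    for rule in build_ingress_permissions("10.20.0.0/16", "10.99.0.0/24", data_ports=(80, 443)):
        print(rule)
    for finding in audit_management_group(SAMPLE_MGMT_SG_PERMISSIONS, "10.20.0.0/16"):
        print("FINDING:", finding)
```

Run it against a real group by feeding the `IpPermissions` list from `describe_security_groups` into `audit_management_group`; the sample above yields three findings (SSH and ICMP from anywhere, CPHB from a non-VPC range). Note that the data security group legitimately allows ICMP and the virtual service ports from 0.0.0.0/0 when the services are public, so the audit is written for the management group only.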
Configuration
The ingress source for the security groups Avi creates is set per SE group. The CLI session below changes both the management and the data ingress access of the Default-Group SE group from the `sg_ingress_access_all` (0/0) default to the VPC CIDR:

```
[admin:10-155-1-254]: > configure serviceenginegroup Default-Group
Updating an existing object. Currently, the object is:
----------------------------------------------------------------------------------------------+
Field                  Value
----------------------------------------------------------------------------------------------+
uuid                   serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name                   Default-Group
max_vs_per_se          10
min_scaleout_per_vs    1
max_scaleout_per_vs    4
max_se                 10
vcpus_per_se           1
memory_per_se          2048
disk_per_se            10 gb
----------------------------------------------------------------------------------------------+
[admin:10.10.1.1]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_
sg_ingress_access_all    Ingress access from 0/0.
sg_ingress_access_none   No ingress access.
sg_ingress_access_vpc    Ingress access from VPC CIDR (only on Clouds that support VPC construct).
[admin:10-155-1-254]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_vpc
Overwriting the previously entered value for ingress_access_mgmt
[admin:10-155-1-254]: serviceenginegroup> ingress_access_data sg_ingress_access_vpc
Overwriting the previously entered value for ingress_access_data
[admin:10-155-1-254]: serviceenginegroup> save
----------------------------------------------------------------------------------------------+
Field                  Value
----------------------------------------------------------------------------------------------+
uuid                   serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name                   Default-Group
max_vs_per_se          10
min_scaleout_per_vs    1
max_scaleout_per_vs    4
max_se                 10
vcpus_per_se           1
memory_per_se          2048
disk_per_se            10 gb
ingress_access_mgmt    SG_INGRESS_ACCESS_VPC
ingress_access_data    SG_INGRESS_ACCESS_VPC
```
Set these values before the SEs exist: the AWS tags and security groups are created when an SE is created (that is, when virtual services are first placed on the SE group). If you change the settings after the SEs have been created, delete the affected SEs; they are re-created automatically with the new settings.