This section discusses the default security groups created by Avi Load Balancer.

The following are the rules which are added to the default security groups created by Avi Load Balancer:

  • Data rules – Rules that open the ports needed to communicate with the virtual services.

  • Management rules – Rules for Avi Load Balancer Controller to SE communication. The following rules are required for management communication:

    • Enable SSH on port 22.

    • Enable ping for all ICMP-IPv4 packets.

  • Tunneling rules on the Data interfaces for SE to SE communication: Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63).

The following are the options available for the default security groups. Each rule that Avi Load Balancer creates is added only to the security groups it created.

  • ingress_access_mgmt

  • ingress_access_data

  • custom_securitygroups_mgmt

  • custom_securitygroups_data

Ingress Access for Management Interface

The following table lists the possible values for the ingress_access_mgmt option and the resulting behaviour:

  Possible Values           Behaviour
  SG_INGRESS_ACCESS_NONE    Management rules are not set up.
  SG_INGRESS_ACCESS_ALL     Management rules are set up with the source IP address 0.0.0.0/0.
  SG_INGRESS_ACCESS_VPC     Management rules are set up with the source IP address set to the VPC CIDR.

Ingress Access Option for Data Interface

The following table lists the possible values for the ingress_access_data option and the resulting behaviour:

  Possible Values           Behaviour
  SG_INGRESS_ACCESS_NONE    Data rules are not set up.
  SG_INGRESS_ACCESS_ALL     Data rules are set up with the source IP address 0.0.0.0/0.
  SG_INGRESS_ACCESS_VPC     Data rules are set up with the source IP address set to the VPC CIDR.

Custom Security Group for Management Interface

The following table lists the possible values for the custom_securitygroups_mgmt option and the resulting behaviour:

  Possible Values               Behaviour
  List of security group IDs    The user-provided security groups are added to the management NIC, but no rules are added to the custom security groups.

Custom Security Groups for Data Interface

The following table lists the possible values for the custom_securitygroups_data option and the resulting behaviour:

  Possible Values               Behaviour
  List of security group IDs    The user-provided security groups are added to the data NIC, but no rules are added to the custom security groups.
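The following added example (not Avi Load Balancer's own code) models the ingress rules the options above produce, in the IpPermissions shape that EC2 describe_security_groups returns, and audits a rule set for entries open to 0.0.0.0/0. It assumes virtual service ports are TCP and that the SE-to-SE tunnelling rules use the same source as the data rules; both are assumptions, not statements from this page.

```python
"""Model Avi default SE security group ingress rules and audit them."""
from typing import List, Optional

ANY_IPV4 = "0.0.0.0/0"
TUNNEL_PROTOCOLS = ("97", "73", "63")   # EtherIP, CPHB, protocol 63 (page values)


def _source(option: str, vpc_cidr: str) -> Optional[str]:
    """Map an SG_INGRESS_ACCESS_* value to the source CIDR (None = no rules)."""
    if option == "SG_INGRESS_ACCESS_NONE":
        return None
    if option == "SG_INGRESS_ACCESS_ALL":
        return ANY_IPV4
    if option == "SG_INGRESS_ACCESS_VPC":
        return vpc_cidr
    raise ValueError(f"unknown ingress access option: {option}")


def _perm(proto: str, src: str, from_port=None, to_port=None) -> dict:
    """Build one entry in the EC2 IpPermissions list format."""
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": src}]}
    if from_port is not None:
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    return perm


def management_rules(ingress_access_mgmt: str, vpc_cidr: str) -> List[dict]:
    """SSH (22) and all ICMP-IPv4 for Controller to SE traffic."""
    src = _source(ingress_access_mgmt, vpc_cidr)
    if src is None:
        return []
    return [_perm("tcp", src, 22, 22), _perm("icmp", src, -1, -1)]  # -1 = all ICMP


def data_rules(ingress_access_data: str, vpc_cidr: str, vs_ports: List[int]) -> List[dict]:
    """One TCP rule per virtual service port (TCP is an assumption here)."""
    src = _source(ingress_access_data, vpc_cidr)
    if src is None:
        return []
    return [_perm("tcp", src, p, p) for p in vs_ports]


def tunnel_rules(src: str) -> List[dict]:
    """SE-to-SE tunnelling protocols on the data interface; source is assumed."""
    return [_perm(proto, src) for proto in TUNNEL_PROTOCOLS]


def world_open_rules(ip_permissions: List[dict]) -> List[tuple]:
    """Return (protocol, from_port, to_port) for each rule reachable from 0.0.0.0/0."""
    return [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
            for p in ip_permissions
            if any(r.get("CidrIp") == ANY_IPV4 for r in p.get("IpRanges", []))]
```

Feeding the IpPermissions of a live SE security group into world_open_rules gives a quick check that SG_INGRESS_ACCESS_ALL has not left port 22 reachable from the internet.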

The following are the limitations of the default security groups created by Avi Load Balancer:

  • One security group is created per SE, and AWS allows only 500 security groups per account.

  • The source IP address for all data and management traffic is set to either 0.0.0.0/0 or the VPC CIDR. There is no control to allow or disallow specific networks only.

  • AWS automatically allows all outbound traffic through security groups.

  • Avi Load Balancer supports a custom security group option, which allows customers to create their own security groups. The custom security groups are attached to the SE alongside the default security groups. The default security groups are of little use when custom security groups are in use.