This section discusses the default security groups created by Avi Load Balancer.
The following rules are added to the default security groups created by Avi Load Balancer:

- Data rules – Rules that open the ports on which the virtual service is reached.
- Management rules – Rules for Avi Load Balancer Controller-to-SE communication. The following rules are required for management communication:
  - Enable SSH on port 22.
  - Enable ping for all ICMP-IPv4 packets.
  - Tunnelling rules on the data interfaces for SE-to-SE communication: Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63).
The following options are available for the default security groups. Each rule created by Avi Load Balancer is added only to the security groups that Avi Load Balancer created:

- ingress_access_mgmt
- ingress_access_data
- custom_securitygroups_mgmt
- custom_securitygroups_data
Ingress Access for Management Interface

The following table lists the possible values and the resulting behaviour for the ingress_access_mgmt option:

| Possible Values | Behaviour |
|---|---|
| SG_INGRESS_ACCESS_NONE | Management rules are not set up |
| SG_INGRESS_ACCESS_ALL | Management rules are set up with the source IP address 0.0.0.0/0 |
| SG_INGRESS_ACCESS_VPC | Management rules are set up with the source IP address set to the VPC CIDR |
Ingress Access Option for Data Interface

The following table lists the possible values and the resulting behaviour for the ingress_access_data option:

| Possible Values | Behaviour |
|---|---|
| SG_INGRESS_ACCESS_NONE | Data rules are not set up |
| SG_INGRESS_ACCESS_ALL | Data rules are set up with the source IP address 0.0.0.0/0 |
| SG_INGRESS_ACCESS_VPC | Data rules are set up with the source IP address set to the VPC CIDR |
Custom Security Group for Management Interface

The following table lists the possible values and the resulting behaviour for the custom_securitygroups_mgmt option:

| Possible Values | Behaviour |
|---|---|
| List of security group IDs | The user-provided security groups are attached to the management NIC, but no rules are added to the custom security groups |
Custom Security Groups for Data Interface

The following table lists the possible values and the resulting behaviour for the custom_securitygroups_data option:

| Possible Values | Behaviour |
|---|---|
| List of security group IDs | The user-provided security groups are attached to the data NIC, but no rules are added to the custom security groups |
The default security groups created by Avi Load Balancer have the following limitations:

- One security group is created per SE, and AWS allows only 500 security groups per account.
- The source IP address for all data and management rules is set to either 0.0.0.0/0 or the VPC CIDR. There is no option to allow or deny specific networks only.
- AWS automatically allows all outbound traffic through security groups.

Avi Load Balancer also supports a custom security group option, which allows customers to supply their own security groups. The custom security groups are attached to the SE alongside the default security groups. When custom security groups are in use, the default security groups are of little use.
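The following is an added example, not Avi Load Balancer code: it models the management and SE-to-SE tunnelling rules described above for each ingress_access_* value and flags the rules whose source is 0.0.0.0/0, so the effect of a setting can be reviewed before Service Engines are deployed. The Rule class, the function names and the VPC CIDR are assumptions made for this illustration.

```python
# Added example (not Avi Load Balancer code): models the rules the page describes
# for each ingress_access_* value and audits which of them admit 0.0.0.0/0.
from dataclasses import dataclass
from typing import List, Optional

SG_INGRESS_ACCESS_NONE = "SG_INGRESS_ACCESS_NONE"
SG_INGRESS_ACCESS_ALL = "SG_INGRESS_ACCESS_ALL"
SG_INGRESS_ACCESS_VPC = "SG_INGRESS_ACCESS_VPC"
ANY_IPV4 = "0.0.0.0/0"
# IP protocol numbers listed on the page: EtherIP (97), CPHB (73), protocol 63.
SE_TUNNEL_PROTOCOLS = ("97", "73", "63")


@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "icmp", or an IP protocol number as a string
    port: Optional[int]  # TCP port, or None for whole-protocol rules
    source: str          # CIDR the rule admits traffic from


def source_cidr(option: str, vpc_cidr: str) -> Optional[str]:
    """Map an ingress_access_* value to the source CIDR used (None = no rules)."""
    sources = {SG_INGRESS_ACCESS_NONE: None, SG_INGRESS_ACCESS_ALL: ANY_IPV4,
               SG_INGRESS_ACCESS_VPC: vpc_cidr}
    if option not in sources:
        raise ValueError(f"unknown ingress access option: {option}")
    return sources[option]


def management_rules(option: str, vpc_cidr: str) -> List[Rule]:
    """Controller-to-SE rules: SSH on port 22 and ICMP-IPv4 ping."""
    src = source_cidr(option, vpc_cidr)
    if src is None:
        return []
    return [Rule("tcp", 22, src), Rule("icmp", None, src)]


def tunnel_rules(option: str, vpc_cidr: str) -> List[Rule]:
    """SE-to-SE tunnelling rules on the data interfaces (assumed to share the option)."""
    src = source_cidr(option, vpc_cidr)
    if src is None:
        return []
    return [Rule(proto, None, src) for proto in SE_TUNNEL_PROTOCOLS]


def world_open(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules whose source is 0.0.0.0/0 (SSH open to the world, etc.)."""
    return [r for r in rules if r.source == ANY_IPV4]


if __name__ == "__main__":
    vpc = "10.20.0.0/16"  # constructed sample VPC CIDR
    for opt in (SG_INGRESS_ACCESS_ALL, SG_INGRESS_ACCESS_VPC):
        rules = management_rules(opt, vpc) + tunnel_rules(opt, vpc)
        print(opt, "world-open rules:", len(world_open(rules)))
```

With SG_INGRESS_ACCESS_ALL every rule is world-open, with SG_INGRESS_ACCESS_VPC none is, which is the whole range of control the default groups give; narrower sources need the custom security group option.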