This setion discusses the default security groups created by NSX Advanced Load Balancer.

The following are the rules which are added to the default security groups created by NSX Advanced Load Balancer:

  • Data rules – Rules to open ports to communicate with virtual service.

  • Management rules – This is for NSX Advanced Load Balancer Controller to SE communication. The following are the rules required for management communication. To enable SSH on port 22 To enable ping for all ICMP-IPv4 packets.

  • Tunneling rules – Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63).

The following are the different options available for the default security group. Each of the NSX Advanced Load Balancer created rules are added only to the security groups it created.

  • ingress_access_mgmt

  • ingress_access_data

  • custom_securitygroups_mgmt

  • custom_securitygroups_data

Ingress Access for Management Inteface

The following table lists behaviour and the possible values for the ingress_access_mgmt option:

Possible Values

Behaviour

SG_INGRESS_ACCESS_NONE

Management rules are not set up

SG_INGRESS_ACCESS_ALL

Management rules are setup with source IP address as 0.0.0.0/0

SG_INGRESS_ACCESS_VPC

Management rules are setup with source IP address as VPC CIDR

Possible Values

Behaviour

SG_INGRESS_ACCESS_NONE

Data rules are not set up

SG_INGRESS_ACCESS_ALL

Data rules are setup with source IP address as 0.0.0.0/0

SG_INGRESS_ACCESS_VPC

Data rules are setup with source IP address as VPC CIDR

The following are the limitations of the default security groups created by NSX Advanced Load Balancer:

  • One security group is created per SE and AWS allows only 500 security groups per account.

  • The source IP address for all the data and management traffic is set to either (0.0.0.0) or (VPC CIDR). There is no control to allow or disallow certain network only.

  • AWS automatically allows all outbound traffic through security groups.

  • NSX Advanced Load Balancer supports custom security group option, which allows customers to create their own security group. The custom security groups are attached to the SE, in addition to the default security groups. The default security groups are not of much use if the custom security group is in use.