Recommended Security Group Rules for AWS Deployment

The following are the recommended rules to be configured when using an user-created security group or a custom security group on AWS.

Management Rules

The rules mentioned below is required for NSX Advanced Load Balancer Controller to SE communication (management interface traffic).


Type	Protocol	Port Range	Source
SSH	TCP	22	0.0.0.0/0 is the default value. This indicates SSH is enabled from anywhere. This value is configured as per requirement to restrict SSH access from a specific network, subnet, or IP address.
ICMP - IPv4	ICMP	N/A	Same as above

Data Rules

Data rules include ports to which any virtual service (VIP/FIP) is listening. The table below exhibits an example for HTTP communication on port 80:


Type	Protocol	Port Range	Source
HTTP	TCP	80	0.0.0.0/0 is the default value. This indicates SSH is enabled from anywhere. This value is configured as per requirement to restrict SSH from a specific network/subnetwork/IP address.
ICMP - IPv4	ICMP	N/A	Same as above

Tunneling Protocols

The following table exhibits custom ports required for communication between NSX Advanced Load Balancer and AWS.


Type	Protocol	Port Range	Source
Custom Protocol	73	all	VPC CIDR
Customer Protocol	97	all	VPC CIDR

It is recommended to create the AWS tags and security groups at the time of SE creation (when virtual services are deployed to the SE Group). If you have updated these settings, you can delete the SEs and they will be automatically re-created with the new settings.