The following are the recommended rules to configure when the NSX Advanced Load Balancer Service Engines (SEs) on AWS use a user-created (custom) security group instead of the one the Controller creates.

Management Rules

The following rules are required for Controller-to-SE communication over the SE management interface.

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 is the default value, which allows SSH from anywhere. Change it to the specific network, subnet, or IP address (typically the Controller's management network) that should be allowed SSH access to the SEs. |
| ICMP - IPv4 | ICMP | N/A | Same as above |

Data Rules

Data rules cover the ports on which the virtual services (VIP/FIP) hosted by the SE listen. The table below shows an example for an HTTP virtual service on port 80:

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 is the default value, which allows HTTP from anywhere. For an internal virtual service, restrict it to the specific network, subnet, or IP address range that should reach the VIP. |
| ICMP - IPv4 | ICMP | N/A | Same as above |

Tunneling Protocols

The following table lists the custom IP protocols that must be allowed for communication between NSX Advanced Load Balancer and AWS. These are IP protocol numbers, not TCP/UDP ports: a security group rule for such a protocol applies to all traffic of that protocol, so the port range is shown as "all". Source them from the VPC CIDR only.

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom Protocol | 73 | all | VPC CIDR |
| Custom Protocol | 97 | all | VPC CIDR |
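As an added example (not code from the original page or from the NSX Advanced Load Balancer product), the script below assembles the three rule sets above in the IpPermissions shape that the EC2 AuthorizeSecurityGroupIngress API (and `aws ec2 authorize-security-group-ingress --ip-permissions`) accepts, and audits the result for the two settings that should never be left at 0.0.0.0/0: SSH on the management interface and the protocol 73/97 tunneling rules. The CIDRs and VIP ports are constructed sample values; the function and variable names are this example's own.

```python
"""Build and audit ingress rules for a custom NSX ALB SE security group on AWS.

Added example, not from the original page. CIDRs and VIP ports are
constructed sample values; names here are not part of any Avi/NSX API.
"""
import ipaddress
import json

ANYWHERE = "0.0.0.0/0"


def cidr_rule(protocol, cidr, description, from_port=None, to_port=None):
    """One IpPermissions entry.

    Ports are only meaningful for tcp/udp/icmp. For numeric IP protocols such
    as 73 and 97, AWS applies the rule to all traffic of that protocol, so no
    FromPort/ToPort keys are emitted for them.
    """
    ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    rule = {"IpProtocol": protocol,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}
    if from_port is not None:
        rule["FromPort"] = from_port
        rule["ToPort"] = to_port if to_port is not None else from_port
    return rule


def se_ingress_rules(vpc_cidr, vip_ports, mgmt_cidr=ANYWHERE, vip_cidr=ANYWHERE):
    """Management, data and tunneling rules corresponding to the three tables.

    mgmt_cidr defaults to 0.0.0.0/0, matching the AWS default the page warns
    about; pass the Controller's network to restrict SSH.
    """
    rules = [
        # Management rules: Controller -> SE over the management interface
        cidr_rule("tcp", mgmt_cidr, "SSH Controller-to-SE management", 22),
        cidr_rule("icmp", mgmt_cidr, "ICMP management", -1, -1),  # -1/-1 = all ICMP
    ]
    # Data rules: one entry per virtual service listener port
    for port in vip_ports:
        rules.append(cidr_rule("tcp", vip_cidr, f"VIP listener tcp/{port}", port))
    rules.append(cidr_rule("icmp", vip_cidr, "ICMP data", -1, -1))
    # Tunneling: IP protocols 73 and 97, all ports, VPC CIDR only
    for proto in ("73", "97"):
        rules.append(cidr_rule(proto, vpc_cidr, f"IP protocol {proto} tunneling"))
    return rules


def audit(rules):
    """Return findings a reviewer would flag before applying the rules."""
    findings = []
    for r in rules:
        cidrs = [x["CidrIp"] for x in r["IpRanges"]]
        if ANYWHERE not in cidrs:
            continue
        if r["IpProtocol"] == "tcp" and r.get("FromPort", 0) <= 22 <= r.get("ToPort", 0):
            findings.append("SSH (tcp/22) is open to 0.0.0.0/0; restrict it to the Controller network")
        if r["IpProtocol"] in ("73", "97"):
            findings.append(f"IP protocol {r['IpProtocol']} is open to 0.0.0.0/0; restrict it to the VPC CIDR")
    return findings


if __name__ == "__main__":
    # Sample values: VPC 10.20.0.0/16, Controller subnet 10.20.1.0/24, VIPs on 80 and 443
    rules = se_ingress_rules("10.20.0.0/16", [80, 443], mgmt_cidr="10.20.1.0/24")
    print(json.dumps(rules, indent=2))
    print(audit(rules) or "no findings")
    # To apply with boto3 (not done here so the script runs offline):
    # boto3.client("ec2").authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rules)
```

Leaving `mgmt_cidr` at its default reproduces the AWS default shown in the Management Rules table, and `audit()` reports it; the same list can be passed unchanged as `IpPermissions` to boto3 or dumped to a file for the CLI.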

It is recommended to create the AWS tags and security groups before the SEs are created (that is, before virtual services are deployed to the SE Group), because they are applied to SEs at creation time. If you change these settings afterwards, delete the affected SEs; they are automatically re-created with the new settings.