This section discusses the default security groups created by NSX Advanced Load Balancer.
The following are the rules which are added to the default security groups created by NSX Advanced Load Balancer:
Data rules – Rules that open the ports used to communicate with the virtual service.
Management rules – Rules for communication between the NSX Advanced Load Balancer Controller and the SE. The following rules are required for management communication:
Enable SSH on port 22.
Enable ping for all ICMP-IPv4 packets.
Tunneling rules – Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63).
The following are the options available for the default security groups. Each rule created by NSX Advanced Load Balancer is added only to the security groups that NSX Advanced Load Balancer itself created.
ingress_access_mgmt
ingress_access_data
custom_securitygroups_mgmt
custom_securitygroups_data
Ingress Access for Management Interface
The following table lists the behaviour and the possible values for the ingress_access_mgmt option:
Possible Values | Behaviour
---|---
SG_INGRESS_ACCESS_NONE | Management rules are not set up
SG_INGRESS_ACCESS_ALL | Management rules are set up with the source IP address 0.0.0.0/0
SG_INGRESS_ACCESS_VPC | Management rules are set up with the source IP address set to the VPC CIDR
Ingress Access for Data Interface
The following table lists the behaviour and the possible values for the ingress_access_data option:
Possible Values | Behaviour
---|---
SG_INGRESS_ACCESS_NONE | Data rules are not set up
SG_INGRESS_ACCESS_ALL | Data rules are set up with the source IP address 0.0.0.0/0
SG_INGRESS_ACCESS_VPC | Data rules are set up with the source IP address set to the VPC CIDR
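The following Python model is an added illustration, not NSX Advanced Load Balancer's own code: it maps the ingress_access_* values above to the source CIDR each rule carries, builds the management and tunneling rules in the IpPermissions shape that the AWS EC2 API (for example boto3's authorize_security_group_ingress) accepts, and audits a rule set for management rules open to 0.0.0.0/0. The data-rule ports and the VPC CIDR are caller-supplied assumptions; rule sets from a real account would come from describe_security_groups.

```python
"""Model the ingress rules described for the default security groups and
audit them. Illustrative code, not NSX Advanced Load Balancer's implementation."""
import ipaddress

MODES = {"SG_INGRESS_ACCESS_NONE", "SG_INGRESS_ACCESS_ALL", "SG_INGRESS_ACCESS_VPC"}
# Custom IP protocols used by the tunneling rules: EtherIP (97), CPHB (73), 63.
TUNNEL_PROTOCOLS = ("97", "73", "63")


def source_cidr(mode, vpc_cidr):
    """Map an ingress_access_* value to the source CIDR the rules will carry."""
    if mode not in MODES:
        raise ValueError(f"unknown ingress access mode: {mode}")
    if mode == "SG_INGRESS_ACCESS_NONE":
        return None                      # no rules are set up at all
    if mode == "SG_INGRESS_ACCESS_ALL":
        return "0.0.0.0/0"               # world-reachable
    return str(ipaddress.ip_network(vpc_cidr))  # validates the assumed VPC CIDR


def management_rules(mode, vpc_cidr):
    """SSH (tcp/22) and all ICMP-IPv4, for Controller-to-SE traffic."""
    cidr = source_cidr(mode, vpc_cidr)
    if cidr is None:
        return []
    ranges = [{"CidrIp": cidr}]
    return [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ranges},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": ranges},
    ]


def data_rules(mode, vpc_cidr, ports):
    """Open the virtual service's TCP ports (assumed, caller-supplied)."""
    cidr = source_cidr(mode, vpc_cidr)
    if cidr is None:
        return []
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": cidr}]} for p in ports]


def tunneling_rules(cidr):
    """Custom-protocol rules carry only the protocol number, no port fields."""
    return [{"IpProtocol": p, "IpRanges": [{"CidrIp": cidr}]} for p in TUNNEL_PROTOCOLS]


def world_open_mgmt(permissions):
    """Audit: return management rules (tcp/22 or icmp) whose source is 0.0.0.0/0."""
    findings = []
    for perm in permissions:
        is_mgmt = (perm["IpProtocol"] == "tcp" and perm.get("FromPort") == 22
                   or perm["IpProtocol"] == "icmp")
        if is_mgmt and any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            findings.append(perm)
    return findings
```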
The following are the limitations of the default security groups created by NSX Advanced Load Balancer:
One security group is created per SE, and AWS allows only 500 security groups per account.
The source IP address for all data and management traffic is set to either 0.0.0.0/0 or the VPC CIDR. There is no option to allow or disallow specific networks.
AWS automatically allows all outbound traffic through security groups.
NSX Advanced Load Balancer supports a custom security group option, which allows customers to create their own security groups. The custom security groups are attached to the SE alongside the default security groups. When custom security groups are in use, the default security groups serve little purpose.