Security Group Options for AWS Deployment with Avi Vantage
Overview
Avi Vantage manages creation, modification, and deletion of security groups (SG) in Amazon Web Services (AWS). Avi Vantage creates one default security group per Service Engine on AWS.
Starting with Avi Vantage release 17.2.13, configuration of custom security groups is supported for Avi Service Engines. Custom security groups can be configured for both management and data interfaces.
Default Security Group Rules
The following are the rules which are added to the default security groups created by Avi Vantage.
- Data rules – Rules to open the ports on which virtual services listen.
- Management rules – Rules for Avi Controller to SE communication. The following rules are required for management communication.
- To enable SSH on port 22
- To enable ping for all ICMP-IPv4 packets
- Tunneling rules – Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63)
The following options are available for the default security group. Every rule created by Avi Vantage is added only to the security groups created by Avi Vantage:
- ingress_access_mgmt
- ingress_access_data
- custom_securitygroups_mgmt
- custom_securitygroups_data
Ingress Access for Management Interface
The following table lists the possible values and behaviour of the ingress_access_mgmt option:
Possible Values | Behaviour |
---|---|
SG_INGRESS_ACCESS_NONE | Management rules are not set up |
SG_INGRESS_ACCESS_ALL | Management rules are set up with source IP address 0.0.0.0/0 |
SG_INGRESS_ACCESS_VPC | Management rules are set up with the VPC CIDR as source IP address |
Ingress Access Option for Data Interface
The following table lists the possible values and behaviour of the ingress_access_data option:
Possible Values | Behaviour |
---|---|
SG_INGRESS_ACCESS_NONE | Data rules are not set up |
SG_INGRESS_ACCESS_ALL | Data rules are set up with source IP address 0.0.0.0/0 |
SG_INGRESS_ACCESS_VPC | Data rules are set up with the VPC CIDR as source IP address |
Custom Security Group for Management Interface
The following table lists the possible values and behaviour of the custom_securitygroups_mgmt option:
Possible Values | Behaviour |
---|---|
List of security group IDs | The user-provided security groups are attached to the management NIC, but no rules are added to the custom security groups |
Custom Security Groups for Data Interface
The following table lists the possible values and behaviour of the custom_securitygroups_data option:
Possible Values | Behaviour |
---|---|
List of security group IDs | The user-provided security groups are attached to the data NIC, but no rules are added to the custom security groups |
The following are the limitations of the default security groups created by Avi Vantage:
- One security group is created per SE and AWS allows only 500 security groups per account.
- The source IP address for all data and management traffic is set to either 0.0.0.0/0 or the VPC CIDR. There is no way to allow or deny only specific networks.
- AWS automatically allows all outbound traffic through security groups.
- Avi Vantage supports a custom security group option, which allows customers to create their own security groups. The custom security groups are attached to the SE in addition to the default security groups. The default security groups are of little use once custom security groups are in use.
Configuring Custom Security Group
It is recommended to create a custom security group at the SE group level and disable the default security group creation. The disable_avi_sg_creation flag disables default security group creation by Avi Vantage.
admin@10.10.1.1:~$ shell
Login: admin
Password:
[admin:10.10.1.1]: > configure serviceenginegroup Default-Group
[admin:10.10.1.1]: serviceenginegroup> disable_avi_sg_creation
Notes:
- Once the option to create the default security group is disabled, Avi Vantage does not create any new security group.
- By default, rules for the management interface, data interface, and tunnelling protocols are not added to the custom security groups. These rules must be created manually. This is equivalent to setting the ingress_access_data and ingress_access_mgmt options to None.
- If the disable_avi_sg_creation option is set on an existing cloud, it applies only to newly created Service Engines and virtual services. Existing security groups are not deleted automatically.
Recommended Security Group Rules
The following rules are recommended when using a user-created (custom) security group on AWS.
Management Rules
The rules below are required for Avi Controller to SE communication (management interface traffic).
Type | Protocol | Port Range | Source |
---|---|---|---|
SSH | TCP | 22 | 0.0.0.0/0 is the default value, which allows SSH from anywhere. Configure this value as required to restrict SSH access to a specific network, subnet, or IP address. |
ICMP - IPv4 | ICMP | N/A | Same as above |
Data Rules
Data rules include ports to which any virtual service (VIP/FIP) is listening. The table below exhibits an example for HTTP communication on port 80.
Type | Protocol | Port Range | Source |
---|---|---|---|
HTTP | TCP | 80 | 0.0.0.0/0 is the default value, which allows HTTP from anywhere. Configure this value as required to restrict access to a specific network, subnet, or IP address. |
ICMP - IPv4 | ICMP | N/A | Same as above |
Tunneling Protocols
The following table lists the custom IP protocols required for tunnelling between Avi Service Engines on AWS.
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom Protocol | 73 (CPHB) | all | VPC CIDR |
Custom Protocol | 97 (EtherIP) | all | VPC CIDR |
Custom Protocol | 63 | all | VPC CIDR |
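The following is an added example, not Avi Vantage or AWS code, that builds the recommended rule set above as EC2 IpPermissions entries (the shape boto3's authorize_security_group_ingress accepts) and audits an existing group, in the shape returned by DescribeSecurityGroups, against it. It generalises slightly beyond the tables: the audit flags SSH open to 0.0.0.0/0 (the page's default, which the page advises restricting), any of the tunnelling protocols 73/97/63 sourced from wider than the VPC CIDR, any of them missing entirely, and the ingress_access_* options are reflected by the source CIDR each rule carries. The security group, group ID and CIDRs below are constructed sample data.

```python
"""Build the recommended Avi SE ingress rules as EC2 IpPermissions and audit a
security group against them. Added example; the sample group is constructed."""

from __future__ import annotations

import ipaddress

ANYWHERE = "0.0.0.0/0"                 # source used by SG_INGRESS_ACCESS_ALL
TUNNEL_PROTOCOLS = ("73", "97", "63")  # CPHB, EtherIP and protocol 63 (from the page)


def recommended_ingress(vpc_cidr: str, mgmt_source: str = ANYWHERE,
                        data_ports: tuple[int, ...] = (80,)) -> list[dict]:
    """Return IpPermissions entries for the page's recommended rules.

    mgmt_source defaults to 0.0.0.0/0 as the page's tables do; pass an admin
    network CIDR to restrict SSH and ICMP, as the page advises. data_ports lists
    the ports virtual services listen on (the page's example is HTTP/80)."""
    perms = [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": mgmt_source, "Description": "Avi mgmt: SSH"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": mgmt_source, "Description": "Avi mgmt: ICMP"}]},
    ]
    for port in data_ports:
        perms.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": ANYWHERE,
                                    "Description": f"Avi data: VIP port {port}"}]})
    for proto in TUNNEL_PROTOCOLS:
        # Non-TCP/UDP/ICMP protocols carry no port range in an EC2 rule.
        perms.append({"IpProtocol": proto,
                      "IpRanges": [{"CidrIp": vpc_cidr,
                                    "Description": f"Avi tunnel: IP protocol {proto}"}]})
    return perms


def _within(rule_cidr: str, allowed_cidr: str) -> bool:
    """True if rule_cidr is no wider than allowed_cidr (IPv4 only here)."""
    return ipaddress.ip_network(rule_cidr).subnet_of(ipaddress.ip_network(allowed_cidr))


def audit_security_group(sg: dict, vpc_cidr: str) -> list[str]:
    """Return findings for one DescribeSecurityGroups entry.

    Flags SSH reachable from 0.0.0.0/0, any all-protocol rule from 0.0.0.0/0,
    tunnelling protocols sourced wider than the VPC CIDR, and tunnelling
    protocols that are missing (SE-to-SE tunnelling would not work)."""
    findings: list[str] = []
    seen_tunnel: set[str] = set()
    for perm in sg.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol"))
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for ip_range in perm.get("IpRanges", []):
            cidr = ip_range["CidrIp"]
            if proto == "tcp" and lo <= 22 <= hi and cidr == ANYWHERE:
                findings.append("SSH (22) ingress from 0.0.0.0/0; restrict to an admin network")
            if proto == "-1" and cidr == ANYWHERE:
                findings.append("all protocols and ports open from 0.0.0.0/0")
            if proto in TUNNEL_PROTOCOLS:
                seen_tunnel.add(proto)
                if not _within(cidr, vpc_cidr):
                    findings.append(f"IP protocol {proto} ingress from {cidr} "
                                    f"is wider than VPC CIDR {vpc_cidr}")
    for proto in TUNNEL_PROTOCOLS:
        if proto not in seen_tunnel:
            findings.append(f"IP protocol {proto} not allowed; "
                            "SE tunnelling needs it from the VPC CIDR")
    return findings


# Constructed sample: a custom SG that left SSH and EtherIP world-open and
# forgot protocol 63. Group ID and CIDRs are made up.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "avi-se-custom",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "73", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "97", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_SG, "10.0.0.0/16"):
        print(f"{SAMPLE_SG['GroupId']}: {finding}")
    print(recommended_ingress("10.0.0.0/16", mgmt_source="192.0.2.0/24"))
```

Against a live account the same audit runs over `describe_security_groups()["SecurityGroups"]` from boto3, and the `recommended_ingress` output can be passed as the `IpPermissions` argument of `authorize_security_group_ingress`; both calls are omitted here so the block runs offline.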
Configuration
[admin:10-155-1-254]: > configure serviceenginegroup Default-Group
Updating an existing object. Currently, the object is:
----------------------------------------------------------------------------------------------+
Field Value
----------------------------------------------------------------------------------------------+
uuid serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name Default-Group
max_vs_per_se 10
min_scaleout_per_vs 1
max_scaleout_per_vs 4
max_se 10
vcpus_per_se 1
memory_per_se 2048
disk_per_se 10 gb
----------------------------------------------------------------------------------------------+
[admin:10.10.1.1]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_
sg_ingress_access_all Ingress access from 0/0.
sg_ingress_access_none No ingress access.
sg_ingress_access_vpc Ingress access from VPC CIDR (only on Clouds that support VPC construct).
[admin:10-155-1-254]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_vpc
Overwriting the previously entered value for ingress_access_mgmt
[admin:10-155-1-254]: serviceenginegroup> ingress_access_data sg_ingress_access_vpc
Overwriting the previously entered value for ingress_access_data
[admin:10-155-1-254]: serviceenginegroup> save
----------------------------------------------------------------------------------------------+
Field Value
----------------------------------------------------------------------------------------------+
uuid serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name Default-Group
max_vs_per_se 10
min_scaleout_per_vs 1
max_scaleout_per_vs 4
max_se 10
vcpus_per_se 1
memory_per_se 2048
disk_per_se 10 gb
ingress_access_mgmt SG_INGRESS_ACCESS_VPC
ingress_access_data SG_INGRESS_ACCESS_VPC
It is recommended to create the AWS tags and security groups at the time of SE creation (when virtual services are deployed to the SE group). If you have updated these settings afterwards, you can delete the SEs and they are automatically re-created with the new settings.