Security Group Options for AWS Deployment with Avi Vantage

Overview

Avi Vantage manages the creation, modification, and deletion of security groups (SG) in Amazon Web Services (AWS). Avi Vantage creates one default security group per Service Engine (SE) on AWS.
Starting with Avi Vantage releases 17.2.14 and 18.1.5, custom security groups are supported for Avi Service Engines. Custom security groups can be configured for both the management and data interfaces.

Default Security Group Rules

The following rules are added to the default security groups created by Avi Vantage.

  • Data rules – Rules that open the ports on which virtual services listen.
  • Management rules – Rules for Avi Controller to SE communication. The following rules are required for management communication:
    • SSH on port 22
    • Ping (all ICMP-IPv4 packets)
  • Tunneling rules – Custom Protocol EtherIP (97), Custom Protocol CPHB (73), and Custom Protocol 63 (63)

The following options control the default security group. Each rule created by Avi Vantage is added only to the security groups created by Avi Vantage.

  • ingress_access_mgmt
  • ingress_access_data
  • custom_securitygroups_mgmt
  • custom_securitygroups_data

Ingress Access for Management Interface

The following table lists the possible values and the behaviour of the ingress_access_mgmt option:

Possible Values        | Behaviour
-----------------------|-----------------------------------------------------------------
SG_INGRESS_ACCESS_NONE | Management rules are not set up
SG_INGRESS_ACCESS_ALL  | Management rules are set up with the source IP address 0.0.0.0/0
SG_INGRESS_ACCESS_VPC  | Management rules are set up with the source IP address set to the VPC CIDR

Ingress Access Option for Data Interface

The following table lists the possible values and the behaviour of the ingress_access_data option:

Possible Values        | Behaviour
-----------------------|-----------------------------------------------------------------
SG_INGRESS_ACCESS_NONE | Data rules are not set up
SG_INGRESS_ACCESS_ALL  | Data rules are set up with the source IP address 0.0.0.0/0
SG_INGRESS_ACCESS_VPC  | Data rules are set up with the source IP address set to the VPC CIDR

Custom Security Group for Management Interface

The following table lists the possible values and the behaviour of the custom_securitygroups_mgmt option:

Possible Values            | Behaviour
---------------------------|--------------------------------------------------------------------------------------------
List of security group IDs | The user-provided security groups are attached to the management NIC, but no rules are added to them

Custom Security Groups for Data Interface

The following table lists the possible values and the behaviour of the custom_securitygroups_data option:

Possible Values            | Behaviour
---------------------------|--------------------------------------------------------------------------------------------
List of security group IDs | The user-provided security groups are attached to the data NIC, but no rules are added to them

The default security groups created by Avi Vantage have the following limitations:

  • One security group is created per SE, and AWS allows only 500 security groups per account.
  • The source IP address for all data and management rules is either 0.0.0.0/0 or the VPC CIDR. There is no way to allow or deny specific networks only.
  • AWS automatically allows all outbound traffic through security groups.
  • Avi Vantage supports a custom security group option, which allows customers to create their own security groups. The custom security groups are attached to the SE in addition to the default security groups, so the default security groups add little value once custom security groups are in use.

Configuring Custom Security Group

It is recommended to create a custom security group at the SE group level and to disable default security group creation. The disable_avi_sg_creation flag disables creation of the default security group by Avi Vantage.


admin@10.10.1.1:~$ shell
Login: admin
Password:
[admin:10.10.1.1]: > configure serviceenginegroup Default-Group
[admin:10.10.1.1]: serviceenginegroup> disable_avi_sg_creation

Notes:

  • Once default security group creation is disabled, Avi Vantage does not create any new security groups.
  • By default, rules for the management interface, data interface, and tunneling protocols are not added to the custom security groups. These rules must be created manually. This is equivalent to setting the ingress_access_data and ingress_access_mgmt options to None.
  • If the disable_avi_sg_creation option is set on an existing cloud, it applies only to newly created Service Engines and virtual services. Existing security groups are not deleted automatically.

The following rules are recommended when using a user-created (custom) security group on AWS.

Management Rules

The rules below are required for Avi Controller to SE communication (management interface traffic).

Type        | Protocol | Port Range | Source
------------|----------|------------|---------------------------------------------------------------------------------------------------------------
SSH         | TCP      | 22         | 0.0.0.0/0 is the default value, which allows SSH from anywhere. Set this value as required to restrict SSH access to a specific network, subnet, or IP address.
ICMP - IPv4 | ICMP     | N/A        | Same as above

Data Rules

Data rules cover the ports on which virtual services (VIP/FIP) listen. The table below shows an example for HTTP on port 80.

Type        | Protocol | Port Range | Source
------------|----------|------------|---------------------------------------------------------------------------------------------------------------
HTTP        | TCP      | 80         | 0.0.0.0/0 is the default value, which allows HTTP access from anywhere. Set this value as required to restrict access to a specific network, subnet, or IP address.
ICMP - IPv4 | ICMP     | N/A        | Same as above

Tunneling Protocols

The following table lists the custom protocols required for tunneling traffic between Avi Vantage components on AWS.

Type            | Protocol | Port Range | Source
----------------|----------|------------|---------
Custom Protocol | 73       | all        | VPC CIDR
Custom Protocol | 97       | all        | VPC CIDR
Custom Protocol | 63       | all        | VPC CIDR
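The three tables above describe the rules a custom security group must carry once disable_avi_sg_creation is set. The script below is an added example (not Avi Vantage or AWS code) that builds those rules in the JSON shape accepted by `aws ec2 authorize-security-group-ingress --ip-permissions`, and audits an existing group, in the shape returned by `aws ec2 describe-security-groups`, for the two drifts the tables warn about: management rules left at the 0.0.0.0/0 default, and tunneling protocols 73/97/63 missing or allowed from outside the VPC CIDR. The group ID, VPC CIDR and management subnet are constructed placeholders.

```python
"""Build and audit AWS security-group ingress rules for Avi SEs.

Added example, not Avi Vantage or AWS code. SAMPLE_SG is constructed in
the shape of `aws ec2 describe-security-groups` output; its group ID
and CIDRs are placeholders.
"""
import ipaddress
import json

# Tunneling protocols from the table above: CPHB (73), EtherIP (97), 63.
TUNNEL_PROTOCOLS = ("73", "97", "63")
# Management rules: SSH and all ICMP-IPv4 (Controller to SE traffic).
MGMT_RULES = (("tcp", 22, 22), ("icmp", -1, -1))


def _within(cidr, allowed_cidr):
    """True if every address in cidr lies inside allowed_cidr."""
    return ipaddress.ip_network(cidr, strict=False).subnet_of(
        ipaddress.ip_network(allowed_cidr, strict=False))


def ingress_permissions(vpc_cidr, mgmt_source, data_ports=(80,)):
    """Return the IpPermissions list for the management, data and
    tunneling rules. Management rules use mgmt_source instead of the
    0.0.0.0/0 default; VIP ports stay public as in the data table."""
    perms = []
    for proto, lo, hi in MGMT_RULES:
        perms.append({"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
                      "IpRanges": [{"CidrIp": mgmt_source}]})
    for port in data_ports:
        perms.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
    for proto in TUNNEL_PROTOCOLS:
        # Protocol-number rules carry no port range ("all").
        perms.append({"IpProtocol": proto,
                      "IpRanges": [{"CidrIp": vpc_cidr}]})
    return perms


def authorize_command(group_id, perms):
    """Render the aws-cli command that applies perms to group_id."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s "
            "--ip-permissions '%s'"
            % (group_id, json.dumps(perms, separators=(",", ":"))))


def audit_security_group(sg, vpc_cidr, mgmt_source):
    """Return human-readable findings for one security-group record.

    Flags management rules whose source is wider than mgmt_source,
    tunneling protocols allowed from outside vpc_cidr, and tunneling
    protocols with no rule at all. Data (VIP) rules are not judged,
    since their source depends on who the virtual service serves.
    """
    findings = []
    seen_tunnel = set()
    for perm in sg.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol"))
        key = (proto, perm.get("FromPort"), perm.get("ToPort"))
        for src in (r["CidrIp"] for r in perm.get("IpRanges", [])):
            if proto in TUNNEL_PROTOCOLS:
                seen_tunnel.add(proto)
                if not _within(src, vpc_cidr):
                    findings.append("protocol %s allowed from %s, expected "
                                    "within %s" % (proto, src, vpc_cidr))
            elif key in MGMT_RULES and not _within(src, mgmt_source):
                findings.append("%s/%s management rule open to %s, expected "
                                "within %s" % (proto, key[1], src, mgmt_source))
    for proto in TUNNEL_PROTOCOLS:
        if proto not in seen_tunnel:
            findings.append("no ingress rule for tunneling protocol %s" % proto)
    return findings


# Constructed sample: SSH left at the default source, protocol 73 opened
# too widely, and protocol 63 not configured at all.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "97", "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "73", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_SG, "10.20.0.0/16", "10.20.0.0/16"):
        print("FINDING:", f)
    print(authorize_command("sg-0123456789abcdef0",
                            ingress_permissions("10.20.0.0/16", "10.20.1.0/24")))
```

Run against a real account by piping `aws ec2 describe-security-groups --group-ids <id>` into a loop over `SecurityGroups`; the audit reads only the IpPermissions list, so the remaining fields of the record are ignored. Passing the VPC CIDR as mgmt_source reproduces the SG_INGRESS_ACCESS_VPC behaviour, while a narrower controller subnet enforces the tighter SSH source the management table recommends.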

Configuration


[admin:10-155-1-254]: > configure serviceenginegroup Default-Group 
Updating an existing object. Currently, the object is:
----------------------------------------------------------------------------------------------+

Field	Value
----------------------------------------------------------------------------------------------+

uuid	serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name	Default-Group
max_vs_per_se	10
min_scaleout_per_vs	1
max_scaleout_per_vs	4
max_se	10
vcpus_per_se	1
memory_per_se	2048
disk_per_se	10 gb

----------------------------------------------------------------------------------------------+
[admin:10.10.1.1]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_
sg_ingress_access_all Ingress access from 0/0. 
sg_ingress_access_none No ingress access. 
sg_ingress_access_vpc Ingress access from VPC CIDR (only on Clouds that support VPC construct). 
[admin:10-155-1-254]: serviceenginegroup> ingress_access_mgmt sg_ingress_access_vpc 
Overwriting the previously entered value for ingress_access_mgmt
[admin:10-155-1-254]: serviceenginegroup> ingress_access_data sg_ingress_access_vpc 
Overwriting the previously entered value for ingress_access_data
[admin:10-155-1-254]: serviceenginegroup> save
----------------------------------------------------------------------------------------------+

Field	Value
----------------------------------------------------------------------------------------------+

uuid	serviceenginegroup-a25dccd9-6954-45fe-b4e4-330164c0fa15
name	Default-Group
max_vs_per_se	10
min_scaleout_per_vs	1
max_scaleout_per_vs	4
max_se	10
vcpus_per_se	1
memory_per_se	2048
disk_per_se	10 gb
ingress_access_mgmt	SG_INGRESS_ACCESS_VPC
ingress_access_data	SG_INGRESS_ACCESS_VPC

It is recommended to create the AWS tags and security groups at the time of SE creation (when virtual services are deployed to the SE group). If you have updated these settings afterwards, you can delete the SEs and they will be automatically re-created with the new settings.

Additional Information

Security Hardening in OpenStack and AWS Clouds