Configuring AWS security groups

Access to AWS instances is restricted by the AWS firewall. This is configured by associating an instance with an AWS security group, which specifies the inbound and outbound traffic (protocols, ports and sources/destinations) permitted for instances in the group.

A minimal AWS security group that permits access to a public cloud style Pexip Infinity deployment would look similar to this:

Inbound rules

Type                 Protocol   Port range    Source
SSH                  TCP        22            <management station IP address/subnet>
Custom TCP Rule      TCP        1720
Custom TCP Rule      TCP        5060
Custom TCP Rule      TCP        5061
Custom TCP Rule      TCP        8443          <management station IP address/subnet>
Custom TCP Rule      TCP        33000-49999
Custom UDP Rule *    UDP        5060
Custom UDP Rule      UDP        40000-49999
Custom UDP Rule      UDP        500           <sg-12345678>
Custom UDP Rule      UDP        1719
Custom Protocol      ESP (50)   All           <sg-12345678>
All ICMP             ICMP       All           <management station IP address/subnet>

* Only required if you intend to enable SIP over UDP.

Outbound rules

Type                 Protocol   Port range    Destination
All traffic          All        All

An empty Source / Destination cell means any source or destination. <management station IP address/subnet> should be restricted to a single IP address or subnet and is used only for management access (SSH, the port 8443 management interface and ICMP). <sg-12345678> is the identity of this security group itself, so those rules permit traffic from the other AWS instances (the Management Node and Conferencing Nodes) associated with the same security group.

A single security group can be applied to the Management Node and all Conferencing Nodes. However, if you want to apply further restrictions to your Management Node (for example, to exclude the TCP/UDP signaling and media ports), then you can configure additional security groups and use them as appropriate for each AWS instance.
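The inbound rule set above, expressed in the IpPermissions format that boto3's `authorize_security_group_ingress` and `aws ec2 authorize-security-group-ingress` accept, plus a small check that the management-only rules (SSH, 8443, ICMP) were not left open to the world. This is an added example, not Pexip's own tooling; the management station address `203.0.113.10/32` and the group id `sg-12345678` are placeholders, and `0.0.0.0/0` is the AWS CIDR used here to mean "any source".

```python
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"            # AWS CIDR for "any source" (assumed meaning of the blank cells)
MGMT = "203.0.113.10/32"     # constructed management-station address (TEST-NET-3 range)
SELF_SG = "sg-12345678"      # placeholder id of this security group, as on the page

# Rules that must only ever come from the management station
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 8443), ("icmp", -1)}


def rule(proto: str, first: int, last: Optional[int] = None,
         cidr: Optional[str] = None, sg: Optional[str] = None) -> Dict:
    """Build one EC2 IpPermission; no cidr and no sg means any source."""
    perm = {"IpProtocol": proto, "FromPort": first,
            "ToPort": first if last is None else last}
    if sg:
        perm["UserIdGroupPairs"] = [{"GroupId": sg}]   # source is another instance in the group
    else:
        perm["IpRanges"] = [{"CidrIp": cidr or ANY}]
    return perm


def inbound_rules(mgmt_cidr: str = MGMT, sip_udp: bool = False) -> List[Dict]:
    """The page's inbound table; UDP 5060 only when SIP over UDP is enabled."""
    rules = [
        rule("tcp", 22, cidr=mgmt_cidr),
        rule("tcp", 1720),
        rule("tcp", 5060),
        rule("tcp", 5061),
        rule("tcp", 8443, cidr=mgmt_cidr),
        rule("tcp", 33000, 49999),
        rule("udp", 40000, 49999),
        rule("udp", 500, sg=SELF_SG),
        rule("udp", 1719),
        rule("icmp", -1, cidr=mgmt_cidr),                # -1/-1 = all ICMP types
    ]
    if sip_udp:
        rules.append(rule("udp", 5060))
    # ESP has no ports; EC2 names non-TCP/UDP/ICMP protocols by number
    rules.append({"IpProtocol": "50", "UserIdGroupPairs": [{"GroupId": SELF_SG}]})
    return rules


def world_exposed_management_ports(rules: List[Dict]) -> List[str]:
    """Return 'proto/port' for management rules whose source is any address."""
    found = []
    for r in rules:
        key = (r["IpProtocol"], r.get("FromPort", -1))
        open_to_all = any(ip["CidrIp"] == ANY for ip in r.get("IpRanges", []))
        if key in MANAGEMENT_PORTS and open_to_all:
            found.append(f"{key[0]}/{key[1]}")
    return found
```

Pass the returned list as `IpPermissions=` to `authorize_security_group_ingress`, and run the check against `describe_security_groups` output of an existing group to confirm nothing management-facing has drifted open.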

Remember that the Management Node and all Conferencing Nodes must be able to communicate with each other. If your instances only have private addresses, ensure that the necessary external systems such as NTP and DNS servers are routable from those nodes.

For further information on the ports and protocols specified here, see Pexip Infinity port usage and firewall guidance.