Configuring your Google VPC network

All Google Compute Engine (GCE) VM instances belong to a Google Virtual Private Cloud (VPC) network. You need to configure the VPC network to control access to the VM instances that will host your Pexip Infinity nodes in your Google Cloud Platform (GCP) deployment.

Google Cloud VPN for private / hybrid cloud deployments

For a private or hybrid cloud deployment, you must configure the Google Cloud virtual private network (VPN) to connect your on-premises network to the Google VPC network.

If you use the default VPC network (an auto mode network), Google assigns a /20 range of private addresses to each region. You must ensure that the IP address ranges for the VPC regions in which you deploy your VM instances do not overlap with any subnets you use in your corporate network, because overlapping ranges cannot be routed correctly across the VPN. If you do have overlapping subnets, create a new subnet with a non-overlapping range for each affected region in your Google VPC network, and then select that subnetwork when deploying your instance. See https://cloud.google.com/compute/docs/vpc/#subnet-ranges for the default VPC subnets per region.
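The overlap check described above, as an added example (not Pexip's or Google's code): it compares the VPC subnet you intend to use in each region against your corporate address plan and, for any region that collides, proposes a replacement range carved from a private block that nothing else uses. All ranges in it are constructed sample values; take the real per-region defaults from the page linked above and your own address plan.

```python
# Added example: detect VPC/corporate subnet overlaps before bringing up the Cloud VPN
# and propose a replacement subnet for each colliding region. All ranges are constructed.
import ipaddress


def find_overlaps(vpc_subnets, corporate_subnets):
    """Return (region, vpc_subnet, corporate_subnet) for every colliding pair."""
    corp = [ipaddress.ip_network(c) for c in corporate_subnets]
    hits = []
    for region, cidr in vpc_subnets.items():
        net = ipaddress.ip_network(cidr)
        for c in corp:
            if net.overlaps(c):
                hits.append((region, cidr, str(c)))
    return hits


def propose_subnet(taken, prefixlen=20, space="10.0.0.0/8"):
    """First block of the given prefix length inside `space` that overlaps nothing in use."""
    used = [ipaddress.ip_network(t) for t in taken]
    for cand in ipaddress.ip_network(space).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None          # the whole candidate space is already in use


def plan(vpc_subnets, corporate_subnets, prefixlen=20):
    """Map each colliding region to a free replacement subnet; clean regions are left alone."""
    taken = list(corporate_subnets) + list(vpc_subnets.values())
    replacements = {}
    for region, _cidr, _corp in find_overlaps(vpc_subnets, corporate_subnets):
        if region in replacements:       # a region may collide with several corporate subnets
            continue
        new = propose_subnet(taken, prefixlen)
        replacements[region] = new
        if new:
            taken.append(new)            # never hand the same block to two regions
    return replacements


# Constructed sample data: a corporate plan that happens to collide with two of the
# auto mode regional subnets we intend to deploy into.
CORPORATE = ["10.128.0.0/16", "10.132.0.0/22", "192.168.0.0/16"]
VPC = {"us-central1": "10.128.0.0/20", "europe-west1": "10.132.0.0/20", "us-east1": "10.142.0.0/20"}

if __name__ == "__main__":
    for region, vpc, corp in find_overlaps(VPC, CORPORATE):
        print(f"{region}: {vpc} overlaps corporate {corp}")
    for region, new in plan(VPC, CORPORATE).items():
        print(f"create a new {new} subnet in {region} and deploy the instance into it")
```

Run it against your own ranges; the replacement subnets it proposes are the ones you would create in VPC network > VPC networks before deploying the affected instances.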

For full information about how to configure the Google Cloud VPN, see https://cloud.google.com/compute/docs/vpn/overview.

A VPN is not required for public cloud deployments as you can access all of your nodes via their public IP addresses.

Enabling communication between Pexip Infinity nodes

To allow Pexip Infinity nodes to communicate, there must be a firewall rule in place that allows UDP and IPsec ESP (IP protocol 50) traffic between nodes. This applies to all deployment options (private, public and hybrid).

By default, the Google VPC network has a firewall rule called "default-allow-internal". This rule allows TCP, UDP and ICMP traffic between instances on the internal network (source range 10.128.0.0/9 in the default network), but it does not allow ESP traffic, so node-to-node IPsec traffic is blocked until ESP is added.

To modify this firewall rule to also allow ESP traffic:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select the default-allow-internal rule.
  3. Select Edit.
  4. Change Protocols and ports from "tcp:0-65535; udp:0-65535; icmp" to "tcp:0-65535; udp:0-65535; icmp; esp".
  5. Select Save.

Note that this change adds ESP to the existing rule but does not remove or restrict any of the other default protocols and ports. The default-allow-internal rule has no target tag, so it applies to every instance in the VPC network, not just to Pexip Infinity nodes; if anything else runs there (for example a reverse proxy, or something completely unrelated), narrowing the rule could break that traffic.

Controlling access to the Management Node

We recommend that you lock down access to the Management Node to just the management stations that will administer your Pexip Infinity platform. This applies to all deployment options (private, public and hybrid), but is particularly important in public cloud deployments. The rules below use network tags to select the instances they apply to; a tag only scopes a rule (anyone who can edit an instance can attach it), so the actual restriction comes from the source IP ranges you enter.

To create a new firewall rule to restrict access to the Management Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name Enter a name for the rule, for example "pexip-allow-management".
    Direction of traffic Select Ingress.
    Action on match Select Allow.
    Targets Select Specified target tags.
    Target tags Enter a tag name, for example "pexip-management". You will use this name later when you create your Management Node VM instance to associate that instance with these firewall rules (see Deploying a Management Node in Google Cloud Platform).
    Source filter Select IP ranges.
    Source IP ranges Enter the <IP address/subnet> of the management station/browsers that require access to the Management Node.
    Note that on a corporate network accessing a public cloud deployment, this should be the external public (NAT egress) IP address or range of the corporate network and not the private address of the machine that is hosting the browser; the Management Node only ever sees the public address.
    Protocols and ports Enter tcp:443
    Note that you may need to include tcp:22 to allow SSH access if you intend to restrict or remove the default-allow-ssh rule (which allows tcp:22 from 0.0.0.0/0 to every instance, and so should itself be restricted in a public deployment).

  4. Select Create.

Controlling access to Conferencing Nodes for installation/provisioning

We recommend that you lock down access to the provisioning interface on your Conferencing Nodes to just the management stations that will administer your Pexip Infinity platform. This applies to all deployment options (private, public and hybrid), but is particularly important in public and hybrid cloud deployments for nodes with an external IP address.

To create a new firewall rule to restrict access to the provisioning interface of a Conferencing Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name Enter a name for the rule, for example "pexip-allow-provisioning".
    Direction of traffic Select Ingress.
    Action on match Select Allow.
    Targets Select Specified target tags.
    Target tags Enter a tag name, for example "pexip-provisioning". You will use this name later when you create your Conferencing Node VM instances to associate those instances with these firewall rules (see Deploying a Conferencing Node in Google Cloud Platform).
    Source filter Select IP ranges.
    Source IP ranges Enter the <IP address/subnet> of the management station/browsers that require access to the Conferencing Nodes.
    Note that on a corporate network accessing a public cloud deployment, this should be the external public IP address of the corporate network and not the private address of the machine that is hosting the browser.
    Protocols and ports Enter tcp:8443
  4. Select Create.

Controlling access to Conferencing Nodes for conference participants

Conference participants connect from arbitrary networks, so the protocols and ports used to join conferences hosted on your Conferencing Nodes typically need a much wider source range than the administrative rules above.

To create a new firewall rule to allow access to the conferencing-related ports and protocols of a Conferencing Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name Enter a name for the rule, for example "pexip-allow-conferencing".
    Direction of traffic Select Ingress.
    Action on match Select Allow.
    Targets Select Specified target tags.
    Target tags Enter a tag name, for example "pexip-conferencing". You will use this name later when you create your Conferencing Node VM instances to associate those instances with these firewall rules (see Deploying a Conferencing Node in Google Cloud Platform).
    Source filter Select IP ranges.
    Source IP ranges Enter 0.0.0.0/0
    For a private deployment, the Source IP ranges should be restricted to the corporate intranet IP addresses.
    Protocols and ports Enter tcp:80; tcp:443; tcp:1720; tcp:5060; tcp:5061; tcp:33000-39999; tcp:40000-49999; udp:1719; udp:33000-39999; udp:40000-49999
    Note that if you have enabled SIP UDP then udp:5060 must also be included.

  4. Select Create.
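The four rules from the procedures above (the ESP addition to default-allow-internal, and the management, provisioning and conferencing rules), as an added example that is not Pexip's or Google's code: it models the rule set, audits it for the mistakes the notes warn about (an administrative port opened to 0.0.0.0/0, a private LAN address entered where the corporate public address belongs, a private deployment left open to the world, ESP missing from the internal rule) and prints the gcloud equivalent of each console step. Rule names and tags are the page's examples; 203.0.113.0/24 stands in for the corporate network's public egress range, and the 10.128.0.0/9 source range on default-allow-internal is what the default network carries, which you should confirm in your own project.

```python
# Added example: model, audit and emit the gcloud form of this page's ingress rules.
# Names and tags are the page's examples; IP ranges are constructed placeholders.
import ipaddress
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"
ADMIN_TAGS = {"pexip-management", "pexip-provisioning"}   # rules that must stay locked down
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FirewallRule:
    name: str
    allowed: list                        # specs such as "tcp:443", "udp:33000-39999", "esp"
    source_ranges: list
    target_tags: list = field(default_factory=list)

    def gcloud(self, network="default", create=True):
        """The console step as a gcloud command: create a new rule, or update an existing one."""
        verb = "create" if create else "update"
        parts = [f"gcloud compute firewall-rules {verb} {self.name}",
                 f"--allow={','.join(self.allowed)}"]
        if create:
            parts += [f"--network={network}", "--direction=INGRESS",
                      f"--source-ranges={','.join(self.source_ranges)}"]
            if self.target_tags:
                parts.append(f"--target-tags={','.join(self.target_tags)}")
        return " ".join(parts)


def parse_spec(spec):
    """'tcp:33000-39999' -> ('tcp', 33000, 39999); 'tcp:443' -> ('tcp', 443, 443); 'esp' -> ('esp', None, None)."""
    proto, _, ports = spec.partition(":")
    if not ports:
        return proto.lower(), None, None
    lo, _, hi = ports.partition("-")
    return proto.lower(), int(lo), int(hi or lo)


def add_protocol(allowed, proto):
    """Copy of an allowed-list with proto appended once; nothing already allowed is removed."""
    return list(allowed) if proto in allowed else list(allowed) + [proto]


def build_rules(mgmt_sources, prov_sources, conf_sources=(ANY,), sip_udp=False):
    """The rule set described on this page, in the order the page creates it."""
    # 10.128.0.0/9 is the source range Google's default-allow-internal rule carries in the
    # default auto mode network (assumption: verify it in your own project).
    internal = FirewallRule("default-allow-internal",
                            add_protocol(["tcp:0-65535", "udp:0-65535", "icmp"], "esp"),
                            ["10.128.0.0/9"])
    conferencing = ["tcp:80", "tcp:443", "tcp:1720", "tcp:5060", "tcp:5061",
                    "tcp:33000-39999", "tcp:40000-49999",
                    "udp:1719", "udp:33000-39999", "udp:40000-49999"]
    if sip_udp:                                   # only needed when SIP over UDP is enabled
        conferencing = add_protocol(conferencing, "udp:5060")
    return [
        internal,
        FirewallRule("pexip-allow-management", ["tcp:443"], list(mgmt_sources), ["pexip-management"]),
        FirewallRule("pexip-allow-provisioning", ["tcp:8443"], list(prov_sources), ["pexip-provisioning"]),
        FirewallRule("pexip-allow-conferencing", conferencing, list(conf_sources), ["pexip-conferencing"]),
    ]


def audit(rules, public_deployment=True):
    """Findings to resolve before applying the rules; an empty list means the set matches this page's guidance."""
    findings = []
    for r in rules:
        protos = {parse_spec(s)[0] for s in r.allowed}
        if r.name == "default-allow-internal" and not {"udp", "esp"} <= protos:
            findings.append(f"{r.name}: node-to-node traffic needs udp and esp, rule allows {sorted(protos)}")
        admin = bool(set(r.target_tags) & ADMIN_TAGS)
        for src in r.source_ranges:
            net = ipaddress.ip_network(src, strict=False)
            world = net.prefixlen == 0
            if admin and world:
                findings.append(f"{r.name}: administrative port open to the world ({src})")
            elif admin and public_deployment and net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
                findings.append(f"{r.name}: {src} is a private address; for a public cloud deployment "
                                "use the corporate network's public egress address instead")
            elif world and not public_deployment:
                findings.append(f"{r.name}: a private deployment should restrict {src} to corporate intranet ranges")
    return findings


if __name__ == "__main__":
    rules = build_rules(mgmt_sources=["203.0.113.0/24"], prov_sources=["203.0.113.0/24"])
    for finding in audit(rules):
        print("FINDING:", finding)
    print(rules[0].gcloud(create=False))          # the in-place edit of default-allow-internal
    for rule in rules[1:]:
        print(rule.gcloud())
```

The audit deliberately treats a conferencing rule open to 0.0.0.0/0 as normal for a public deployment and as a finding only when you declare the deployment private, which mirrors the note under Source IP ranges above; the administrative rules are held to the stricter standard regardless.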

After you have configured your firewall rules, your ingress rules will look similar to this: the default-allow-internal rule (now including esp) alongside the pexip-allow-management, pexip-allow-provisioning and pexip-allow-conferencing rules, each scoped to its target tag.