Configuring Azure Network Security Groups
Access to Azure instances is restricted by the Azure firewall. This is configured by associating a subnet or instance with a Network Security Group (NSG), which specifies the inbound and outbound traffic permitted for members of the group.
A minimal security group that permits access to a public cloud style Pexip Infinity deployment would look similar to this:
Inbound security rules
Priority | Name | Source | Destination | Service | Action |
---|---|---|---|---|---|
105 | HTTP | Any | Any | TCP/80 | Allow |
110 | HTTPS | Any | Any | TCP/443 | Allow |
115 | H.323 CS | Any | Any | TCP/1720 | Allow |
120 | SIP TCP | Any | Any | TCP/5060 | Allow |
125 | SIP TLS | Any | Any | TCP/5061 | Allow |
130 | TCP call signaling | Any | Any | TCP/33000-39999 | Allow |
135 | TCP call media | Any | Any | TCP/40000-49999 | Allow |
140 | H.323 LS | Any | Any | UDP/1719 | Allow |
145 | SIP UDP * | Any | Any | UDP/5060 | Allow |
150 | UDP call signaling | Any | Any | UDP/33000-39999 | Allow |
155 | UDP call media | Any | Any | UDP/40000-49999 | Allow |
160 | Management traffic | CIDR block: <management station IP address/subnet> | Any | Any/Any | Allow |
* only required if you intend to enable SIP over UDP
Here Any means any source or destination address, and <management station IP address/subnet> should be restricted to the single IP address or subnet of the management station, so that the all-ports, all-protocols rule applies to management access only.
Outbound security rules
The default network security group rules suffice. These permit outbound traffic to the same Virtual Network, or to the Internet.
A single security group can be applied to the Management Node and all Conferencing Nodes. However, if you want to apply further restrictions to your Management Node (for example, to exclude the TCP/UDP signaling and media ports), then you can configure additional security groups and use them as appropriate for each Azure instance. Remember that the Management Node and all Conferencing Nodes must be able to communicate with each other.
For further information on the ports and protocols specified here, see Pexip Infinity port usage.
Azure Resource Manager (ARM) templates for deploying a security group
Pexip provides two ARM templates — one with, and one without, SIP UDP access enabled — which may be used to deploy a security group containing the above rules. These templates may be used from PowerShell or the Azure CLI. Alternatively, you may use the Azure Portal to deploy a security group using the relevant template.
The details of each template are as follows. You should pick the one most suitable for your needs.
Name | SIP UDP access | Template URL | Resources created |
---|---|---|---|
security-group | Disabled | https://pexipas.blob.core.windows.net/templates/20160330/security-group.json | Network security group |
security-group-with-sip-udp | Enabled | https://pexipas.blob.core.windows.net/templates/20160330/security-group-with-sip-udp.json | Network security group |
Both templates contain the following parameters:
Name | Description |
---|---|
managementNetwork | Network from which to permit management traffic (CIDR notation e.g. 1.2.3.4/28). |
securityGroupName | Name of the security group to create. |
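The following is an added example, not Pexip's own template or code, showing how the inbound rule table above and the two template parameters fit together in an ARM-style network security group resource. It generates the `securityRules` array from the table (with the SIP UDP rule switched on or off), validates the `managementNetwork` parameter as a CIDR that is not the whole address space, and includes a check you can run over an exported rule list to catch a management rule that has been left open to Any. The rule names without spaces, the `apiVersion`, and the use of Python's `strict=False` network parsing (which turns the page's `1.2.3.4/28` example into `1.2.3.0/28`) are this example's assumptions.

```python
import ipaddress
import json

# Inbound rules from the table above, as (priority, rule name, protocol, destination ports).
# All of them are source Any -> destination Any; only the management rule is scoped to a
# CIDR. The rule names are assumed here (ARM rule names without spaces).
INBOUND_RULES = [
    (105, "HTTP", "Tcp", "80"),
    (110, "HTTPS", "Tcp", "443"),
    (115, "H323-CS", "Tcp", "1720"),            # H.323 CS
    (120, "SIP-TCP", "Tcp", "5060"),
    (125, "SIP-TLS", "Tcp", "5061"),
    (130, "TCP-call-signaling", "Tcp", "33000-39999"),
    (135, "TCP-call-media", "Tcp", "40000-49999"),
    (140, "H323-LS", "Udp", "1719"),            # H.323 LS
    (145, "SIP-UDP", "Udp", "5060"),            # only when SIP over UDP is enabled
    (150, "UDP-call-signaling", "Udp", "33000-39999"),
    (155, "UDP-call-media", "Udp", "40000-49999"),
]
MANAGEMENT_PRIORITY = 160
UNRESTRICTED_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}


def validate_management_network(value: str) -> str:
    """Check the managementNetwork parameter and return it in normalised CIDR form.

    Rejects input that is not CIDR notation and any prefix covering the whole address
    space, because the management rule allows every port and protocol from this source.
    strict=False (an assumption of this example) accepts host bits in the input, as in
    the page's 1.2.3.4/28, and returns the enclosing network 1.2.3.0/28.
    """
    if "/" not in value:
        raise ValueError("managementNetwork must use CIDR notation, e.g. 1.2.3.4/28")
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == 0:
        raise ValueError("managementNetwork must not cover the entire address space")
    return str(net)


def _rule(name, priority, protocol, source, dest_ports):
    # Shape of one securityRules entry in a Microsoft.Network/networkSecurityGroups resource.
    return {
        "name": name,
        "properties": {
            "priority": priority,
            "direction": "Inbound",
            "access": "Allow",
            "protocol": protocol,
            "sourceAddressPrefix": source,
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*",
            "destinationPortRange": dest_ports,
        },
    }


def build_security_rules(management_network: str, sip_udp: bool = False) -> list:
    """Return the inbound rule set from the table; SIP UDP is included only on request."""
    mgmt = validate_management_network(management_network)
    rules = [
        _rule(name, prio, proto, "*", ports)
        for prio, name, proto, ports in INBOUND_RULES
        if sip_udp or name != "SIP-UDP"
    ]
    rules.append(_rule("Management", MANAGEMENT_PRIORITY, "*", mgmt, "*"))
    return rules


def build_template(security_group_name: str, management_network: str, sip_udp: bool = False) -> dict:
    """Assemble an ARM template body that creates one NSG holding the rules (apiVersion assumed)."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2015-06-15",
            "name": security_group_name,
            "location": "[resourceGroup().location]",
            "properties": {"securityRules": build_security_rules(management_network, sip_udp)},
        }],
    }


def find_unrestricted_rules(rules: list) -> list:
    """Names of inbound Allow rules that open every port to an unrestricted source.

    Run this over an exported rule list: the management rule must never be left with
    source Any, which is exactly what the text above warns against.
    """
    return [
        r["name"] for r in rules
        if r["properties"]["direction"] == "Inbound"
        and r["properties"]["access"] == "Allow"
        and r["properties"]["sourceAddressPrefix"] in UNRESTRICTED_SOURCES
        and r["properties"]["destinationPortRange"] == "*"
    ]


if __name__ == "__main__":
    print(json.dumps(build_template("pexip-nsg", "1.2.3.4/28", sip_udp=True), indent=2))
```

Running the script prints the generated template; feeding the `securityRules` list of a deployed group through `find_unrestricted_rules` returns an empty list for the rule set above and names any all-ports rule whose source has been widened to Any.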