Configuring AWS security groups
Access to AWS instances is restricted by the AWS firewall. This may be configured by associating an instance with an AWS security group that specifies the permitted inbound and outbound traffic from the group.
A minimal AWS security group that permits access to a public cloud style Pexip Infinity deployment would look similar to this:
Inbound rules
Type | Protocol | Port range | Source |
---|---|---|---|
SSH | TCP | 22 | <management station IP address/subnet> |
HTTPS | TCP | 443 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 1720 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 5060 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 5061 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 8443 | <management station IP address/subnet> |
Custom TCP Rule | TCP | 33000-49999 | 0.0.0.0/0 |
Custom UDP Rule * | UDP | 5060 | 0.0.0.0/0 |
Custom UDP Rule | UDP | 40000-49999 | 0.0.0.0/0 |
Custom UDP Rule | UDP | 500 | <sg-12345678> |
Custom UDP Rule | UDP | 1719 | 0.0.0.0/0 |
Custom Protocol | ESP (50) | All | <sg-12345678> |
All ICMP | ICMP | All | <management station IP address/subnet> |
\* Only required if you intend to enable SIP over UDP.
Outbound rules
Type | Protocol | Port range | Destination |
---|---|---|---|
All traffic | All | All | 0.0.0.0/0 |
Where 0.0.0.0/0 implies any source / destination, <management station IP address/subnet> should be restricted to a single IP address or subnet for SSH access only, and <sg-12345678> is the identity of this security group (and thus permits traffic from other AWS instances — the Management Node and Conferencing Nodes — associated with the same security group).
A single security group can be applied to the Management Node and all Conferencing Nodes. However, if you want to apply further restrictions to your Management Node (for example, to exclude the TCP/UDP signaling and media ports), then you can configure additional security groups and use them as appropriate for each AWS instance.
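As an added example (not Pexip's or AWS's own code), the script below builds the inbound rule set from the table as the `IpPermissions` structure that boto3's `authorize_security_group_ingress()` accepts, offers the stricter Management Node variant that omits the signaling and media ports, and checks that no rule exposes the management-only ports (22 and 8443) to 0.0.0.0/0. The management station CIDR, the group id `sg-12345678`, the region, and the `sip_udp` flag are assumptions supplied by the caller; boto3 is imported only inside `apply_rules()`, so the builder and the check run offline.

```python
"""Build and sanity-check the inbound rules of the security group above.

Added example, not Pexip's or AWS's own code. Port numbers mirror the inbound
table; the management CIDR, group id and region are placeholders/assumptions.
"""
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"

# Management-only ports: reachable from the management station, never from ANY.
MGMT_TCP = [(22, 22), (8443, 8443)]
# Signaling and media ports that Conferencing Nodes expose publicly.
SIGNALING_MEDIA_TCP = [(1720, 1720), (5060, 5060), (5061, 5061), (33000, 49999)]
SIGNALING_MEDIA_UDP = [(1719, 1719), (40000, 49999)]


def _rule(proto: str, lo: int, hi: int, cidr: Optional[str] = None,
          sg: Optional[str] = None) -> Dict:
    """One entry of the IpPermissions list used by authorize_security_group_ingress()."""
    rule: Dict = {"IpProtocol": proto}
    if proto in ("tcp", "udp", "icmp"):      # port range only applies to these
        rule["FromPort"], rule["ToPort"] = lo, hi
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if sg:
        # Self-reference: permits traffic from other instances in the same group.
        rule["UserIdGroupPairs"] = [{"GroupId": sg}]
    return rule


def build_inbound_rules(mgmt_cidr: str, group_id: str, sip_udp: bool = False,
                        include_media: bool = True) -> List[Dict]:
    """Return the inbound rules for one group.

    include_media=False gives the stricter Management Node variant that
    leaves out the TCP/UDP signaling and media ports.
    """
    rules = [_rule("tcp", lo, hi, cidr=mgmt_cidr) for lo, hi in MGMT_TCP]
    rules.append(_rule("tcp", 443, 443, cidr=ANY))          # HTTPS
    if include_media:
        rules += [_rule("tcp", lo, hi, cidr=ANY) for lo, hi in SIGNALING_MEDIA_TCP]
        rules += [_rule("udp", lo, hi, cidr=ANY) for lo, hi in SIGNALING_MEDIA_UDP]
        if sip_udp:                                           # optional SIP over UDP
            rules.append(_rule("udp", 5060, 5060, cidr=ANY))
    # IPsec between nodes in the same group: IKE (UDP 500) and ESP (protocol 50).
    rules.append(_rule("udp", 500, 500, sg=group_id))
    rules.append(_rule("50", 0, 0, sg=group_id))
    rules.append(_rule("icmp", -1, -1, cidr=mgmt_cidr))      # all ICMP, mgmt only
    return rules


def world_exposed_management_ports(rules: List[Dict]) -> List[int]:
    """Return management ports that some TCP rule opens to 0.0.0.0/0.

    An empty list means the restriction described in the text holds.
    """
    exposed = set()
    for r in rules:
        if r["IpProtocol"] != "tcp":
            continue
        if ANY not in {x["CidrIp"] for x in r.get("IpRanges", [])}:
            continue
        for port, _ in MGMT_TCP:
            if r["FromPort"] <= port <= r["ToPort"]:
                exposed.add(port)
    return sorted(exposed)


def apply_rules(group_id: str, region: str, rules: List[Dict]) -> None:
    """Push the rules to an existing group (needs AWS credentials; not run here)."""
    import boto3  # imported lazily so the builder and check work offline
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    # Constructed placeholder values; replace them before calling apply_rules().
    full = build_inbound_rules("203.0.113.10/32", "sg-12345678", sip_udp=True)
    mgmt_only = build_inbound_rules("203.0.113.10/32", "sg-12345678", include_media=False)
    print(len(full), "rules for Conferencing Nodes,", len(mgmt_only), "for the Management Node")
    print("world-exposed management ports:", world_exposed_management_ports(full))
```

Run the check against any rule set before applying it; a single "all traffic" style rule such as `_rule("tcp", 0, 65535, cidr=ANY)` is flagged as exposing 22 and 8443, which is exactly the mistake the table is designed to avoid.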
Remember that the Management Node and all Conferencing Nodes must be able to communicate with each other. If your instances only have private addresses, ensure that the necessary external systems such as NTP and DNS servers are routable from those nodes.
For further information on the ports and protocols specified here, see Pexip Infinity port usage and firewall guidance.