
Configuring AWS security groups

Access to AWS instances is restricted by the AWS firewall. This is configured by associating each instance with one or more AWS security groups; a security group specifies the inbound and outbound traffic that is permitted for the instances associated with it.

A minimal AWS security group that permits access to a public cloud style Pexip Infinity deployment would look similar to this:

Inbound rules

Type               Protocol   Port range     Source
SSH                TCP        22             <management station IP address/subnet>
HTTPS              TCP        443            0.0.0.0/0
Custom TCP Rule    TCP        1720           0.0.0.0/0
Custom TCP Rule    TCP        5060           0.0.0.0/0
Custom TCP Rule    TCP        5061           0.0.0.0/0
Custom TCP Rule    TCP        8443           <management station IP address/subnet>
Custom TCP Rule    TCP        33000-49999    0.0.0.0/0
Custom UDP Rule *  UDP        5060           0.0.0.0/0
Custom UDP Rule    UDP        40000-49999    0.0.0.0/0
Custom UDP Rule    UDP        500            <sg-12345678>
Custom UDP Rule    UDP        1719           0.0.0.0/0
Custom Protocol    ESP (50)   All            <sg-12345678>
All ICMP           ICMP       All            <management station IP address/subnet>

* only required if you intend to enable SIP over UDP

Outbound rules

Type               Protocol   Port range     Destination
All traffic        All        All            0.0.0.0/0

Where 0.0.0.0/0 means any source (for inbound rules) or any destination (for outbound rules); <management station IP address/subnet> should be restricted to the single IP address or subnet from which you administer the deployment, and is used for the SSH (22), Management Node web interface (8443) and ICMP rules only; and <sg-12345678> is the ID of this security group itself. A rule whose source is the group's own ID permits traffic from the other AWS instances (the Management Node and Conferencing Nodes) associated with the same security group, which is what the UDP 500 (IKE) and ESP rules rely on.

A single security group can be applied to the Management Node and all Conferencing Nodes. However, if you want to apply further restrictions to your Management Node (for example, to exclude the TCP/UDP signaling and media ports), then you can configure additional security groups and use them as appropriate for each AWS instance.
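As an added example (not Pexip's or AWS's own code), the following Python builds the inbound rule set above in the IpPermissions structure that the EC2 API and boto3 accept, and lints a rule set for the mistake this page warns against: opening the management-only ports (SSH 22, 8443) or ICMP to 0.0.0.0/0. The management station address 203.0.113.10/32 is a constructed placeholder, and sg-12345678 is the page's own placeholder for the group's ID; the apply() helper, which needs AWS credentials, is an assumption about how you would push the rules and is not called when the script is run offline.

```python
"""Build and lint the minimal Pexip Infinity security group rules for EC2 (added example)."""
import json

ANY = "0.0.0.0/0"
MGMT_PORTS = {22, 8443}  # SSH and the Management Node web interface: never world-open


def cidr_rule(proto, from_port, to_port, cidr):
    """One IpPermissions entry whose source is a CIDR block."""
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


def group_rule(proto, from_port, to_port, group_id):
    """One IpPermissions entry whose source is another (or this same) security group."""
    rule = {"IpProtocol": proto, "UserIdGroupPairs": [{"GroupId": group_id}]}
    if from_port is not None:  # ESP (protocol 50) has no port range
        rule["FromPort"], rule["ToPort"] = from_port, to_port
    return rule


def inbound_rules(mgmt_cidr, self_group_id, sip_udp=False):
    """The inbound table from the page; UDP 5060 only when SIP over UDP is enabled."""
    rules = [
        cidr_rule("tcp", 22, 22, mgmt_cidr),
        cidr_rule("tcp", 443, 443, ANY),
        cidr_rule("tcp", 1720, 1720, ANY),
        cidr_rule("tcp", 5060, 5060, ANY),
        cidr_rule("tcp", 5061, 5061, ANY),
        cidr_rule("tcp", 8443, 8443, mgmt_cidr),
        cidr_rule("tcp", 33000, 49999, ANY),
        cidr_rule("udp", 40000, 49999, ANY),
        group_rule("udp", 500, 500, self_group_id),    # IKE between nodes
        cidr_rule("udp", 1719, 1719, ANY),
        group_rule("50", None, None, self_group_id),   # ESP between nodes
        cidr_rule("icmp", -1, -1, mgmt_cidr),          # -1/-1 = all ICMP types
    ]
    if sip_udp:
        rules.insert(8, cidr_rule("udp", 5060, 5060, ANY))
    return rules


def lint(rules):
    """Return a finding for every rule that exposes management-only services to the world."""
    findings = []
    for r in rules:
        if ANY not in [x["CidrIp"] for x in r.get("IpRanges", [])]:
            continue
        proto = r["IpProtocol"]
        if proto in ("icmp", "-1"):
            findings.append(f"{proto} open to {ANY}")
        elif proto == "tcp":
            lo, hi = r["FromPort"], r["ToPort"]
            exposed = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"tcp {lo}-{hi} open to {ANY} exposes management port(s) {exposed}")
    return findings


def apply(group_id, rules, region=None):
    """Assumed helper: push the rules with boto3 (needs credentials; not run offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    good = inbound_rules("203.0.113.10/32", "sg-12345678")      # constructed placeholders
    weak = good + [cidr_rule("tcp", 22, 22, ANY)]                # the mistake to catch
    print(json.dumps(good, indent=2))
    print("lint(good):", lint(good))
    print("lint(weak):", lint(weak))
```

Because two of the rules reference the group's own ID, the group must exist before they can be added: create it first (for example with aws ec2 create-security-group), then pass the returned GroupId as self_group_id. Running lint() against the rule set you are about to apply, or against what describe-security-groups returns for an existing group, catches a world-open SSH or 8443 rule before it reaches the Management Node.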

Remember that the Management Node and all Conferencing Nodes must be able to communicate with each other, so any additional security group you create must still allow the inter-node traffic (UDP 500 and ESP from the shared group). If your instances only have private addresses, ensure that the necessary external systems, such as NTP and DNS servers, are routable from those nodes.

For further information on the ports and protocols specified here, see Pexip Infinity port usage and firewall guidance.