Firewall Rules Overview

Overview

In this phase, you must set up firewall or network rules so that the CloudCenter components can communicate with each other.

The network settings on this page list the minimal port requirements for inter-component communication.

Production environments are typically secured by allowing communication only through the ports specified in this section.

In environments where all the components can already reach each other on any port (typically POC environments or private datacenters), you must still configure the firewall rules or security groups according to your enterprise requirements: do not expose unnecessary ports to external networks or to the public internet.

For each CloudCenter component, you may configure both Ingress and Egress rules.

If you open all outbound traffic in the Egress rules (by setting the destination IP address range to 0.0.0.0/0) and allow browser access to each VM, you do not need to open the per-component Egress ports individually. Be aware that a fully open egress rule also lets a compromised component reach any outside address, so restrict egress to the listed ports wherever your environment allows it.

Prerequisites

You should have already completed the following tasks:

  1. Read the information provided in Virtual Appliance Overview > Modes for the ports used in each network architecture example.
  2. Understand the High Availability Best Practices – if you are configuring HA in your environment.

    From the CloudCenter perspective, the Load Balancer (LB) for each component is a third-party application. Ensure that you adhere to the LB requirements identified in High Availability Best Practices when configuring the load balancer for each CloudCenter component.

  3. Follow the cloud-specific nuances identified in Phase 1: Prepare Infrastructure for each cloud.
  4. If you have already configured the ports for each component, be aware that you may need to revise the port configuration for each component based on the following information:
    1. The information provided in the Security Groups, Proxy Settings, and firewalld sections later on this page.

      • CCM Firewall Rules
      • CCO Firewall Rules
      • AMQP Firewall Rules
      • Monitor Firewall Rules

Security Groups

For AWS or OpenStack, the network rules are configured using security groups.

  • All port requirements use the TCP protocol. The only exception is port 5405, which uses UDP (see CCM Firewall Rules).
  • For all communication between the components and for HTTPS access, use TLS rather than the deprecated SSLv2/SSLv3 protocol versions.

Once the security groups are configured correctly, the JSON file should pass without any errors.
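The two rules above (TCP only, with 5405/udp as the single exception, and no ingress open to the internet) and the egress allowance described earlier can be checked mechanically before the JSON file is run. The script below is an added example, not part of the CloudCenter tooling: it audits the JSON shape returned by `aws ec2 describe-security-groups` (SecurityGroups[].IpPermissions / IpPermissionsEgress, with IpProtocol, FromPort, ToPort and IpRanges[].CidrIp). The group ID, CIDRs and ports in the embedded sample are constructed for illustration and are not the CloudCenter port list; OpenStack security groups carry the same information under different field names and would need a small adapter.

```python
"""Audit AWS-style security group rules against the port policy on this page.

Added example, not Cisco CloudCenter code. Input is the JSON produced by
`aws ec2 describe-security-groups`. Checks:
  * every rule is TCP, except the documented 5405/udp exception -> FAIL otherwise
  * no ingress rule is open to 0.0.0.0/0 or ::/0                -> FAIL
  * egress open to all destinations is allowed by the page but widens what a
    compromised component can reach                             -> WARN
"""
import json
import sys

# Port 5405/udp is the page's single non-TCP exception (CCM Firewall Rules).
UDP_EXCEPTIONS = {5405}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed sample (group ID, CIDRs and ports are illustrative, not the
# CloudCenter port list): one correct TCP rule, the UDP exception, a UDP rule
# that is not allowed, an ingress rule open to the internet, and open egress.
SAMPLE = {
    "SecurityGroups": [{
        "GroupId": "sg-ccm-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
            {"IpProtocol": "udp", "FromPort": 5405, "ToPort": 5405,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
            {"IpProtocol": "udp", "FromPort": 161, "ToPort": 161,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
}


def _cidrs(perm):
    """All IPv4 and IPv6 CIDRs attached to one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _describe(perm):
    """Short human-readable form of a rule, e.g. 'tcp 443-443'."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # AWS encodes "all protocols" as -1
        return "all protocols/ports"
    return f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"


def _protocol_problem(perm):
    """Return a message if the rule violates 'TCP only, except 5405/udp'."""
    proto = perm.get("IpProtocol")
    if proto == "tcp":
        return None
    if proto == "udp":
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo == hi and lo in UDP_EXCEPTIONS:
            return None
        return f"UDP port {lo}-{hi} is not an allowed exception {sorted(UDP_EXCEPTIONS)}"
    return f"{_describe(perm)} is not TCP"


def audit_security_groups(doc):
    """Return a list of findings; each is a dict with severity FAIL or WARN."""
    findings = []

    def add(severity, gid, direction, perm, message):
        findings.append({"severity": severity, "group": gid, "direction": direction,
                         "rule": _describe(perm), "message": message})

    for sg in doc["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):          # ingress
            problem = _protocol_problem(perm)
            if problem:
                add("FAIL", gid, "ingress", perm, problem)
            for cidr in _cidrs(perm):
                if cidr in ANY_ADDRESS:
                    add("FAIL", gid, "ingress", perm, f"open to {cidr}")
        for perm in sg.get("IpPermissionsEgress", []):    # egress
            if any(c in ANY_ADDRESS for c in _cidrs(perm)):
                add("WARN", gid, "egress", perm,
                    "open to all destinations; per-component egress ports need not be "
                    "listed, but a compromised component can reach anything")
                continue
            problem = _protocol_problem(perm)
            if problem:
                add("FAIL", gid, "egress", perm, problem)
    return findings


def passes(doc):
    """True when the document produces no FAIL finding (WARNs are tolerated)."""
    return not any(f["severity"] == "FAIL" for f in audit_security_groups(doc))


if __name__ == "__main__":
    # Usage: python audit_sg.py            -> audits the embedded sample
    #        python audit_sg.py sg.json    -> audits saved describe-security-groups output
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_security_groups(doc):
        print(f"{f['severity']} {f['group']} {f['direction']} {f['rule']}: {f['message']}")
    sys.exit(0 if passes(doc) else 1)
```

Run it against the saved output of `aws ec2 describe-security-groups --group-ids <id>` before applying the JSON file; a non-zero exit means at least one rule breaks the TCP-only or no-open-ingress requirement, while the egress WARN is informational and corresponds to the "open all Egress traffic" shortcut described above.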

Proxy Settings

If a proxy server is required to reach the internet, be sure to configure the proxy settings for the CCM and CCO servers in Phase 4: Install Components.

firewalld

If you configure a load balancer for any CloudCenter component, be aware that firewalld is enabled by default on the component VM and you must explicitly disable it so that the CloudCenter component(s) can communicate with the load balancer. Disabling firewalld removes host-level packet filtering, so the security groups or network firewall then become the only enforcement of the port requirements on this page; verify those rules before placing the component behind the load balancer.