Security Group for OpenStack
A security group defines the virtual firewall rules that control inbound and outbound traffic for your instances. When you launch GigaVUE-FM, GigaVUE V Series Proxies, GigaVUE V Series Nodes, and UCT-V Controllers in your project, you add one set of rules that controls the inbound traffic to the instances and a separate set of rules that controls the outbound traffic.
The following tables list the Network Firewall / Security Group requirements for GigaVUE Cloud Suite, one table per component, with inbound rules (keyed by Source CIDR) and outbound rules (keyed by Destination CIDR) listed separately.
Note: When using a dual-stack network, the ports listed below must be opened for both IPv4 and IPv6.
GigaVUE-FM

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 443 | Administrator Subnet | Allows GigaVUE-FM to accept management connections using the REST API and allows users to access the GigaVUE-FM UI securely over HTTPS. |
| Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics. |
| Inbound (port used for Third Party Orchestration) | TCP | 443 | UCT-V Controller IP | Allows GigaVUE-FM to receive registration requests from UCT-V Controller using the REST API. |
| Inbound (port used for Third Party Orchestration) | TCP | 443 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using the REST API when GigaVUE V Series Proxy is not used. |
| Inbound (port used for Third Party Orchestration) | TCP | 443 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using the REST API. |
| Inbound | TCP | 443 | UCT-C Controller IP | Allows GigaVUE-FM to receive registration requests from UCT-C Controller using the REST API. |
| Inbound | TCP | 5671 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive traffic health updates from GigaVUE V Series Nodes. |
| Inbound | TCP | 5671 | UCT-V Controller IP | Allows GigaVUE-FM to receive statistics from UCT-V Controllers. |
| Inbound | TCP | 9600 | UCT-V Controller IP | Allows GigaVUE-FM to receive certificate requests from UCT-V Controller. |
| Inbound | TCP | 9600 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to receive certificate requests from GigaVUE V Series Proxy. |
| Inbound | TCP | 9600 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive certificate requests from GigaVUE V Series Node. |
| Inbound | TCP | 5671 | UCT-C Controller IP | Allows GigaVUE-FM to receive statistics from UCT-C Controllers. |
| Inbound | UDP | 2056 | GigaVUE V Series Node IP | Allows GigaVUE-FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 9900 | UCT-V Controller IP | Allows GigaVUE-FM to communicate control and management plane traffic with UCT-V Controller. |
| Outbound (optional) | TCP | 8890 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to communicate control and management plane traffic to GigaVUE V Series Proxy. |
| Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE-FM to communicate control and management plane traffic to GigaVUE V Series Node. |
| Outbound | TCP | 8443 (default) | UCT-C Controller IP | Allows GigaVUE-FM to communicate control and management plane traffic to UCT-C Controller. |
| Outbound | TCP | 80 | UCT-V Controller IP | Allows GigaVUE-FM to send ACME challenge requests to UCT-V Controller. |
| Outbound | TCP | 80 | GigaVUE V Series Node IP | Allows GigaVUE-FM to send ACME challenge requests to GigaVUE V Series Node. |
| Outbound | TCP | 80 | GigaVUE V Series Proxy IP | Allows GigaVUE-FM to send ACME challenge requests to GigaVUE V Series Proxy. |
| Outbound | TCP | 443 | Any IP Address | Allows GigaVUE-FM to reach the cloud platform (OpenStack service) APIs. |
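To turn the GigaVUE-FM rows into Neutron security group rules without hand-typing each one, here is an added example (not Gigamon code and not part of this page) that encodes the table as data and renders the matching `openstack security group rule create` commands. The symbolic names in the CIDR columns are mapped to prefixes through a small lookup; the prefixes shown (10.10.0.0/24, 2001:db8:10::/64 and so on) and the group name `gigavue-fm` are constructed placeholders you replace with your own. The renderer refuses a 0.0.0.0/0 or ::/0 remote for every row except the documented egress row to the cloud platform APIs, and when the dual-stack note above applies it emits each rule twice, once per address family.

```python
"""Render the GigaVUE-FM security group rows as openstack CLI commands.

Added example; not part of the Gigamon documentation. Prefixes and the
group name are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str        # "ingress" or "egress" (Neutron's terms)
    protocol: str         # "tcp", "udp", "icmp" or an IP protocol number
    port: Optional[int]   # destination port; None for port-less protocols
    peer: str             # symbolic name from the Source/Destination CIDR column
    purpose: str


# GigaVUE-FM rows transcribed from the table above.
FM_RULES: List[Rule] = [
    Rule("ingress", "tcp", 443, "Administrator Subnet", "REST API and HTTPS UI"),
    Rule("ingress", "tcp", 22, "Administrator Subnet", "CLI access"),
    Rule("ingress", "tcp", 443, "UCT-V Controller", "registration (third party orchestration)"),
    Rule("ingress", "tcp", 443, "GigaVUE V Series Node", "registration when no proxy is used"),
    Rule("ingress", "tcp", 443, "GigaVUE V Series Proxy", "registration"),
    Rule("ingress", "tcp", 443, "UCT-C Controller", "registration"),
    Rule("ingress", "tcp", 5671, "GigaVUE V Series Node", "traffic health updates"),
    Rule("ingress", "tcp", 5671, "UCT-V Controller", "statistics"),
    Rule("ingress", "tcp", 9600, "UCT-V Controller", "certificate requests"),
    Rule("ingress", "tcp", 9600, "GigaVUE V Series Proxy", "certificate requests"),
    Rule("ingress", "tcp", 9600, "GigaVUE V Series Node", "certificate requests"),
    Rule("ingress", "tcp", 5671, "UCT-C Controller", "statistics"),
    Rule("ingress", "udp", 2056, "GigaVUE V Series Node", "Application Intelligence reports"),
    Rule("egress", "tcp", 9900, "UCT-V Controller", "control and management plane"),
    Rule("egress", "tcp", 8890, "GigaVUE V Series Proxy", "control and management plane (optional)"),
    Rule("egress", "tcp", 8889, "GigaVUE V Series Node", "control and management plane"),
    Rule("egress", "tcp", 8443, "UCT-C Controller", "control and management plane"),
    Rule("egress", "tcp", 80, "UCT-V Controller", "ACME challenge"),
    Rule("egress", "tcp", 80, "GigaVUE V Series Node", "ACME challenge"),
    Rule("egress", "tcp", 80, "GigaVUE V Series Proxy", "ACME challenge"),
    Rule("egress", "tcp", 443, "Any IP Address", "cloud platform APIs"),
]

# Constructed placeholder prefixes (IPv4, IPv6) for each symbolic peer.
PEERS: Dict[str, Tuple[str, str]] = {
    "Administrator Subnet": ("10.10.0.0/24", "2001:db8:10::/64"),
    "UCT-V Controller": ("10.20.0.5/32", "2001:db8:20::5/128"),
    "GigaVUE V Series Node": ("10.20.0.0/24", "2001:db8:20::/64"),
    "GigaVUE V Series Proxy": ("10.20.0.6/32", "2001:db8:20::6/128"),
    "UCT-C Controller": ("10.30.0.0/24", "2001:db8:30::/64"),
    "Any IP Address": ("0.0.0.0/0", "::/0"),
}


def render(group: str, rules: List[Rule], peers: Dict[str, Tuple[str, str]],
           dual_stack: bool = False) -> List[str]:
    """Return one `openstack security group rule create` command per rule
    (two per rule with dual_stack, one per address family)."""
    cmds = []
    for r in rules:
        v4, v6 = peers[r.peer]
        for prefix in ([v4, v6] if dual_stack else [v4]):
            net = ipaddress.ip_network(prefix)
            # Only the documented egress row to the platform APIs may be wide open.
            wide_open_ok = r.direction == "egress" and r.peer == "Any IP Address"
            if net.prefixlen == 0 and not wide_open_ok:
                raise ValueError(f"refusing any-address remote for {r.direction} "
                                 f"{r.protocol}/{r.port} ({r.purpose})")
            parts = ["openstack security group rule create", f"--{r.direction}",
                     f"--ethertype IPv{net.version}", f"--protocol {r.protocol}"]
            if r.port is not None:
                parts.append(f"--dst-port {r.port}")
            parts += [f"--remote-ip {prefix}", f"--description '{r.purpose}'", group]
            cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    print("openstack security group create gigavue-fm --description 'GigaVUE-FM'")
    for cmd in render("gigavue-fm", FM_RULES, PEERS, dual_stack=True):
        print(cmd)
```

Two caveats when running the output. Neutron creates every new security group with allow-all egress rules for IPv4 and IPv6, so list them (`openstack security group rule list gigavue-fm`) and delete them (`openstack security group rule delete <id>`) before the egress rows above restrict anything. And where the fabric components live in the same project, `--remote-group <group>` is a more robust choice than a `/32` prefix, because it follows the peer instances' addresses automatically.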
UCT-V Controller

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 9900 | GigaVUE-FM IP | Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE-FM. |
| Inbound | TCP | 9900 | UCT-V or Subnet IP | Allows UCT-V Controller to receive traffic health updates from UCT-V. |
| Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
| Inbound | TCP | 80 | GigaVUE-FM IP | Allows UCT-V Controller to receive ACME challenge requests from GigaVUE-FM. |
| Inbound | TCP | 8300 | UCT-V Subnet | Allows UCT-V Controller to receive certificate requests from UCT-V. |
| Inbound (port used for Third Party Orchestration) | TCP | 8892 | UCT-V Subnet | Allows UCT-V Controller to receive registration requests and heartbeats from UCT-V. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound (port used for Third Party Orchestration) | TCP | 443 | GigaVUE-FM IP | Allows UCT-V Controller to send registration requests to GigaVUE-FM using the REST API. |
| Outbound | TCP | 5671 | GigaVUE-FM IP | Allows UCT-V Controller to send traffic health updates to GigaVUE-FM. |
| Outbound (port used for Third Party Orchestration) | TCP | 9600 | GigaVUE-FM IP | Allows UCT-V Controller to send certificate requests to GigaVUE-FM. |
| Outbound | TCP | 9902 | UCT-V Subnet | Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs running a version later than 6.10.00. |
| Outbound | TCP | 8301 | UCT-V Subnet | Allows the ACME validation flow from UCT-V Controller to UCT-V. |
UCT-V

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 9902 | UCT-V Controller IP | Allows UCT-V to receive control and management plane traffic from UCT-V Controller. |
| Inbound | TCP | 8301 | UCT-V Controller IP | Allows UCT-V to receive ACME challenge requests from UCT-V Controller. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | UDP (VXLAN) | VXLAN (default 4789) | GigaVUE V Series Node IP | Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes. |
| Outbound | IP Protocol (L2GRE) | L2GRE (IP protocol 47) | GigaVUE V Series Node IP | Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes. |
| Outbound (optional; used only for Secure Tunnels) | TCP | 11443 | GigaVUE V Series Node IP | Allows UCT-V to securely transfer traffic to the GigaVUE V Series Node. |
| Outbound | TCP | 9900 | UCT-V Controller IP | Allows UCT-V to send traffic health updates to UCT-V Controller. |
| Outbound (port used for Third Party Orchestration) | TCP | 8892 | UCT-V Controller IP | Allows UCT-V to send registration requests and heartbeats to UCT-V Controller. |
| Outbound | TCP | 8300 | UCT-V Controller IP | Allows UCT-V to send certificate requests to UCT-V Controller. |
GigaVUE V Series Node

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 8889 | GigaVUE-FM IP | Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM. |
| Inbound | TCP | 8889 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
| Inbound | UDP (VXLAN) | VXLAN (default 4789) | UCT-V Subnet IP | Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic from UCT-V. |
| Inbound | IP Protocol (L2GRE) | L2GRE (IP protocol 47) | UCT-V Subnet IP | Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic from UCT-V. |
| Inbound | UDPGRE | 4754 | Ingress Tunnel | Allows GigaVUE V Series Node to receive tunnel traffic from a UDPGRE tunnel. |
| Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
| Inbound | TCP | 80 | GigaVUE-FM IP | Allows GigaVUE V Series Node to receive ACME challenge requests from GigaVUE-FM. |
| Inbound | TCP | 80 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to receive ACME challenge requests from GigaVUE V Series Proxy. |
| Inbound (optional; used only for Secure Tunnels) | TCP | 11443 | UCT-V Subnet | Allows UCT-V to securely transfer traffic to GigaVUE V Series Nodes. |
| Inbound (optional; used only when configuring AWS Gateway Load Balancer) | UDP (GENEVE) | 6081 | Ingress Tunnel | Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 5671 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM. |
| Outbound | UDP (VXLAN) | VXLAN (default 4789) | Tool IP | Allows GigaVUE V Series Node to tunnel output to the tool. |
| Outbound | IP Protocol (L2GRE) | L2GRE (IP protocol 47) | Tool IP | Allows GigaVUE V Series Node to tunnel output to the tool. |
| Outbound | UDP | 2056 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
| Outbound | UDP | 2055 | Tool IP | Allows GigaVUE V Series Node to send NetFlow Generation traffic to an external tool. |
| Outbound (port used for Third Party Orchestration) | TCP | 8892 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy. |
| Outbound | TCP | 8300 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to send certificate requests to GigaVUE V Series Proxy. |
| Outbound | TCP | 9600 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send certificate requests to GigaVUE-FM. |
| Outbound | TCP | 514 | Tool IP | Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
| Bidirectional (optional) | ICMP | (no port) | Tool IP | Allows GigaVUE V Series Node to health-check the tunnel destination. |
| Outbound (port used for Third Party Orchestration) | TCP | 443 | GigaVUE-FM IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
| Outbound (optional; used only for Secure Tunnels) | TCP | 11443 | Tool IP | Allows GigaVUE V Series Node to securely transfer traffic to an external tool. |
GigaVUE V Series Proxy (optional)

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 8890 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
| Inbound | TCP | 22 | Administrator Subnet | Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
| Inbound | TCP | 80 | GigaVUE-FM IP | Allows GigaVUE V Series Proxy to receive ACME challenge requests from GigaVUE-FM. |
| Inbound | TCP | 8300 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to receive certificate requests from GigaVUE V Series Node for the configured parameters and to issue the certificate using those parameters. |
| Inbound | TCP | 8892 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 443 | GigaVUE-FM IP | Allows GigaVUE V Series Proxy to send registration requests to GigaVUE-FM. |
| Outbound | TCP | 9600 | GigaVUE-FM IP | Allows GigaVUE V Series Proxy to send certificate requests to GigaVUE-FM. |
| Outbound | TCP | 80 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to send ACME challenge requests to GigaVUE V Series Node. |
| Outbound | TCP | 8889 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node. |
Universal Cloud Tap - Container (UCT-C) deployed inside a Kubernetes worker node

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 42042 | Any IP address | Allows UCT-C to send statistical information to UCT-C Controller. |
| Outbound | UDP | VXLAN (default 4789) | Any IP address | Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or another destination. |
UCT-C Controller deployed inside a Kubernetes worker node

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 8443 (configurable) | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with UCT-C Controller. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 5671 | Any IP address | Allows UCT-C Controller to send statistics to GigaVUE-FM. |
| Outbound | TCP | 443 | GigaVUE-FM IP | Allows UCT-C Controller to communicate with GigaVUE-FM. |
Ports to be opened for Backward Compatibility:
These ports must be opened for backward compatibility when GigaVUE-FM is running version 6.10 or later and the fabric components are still on the (n-1) or (n-2) version. Once every fabric component has been upgraded to match GigaVUE-FM, remove these rules again so that the legacy ports are not left open.

UCT-V Controller

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound (port used for Third Party Orchestration) | TCP | 8891 | UCT-V or Subnet IP | Allows UCT-V Controller to receive registration requests from UCT-V. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 9901 | UCT-V Subnet | Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |

UCT-V

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 9901 | UCT-V Controller IP | Allows UCT-V to receive control and management plane traffic from UCT-V Controller. |

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound (port used for Third Party Orchestration) | TCP | 8891 | UCT-V Controller IP | Allows UCT-V to communicate with UCT-V Controller for registration and heartbeat. |

GigaVUE V Series Node

| Direction | Protocol | Port | Destination CIDR | Purpose |
|---|---|---|---|---|
| Outbound (port used for Third Party Orchestration) | TCP | 8891 | GigaVUE V Series Proxy IP | Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |

GigaVUE V Series Proxy (optional)

| Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|
| Inbound (port used for Third Party Orchestration) | TCP | 8891 | GigaVUE V Series Node IP | Allows GigaVUE V Series Proxy to receive security parameter requests from GigaVUE V Series Node. |
The following table lists the Network Firewall or Security Group requirements when using OVS Mirroring.

| Component | Direction | Protocol | Port | Source CIDR | Purpose |
|---|---|---|---|---|---|
| UCT-V OVS Controller | Inbound | TCP | 9900 | GigaVUE-FM IP | Allows GigaVUE-FM to communicate with UCT-V OVS Controllers. |
| UCT-V OVS Agent | Inbound | TCP | 9901 | UCT-V OVS Controller IP | Allows UCT-V OVS Controllers to communicate with UCT-V OVS Agents. |
Note: The OVS Mirroring table lists only the ingress rules; make sure the corresponding egress ports are open on the peer as well. Along with the ports listed in the tables above, make sure the ports required to reach the OpenStack service endpoints, such as Identity, Compute, and the Cloud Metadata service, are also open.
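Every row in these tables has a mirror image on the peer component: an inbound row on UCT-V Controller from UCT-V implies an outbound row on UCT-V to UCT-V Controller, and a row that has lost its mirror is either a missing rule that breaks the fabric or a stale port left open after an upgrade. The following added example (not Gigamon code and not part of this page) transcribes the UCT-V Controller and UCT-V rows above, normalising the CIDR column to component names, adds one constructed stale backward-compatibility row, and reports every row with no matching peer rule. It also renders `nc` probe commands (OpenBSD netcat flags) for a component's outbound TCP rows so the rules can be verified from inside the instance; the address `10.0.1.5` is a constructed placeholder.

```python
"""Cross-check paired security group rows and render probe commands.

Added example; not part of the Gigamon documentation. Rows are transcribed
from the UCT-V Controller and UCT-V tables, plus one constructed stale row.
"""
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    component: str
    direction: str   # "in" or "out"
    protocol: str    # "tcp", "udp" or an IP protocol number such as "47"
    port: str        # destination port; "" for port-less protocols
    peer: str        # the other component (CIDR column normalised to a name)
    purpose: str


RULES: List[Rule] = [
    # UCT-V Controller
    Rule("UCT-V Controller", "in", "tcp", "9900", "GigaVUE-FM", "control and management plane"),
    Rule("UCT-V Controller", "in", "tcp", "9900", "UCT-V", "traffic health updates"),
    Rule("UCT-V Controller", "in", "tcp", "80", "GigaVUE-FM", "ACME challenge"),
    Rule("UCT-V Controller", "in", "tcp", "8300", "UCT-V", "certificate requests"),
    Rule("UCT-V Controller", "in", "tcp", "8892", "UCT-V", "registration and heartbeat"),
    Rule("UCT-V Controller", "out", "tcp", "443", "GigaVUE-FM", "registration"),
    Rule("UCT-V Controller", "out", "tcp", "5671", "GigaVUE-FM", "traffic health updates"),
    Rule("UCT-V Controller", "out", "tcp", "9600", "GigaVUE-FM", "certificate requests"),
    Rule("UCT-V Controller", "out", "tcp", "9902", "UCT-V", "control and management plane"),
    Rule("UCT-V Controller", "out", "tcp", "8301", "UCT-V", "ACME validation"),
    # UCT-V
    Rule("UCT-V", "in", "tcp", "9902", "UCT-V Controller", "control and management plane"),
    Rule("UCT-V", "in", "tcp", "8301", "UCT-V Controller", "ACME challenge"),
    Rule("UCT-V", "out", "udp", "4789", "GigaVUE V Series Node", "VXLAN tunnel"),
    Rule("UCT-V", "out", "47", "", "GigaVUE V Series Node", "L2GRE tunnel"),
    Rule("UCT-V", "out", "tcp", "11443", "GigaVUE V Series Node", "secure tunnel (optional)"),
    Rule("UCT-V", "out", "tcp", "9900", "UCT-V Controller", "traffic health updates"),
    Rule("UCT-V", "out", "tcp", "8892", "UCT-V Controller", "registration and heartbeat"),
    Rule("UCT-V", "out", "tcp", "8300", "UCT-V Controller", "certificate requests"),
    # Constructed stale row: backward-compatibility port still open after every UCT-V was upgraded.
    Rule("UCT-V Controller", "in", "tcp", "8891", "UCT-V", "legacy registration (constructed)"),
]


def unmatched(rules: List[Rule]) -> List[Rule]:
    """Return rules whose peer is also described in `rules` but has no
    mirror-image rule (opposite direction, same protocol and port)."""
    described = {r.component for r in rules}
    keys = {(r.component, r.direction, r.protocol, r.port, r.peer) for r in rules}
    missing = []
    for r in rules:
        if r.peer not in described:
            continue  # the peer's table is not loaded; nothing to compare against
        mirror = (r.peer, "out" if r.direction == "in" else "in", r.protocol, r.port, r.component)
        if mirror not in keys:
            missing.append(r)
    return missing


def probe_commands(rules: List[Rule], component: str, addresses: Dict[str, str]) -> List[str]:
    """Render `nc -zv -w 3 <peer> <port>` checks for a component's outbound
    TCP rows, to be run from inside that instance. Peers without an address,
    UDP rows and raw-IP-protocol rows are skipped (nc cannot confirm those)."""
    return [f"nc -zv -w 3 {addresses[r.peer]} {r.port}"
            for r in rules
            if r.component == component and r.direction == "out"
            and r.protocol == "tcp" and r.peer in addresses]


if __name__ == "__main__":
    for r in unmatched(RULES):
        print(f"no mirror rule: {r.component} {r.direction} {r.protocol}/{r.port} "
              f"<-> {r.peer} ({r.purpose})")
    for cmd in probe_commands(RULES, "UCT-V", {"UCT-V Controller": "10.0.1.5"}):
        print(cmd)
```

Only the constructed 8891 row is reported, because every genuine UCT-V Controller/UCT-V pair in the tables above mirrors correctly. Rows whose peer table is not loaded (GigaVUE-FM, GigaVUE V Series Node here) are skipped rather than flagged, so load all component tables together before treating an empty report as a clean bill of health.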