Security Group Configuration
All Velostrata Cloud Edge Components are deployed into a dedicated security group (sgVelostrata). For simplicity, we describe a deployment in which all workload VMs are deployed into the same security group (sgWorkloads). However, in general you may set up multiple security groups to create boundaries between different applications and services.
The sgVelostrata security group allows inbound access for Velostrata Secure Datapath connections (SSL, TCP/9111) and management connections (HTTPS) initiated by the Velostrata Virtual Appliance on-premises. These connections arrive through the VPN. It also allows inbound access for iSCSI (TCP/3260) and, optionally, Syslog for boot logging (UDP/514) from the workload Virtual Machines in sgWorkloads. Velostrata components within sgVelostrata can communicate with each other.
Outbound access to the internet from sgVelostrata is required for connections to the AWS S3 service (HTTPS) and the Velostrata Telemetry Service (HTTPS).
Note: No outbound access from sgVelostrata to the corporate network or to sgWorkloads is required, so it can be blocked in the corresponding VPN and sgWorkloads policies for tighter security control.
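The inbound and outbound expectations above can be checked mechanically against what AWS reports for the group. The following is an added example, not Velostrata's own tooling: it encodes the minimal sgVelostrata inbound set described in the text and audits a security-group description in the shape returned by boto3's `describe_security_groups`, flagging missing required rules, rules beyond the described set, and any egress toward sgWorkloads or the corporate VPN range. The group IDs, the on-premises VPN CIDR and the sample group contents are constructed placeholders.

```python
"""Audit a Velostrata-style security group against the minimal inbound policy.

Added example, not Velostrata's own tooling. Input is a dict in the shape of
one entry of ec2.describe_security_groups()["SecurityGroups"]; all IDs and
CIDRs below are constructed placeholders.
"""
from typing import Dict, List, Set, Tuple

# --- assumptions: placeholder identifiers, not taken from the original page ---
VPN_CIDR = "10.10.0.0/16"              # on-prem range that reaches AWS via the VPN
SG_VELOSTRATA = "sg-0aaa11112222bbbb3"  # constructed group id for sgVelostrata
SG_WORKLOADS = "sg-0ccc44445555dddd6"   # constructed group id for sgWorkloads

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, source cidr or sg id)


def flatten(perms: List[dict]) -> Set[Rule]:
    """Expand boto3 IpPermissions entries into (proto, from, to, source) tuples.

    Protocol "-1" (all traffic) carries no FromPort/ToPort in boto3 output,
    so both default to -1.
    """
    rules: Set[Rule] = set()
    for p in perms:
        proto = p["IpProtocol"]
        lo = p.get("FromPort", -1)
        hi = p.get("ToPort", -1)
        for r in p.get("IpRanges", []):
            rules.add((proto, lo, hi, r["CidrIp"]))
        for g in p.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, g["GroupId"]))
    return rules


# Minimal sgVelostrata inbound rules as described in the text.
REQUIRED_VELOSTRATA_INBOUND: Set[Rule] = {
    ("tcp", 9111, 9111, VPN_CIDR),      # Velostrata Secure Datapath (SSL) from on-prem appliance
    ("tcp", 443, 443, VPN_CIDR),        # management HTTPS from on-prem appliance
    ("tcp", 3260, 3260, SG_WORKLOADS),  # iSCSI from workload VMs
    ("-1", -1, -1, SG_VELOSTRATA),      # Velostrata components talking to each other
}
OPTIONAL_VELOSTRATA_INBOUND: Set[Rule] = {
    ("udp", 514, 514, SG_WORKLOADS),    # Syslog boot logging from workload VMs (optional)
}


def audit_velostrata(sg: dict) -> Dict[str, List[Rule]]:
    """Compare one security-group description against the minimal policy.

    Returns:
      missing    - required inbound rules that are absent
      unexpected - inbound rules beyond the required/optional set
      egress     - outbound rules toward sgWorkloads or the corporate VPN range,
                   which the text says are not needed and can be blocked
    """
    inbound = flatten(sg.get("IpPermissions", []))
    egress = flatten(sg.get("IpPermissionsEgress", []))
    allowed = REQUIRED_VELOSTRATA_INBOUND | OPTIONAL_VELOSTRATA_INBOUND
    return {
        "missing": sorted(REQUIRED_VELOSTRATA_INBOUND - inbound),
        "unexpected": sorted(inbound - allowed),
        "egress": sorted(r for r in egress if r[3] in (SG_WORKLOADS, VPN_CIDR)),
    }


# Constructed sample mirroring describe_security_groups() output. It carries the
# full minimal rule set plus two deviations the audit should report: an extra
# inbound rule open to the world, and an egress rule toward sgWorkloads.
SAMPLE_SG_VELOSTRATA = {
    "GroupId": SG_VELOSTRATA,
    "GroupName": "sgVelostrata",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9111, "ToPort": 9111,
         "IpRanges": [{"CidrIp": VPN_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": VPN_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3260, "ToPort": 3260,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_WORKLOADS}]},
        {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_WORKLOADS}]},
        {"IpProtocol": "-1",
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_VELOSTRATA}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,                 # drift
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,               # S3 / telemetry
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3260, "ToPort": 3260,             # not needed
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_WORKLOADS}]},
    ],
}

if __name__ == "__main__":
    for finding, rules in audit_velostrata(SAMPLE_SG_VELOSTRATA).items():
        print(f"{finding}: {rules}")
```

In a live account the sample dict would be replaced by the entry for sgVelostrata from `boto3.client("ec2").describe_security_groups(GroupIds=[...])`; the audit logic is unchanged. The same pattern, with a different required set, applies to sgWorkloads.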
sgVelostrata Inbound Rules
sgWorkloads Inbound Rules
Note: The rules below are the minimum required. Additional rules may be required to allow access by clients or other Virtual Machines from corporate or from other security groups in AWS.