Security Group Configuration

All Velostrata Cloud Edge Components are deployed into a dedicated security group (sgVelostrata). For simplicity, we describe a deployment in which all workload VMs are deployed into the same security group (sgWorkloads). However, in general you may set up multiple security groups to create boundaries between different applications and services.

The sgVelostrata security group allows inbound access for Velostrata Secure Datapath connections (SSL TCP/9111) and management connections (HTTPS) initiated by the Velostrata Virtual Appliance on-premises. These connections come through the VPN. It also allows inbound access for iSCSI (TCP/3260) and optionally Syslog for boot logging (UDP/514) from the workload Virtual Machines in sgWorkloads. Velostrata components within sgVelostrata can communicate between themselves.

Outbound access to the internet from sgVelostrata is required for connections to the Velostrata Telemetry Service (HTTPS).

Note: No outbound access to corporate network or to sgWorkloads is required and, thus can be blocked at the corresponding VPN and sgWorkloads policies for better security control.

sgVelostrata Inbound Rules

sgWorkloads Inbound Rules

Note: The rules below are the minimum required. Additional rules may be required to allow access by clients or other Virtual Machines from corporate or from other network security groups in Azure.