diff --git a/upi/aws/cloudformation/03_cluster_security.yaml b/upi/aws/cloudformation/03_cluster_security.yaml
index 51a8e0d819..b6080b6e55 100644
--- a/upi/aws/cloudformation/03_cluster_security.yaml
+++ b/upi/aws/cloudformation/03_cluster_security.yaml
@@ -134,6 +134,62 @@ Resources:
 ToPort: 6081
 IpProtocol: udp
+ MasterIngressIpsecIke:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec IKE packets
+ FromPort: 500
+ ToPort: 500
+ IpProtocol: udp
+
+ MasterIngressIpsecNat:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec NAT-T packets
+ FromPort: 4500
+ ToPort: 4500
+ IpProtocol: udp
+
+ MasterIngressIpsecEsp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec ESP packets
+ IpProtocol: esp
+
+ MasterIngressWorkerIpsecIke:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec IKE packets
+ FromPort: 500
+ ToPort: 500
+ IpProtocol: udp
+
+ MasterIngressWorkerIpsecNat:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec NAT-T packets
+ FromPort: 4500
+ ToPort: 4500
+ IpProtocol: udp
+
+ MasterIngressWorkerIpsecEsp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt MasterSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec ESP packets
+ IpProtocol: esp
+
 MasterIngressInternal:
 Type: AWS::EC2::SecurityGroupIngress
 Properties:
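Review bot: `IpProtocol: esp` on MasterIngressIpsecEsp and MasterIngressWorkerIpsecEsp relies on the EC2 API accepting a protocol by name, which AWS documents only for tcp, udp, icmp and icmpv6; every other protocol is expected as its IANA number, so this rule may be rejected at stack creation or not behave as intended. `IpProtocol: 50` is the unambiguous form for ESP, and since a numbered protocol ignores any port range the absence of FromPort/ToPort on these two resources is consistent with that. The same applies to WorkerIngressIpsecEsp and WorkerIngressMasterIpsecEsp in the next hunk. Scoping all six rules by SourceSecurityGroupId rather than a CIDR keeps them to master/worker traffic only, which is the right shape for node-to-node IPsec.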
@@ -274,6 +330,62 @@ Resources:
 ToPort: 6081
 IpProtocol: udp
+ WorkerIngressIpsecIke:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec IKE packets
+ FromPort: 500
+ ToPort: 500
+ IpProtocol: udp
+
+ WorkerIngressIpsecNat:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec NAT-T packets
+ FromPort: 4500
+ ToPort: 4500
+ IpProtocol: udp
+
+ WorkerIngressIpsecEsp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
+ Description: IPsec ESP packets
+ IpProtocol: esp
+
+ WorkerIngressMasterIpsecIke:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec IKE packets
+ FromPort: 500
+ ToPort: 500
+ IpProtocol: udp
+
+ WorkerIngressMasterIpsecNat:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec NAT-T packets
+ FromPort: 4500
+ ToPort: 4500
+ IpProtocol: udp
+
+ WorkerIngressMasterIpsecEsp:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ GroupId: !GetAtt WorkerSecurityGroup.GroupId
+ SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
+ Description: IPsec ESP packets
+ IpProtocol: esp
+
 WorkerIngressInternal:
 Type: AWS::EC2::SecurityGroupIngress
 Properties:
diff --git a/upi/gcp/03_firewall.py b/upi/gcp/03_firewall.py
index ec6400be93..ad5523141c 100644
--- a/upi/gcp/03_firewall.py
+++ b/upi/gcp/03_firewall.py
@@ -94,6 +94,11 @@ def GenerateConfig(context):
 'allowed': [{
 'IPProtocol': 'udp',
 'ports': ['4789', '6081']
+ },{
+ 'IPProtocol': 'udp',
+ 'ports': ['500', '4500']
+ },{
+ 'IPProtocol': 'esp',
 },{
 'IPProtocol': 'tcp',
 'ports': ['9000-9999']
diff --git a/upi/openstack/security-groups.yaml b/upi/openstack/security-groups.yaml
index 532bac9ed7..68b8894c4b 100644
--- a/upi/openstack/security-groups.yaml
+++ b/upi/openstack/security-groups.yaml
@@ -93,6 +93,22 @@
 port_range_min: 6081
 port_range_max: 6081
+ - name: 'Create master-sg rule "IPsec IKE"'
+ os_security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ protocol: udp
+ remote_ip_prefix: "{{ os_subnet_range }}"
+ port_range_min: 500
+ port_range_max: 500
+
+ - name: 'Create master-sg rule "IPsec NAT-T"'
+ os_security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ protocol: udp
+ remote_ip_prefix: "{{ os_subnet_range }}"
+ port_range_min: 4500
+ port_range_max: 4500
+
 - name: 'Create master-sg rule "ovndb"'
 os_security_group_rule:
 security_group: "{{ os_sg_master }}"
@@ -230,6 +246,22 @@
 port_range_min: 6081
 port_range_max: 6081
+ - name: 'Create worker-sg rule "IPsec IKE"'
+ os_security_group_rule:
+ security_group: "{{ os_sg_worker }}"
+ protocol: udp
+ remote_ip_prefix: "{{ os_subnet_range }}"
+ port_range_min: 500
+ port_range_max: 500
+
+ - name: 'Create worker-sg rule "IPsec NAT-T"'
+ os_security_group_rule:
+ security_group: "{{ os_sg_worker }}"
+ protocol: udp
+ remote_ip_prefix: "{{ os_subnet_range }}"
+ port_range_min: 4500
+ port_range_max: 4500
+
 - name: 'Create worker-sg rule "worker ingress internal (TCP)"'
 os_security_group_rule:
 security_group: "{{ os_sg_worker }}"
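Review bot: The two new `allowed` entries (`'ports': ['500', '4500']` and `'IPProtocol': 'esp'`) extend an existing list with no indication of why they belong next to the udp 4789/6081 entry above them, so a later reader cannot tell which rule they may safely remove or tighten; a comment on the first added `},{` such as `# IPsec between nodes: IKE (udp/500), NAT-T (udp/4500) and ESP (protocol 50)` would record the intent. How much traffic this admits depends on the rule's sourceRanges and targetTags, which sit outside the hunk as does the rest of GenerateConfig, so it is worth confirming that this is the rule restricted to the cluster's own network rather than one with a wider source range.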
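Review bot: The master-sg hunk adds IKE (udp/500) and NAT-T (udp/4500) rules but no ESP rule, while the AWS and GCP changes in this same commit allow ESP as well; unless the IPsec tunnels are guaranteed to use UDP encapsulation, ESP packets (IP protocol 50) between nodes will still be dropped by the security group after IKE succeeds. The worker-sg hunk that follows has the same gap. If UDP encapsulation is guaranteed, a comment stating that next to the NAT-T rule would stop the next reader from re-adding the rule; otherwise an ESP rule mirroring the other two, shown below for master-sg, should be added to both groups (if the module version in use restricts `protocol` to a fixed set of names, the numeric form may be needed instead of `esp`).
```yaml
  # … unchanged: "IPsec IKE" and "IPsec NAT-T" rules …
  - name: 'Create master-sg rule "IPsec ESP"'
    os_security_group_rule:
      security_group: "{{ os_sg_master }}"
      protocol: esp
      remote_ip_prefix: "{{ os_subnet_range }}"
```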