
Configure a Stateless Firewall for RightLink Compatibility

Overview

The RightLink management agent makes outbound HTTPS connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.

When RightLink resides behind a stateless firewall that performs egress filtering, the firewall does not track connections, so it must be configured to explicitly allow both the outbound request packets and the inbound response packets for each of these protocols.

Prerequisites

This information applies to the following environment:

  • Compute instances that use RightLink v6.0 or later
  • Network devices that filter individual packets without tracking connections (stateless layer-3/4 filtering), including:
    • AWS VPC Network ACLs (NACLs)
    • Most switches and routers

This information does not apply to:

  • Compute instances that use RightLink v5.x
  • Stateful firewalls and other devices that track connections (e.g. TCP connection tracking), such as AWS VPC Security Groups
  • Ingress-only firewalls

Screenshots in this document depict the AWS Console UI, but the firewall rules and overall procedure can be applied to any stateless firewall through any management interface.

Goal

After completing this how-to, you will have configured your firewall for compatibility with RightScale-managed compute instances. You will be able to launch Servers and ServerArray instances, see audit entries, see instance state changes and use optional features such as monitoring and NTP synchronization, all without exposing your instances to unwanted network traffic.

Procedure

Note RightScale-Operated Networks

RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages, so allow every network listed below unless its description restricts it to cloud regions you do not use.

Network/CIDR                          Location   Description
54.225.248.128/27                     US-East    us-3 cluster and island1 resources
54.244.88.96/27                       US-West    us-4 cluster and island10 resources
54.86.63.128/26                       US-East    additional island1 resources
54.187.254.128/26                     US-West    additional island10 resources
54.217.243.218/32, 54.217.243.226/32  Europe     island2 resources. Can be removed after April 30, 2015. Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.
54.246.247.16/28                      Europe     Only required for workloads in AWS EU-West and EU-Central.
54.248.220.136/32, 54.248.220.137/32  Japan      island8 resources. Can be removed after April 30, 2015. Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
54.248.220.128/28                     Japan      Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
54.251.98.164/32, 54.251.106.120/32   Singapore  island5 resources. Can be removed after April 30, 2015. Only required for workloads in AWS AP-Singapore.
54.255.255.208/28                     Singapore  Only required for workloads in AWS AP-Singapore.

Enable RightLink Communication

RightLink communicates with the RightScale infrastructure using HTTPS (tcp/443) and HTTP (tcp/80). Your firewall should allow outbound (request) packets to RightScale using these protocols, and inbound (response) packets from RightScale to your instances' ephemeral ports.

NOTE: Because the instance chooses an ephemeral source port for each connection, the destination port of the inbound response packets cannot be predicted, and NACL entries match on destination port only. The inbound rules therefore have to admit the whole ephemeral range (1024-65535 covers the ranges used by common guest operating systems) from the RightScale networks, which also admits unsolicited packets from those networks to that port range. Use a stateful firewall or security group in addition to the NACL to restrict inbound traffic to established connections.

Example configuration for an AWS VPC Network ACL that allows only RightLink traffic:

[Screenshot: AWS VPC NACL - Outbound Rules]

[Screenshot: AWS VPC NACL - Inbound Rules]


Optional: Enable Time Synchronization

Good time synchronization is important in networking, and particularly important in the cloud because virtualization environments can introduce clock drift. RightLink versions prior to 6.3 used OS facilities to synchronize time via the NTP protocol (udp/123), first attempting to use the OS' NTP settings and then contacting RightScale-operated NTP servers, because correct system time was required for RightLink startup. Starting with RightLink 6.3 this requirement was dropped, as correct system time is no longer required for the agent to start.

If your base images have suitable NTP settings for your network environment, or if you wish to skip NTP synchronization, no firewall changes are required. Otherwise, your firewall should allow instances to use RightScale's NTP servers. See our NTP documentation for more information.

Optional: Enable RightScale Monitoring

RightScale optionally utilizes the collectd protocol (udp/3011) to collect monitoring metrics from your instances and raise user-defined alerts. If you wish to use RightScale monitoring, your firewall should allow instances to send UDP packets to RightScale's servers on this port. collectd only sends metrics and expects no reply, so no inbound rule is needed for this traffic.

NOTE: rules for monitoring data (udp/3011) will no longer be necessary once RightScale deploys its next-generation monitoring infrastructure in 2015Q1.
 

Mandatory+Optional Rules Example

Example configuration for an AWS VPC Network ACL that allows RightLink, time-synchronization and monitoring traffic:

[Screenshot: AWS VPC NACL - Outbound Rules]

[Screenshot: AWS VPC NACL - Inbound Rules]
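The mandatory RightLink rules and the optional NTP and monitoring rules, modelled in Python as an added example (this is not RightScale code and not a transcript of the NACL screenshots). It builds the outbound and inbound entries for tcp/443, tcp/80, udp/123 and udp/3011 against the US-East and US-West networks from the table above, evaluates sample packets with NACL semantics (ascending rule number, first match wins, implicit deny), and renders the entries as `aws ec2 create-network-acl-entry` commands. Assumptions not stated on this page: the NTP and collectd servers are inside the listed CIDRs, instances pick ephemeral ports within 1024-65535, the NACL id `acl-0123456789abcdef0` is a placeholder, and the default quota of 20 entries per NACL direction applies, which is why only four CIDRs are included.

```python
"""Model of AWS VPC Network ACL evaluation for the RightLink rule set.

Added example, not RightScale code. Builds the stateless outbound/inbound
entries this page describes and evaluates packets the way a NACL does:
ascending rule number, first match wins, implicit deny if nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CIDRs from the page's table. Only the US networks are used so the result
# stays within the default quota of 20 entries per NACL direction
# (assumption about your account; add your own region's networks as needed).
RIGHTSCALE_CIDRS = [
    "54.225.248.128/27",  # US-East: us-3 cluster and island1
    "54.244.88.96/27",    # US-West: us-4 cluster and island10
    "54.86.63.128/26",    # US-East: additional island1
    "54.187.254.128/26",  # US-West: additional island10
]
# Assumption: guest OSes pick source ports somewhere in this range.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int                       # NACL rule number; evaluated in ascending order
    protocol: str                     # "tcp", "udp" or "all"
    cidr: str                         # remote network (destination for egress, source for ingress)
    ports: Optional[Tuple[int, int]]  # destination-port range on the receiving host; None = any
    action: str                       # "allow" or "deny"


def build_rules(cidrs: List[str], ntp: bool = True, monitoring: bool = True):
    """Return (outbound, inbound) entries for a NACL that admits only RightLink traffic."""
    outbound: List[Rule] = []
    inbound: List[Rule] = []
    number = 100
    for cidr in cidrs:
        # Requests leave the instance toward RightScale's well-known ports...
        outbound.append(Rule(number, "tcp", cidr, (443, 443), "allow"))
        outbound.append(Rule(number + 1, "tcp", cidr, (80, 80), "allow"))
        # ...and, the NACL being stateless, the replies need their own entries.
        # They arrive on whatever ephemeral port the instance chose.
        inbound.append(Rule(number, "tcp", cidr, EPHEMERAL, "allow"))
        if ntp:  # assumption: the NTP servers are inside these CIDRs
            outbound.append(Rule(number + 2, "udp", cidr, (123, 123), "allow"))
            inbound.append(Rule(number + 1, "udp", cidr, (123, 123), "allow"))  # ntpd replies land on udp/123
            inbound.append(Rule(number + 2, "udp", cidr, EPHEMERAL, "allow"))   # sntp/ntpdate use an ephemeral port
        if monitoring:  # collectd is send-only, so no reply entry is needed
            outbound.append(Rule(number + 3, "udp", cidr, (3011, 3011), "allow"))
        number += 10
    return outbound, inbound


def evaluate(rules: List[Rule], proto: str, remote_ip: str, dst_port: int) -> str:
    """NACL semantics: lowest rule number first, first match wins, else the implicit '*' deny."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", proto):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.ports is not None and not rule.ports[0] <= dst_port <= rule.ports[1]:
            continue
        return rule.action
    return "deny"


def check_flow(outbound, inbound, proto, remote_ip, remote_port, local_port):
    """Verdicts for a request the instance sends and for the reply it expects back."""
    return (evaluate(outbound, proto, remote_ip, remote_port),
            evaluate(inbound, proto, remote_ip, local_port))


def aws_cli(rules: List[Rule], nacl_id: str, egress: bool) -> List[str]:
    """Render entries as 'aws ec2 create-network-acl-entry' commands (printed, not executed)."""
    lines = []
    for r in rules:
        ports = f" --port-range From={r.ports[0]},To={r.ports[1]}" if r.ports else ""
        lines.append(
            f"aws ec2 create-network-acl-entry --network-acl-id {nacl_id} "
            f"--rule-number {r.number} --protocol {r.protocol} --rule-action {r.action} "
            f"{'--egress' if egress else '--ingress'} --cidr-block {r.cidr}{ports}"
        )
    return lines


if __name__ == "__main__":
    out, inb = build_rules(RIGHTSCALE_CIDRS)
    # RightLink HTTPS request from ephemeral port 49152, and its reply
    print(check_flow(out, inb, "tcp", "54.225.248.130", 443, 49152))  # ('allow', 'allow')
    # The same request to a host outside the RightScale networks
    print(check_flow(out, inb, "tcp", "203.0.113.10", 443, 49152))    # ('deny', 'deny')
    # Unsolicited SSH from a RightScale network is still refused...
    print(evaluate(inb, "tcp", "54.225.248.130", 22))                 # deny
    # ...but any packet from that network to the ephemeral range is not,
    # which is why a stateful security group belongs in front of the instance.
    print(evaluate(inb, "tcp", "54.225.248.130", 8080))               # allow
    for line in aws_cli(out, "acl-0123456789abcdef0", egress=True):  # placeholder NACL id
        print(line)
```

The two `evaluate(inb, ...)` calls at the end are the point of the note above: the inbound entries block unsolicited SSH from the RightScale networks but cannot block unsolicited traffic aimed at the ephemeral range, so the NACL alone only narrows exposure to those CIDRs and a stateful security group should enforce the rest.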


What's Next

Your firewall has been configured for compatibility with RightLink. If your networking environment includes a stateful firewall (e.g. AWS VPC Security Groups) in addition to the stateless firewall, ensure that it is also configured to allow the same outbound traffic. Booting a few test instances and checking that they register and show audit entries in the dashboard confirms that everything is working.

To learn more about the firewall functionality of your cloud, refer to the following external links:

Last modified
16:51, 6 Jan 2015



© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.