Configuring your Google VPC network | Pexip Infinity Docs

Configuring your Google VPC network

All Google Compute Engine (GCE) VM instances belong to a Google Virtual Private Cloud (VPC) network. You need to configure the VPC network to control access to the VM instances that will host your Pexip Infinity nodes in your Google Cloud Platform (GCP) deployment.

Google Cloud VPN for private / hybrid cloud deployments

For a private or hybrid cloud deployment, you must configure the Google Cloud virtual private network (VPN) to connect your on-premises network to the Google VPC network.

Google assigns a default range of private addresses to your VPC regions. You must ensure that the IP address ranges for the VPC regions in which you deploy your VM instances do not overlap with any subnets you use in your corporate network. If you do have overlapping subnets, you can create new subnets for each region in your Google VPC network, and then select that subnetwork when deploying your instance. See https://cloud.google.com/compute/docs/vpc/#subnet-ranges for information about the default VPC subnets per region.

For full information about how to configure the Google Cloud VPN, see https://cloud.google.com/compute/docs/vpn/overview.

A VPN is not required for public cloud deployments as you can access all of your nodes via their public IP addresses.

Enabling communication between Pexip Infinity nodes

To allow Pexip Infinity nodes to communicate, there must be a firewall rule in place to allow UDP and IPsec ESP protocol traffic between nodes. This applies to all deployment options (private, public and hybrid).

By default, the Google VPC network has a firewall rule called “default-allow-internal”. This rule allows TCP, UDP and ICMP traffic between private addresses on the internal network, but it does not allow ESP traffic.

To modify this firewall rule to also allow ESP traffic:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select the default-allow-internal rule.
  3. Select Edit.
  4. Change Protocols and ports from “tcp:0-65535; udp:0-65535; icmp” to “tcp:0-65535; udp:0-65535; icmp; esp”.
  5. Select Save.

Note that this change adds ESP to the existing rule but does not remove or restrict any of the other default protocols and ports. This is because the default-allow-internal rule applies to all instances in your GCP project, and if you have something other than Pexip Infinity running (e.g. a reverse proxy, or something completely unrelated) then you probably still want UDP and TCP traffic between those instances to be allowed.

Inter-node communication requirements for multiple VPCs

In a basic deployment, your Pexip Infinity platform will be deployed within a single VPC.

In larger deployments you may choose to deploy your Conferencing Nodes across multiple VPCs — in which case there must be a directly routable path (no NAT) between all nodes that allows UDP port 500 (IKE), and IP Protocol 50 (IPsec ESP) to pass between all nodes in both directions.

Controlling access to the Management Node

We recommend that you lock down access to the Management Node to just the management stations that will administer your Pexip Infinity platform. This applies to all deployment options (private, public and hybrid), but is particularly important in public cloud deployments.

To create a new firewall rule to restrict access to the Management Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name
    Enter a name for the rule, for example “pexip-allow-management”.

    Direction of traffic
    Select Ingress.

    Action on match
    Select Allow.

    Targets
    Select Specified target tags.

    Target tags
    Enter a tag name, for example “pexip-management”. You will use this name later when you create your Management Node VM instance to associate that instance with these firewall rules (see Deploying a Management Node in Google Cloud Platform).

    Source filter
    Select IP ranges.

    Source IP ranges
    Enter the <IP address/subnet> of the management station/browsers that require access to the Management Node.

    Note that on a corporate network accessing a public cloud deployment, this should be the external public IP address of the corporate network and not the private address of the machine that is hosting the browser.

    Protocols and ports
    Enter tcp:443

    Note that you may need to include tcp:22 to allow SSH access if you intend to restrict or remove the default-allow-ssh rule.

  4. Select Create.

Controlling access to Conferencing Nodes for installation/provisioning

We recommend that you lock down access to the provisioning interface on your Conferencing Nodes to just the management stations that will administer your Pexip Infinity platform. This applies to all deployment options (private, public and hybrid), but is particularly important in public and hybrid cloud deployments for nodes with an external IP address.

To create a new firewall rule to restrict access to the provisioning interface of a Conferencing Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name
    Enter a name for the rule, for example “pexip-allow-provisioning”.

    Direction of traffic
    Select Ingress.

    Action on match
    Select Allow.

    Targets
    Select Specified target tags.

    Target tags
    Enter a tag name, for example “pexip-provisioning”. You will use this name later when you create your Conferencing Node VM instances to associate those instances with these firewall rules (see Deploying a Conferencing Node in Google Cloud Platform).

    Source filter
    Select IP ranges.

    Source IP ranges
    Enter the <IP address/subnet> of the management station/browsers that require access to the Conferencing Nodes.

    Note that on a corporate network accessing a public cloud deployment, this should be the external public IP address of the corporate network and not the private address of the machine that is hosting the browser.

    Protocols and ports
    Enter tcp:8443

  4. Select Create.

Controlling access to Conferencing Nodes for conference participants

Conference participants typically need wider, more general access to the protocols and ports used to reach conferences hosted on your Conferencing Nodes.

To create a new firewall rule to allow access to the conferencing-related ports and protocols of a Conferencing Node:

  1. From the GCP project console, go to VPC network > Firewall rules.
  2. Select Create firewall rule.
  3. Complete the following fields (leave all other settings as default):

    Name
    Enter a name for the rule, for example “pexip-allow-conferencing”.

    Direction of traffic
    Select Ingress.

    Action on match
    Select Allow.

    Targets
    Select Specified target tags.

    Target tags
    Enter a tag name, for example “pexip-conferencing”. You will use this name later when you create your Conferencing Node VM instances to associate those instances with these firewall rules (see Deploying a Conferencing Node in Google Cloud Platform).

    Source filter
    Select IP ranges.

    Source IP ranges
    Enter 0.0.0.0/0

    For a private deployment, the Source IP ranges should be restricted to the corporate intranet IP addresses.

    Protocols and ports
    Enter tcp:80; tcp:443; tcp:1720; tcp:5060; tcp:5061; tcp:33000-39999; tcp:40000-49999; udp:1719; udp:33000-39999; udp:40000-49999

    Note that if you have enabled SIP UDP then udp:5060 must also be included.

  4. Select Create.
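As an added example (not Pexip's or Google's code), the following Python script audits an exported rule list against the requirements in the ESP, Management Node, provisioning and conference-participant sections above. It assumes the input has the shape of `gcloud compute firewall-rules list --format=json` (Compute API Firewall resources: name, direction, sourceRanges, targetTags, allowed[].IPProtocol and allowed[].ports); the sample rules are constructed and deliberately contain two of the mistakes the page warns about (no ESP in default-allow-internal, provisioning open to 0.0.0.0/0).

```python
import json
# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (Compute API Firewall resources); ranges and tags are illustrative, not from a real project.
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "udp", "ports": ["0-65535"]},
              {"IPProtocol": "icmp"}]},
 {"name": "pexip-allow-management", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
  "targetTags": ["pexip-management"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "pexip-allow-provisioning", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["pexip-provisioning"], "allowed": [{"IPProtocol": "tcp", "ports": ["8443"]}]},
 {"name": "pexip-allow-conferencing", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["pexip-conferencing"], "allowed": [
   {"IPProtocol": "tcp", "ports": ["80", "443", "1720", "5060", "5061", "33000-39999", "40000-49999"]},
   {"IPProtocol": "udp", "ports": ["1719", "33000-39999", "40000-49999"]}]}
]""")
# Ports the page lists for conference participants; udp:5060 is added only when SIP UDP is enabled.
CONFERENCING_PORTS = [("tcp", p) for p in ("80", "443", "1720", "5060", "5061", "33000-39999", "40000-49999")] \
    + [("udp", p) for p in ("1719", "33000-39999", "40000-49999")]

def port_covered(rule, proto, port):
    """True if the rule allows `port` (a number or lo-hi range) for `proto`, exactly or via a wider range."""
    lo, _, hi = port.partition("-")
    lo, hi = int(lo), int(hi or lo)
    for a in rule.get("allowed", []):
        for r in (a.get("ports", []) if a["IPProtocol"] == proto else []):
            rlo, _, rhi = r.partition("-")
            if int(rlo) <= lo and hi <= int(rhi or rlo):
                return True
    return False

def audit(rules, sip_udp=False):
    """Check ingress rules against the page's requirements; returns a list of findings (empty = OK)."""
    by_name = {r["name"]: r for r in rules if r.get("direction", "INGRESS") == "INGRESS"}
    findings = []
    internal = by_name.get("default-allow-internal")
    # Inter-node IPsec needs ESP (IP protocol 50) and IKE on udp:500; the default rule lacks ESP.
    if internal is None or not any(a["IPProtocol"] == "esp" for a in internal.get("allowed", [])):
        findings.append("default-allow-internal: ESP not allowed, IPsec between nodes will fail")
    if internal is not None and not port_covered(internal, "udp", "500"):
        findings.append("default-allow-internal: udp:500 (IKE) not allowed between nodes")
    for name in ("pexip-allow-management", "pexip-allow-provisioning"):
        r = by_name.get(name)
        if r is None or "0.0.0.0/0" in r.get("sourceRanges", []):
            findings.append(f"{name}: missing or open to 0.0.0.0/0; restrict it to management station ranges")
    conf = by_name.get("pexip-allow-conferencing", {})  # an absent rule reports every port as missing
    required = CONFERENCING_PORTS + ([("udp", "5060")] if sip_udp else [])
    if missing := [f"{p}:{port}" for p, port in required if not port_covered(conf, p, port)]:
        findings.append("pexip-allow-conferencing: missing " + ", ".join(missing))
    return findings
```

Run it against your own export (`gcloud compute firewall-rules list --format=json > rules.json`, then `audit(json.load(open("rules.json")))`) after the steps above; an empty list means every check passed.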

After you have configured your firewall rules, your ingress rules will look similar to this: