Porticor VPD and its Network Behavior
The Porticor virtual appliance is deployed in the customer's (private or public) cloud account. This document describes the appliance's network behavior to assist in network planning, with emphasis on network security.
The appliance requires no incoming network connectivity for its normal operation.
The appliance accesses the Porticor Virtual Key Management (PVKM) service at pvkm.porticor.com. Communication is encrypted and authenticated, and uses HTTPS (TCP/443).
Depending on configuration, the appliance may also access Ubuntu software repositories, such as security.ubuntu.com. This is similarly over HTTPS.
In addition, the appliance makes calls to various Amazon service endpoints, including EC2, S3, Route 53 and others. Note that some of these services are used even by non-Amazon versions of the product.
Both DNS and NTP should also be enabled (i.e. they should not be blocked by any firewalls present in the environment). They use UDP port 53 and UDP port 123 respectively.
To support the remote access feature, you should allow outbound IPsec (UDP/4500) to ts1.i.porticor.net.
The appliance never initiates any connections into any non-Porticor servers within your cloud account.
An exception to this rule is when external logging is enabled on the appliance. Such logs are sent via syslog, i.e. using port UDP/514 (the destination and port number are configurable).
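The outbound requirements above can be captured as an explicit egress allowlist and rendered for a default-drop host or gateway firewall. The following is an added example, not Porticor's code: it models the flows listed in this section (PVKM over TCP/443, Amazon endpoints, DNS and NTP on UDP, plus the optional Ubuntu repository, remote-access IPsec and external syslog flows) and renders them as nftables rules. The ADDRESSES map holds constructed placeholder addresses (documentation ranges) so the example runs offline; a real deployment resolves the hostnames when the rules are loaded, and the "aws-endpoints" entry is a stand-in for whatever address set your region's service endpoints use.

```python
"""Egress allowlist for a Porticor appliance, rendered as nftables rules.

Added example (not Porticor's code). Hostnames are mapped to constructed
placeholder addresses in ADDRESSES so the example runs offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str   # "tcp" or "udp"
    dst: str     # key into ADDRESSES, a CIDR, or "any" (every destination)
    port: int


# Constructed placeholders (RFC 5737 documentation ranges), not real addresses.
ADDRESSES: Dict[str, str] = {
    "pvkm.porticor.com": "203.0.113.10/32",
    "ts1.i.porticor.net": "203.0.113.20/32",
    "security.ubuntu.com": "203.0.113.30/32",
    "aws-endpoints": "198.51.100.0/24",   # stand-in for the Amazon endpoint set
}


def required_flows(remote_access: bool = False,
                   external_syslog: Optional[Tuple[str, int]] = None,
                   ubuntu_repos: bool = False) -> List[Flow]:
    """Build the outbound allowlist for one appliance configuration.

    external_syslog is (destination CIDR, UDP port); both are configurable
    on the appliance, with UDP/514 as the conventional syslog port.
    """
    flows = [
        Flow("PVKM key management", "tcp", "pvkm.porticor.com", 443),
        Flow("Amazon service endpoints", "tcp", "aws-endpoints", 443),  # HTTPS APIs
        Flow("DNS", "udp", "any", 53),
        Flow("NTP", "udp", "any", 123),
    ]
    if ubuntu_repos:
        flows.append(Flow("Ubuntu repositories", "tcp", "security.ubuntu.com", 443))
    if remote_access:
        flows.append(Flow("remote access IPsec", "udp", "ts1.i.porticor.net", 4500))
    if external_syslog is not None:
        dest, port = external_syslog
        flows.append(Flow("external syslog", "udp", dest, port))
    return flows


def is_permitted(flows: List[Flow], proto: str, dst_ip: str, port: int) -> bool:
    """True if a candidate (proto, destination, port) matches an allowlist entry."""
    for f in flows:
        if f.proto != proto or f.port != port:
            continue
        if f.dst == "any":
            return True
        net = ip_network(ADDRESSES.get(f.dst, f.dst), strict=False)
        if ip_address(dst_ip) in net:
            return True
    return False


def render_nftables(flows: List[Flow]) -> str:
    """Render the allowlist as a default-drop nftables output chain."""
    lines = [
        "table inet porticor_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for f in flows:
        match = "" if f.dst == "any" else f"ip daddr {ADDRESSES.get(f.dst, f.dst)} "
        lines.append(f'    {match}{f.proto} dport {f.port} accept comment "{f.name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Appliance with remote access and external logging to a constructed collector.
    print(render_nftables(required_flows(remote_access=True,
                                         external_syslog=("10.0.0.5/32", 514))))
```

Because the chain's policy is drop, anything not in the list (including SSH or HTTP from the appliance) is blocked, which matches the document's statement that the appliance initiates no other connections; the rendered text is meant to be reviewed and then loaded with `nft -f`.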
Incoming connectivity: your application servers and orchestration scripts can access the following services on the appliance:
- An HTTPS management interface on TCP/443.
- HTTPS REST APIs on the same port.
- NFS (dynamically allocated TCP ports).
- Samba/CIFS (dynamically allocated TCP ports).
- iSCSI (TCP/3260).
This means that in normal use, application servers should be allowed to access any port on the appliance.
Amazon EC2 Security Groups
When started from the instance creation wizard (the Quick Launch option), the new instance:
- Joins the existing "default" security group. Depending on how the appliance is launched, this can be an EC2 security group or a VPC security group for the particular subnet. This group, by default, allows full access into the appliance from all instances within the same account or same VPC.
- Creates a new (EC2 or VPC) security group, which is then shared among all appliances of the same project. This security group allows incoming access into port TCP/443 (HTTPS), from any source.
Under normal circumstances, no additional network engineering is required even for VPC instances. This is true, for example, if your VPC is accessible from the corporate network via an IPsec VPN.
If you select the Advanced Launch option, you start the appliance manually, e.g. from Amazon's Console. As you launch the instance, you should define its security groups as follows. Remember that EC2 (non-VPC) security groups cannot be changed after the instance has launched!
- Add the new instance into the "default" security group, or a similar group that allows application servers full access into the instance.
- Define another security group that opens incoming HTTPS connectivity to the instance.
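Since EC2 (non-VPC) security groups cannot be changed after launch, it is worth checking the intended groups before starting the instance. The following is an added example, not Porticor's code: it audits a list of groups in the shape returned by `aws ec2 describe-security-groups` (the `IpPermissions` entries with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges` and `UserIdGroupPairs`) against the two requirements above, a group granting application servers full access and a group admitting HTTPS (TCP/443) from any source. It also flags a group that admits all ports from 0.0.0.0/0, a check this document does not ask for but that catches the common mistake of opening "full access" to the internet rather than to the application servers. Group IDs and the account ID below are constructed sample values.

```python
"""Audit the security groups to be attached to a Porticor appliance.

Added example (not Porticor's code). Input follows the shape of
`aws ec2 describe-security-groups`; sample data is constructed.
"""
from typing import Dict, List

ANYWHERE = "0.0.0.0/0"


def _covers(perm: Dict, proto: str, port: int) -> bool:
    """True if one IpPermissions entry matches proto/port ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == proto
            and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1))


def _sources(perm: Dict) -> List[str]:
    """Source CIDRs and source security-group IDs referenced by one entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return cidrs + groups


def grants(group: Dict, proto: str, port: int, source: str) -> bool:
    """Does `group` admit proto/port from `source` (a CIDR or a group ID)?"""
    return any(_covers(p, proto, port) and source in _sources(p)
               for p in group["IpPermissions"])


def grants_all_traffic(group: Dict, source: str) -> bool:
    """Does `group` admit every protocol and port from `source`?"""
    return any(p["IpProtocol"] == "-1" and source in _sources(p)
               for p in group["IpPermissions"])


def audit_appliance_groups(groups: List[Dict], app_servers_sg: str) -> List[str]:
    """Return findings; an empty list means the groups meet the requirements.

    app_servers_sg is the group ID your application servers belong to
    (the "default" group in the Quick Launch case).
    """
    findings = []
    # Requirement 1: application servers need any port on the appliance
    # (management HTTPS, REST, NFS and CIFS on dynamic ports, iSCSI).
    if not any(grants_all_traffic(g, app_servers_sg) for g in groups):
        findings.append(f"no group admits all traffic from application servers ({app_servers_sg})")
    # Requirement 2: HTTPS management/REST reachable from any source.
    if not any(grants(g, "tcp", 443, ANYWHERE) for g in groups):
        findings.append("no group admits HTTPS (TCP/443) from 0.0.0.0/0")
    # Added hardening check: full access should come from the app servers, not the internet.
    for g in groups:
        if grants_all_traffic(g, ANYWHERE):
            findings.append(f"{g['GroupName']} admits all traffic from 0.0.0.0/0; "
                            "restrict it to the application servers")
    return findings


# Constructed sample: the two groups the Quick Launch path would produce.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0default0", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0default0", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-0https000", "GroupName": "porticor-https", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for finding in audit_appliance_groups(SAMPLE_GROUPS, "sg-0default0") or ["OK"]:
        print(finding)
```

To run it against a live account, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --group-ids ...` (parsed with `json.load`) into `audit_appliance_groups` together with the ID of the group your application servers use.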