Configuring Application Security Groups for Email Notifications


To give the Notifications Service network access, you must create Application Security Groups (ASGs).

Note: Without Application Security Groups, the service is not usable.

Prerequisite

Review the Getting Started with the Notifications Service topic to ensure you have set up the service.

Configure Network Connections

The Notifications Service is deployed as a suite of applications to the notifications-with-ui space in the system org, and requires the following outbound network connections:

Destination        Ports           Protocol       Reason
SMTP_SERVER        587 (default)   tcp (default)  This service is used to send out email notifications.
LOAD_BALANCER_IP   80, 443         tcp            This service will access the load balancer.
ASSIGNED_NETWORK   3306            tcp            This service requires access to internal services. ASSIGNED_NETWORK is the CIDR of the network assigned to this service.

Note: The SMTP Server port and protocol are dependent on how you configure your server.

Create an SMTP Server ASG

  1. Navigate to the Ops Manager Installation Dashboard and click the Pivotal Elastic Runtime tile > Settings tab.

  2. Record the information in the Address of SMTP Server and Port of SMTP Server fields.

  3. Using the Address of SMTP Server information you obtained in the previous step, find the IP addresses and protocol of your SMTP Server from the service you are using. You might need to contact your service provider for this information.

  4. Create an smtp-server.json file. For destination, replace the SMTP_SERVER_IPS placeholder with the IP address of your SMTP Server (the value must be a quoted JSON string):

    [
        {
            "protocol": "tcp",
            "destination": "SMTP_SERVER_IPS",
            "ports": "587"
        }
    ]
    
  5. Create a security group called smtp-server:

    $ cf create-security-group smtp-server smtp-server.json
    

Create a Load Balancer ASG

Note: If you already have an ASG set up for a Load Balancer, you do not need to perform this step. Review your ASGs to check which groups you have set up.

If you are using the built-in HAProxy as your load balancer, follow this procedure. If you are using an external load balancer, you must obtain your load balancer IPs from the service you are using.

  1. Record the HAProxy IPs from the Pivotal Elastic Runtime Tile > Settings > Networking tab.

  2. Create a load-balancer-https.json file. For destination, use the HAProxy IPs you recorded above.

    [
        {
            "protocol": "tcp",
            "destination": "10.68.196.250",
            "ports": "80,443"
        }
    ]
    
  3. Create a security group called load-balancer-https:

    $ cf create-security-group load-balancer-https load-balancer-https.json
    

Create an Assigned Network ASG

Note: If you use external services, the IP addresses, ports, and protocols depend on the service.

  1. Navigate to the Ops Manager Installation Dashboard > Pivotal Elastic Runtime tile > Settings > Assign AZs and Networks section.

  2. Navigate to the network selected in the dropdown.

  3. Record the Ops Manager Director tile > Settings tab > Create Networks > CIDR for the network identified in the previous step. Ensure the subnet mask allows the space to access p-mysql, p-rabbitmq, and p-redis.

  4. Create an assigned-network.json file. For the destination, enter the CIDR you recorded above.

    [
        {
            "protocol": "tcp",
            "destination": "10.68.0.0/20",
            "ports": "3306,5672,6379"
        }
    ]
    
  5. Create a security group called assigned-network:

    $ cf create-security-group assigned-network assigned-network.json
    

Bind the ASGs

  1. Target the system org:

    $ cf target -o system
    
  2. Create a notifications-with-ui space:

    $ cf create-space notifications-with-ui
    

  3. Bind the ASGs you created in this topic to the notifications-with-ui space:

    $ cf bind-security-group smtp-server system notifications-with-ui
    $ cf bind-security-group load-balancer-https system notifications-with-ui
    $ cf bind-security-group assigned-network system notifications-with-ui
    
