Configuring App Security Groups for Email Notifications


This topic describes configuring App Security Groups (ASGs) to give network access to the Notifications Service.

Overview

Outbound traffic from app containers is permitted only by ASGs, so the Notifications Service cannot reach your SMTP server, your load balancer, or its backing services until you create ASGs that allow those connections and bind them to its space. Without ASGs, you cannot use the Notifications Service.

For more information, see App Security Groups.

Prerequisite

Before configuring ASGs for the Notifications Service, you must first set up the Notifications Service. To set up the Notifications Service, see Getting Started with the Notifications Service.

Configure Network Connections

The Notifications Service is deployed as a suite of apps to the notifications-with-ui space in the system org. It requires the following outbound network connections:

| Destination | Ports | Protocol | Reason |
|---|---|---|---|
| SMTP_SERVER | 587 (default) | tcp (default) | Sends outgoing email notifications. |
| LOAD_BALANCER_IP | 80, 443 | tcp | Reaches the platform through the load balancer. |
| ASSIGNED_NETWORK | 3306, 5672, 6379 | tcp | Reaches the backing services (MySQL, RabbitMQ, and Redis) on the network assigned to the Notifications Service. ASSIGNED_NETWORK is the CIDR of that network. |

Note: The SMTP server port and protocol are dependent on how you configure your server.

Create an SMTP Server ASG

To create an ASG for your SMTP server:

  1. Navigate to the Ops Manager Installation Dashboard and click the Pivotal Application Service (PAS) tile.

  2. Select Email Notifications.

  3. Record the values in the Address of SMTP Server and Port of SMTP Server fields.

  4. Using the Address of SMTP Server you obtained in the previous step, find the IP addresses and protocol of your SMTP server from the service you are using. You might need to contact your service provider for this information. ASG rules match on IP addresses, not hostnames, so if the address resolves to more than one IP, record all of them.

  5. Create a smtp-server.json file. For destination, enter the IP address of your SMTP server, as a quoted string. If the server has several IP addresses, add one rule per address.

    [
        {
            "protocol": "tcp",
            "destination": "SMTP_SERVER_IP",
            "ports": "587"
        }
    ]
    
  6. Create an ASG called smtp-server by running:

    cf create-security-group smtp-server smtp-server.json
    

Create a Load Balancer ASG

Note: If you already have an ASG set up for a load balancer, you do not need to do this step. To check which groups you have set up, see App Security Groups.

If you are using the internal HAProxy as your load balancer, follow this procedure. If you are using an external load balancer, you must obtain its IP addresses from the service you are using and use them in place of the HAProxy IPs below.

To create an ASG for a load balancer:

  1. Select Networking in the PAS tile.

  2. Record the values in the HAProxy IPs field.

  3. Create a load-balancer-https.json file. For destination, use the HAProxy IPs you recorded above. If you recorded more than one IP, add one rule per address.

    [
        {
            "protocol": "tcp",
            "destination": "10.68.196.250",
            "ports": "80,443"
        }
    ]
    
  4. Create an ASG called load-balancer-https by running:

    cf create-security-group load-balancer-https load-balancer-https.json
    

Create an Assigned Network ASG

Note: If you use external services, the IP addresses, ports, and protocols depend on the service.

To create an ASG for an assigned network:

  1. Select Assign AZs and Networks in the PAS tile.

  2. Record the network selected in the Network dropdown.

  3. Record the CIDR in the Create Networks pane of the BOSH Director tile for the network you identified in the previous step. Ensure the subnet mask allows the space to access p-mysql, p-rabbitmq, and p-redis.

  4. Create a file assigned-network.json. For the destination, enter the CIDR you recorded above. This rule allows the space to reach the MySQL, RabbitMQ, and Redis ports on every host in that network; if your backing services have fixed addresses, narrow the destination to those addresses instead of the whole CIDR.

    [
        {
            "protocol": "tcp",
            "destination": "10.68.0.0/20",
            "ports": "3306,5672,6379"
        }
    ]
    
  5. Create an ASG called assigned-network by running:

    cf create-security-group assigned-network assigned-network.json
    

Bind the ASGs

After creating your ASGs, you must bind them to the Notifications Service.

To bind your ASGs to the Notifications Service:

  1. Target the system org by running:

    cf target -o system
    
  2. Create the notifications-with-ui space, if it does not already exist, by running:

    cf create-space notifications-with-ui
    
  3. Bind the ASGs you created in this topic to the notifications-with-ui space by running:

    cf bind-security-group smtp-server system notifications-with-ui
    cf bind-security-group load-balancer-https system notifications-with-ui
    cf bind-security-group assigned-network system notifications-with-ui

  4. Restart the Notifications Service apps. ASG rules are applied when an app container is created, so instances that are already running do not pick up newly bound ASGs until they restart.
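The following script ties the whole procedure together. It is an added example, not code from the original page or from the Cloud Foundry project: it builds the three rule sets described above, validates each rule before anything reaches cf create-security-group (a destination must be a single IP, a CIDR, or an IP range, never a hostname; ports must be numbers or ranges between 1 and 65535; the protocol must be one cf accepts), flags destinations wider than a chosen number of addresses so that an overly broad assigned-network rule stands out, writes the JSON files, and prints the create and bind commands in the order this topic runs them. The addresses used (198.51.100.10 and 198.51.100.11 for the SMTP server, 10.68.196.250 for HAProxy, 10.68.0.0/20 for the assigned network) are constructed placeholders; substitute the values you recorded from Ops Manager.

```python
"""Build, validate and write the three ASG rule files from this topic.

Added example: not part of the Cloud Foundry project or the original page.
All addresses below are constructed placeholders.
"""
import ipaddress
import json
import re
from pathlib import Path

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp", "all"}
# "587", "80,443", "3306,5672,6379" or "1024-2048" style port lists
PORTS_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


def destination_size(dest):
    """Number of addresses a destination covers. Raises ValueError unless it is
    a single IP, a CIDR, or an a.b.c.d-e.f.g.h range (hostnames are rejected)."""
    if "-" in dest:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start after end: {dest}")
        return int(hi) - int(lo) + 1
    return ipaddress.ip_network(dest, strict=False).num_addresses


def validate_rule(rule):
    """Return a list of problems with one ASG rule; an empty list means OK."""
    problems = []
    if rule.get("protocol") not in ALLOWED_PROTOCOLS:
        problems.append(f"unsupported protocol {rule.get('protocol')!r}")
    try:
        destination_size(str(rule.get("destination", "")))
    except (ValueError, TypeError):
        problems.append(f"destination must be an IP, CIDR or range: {rule.get('destination')!r}")
    if rule.get("protocol") in ("tcp", "udp"):
        ports = str(rule.get("ports", ""))
        if not PORTS_RE.match(ports):
            problems.append(f"ports must look like 587, 80,443 or 1024-2048: {ports!r}")
        else:
            for p in re.split(r"[,-]", ports):
                if not 1 <= int(p) <= 65535:
                    problems.append(f"port out of range: {p}")
    return problems


def broad_destinations(rules, max_hosts=256):
    """Destinations covering more than max_hosts addresses: candidates to
    tighten to the specific service IPs when those are known."""
    return [r["destination"] for r in rules
            if destination_size(r["destination"]) > max_hosts]


def build_asgs(smtp_ips, smtp_port, lb_ips, network_cidr,
               service_ports=("3306", "5672", "6379")):
    """Rule sets for the three ASGs this topic creates, keyed by ASG name.
    One rule per address, because an ASG destination cannot be a hostname."""
    return {
        "smtp-server": [
            {"protocol": "tcp", "destination": ip, "ports": str(smtp_port)}
            for ip in smtp_ips
        ],
        "load-balancer-https": [
            {"protocol": "tcp", "destination": ip, "ports": "80,443"}
            for ip in lb_ips
        ],
        "assigned-network": [
            {"protocol": "tcp", "destination": network_cidr,
             "ports": ",".join(service_ports)}
        ],
    }


def render_asg_files(asgs):
    """Validate every rule and return {"<asg-name>.json": json text}.
    Raises ValueError on the first bad rule so nothing half-checked reaches cf."""
    files = {}
    for name, rules in asgs.items():
        for rule in rules:
            problems = validate_rule(rule)
            if problems:
                raise ValueError(f"{name}: {rule}: {'; '.join(problems)}")
        files[f"{name}.json"] = json.dumps(rules, indent=4) + "\n"
    return files


def cf_commands(asgs, org="system", space="notifications-with-ui"):
    """The create and bind commands from this topic, in order (cf CLI v6 syntax)."""
    create = [f"cf create-security-group {n} {n}.json" for n in asgs]
    bind = [f"cf bind-security-group {n} {org} {space}" for n in asgs]
    return create + bind


if __name__ == "__main__":
    # Constructed placeholder values; substitute the ones recorded from Ops Manager.
    asgs = build_asgs(
        smtp_ips=["198.51.100.10", "198.51.100.11"],
        smtp_port=587,
        lb_ips=["10.68.196.250"],
        network_cidr="10.68.0.0/20",
    )
    for name, rules in asgs.items():
        for dest in broad_destinations(rules):
            print(f"warning: {name} allows {dest}, which covers more than 256 addresses")
    for filename, text in render_asg_files(asgs).items():
        Path(filename).write_text(text)
    print("\n".join(cf_commands(asgs)))
```

Run it once with your real values, review the warnings (the /20 assigned-network rule is expected to trigger one), then paste the printed cf commands. Keeping validation separate from writing means a typo such as an unquoted placeholder or a hostname in the destination field fails here rather than at cf create-security-group.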