Security Groups
Galera replication uses the following port for communication:
- 443 - For TLS connections between the CA and the RA/VA.
To create a security group that allows TLS traffic within the VPCs, follow the steps below.
In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1 and the address space in US-East-2 is 172.31.0.0/16.
- Create a Security Group called "TLS 443 Traffic to US-East" with the following rules:
![](../../__attachments/550535379/worddav30bfc2680c9d2183e51c3dc00ddff87b.png?inst-v=dfc4e44a-8630-44f6-bac3-fc4119d148d8)
![](../../__attachments/550535379/worddav3546eacc2ac4f25846fa607d3d724318.png?inst-v=dfc4e44a-8630-44f6-bac3-fc4119d148d8)
This allows any outbound connection to any address, and inbound connections on port 443 only from addresses on the 172.16.0.0/16 and 172.31.0.0/16 subnets. The other VPC needs the same rule configured as well. These rules may be tightened as required by the organization.
- To apply these Security Groups to the EJBCA Enterprise Cloud Nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.
![](../../__attachments/550535379/worddaveab7c99fb67b590b8c7c7cb6bb711cca.png?inst-v=dfc4e44a-8630-44f6-bac3-fc4119d148d8)
- Apply the security group to the instance so that it can communicate with the other nodes in the cluster:
![](../../__attachments/550535379/worddavea0656caec133a6e276dddd511db1cdb.png?inst-v=dfc4e44a-8630-44f6-bac3-fc4119d148d8)
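The security group and the attachment from the steps above, expressed as an added Terraform example (not part of the EJBCA documentation). The group name and the two CIDRs come from the page; the VPC ID, the node's network interface ID and the variable names are assumptions.

```hcl
# Added example: the "TLS 443 Traffic to US-East" security group as Terraform.
# Assumed inputs (not on the page): var.vpc_id and var.ejbca_node_eni_id.

variable "vpc_id" {
  description = "Assumed: ID of the VPC the EJBCA node runs in"
  type        = string
}

variable "ejbca_node_eni_id" {
  description = "Assumed: primary network interface ID of the EJBCA node"
  type        = string
}

variable "ejbca_vpc_cidrs" {
  description = "Internal address space of both VPCs (values from the page)"
  type        = list(string)
  default     = ["172.16.0.0/16", "172.31.0.0/16"]
}

resource "aws_security_group" "tls_443_us_east" {
  name        = "TLS 443 Traffic to US-East"
  description = "TLS between the CA and the RA/VA nodes across the US-East VPCs"
  vpc_id      = var.vpc_id

  # Inbound: only TCP 443 and only from the two VPC address spaces.
  ingress {
    description = "TLS from both VPC internal address spaces"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.ejbca_vpc_cidrs
  }

  # Outbound: any destination, as on the page; tighten if the organization requires it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Attach the group to the existing EJBCA node; this replaces the console
# "Networking > Change Security Groups" step for that instance.
resource "aws_network_interface_sg_attachment" "ejbca_node_tls" {
  security_group_id    = aws_security_group.tls_443_us_east.id
  network_interface_id = var.ejbca_node_eni_id
}
```

Apply the same configuration in the second region (with its own provider alias and VPC ID) so both VPCs carry the matching rule.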