Setting Security Groups

Last updated: 2025-11-28 14:46:32
EMR uses Tencent Cloud VPC as the underlying network. Security groups in EMR are used as virtual firewalls to control the access between the internal nodes in a cluster and access from external nodes to internal nodes. This document provides a practical tutorial for using security groups in Elastic MapReduce (EMR) to help you select security group policies.

Security Groups

A security group is a virtual firewall for stateful data packet filtering. As an important network isolation approach provided by Tencent Cloud, it is used to control network access to CVM instances (nodes). When creating an EMR cluster, you can select an existing security group. If there is no existing security group, EMR will automatically create one for you. If the number of security groups has reached the upper limit and you want to create a new one, delete those you no longer use. You can view existing security groups in the VPC console.

Use Limits and Rules

For use limits and quotas of security groups, see the Security Group Limits section in Use Limits Overview.
A security group rule consists of:
Source: IP address of the source data (inbound) or target data (outbound).
Protocol type and protocol port: protocol type such as TCP and UDP.
Policy: allow or reject access requests.

Rules for Selecting a Security Group

By default, the "Select an existing security group" option is selected, with an EMR security group chosen. You can create a new EMR security group or select a non-EMR security group.
1. When an EMR security group is created, port 30002 and the necessary private network IP ranges will be opened by default. If remote login is enabled, port 22 will also be opened. The security group is named in the format of "emr-xxxxxxxx_yyyyMMdd". Do not modify its name.
2. Select an existing security group available in the current region for the current instance. A security group starting with "emr" is recommended, as EMR service has been activated and necessary policies are running properly for such security groups. Security groups not starting with "emr" may lack necessary inbound and outbound rules. This may cause cluster creation failure or cluster unavailability.
3. When you scale out a cluster, the new nodes will inherit the security group policy that was selected during the cluster’s creation by default.

Details of EMR Security Group Policies

Inbound Rules for Allowing Traffic from the Private Network (VPC IP Ranges)

When you create an EMR cluster and use a non-EMR security group, the inbound rules should allow traffic from the private network IP ranges. Otherwise, the cluster cannot be created. For example, if the selected Virtual Private Cloud (VPC) IP range belongs to the IP range A, the inbound rules should be configured to allow traffic from the IP range A.

Inbound rules

| Source | Protocol Port | Policy | Note |
| --- | --- | --- | --- |
| 10.0.0.0/8 | ALL | ACCEPT | Opens IP range A. |
| 172.16.0.0/12 | ALL | ACCEPT | Opens IP range B. |
| 192.168.0.0/16 | ALL | ACCEPT | Opens IP range C. |
| 0.0.0.0/0 | ICMP | ACCEPT | Opens local ICMP. |

Inbound Rules for Allowing the Ping Service

When you use a non-EMR security group and need to allow the Ping service, the inbound rules should include the following policies:

| Source | Protocol Port | Policy | Remarks |
| --- | --- | --- | --- |
| 0.0.0.0/0 | ICMP | ACCEPT | Open local ICMP. |

Inbound Rules for Accessing the WebUI

When you use a non-EMR security group, to ensure normal access to the cluster service WebUI, the inbound rules should include the following policies:

| Source | Protocol Port | Policy | Remarks |
| --- | --- | --- | --- |
| 0.0.0.0/0 | TCP:13000 | ACCEPT | Port 13000, Hue port. |
| 0.0.0.0/0 | TCP:30002 | ACCEPT | Open port 30002. |

Inbound Rules for Allowing Linux SSH Login

When you use a non-EMR security group and need to enable Linux SSH remote login, the inbound rules should include the following policies:

| Source | Protocol Port | Policy | Remarks |
| --- | --- | --- | --- |
| 0.0.0.0/0 | TCP:22 | ACCEPT | Open port 22 for remote login. |

Outbound rules

| Source | Protocol Port | Policy | Note |
| --- | --- | --- | --- |
| 0.0.0.0/0 | ALL | ACCEPT | Opens all outbound ports. |

For more information, see Security Group.
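
Added example (not part of the Tencent Cloud documentation): a Python check that compares a non-EMR security group's inbound rules with the tables above, reporting requirements that are not met and which of the listed TCP ports accept traffic from 0.0.0.0/0. The rule dictionary layout, the function names and the sample rules are assumptions made for illustration, not the Tencent Cloud API format; rule priority and reject rules are not modelled.

```python
import ipaddress

# Constructed sample: inbound rules of a hypothetical non-EMR security group.
SAMPLE_INBOUND = [
    {"source": "10.0.0.0/8", "proto": "ALL", "port": None, "policy": "ACCEPT"},
    {"source": "0.0.0.0/0", "proto": "ICMP", "port": None, "policy": "ACCEPT"},
    {"source": "0.0.0.0/0", "proto": "TCP", "port": 22, "policy": "ACCEPT"},
    {"source": "192.168.10.0/24", "proto": "TCP", "port": 13000, "policy": "ACCEPT"},
]

ANY = ipaddress.ip_network("0.0.0.0/0")
# TCP ports named in the tables on this page.
PAGE_TCP_PORTS = {22: "SSH login", 13000: "Hue WebUI", 30002: "WebUI"}


def _accepts(rule, proto, port):
    """True if an ACCEPT rule matches the given protocol and port."""
    if rule["policy"] != "ACCEPT":
        return False
    if rule["proto"] == "ALL":
        return True
    return rule["proto"] == proto and rule["port"] in (None, port)


def audit_inbound(rules, vpc_cidr):
    """Return (missing, exposed) for a list of inbound rules.

    missing: requirements from this page that no rule satisfies.
    exposed: listed TCP ports that accept traffic from 0.0.0.0/0.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    missing, exposed = [], []
    # Cluster creation fails unless the VPC range is allowed on all ports.
    if not any(r["policy"] == "ACCEPT" and r["proto"] == "ALL"
               and vpc.subnet_of(ipaddress.ip_network(r["source"]))
               for r in rules):
        missing.append(f"ALL from VPC range {vpc}")
    for port in sorted(PAGE_TCP_PORTS):
        matching = [r for r in rules if _accepts(r, "TCP", port)]
        # SSH is optional on this page; the WebUI ports are required.
        if port != 22 and not matching:
            missing.append(f"TCP:{port}")
        if any(ipaddress.ip_network(r["source"]) == ANY for r in matching):
            exposed.append(port)
    return missing, exposed


if __name__ == "__main__":
    missing, exposed = audit_inbound(SAMPLE_INBOUND, "10.1.0.0/16")
    print("missing:", missing)
    print("open to 0.0.0.0/0:", [f"{p} ({PAGE_TCP_PORTS[p]})" for p in exposed])
```
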
