EMR uses Tencent Cloud VPC as the underlying network. Security groups in EMR are used as virtual firewalls to control the access between the internal nodes in a cluster and access from external nodes to internal nodes. This document describes the best practices of using security groups in EMR to help you choose security group policies.
A security group is a virtual firewall for stateful data packet filtering. As an important network isolation approach provided by Tencent Cloud, it is used to control network access to CVM instances (nodes). When creating an EMR cluster, you can select an existing security group. If there is no existing security group, EMR will automatically create one for you. If the number of security groups has reached the upper limit and you want to create a new one, delete those you no longer use. You can view existing security groups in the VPC console.
For use limits and quotas of security groups, see the Security Group Limits section in Use Limits Overview.
A security group rule consists of:
By default, the "Select an existing security group" option is selected, with an EMR security group chosen. You can instead create a new EMR security group or select a non-EMR security group.
If you select a non-EMR security group when creating an EMR cluster, the following inbound and outbound rules must be included. Otherwise, the cluster creation will fail.
Inbound rules:
Source | Protocol Port | Policy | Note |
---|---|---|---|
10.0.0.0/8 | ALL | ACCEPT | Opens IP range A. |
172.16.0.0/12 | ALL | ACCEPT | Opens IP range B. |
192.168.0.0/16 | ALL | ACCEPT | Opens IP range C. |
0.0.0.0/0 | ICMP | ACCEPT | Opens local ICMP. |
Outbound rules:
Source | Protocol Port | Policy | Note |
---|---|---|---|
0.0.0.0/0 | ALL | ACCEPT | Opens all outbound ports. |
To access the cluster service WebUI normally when using a non-EMR security group, the inbound rules must include the following policies:
Source | Protocol Port | Policy | Note |
---|---|---|---|
0.0.0.0/0 | TCP:13000 | ACCEPT | Opens port 13000 and port hue. |
0.0.0.0/0 | TCP:30001 | ACCEPT | Opens port 30001. |
0.0.0.0/0 | TCP:30002 | ACCEPT | Opens port 30002. |
0.0.0.0/0 | TCP:22 | ACCEPT | Opens the remote login port. |
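The following added example (not Tencent Cloud code) checks a non-EMR security group against the required and WebUI rules in the tables above before you create a cluster. The dict keys mirror the table columns rather than any API format, and the top-down, first-match evaluation and the `DROP` policy value are assumptions of this sketch.

```python
import ipaddress

# Required rules copied from the tables on this page: (source CIDR, protocol/port).
REQUIRED_INBOUND = [("10.0.0.0/8", "ALL"), ("172.16.0.0/12", "ALL"),
                    ("192.168.0.0/16", "ALL"), ("0.0.0.0/0", "ICMP")]
REQUIRED_OUTBOUND = [("0.0.0.0/0", "ALL")]
WEBUI_INBOUND = [("0.0.0.0/0", f"TCP:{p}") for p in (13000, 30001, 30002, 22)]


def is_allowed(rules, cidr, proto):
    """True if the ordered rules accept all of `cidr` for `proto`."""
    # Assumption: rules are evaluated top-down and the first match wins.
    want = ipaddress.ip_network(cidr)
    for rule in rules:
        net = ipaddress.ip_network(rule["source"])
        rp = rule["protocol_port"].upper()
        if not net.overlaps(want):
            continue
        if rule["policy"].upper() == "DROP":
            if rp == "ALL" or proto == "ALL" or rp == proto:
                return False  # part of the required range is dropped first
        elif want.subnet_of(net) and (rp == "ALL" or rp == proto):
            return True  # a broader or equal ACCEPT rule covers the requirement
    return False


def missing_rules(rules, required):
    return [req for req in required if not is_allowed(rules, *req)]


def audit(inbound, outbound):
    return {
        "missing_inbound": missing_rules(inbound, REQUIRED_INBOUND),
        "missing_outbound": missing_rules(outbound, REQUIRED_OUTBOUND),
        "missing_webui": missing_rules(inbound, WEBUI_INBOUND),
    }


# Constructed sample: a non-EMR group that lacks range B and two WebUI ports.
SAMPLE_INBOUND = [
    {"source": "10.0.0.0/8", "protocol_port": "ALL", "policy": "ACCEPT"},
    {"source": "192.168.0.0/16", "protocol_port": "ALL", "policy": "ACCEPT"},
    {"source": "0.0.0.0/0", "protocol_port": "ICMP", "policy": "ACCEPT"},
    {"source": "0.0.0.0/0", "protocol_port": "TCP:13000", "policy": "ACCEPT"},
    {"source": "0.0.0.0/0", "protocol_port": "TCP:22", "policy": "ACCEPT"},
]
SAMPLE_OUTBOUND = [{"source": "0.0.0.0/0", "protocol_port": "ALL", "policy": "ACCEPT"}]

if __name__ == "__main__":
    print(audit(SAMPLE_INBOUND, SAMPLE_OUTBOUND))
```

A non-empty `missing_inbound` or `missing_outbound` list corresponds to the case where cluster creation fails; `missing_webui` lists the ports that would leave the WebUI unreachable.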
For more information, see Security Group.