Security groups are an important means for network security isolation. Security groups are used to configure network access control for Elastic Compute Service (ECS) instances in an E-MapReduce (EMR) cluster. This topic describes how to add an ECS instance to a security group and add security group rules.
Background information
When you create an EMR cluster, you must select an existing security group or create a new security group. You can add security group rules to control outbound and inbound network access for all ECS instances in the security group. We recommend that you add ECS instances to different security groups and configure security group rules for each security group based on the use scenarios of the ECS instances. In this topic, the security groups that exist before you use EMR are referred to as user security groups, and the security groups that are created when you create EMR clusters are referred to as EMR security groups.
For more information about how to create a security group, see Create a security group.
Limits
An ECS instance of the classic network type must be added to a security group of the classic network type in the same region.
An ECS instance of the virtual private cloud (VPC) type must be added to a security group in the same VPC.
Precautions
When you add security group rules, you must specify the IP addresses that can be used for access. To prevent attacks, we recommend that you do not specify 0.0.0.0/0.
When you configure inbound and outbound rules for applications, follow the principle of least privilege. You can allow access only from the current public IP address when you configure a security group rule. To obtain the current public IP address, visit http://myip.ipip.net/.
Do not use an advanced security group that is created in the ECS console.
EMR provides control services for EMR clusters based on virtual IP address (VIP) ranges. Do not deny access from the CIDR block 100.64.0.0/10 or internal Object Storage Service (OSS) VIP ranges in the security group of your cluster. For more information, see Internal OSS endpoints and VIP ranges.
If EMR cannot work as expected due to network connection failures caused by improper security group policies, you shall assume all liabilities for the losses and consequences.
When you configure security group rules for an EMR cluster, you must ensure that all ECS instances in the cluster can communicate with each other over the internal network. Otherwise, the EMR cluster cannot provide services as expected.
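The precautions above can be checked mechanically before a rule set is applied. The following script is an added example and is not part of the EMR documentation or Alibaba Cloud's own tooling. It audits a constructed list of security group rules for the three conditions named above (no inbound access from 0.0.0.0/0, no deny rule covering the 100.64.0.0/10 control VIP range, and an intra-group allow rule so that cluster nodes can still communicate), and builds a least-privilege rule that authorizes only one public IP address. The dictionary field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, SourceGroupId) mirror the shape of security group permission records but are assumptions here, as are the sample IP addresses and the group ID sg-emrcluster.

```python
"""Audit EMR security group rules against the documented precautions.

Added example, not Alibaba Cloud code. The rule dictionaries are a
constructed sample; their field names are assumptions modelled on
security group permission records, not a guaranteed API schema.
"""
import ipaddress

# EMR control services reach the cluster from this VIP range; rules must never deny it.
EMR_CONTROL_VIP_RANGE = ipaddress.ip_network("100.64.0.0/10")
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample rules (not taken from a real account). Rule 0 and rule 2
# violate the precautions; rule 1 is a correct least-privilege rule; rule 3
# keeps intra-cluster traffic open by referencing the cluster's own group.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "8088/8088", "SourceCidrIp": "203.0.113.7/32"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "100.64.0.0/10"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceGroupId": "sg-emrcluster"},
]


def rule_network(rule):
    """Return the CIDR block a rule matches, or None if it references a security group."""
    cidr = rule.get("SourceCidrIp") or rule.get("DestCidrIp")
    return ipaddress.ip_network(cidr, strict=False) if cidr else None


def audit_rules(rules):
    """Return (rule_index, message) for every rule that breaks a precaution."""
    findings = []
    for index, rule in enumerate(rules):
        net = rule_network(rule)
        if net is None:
            continue
        # Precaution: do not accept inbound traffic from the whole Internet.
        if (rule["Direction"] == "ingress" and rule["Policy"] == "Accept"
                and net == ANY_IPV4):
            findings.append((index, "accepts inbound traffic from 0.0.0.0/0 "
                                    "on ports %s" % rule["PortRange"]))
        # Precaution: never deny the EMR control-service VIP range.
        if rule["Policy"] == "Drop" and net.overlaps(EMR_CONTROL_VIP_RANGE):
            findings.append((index, "denies traffic from %s, which overlaps the "
                                    "EMR control VIP range %s" % (net, EMR_CONTROL_VIP_RANGE)))
    return findings


def allows_intra_group_traffic(rules, group_id):
    """True if the cluster's own group is accepted inbound on all protocols and ports."""
    return any(rule["Direction"] == "ingress" and rule["Policy"] == "Accept"
               and rule.get("SourceGroupId") == group_id
               and rule["IpProtocol"] == "ALL"
               for rule in rules)


def least_privilege_rule(public_ip, port, protocol="TCP"):
    """Build an inbound rule that authorizes exactly one IP address (a /32) on one port."""
    host = ipaddress.ip_address(public_ip)
    return {"Direction": "ingress", "Policy": "Accept", "IpProtocol": protocol,
            "PortRange": "%d/%d" % (port, port),
            "SourceCidrIp": "%s/%d" % (host, host.max_prefixlen)}


if __name__ == "__main__":
    for index, message in audit_rules(SAMPLE_RULES):
        print("rule %d: %s" % (index, message))
    print("intra-cluster traffic allowed:",
          allows_intra_group_traffic(SAMPLE_RULES, "sg-emrcluster"))
    print("replacement for rule 0:", least_privilege_rule("203.0.113.7", 22))
```

Running the audit before saving a rule set catches the two mistakes the precautions call out: the SSH rule open to 0.0.0.0/0 is reported, and so is the Drop rule on 100.64.0.0/10, while the rule that accepts all traffic from the cluster's own security group satisfies the intra-cluster requirement. The least_privilege_rule helper produces the same result as setting Authorization Object to the single public IP address obtained from http://myip.ipip.net/, expressed as a /32.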
Add an instance to a security group
1. Go to the Nodes tab.
   a. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
   b. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
   c. On the EMR on ECS page, find the cluster that you want to manage and click Nodes in the Actions column.
2. Go to the Security Groups tab of the ECS console.
   a. On the Nodes tab, click the icon to the left of the desired node group.
   b. Click the ID of the node in the Node Name/ID column.
   c. On the page that appears, click the Security Groups tab.
3. On the Security Groups tab, click Add to Security Group.
4. In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
   Note: If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The selected security group is added to the box that appears. Repeat this operation for each additional security group that you want to add to the box.
5. Click OK.
Add a security group rule
1. Obtain the public IP address of your on-premises machine.
   For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To obtain the current public IP address, visit http://myip.ipip.net/.
2. Go to the Security Group Details tab.
   a. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
   b. In the top navigation bar, select the region in which your cluster resides and select a resource group based on your business requirements.
   c. On the EMR on ECS page, find the desired cluster and click the name of the cluster.
   d. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
3. On the Security Group Details tab of the page that appears, click Add Rule.
4. Configure the Port Range and Authorization Object parameters. Retain the default values for the other parameters. For more information, see Add a security group rule.
   Port Range: Set this parameter to the port that is used to access the ECS instance.
   Authorization Object: Set this parameter to the public IP address that you obtained in Step 1.
   Important: To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
5. Click Save.