Security groups are an important means for network security isolation. They are used to set network access control for Elastic Compute Service (ECS) instances in a cluster. This topic describes how to add an ECS instance to a security group and add security group rules.

Background information

When you create a cluster, you must create a security group or select an existing security group. You can add security group rules to control outbound and inbound network access for all ECS instances in the security group.

We recommend that you add ECS instances to different security groups and configure access control policies for each security group based on the use scenarios of the ECS instances. In this topic, for easy understanding, the security groups that exist before you use E-MapReduce (EMR) are called user security groups, and the security groups created when you create EMR clusters are called EMR security groups.

Usage notes

  • When you add security group rules, allow access only from specific IP addresses. To prevent attacks from the Internet, you are not allowed to set the authorization object to 0.0.0.0/0, which matches every source address.
  • When you configure inbound and outbound rules for applications, follow the principle of least privilege: open only the ports that the application requires, and allow access only from the public IP address that you are currently using, specified as a single host address (for example, 203.0.113.7/32).

    To obtain your current public IP address, visit http://myip.ipip.net/. This is the address that your network presents to the Internet (for example, the address of your NAT gateway), so it may change when you connect from a different network; update the rule when it does.
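Before tightening rules, it helps to know which existing rules in the EMR security group already violate these notes. The following is an added example and is not code from the EMR documentation: it scans a security group description for inbound Accept rules whose source is wider than a single host and flags 0.0.0.0/0 separately. The sample data is constructed; its field names (Permissions.Permission[], SourceCidrIp, PortRange, IpProtocol, Policy, Direction) follow the ECS DescribeSecurityGroupAttribute response as the author understands it and should be checked against real output from `aliyun ecs DescribeSecurityGroupAttribute` before the function is pointed at it.

```python
import ipaddress

# Constructed sample modelled on a DescribeSecurityGroupAttribute response
# (field names are an assumption; see the lead-in). It shows SSH open to the
# world, port 8088 open to all of 10.0.0.0/8, one correct /32 rule, a rule
# scoped to another security group, and an egress rule.
SAMPLE_RESPONSE = {
    "SecurityGroupId": "sg-example",
    "Permissions": {
        "Permission": [
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
             "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
             "PortRange": "8088/8088", "SourceCidrIp": "10.0.0.0/8"},
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
             "PortRange": "22/22", "SourceCidrIp": "203.0.113.7/32"},
            {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
             "PortRange": "-1/-1", "SourceCidrIp": "", "SourceGroupId": "sg-other"},
            {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
             "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
        ]
    },
}


def classify_source(cidr):
    """Classify an authorization object as 'single-host', 'world-open' (/0),
    'broad' (more than one address but not /0) or 'invalid'."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return "invalid"
    if net.num_addresses == 1:
        return "single-host"
    if net.prefixlen == 0:
        return "world-open"
    return "broad"


def find_broad_ingress_rules(response):
    """Return every ingress Accept rule whose SourceCidrIp is not a single
    host. Rules that reference a security group (SourceGroupId) carry no
    CIDR and are skipped here: they admit members of that group, not the
    Internet, and are reviewed separately."""
    findings = []
    for rule in response.get("Permissions", {}).get("Permission", []):
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        src = rule.get("SourceCidrIp", "")
        if not src:
            continue
        kind = classify_source(src)
        if kind != "single-host":
            findings.append({"source": src, "kind": kind,
                             "protocol": rule.get("IpProtocol"),
                             "ports": rule.get("PortRange")})
    return findings


if __name__ == "__main__":
    for f in find_broad_ingress_rules(SAMPLE_RESPONSE):
        print(f"{f['kind']:11} {f['protocol']} {f['ports']} from {f['source']}")
```

Anything reported as world-open is the case the usage notes forbid; anything reported as broad deserves a look too, because a private /8 in a shared VPC is still far more than one workstation.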

Create a security group

When you create an EMR cluster, you can create a security group or select an existing security group.
Notice Do not use an advanced security group that is created in the ECS console.

Add an instance to a security group

Note
  • An ECS instance of the classic network type must be added to a security group of the classic network type in the same region.
  • An ECS instance of the virtual private cloud (VPC) type must be added to a security group in the same VPC.
  1. Go to the Cluster Overview page.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
  2. In the Instance Info section, select an instance group. In the instance information table on the right, click the ECS ID of an instance.
  3. On the Instances page, click the Security Groups tab.
  4. On the Security Groups tab, click Add to Security Group.
    In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.

    If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears. Then, perform the same operations to add other security groups to the box.

  5. Click OK.
    Repeat Step 2 to Step 5 for each remaining instance until all the ECS instances in the EMR cluster are added to the intended security groups. An instance that is missed keeps only the rules of the security groups it already belongs to.

Add a security group rule

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow only access from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit http://myip.ipip.net/.
  2. Go to the Cluster Overview page of your EMR cluster.
    1. Log on to the Alibaba Cloud EMR console.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. Click the Cluster Management tab.
    4. On the Cluster Management page, find your cluster and click Details in the Actions column.
    5. In the Network Info section of the Cluster Overview page, click the link of Security Group ID.
  3. On the Security Group Rules page, add security group rules.
    1. On the Inbound tab of the Security Group Rules page, click Add Rule.
    2. Set Port Range to the port or port range that the application requires, in the start/end form used by the console (for example, 22/22 for SSH). Do not open a wider range than the application needs.
    3. Set Authorization Object to the public IP address obtained in Step 1.
      Notice To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
    4. Click Save.
      For more information about security group rules, see Add security group rules.
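The two procedures above (adding each instance to a security group, then adding an inbound rule) can also be driven from the Alibaba Cloud CLI, which is convenient for a cluster with many nodes. The following is an added example and is not code from the EMR documentation. It assumes the `aliyun` CLI is installed and configured, and that `ecs JoinSecurityGroup` and `ecs AuthorizeSecurityGroup` accept the parameters shown (RegionId, InstanceId, SecurityGroupId, IpProtocol, PortRange, SourceCidrIp, Policy, Priority, Description); those follow the ECS API names as the author understands them, so confirm them with `aliyun ecs AuthorizeSecurityGroup --help` first. The point of the example is the check in require_single_host: the source address is normalised to a single-host CIDR and 0.0.0.0/0 (or any wider block) is rejected before a command is ever built. All IDs and addresses are placeholders.

```python
import ipaddress
import subprocess


class UnsafeSource(ValueError):
    """Raised when the authorization object is not a single host address."""


def require_single_host(source):
    """Validate the authorization object and normalise it to CIDR form.
    '203.0.113.7' becomes '203.0.113.7/32'; anything wider than one address
    (including 0.0.0.0/0) is rejected before any API call is built."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError as exc:
        raise UnsafeSource(f"{source!r} is not an IP address or CIDR block") from exc
    if net.num_addresses != 1:
        raise UnsafeSource(
            f"{source} covers {net.num_addresses} addresses; use a single host (/32 or /128)")
    return str(net)


def is_rejected(source):
    """True if require_single_host would refuse this authorization object."""
    try:
        require_single_host(source)
    except UnsafeSource:
        return True
    return False


def join_security_group_cmds(instance_ids, security_group_id, region):
    """One JoinSecurityGroup call per ECS instance, matching the console
    procedure that repeats Step 2 to Step 5 for every instance."""
    return [
        ["aliyun", "ecs", "JoinSecurityGroup",
         "--RegionId", region,
         "--InstanceId", instance_id,
         "--SecurityGroupId", security_group_id]
        for instance_id in instance_ids
    ]


def authorize_rule_cmd(security_group_id, region, port_range, source,
                       protocol="tcp", description="EMR admin access from workstation"):
    """AuthorizeSecurityGroup call for one inbound rule, restricted to the
    validated single-host source. port_range uses the ECS 'start/end' form,
    for example '22/22'."""
    return [
        "aliyun", "ecs", "AuthorizeSecurityGroup",
        "--RegionId", region,
        "--SecurityGroupId", security_group_id,
        "--IpProtocol", protocol,
        "--PortRange", port_range,
        "--SourceCidrIp", require_single_host(source),
        "--Policy", "accept",
        "--Priority", "1",
        "--Description", description,
    ]


def run(cmds, apply=False):
    """Print each command; execute it only when apply=True."""
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Placeholders (assumed, not from the documentation): use the IDs shown on
    # the Cluster Overview page and the public IP obtained in Step 1 above.
    region = "cn-hangzhou"
    sg_id = "sg-bp1example"
    instances = ["i-bp1master", "i-bp1core1", "i-bp1core2"]
    my_ip = "203.0.113.7"

    cmds = join_security_group_cmds(instances, sg_id, region)
    cmds.append(authorize_rule_cmd(sg_id, region, "22/22", my_ip))
    run(cmds, apply=False)  # set apply=True once the printed commands look right
```

Run it once with apply=False to review the exact commands, then with apply=True. Afterwards, `aliyun ecs DescribeSecurityGroupAttribute --SecurityGroupId <id> --RegionId <region>` shows the resulting inbound rules so you can confirm that only the single-host source appears.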