Security groups - on ECS| Alibaba Cloud Documentation Center

Before you can access the web UI of an open source component, you must configure the IP address or CIDR block that you want to allow for access in a security group. This topic describes how to add an Elastic Compute Service (ECS) instance to a security group and add security group rules.

Background information

We recommend that you add ECS instances to different security groups and configure access control policies for each security group based on the use scenarios of the ECS instances. In this topic, for easy understanding, the security groups that exist before you use EMR are called user security groups, and the security groups created when you create EMR clusters are called EMR security groups.

If an ECS instance is added to multiple security groups, only the rules of one security group take effect for the ECS instance. For example, a security group with only port 22 enabled is created when you create an EMR cluster, and all ports are enabled in an existing user security group. If you also add the EMR cluster to the existing user security group, all ports are enabled for the ECS instances of the cluster.

Create a security group

When you create an EMR cluster, you can create a security group or use an existing advanced security group. By default, when you create an EMR cluster, port 22 is disabled. If you want to enable the port, you must turn on Remote Logon in the Basic Settings step of the cluster creation process.

Add an instance to a security group

Note

An ECS instance of the classic network type must be added to a security group of the classic network type in the same region.
An ECS instance of the VPC type must be added to a security group in the same VPC.

Log on to the Alibaba Cloud EMR console.
In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
Click the Cluster Management tab.
On the Cluster Management page, find your cluster and click Details in the Actions column.
In the Instance Info section, select an instance group. In the instance information table on the right, click the ECS ID of an instance.
On the Instances page, click the Security Groups tab.
On the Security Groups tab, click Add to Security Group.
In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears. Then, perform the same operations to add other security groups to the box.
Click OK.
Repeat the preceding operations until all the ECS instances in the EMR cluster are added to security groups.

Add a security group rule

Obtain the public IP address of your on-premises machine.
For security purposes, we recommend that you allow only access from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit ip.taobao.com. You can view your public IP address in the lower-left corner.
Go to the Cluster Overview page of your EMR cluster.
1. Log on to the Alibaba Cloud EMR console.
2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
3. Click the Cluster Management tab.
4. On the Cluster Management page, find your cluster and click Details in the Actions column.
5. In the Network Info section of the Cluster Overview page, click the link of Security Group ID.
On the Security Group Rules page, add security group rules.
1. On the Inbound tab of the Security Group Rules page, click Add Security Group Rule.
2. Specify Port Range.
3. Set Authorization Object to the public IP address obtained in Step 1.
  
  Notice To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
4. Click OK.
  For more information about security group rules, see Add security group rules.