Before you can access the web UI of an open source component, you must configure the
IP address or CIDR block that you want to allow for access in a security group. This
topic describes how to add an Elastic Compute Service (ECS) instance to a security
group and add security group rules.
Background information
We recommend that you add ECS instances to different security groups and configure
access control policies for each security group based on the use scenarios of the
ECS instances. In this topic, for easy understanding, the security groups that exist
before you use EMR are called user security groups, and the security groups created
when you create EMR clusters are called EMR security groups.
If an ECS instance is added to multiple security groups, only the rules of one security
group take effect for the ECS instance. For example, a security group with only port
22 enabled is created when you create an EMR cluster, and all ports are enabled in
an existing user security group. If you also add the EMR cluster to the existing user
security group, all ports are enabled for the ECS instances of the cluster.
Create a security group
When you create an EMR cluster, you can create a security group or use an existing
advanced security group. By default, when you create an EMR cluster, port 22 is disabled.
If you want to enable the port, you must turn on Remote Logon in the Basic Settings step of the cluster creation process.
Add an instance to a security group
Note
- An ECS instance of the classic network type must be added to a security group of the
classic network type in the same region.
- An ECS instance of the VPC type must be added to a security group in the same VPC.
1. Log on to the Alibaba Cloud EMR console.
2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
3. Click the Cluster Management tab.
4. On the Cluster Management page, find your cluster and click Details in the Actions column.
5. In the Instance Info section, select an instance group. In the instance information table on the right, click the ECS ID of an instance.
6. On the Instances page, click the Security Groups tab.
7. On the Security Groups tab, click Add to Security Group.
   In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
   If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears. Then, perform the same operations to add other security groups to the box.
8. Click OK.
Repeat the preceding operations until all the ECS instances in the EMR cluster are
added to security groups.
Add a security group rule
1. Obtain the public IP address of your on-premises machine.
   For security purposes, we recommend that you allow only access from the current public IP address when you configure a security group rule. To obtain your current public IP address, visit ip.taobao.com. You can view your public IP address in the lower-left corner.
2. Go to the Cluster Overview page of your EMR cluster.
   a. Log on to the Alibaba Cloud EMR console.
   b. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
   c. Click the Cluster Management tab.
   d. On the Cluster Management page, find your cluster and click Details in the Actions column.
3. In the Network Info section of the Cluster Overview page, click the link of Security Group ID.
4. On the Security Group Rules page, add security group rules.
   a. On the Inbound tab of the Security Group Rules page, click Add Security Group Rule.
   b. Specify Port Range.
   c. Set Authorization Object to the public IP address obtained in Step 1.
      Notice: To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
   d. Click OK.
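
The following audit sketch is an added example, not part of the original topic or of any Alibaba Cloud tooling. It flags authorization objects wider than a single address and shows which ports a client can reach once an instance sits in both an EMR security group and a permissive user security group, as in the Background information example. The group names, the addresses and the "start/end" port range syntax are assumptions made for the example.

```python
import ipaddress

# Constructed sample: inbound rules of two security groups attached to the same
# ECS instance. Names and addresses are illustrative (documentation ranges).
GROUPS = {
    "emr-sg": [{"port_range": "22/22", "source": "203.0.113.10"}],
    "user-sg": [{"port_range": "1/65535", "source": "0.0.0.0/0"},
                {"port_range": "8443/8443", "source": "198.51.100.0/24"}],
}

def parse_rule(rule):
    """Return (low, high, network). Assumes 'start/end' port syntax; a bare
    address is treated as a single-host network."""
    low, high = (int(p) for p in rule["port_range"].split("/"))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {rule['port_range']}")
    return low, high, ipaddress.ip_network(rule["source"], strict=False)

def audit_rules(groups, max_hosts=1):
    """Flag rules whose authorization object covers more than max_hosts addresses."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            _, _, net = parse_rule(rule)
            if net.prefixlen == 0:
                findings.append((name, rule["port_range"], "open to any address"))
            elif net.num_addresses > max_hosts:
                findings.append((name, rule["port_range"], f"wider than needed: {net}"))
    return findings

def ports_open_to(groups, client_ip):
    """Merge the port ranges that any of the attached groups opens to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    spans = sorted((low, high)
                   for rules in groups.values()
                   for low, high, net in map(parse_rule, rules)
                   if ip in net)
    merged = []
    for low, high in spans:
        if merged and low <= merged[-1][1] + 1:  # overlapping or adjacent span
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged

if __name__ == "__main__":
    print(audit_rules(GROUPS))
    print(ports_open_to(GROUPS, "192.0.2.77"))  # an address no rule names explicitly
```

Run against the sample, the EMR group alone exposes nothing to an unlisted address, while the combination with the user group exposes every port to it.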