Security groups are an important means for network security isolation. Security groups
are used to configure network access control for Elastic Compute Service (ECS) instances
in an E-MapReduce (EMR) cluster. This topic describes how to add an ECS instance to
a security group and add security group rules.
Background information
When you create an EMR cluster, you must select an existing security group or create
a new security group. You can add security group rules to control outbound and inbound
network access for all ECS instances in the security group. We recommend that you
add ECS instances to different security groups and configure security group rules
for each security group based on the use scenarios of the ECS instances. In this topic,
the security groups that exist before you use EMR are referred to as user security
groups, and the security groups that are created when you create EMR clusters are
referred to as EMR security groups.
For more information about how to create a security group, see Create a security group.
Limits
- An ECS instance of the classic network type must be added to a security group of the
classic network type in the same region.
- An ECS instance of the virtual private cloud (VPC) type must be added to a security
group in the same VPC.
Precautions
- When you add security group rules, you must specify the IP addresses that can be used
for access. To prevent attacks, we recommend that you do not specify 0.0.0.0/0.
- When you configure inbound and outbound rules for applications, follow the principle
of least privilege. You can allow access only from the current public IP address when
you configure a security group rule. To obtain the current public IP address, visit
http://myip.ipip.net/.
- Do not use an advanced security group that is created in the ECS console.
Add an instance to a security group
- Go to the EMR on ECS page.
- Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- On the EMR on ECS page, find the cluster that you want to manage and click Nodes in the Actions column.
- Go to the Security Groups tab of the ECS console.
- On the Nodes tab, click the icon to the left of the desired node group.
- Click the ID of the ECS instance in the Node Name/ID column.
- On the page that appears, click the Security Groups tab.
- On the Security Groups tab, click Add to Security Group.
- In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears.
Then, perform the same operations to add other security groups to the box.
- Click OK.
Repeat
Step 2 to
Step 4 until all the ECS instances in the EMR cluster are added to security groups.
Add a security group rule
- Obtain the public IP address of your on-premises machine.
For security purposes, we recommend that you allow access only from the current public
IP address when you configure a security group rule. To obtain the current public
IP address, visit
http://myip.ipip.net/.
- Go to the Security Groups page.
- Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- On the EMR on ECS page, find the cluster that you want to manage and click the name of the cluster.
- In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
- On the Security Group Rules tab of the page that appears, click Add Rule.
Configure the
Port Range and
Authorization Object parameters. Retain default values for other parameters. For more information, see
Add a security group rule.
Parameter |
Description |
Port Range |
Set this parameter to the port that is used to access the ECS instance. |
Authorization Object |
Set this parameter to the public IP address obtained in Step 1.
Important To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
|
- Click Save in the Actions column.