Security groups are an important means for network security isolation. Security groups are used to configure network access control for Elastic Compute Service (ECS) instances in an E-MapReduce (EMR) cluster. This topic describes how to add an ECS instance to a security group and add security group rules.

Background information

When you create an EMR cluster, you must select an existing security group or create a new security group. You can add security group rules to control outbound and inbound network access for all ECS instances in the security group. We recommend that you add ECS instances to different security groups and configure security group rules for each security group based on the use scenarios of the ECS instances. In this topic, the security groups that exist before you use EMR are referred to as user security groups, and the security groups that are created when you create EMR clusters are referred to as EMR security groups.

For more information about how to create a security group, see Create a security group.

Limits

  • An ECS instance of the classic network type must be added to a security group of the classic network type in the same region.
  • An ECS instance of the virtual private cloud (VPC) type must be added to a security group in the same VPC.

Precautions

  • When you add security group rules, you must specify the IP addresses that can be used for access. To prevent attacks, we recommend that you do not specify 0.0.0.0/0.
  • When you configure inbound and outbound rules for applications, follow the principle of least privilege. You can allow access only from the current public IP address when you configure a security group rule. To obtain the current public IP address, visit http://myip.ipip.net/.
  • Do not use an advanced security group that is created in the ECS console.

Add an instance to a security group

  1. Go to the EMR on ECS page.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, find the cluster that you want to manage and click Nodes in the Actions column.
  2. Go to the Security Groups tab of the ECS console.
    1. On the Nodes tab, click the add icon to the left of the desired node group.
    2. Click the ID of the ECS instance in the Node Name/ID column.
    3. On the page that appears, click the Security Groups tab.
  3. On the Security Groups tab, click Add to Security Group.
  4. In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
    If you want to add the ECS instance to multiple security groups at a time, click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears. Then, perform the same operations to add other security groups to the box.
  5. Click OK.
    Repeat Step 2 to Step 4 until all the ECS instances in the EMR cluster are added to security groups.

Add a security group rule

  1. Obtain the public IP address of your on-premises machine.
    For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To obtain the current public IP address, visit http://myip.ipip.net/.
  2. Go to the Security Groups page.
    1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
    2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
    3. On the EMR on ECS page, find the cluster that you want to manage and click the name of the cluster.
    4. In the Security section of the Basic Information tab, click the link to the right of Cluster Security Group.
  3. On the Security Group Rules tab of the page that appears, click Add Rule.
    Configure the Port Range and Authorization Object parameters. Retain default values for other parameters. For more information, see Add a security group rule.
    Parameter Description
    Port Range Set this parameter to the port that is used to access the ECS instance.
    Authorization Object Set this parameter to the public IP address obtained in Step 1.
    Important To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
  4. Click Save in the Actions column.