Security groups are an important means for network security isolation. Security groups
are used to configure network access control for Elastic Compute Service (ECS) instances
in a cluster. This topic describes how to add an ECS instance to a security group
and add security group rules.
Background information
When you create a cluster, you must create a security group or select an existing
security group. You can add security group rules to control outbound and inbound network
access for all ECS instances in the security group.
We recommend that you add ECS instances to different security groups and configure
access control policies for each security group based on the use scenarios of the
ECS instances. In this topic, the security groups that exist before you use E-MapReduce
(EMR) are referred to as user security groups, and the security groups that are created
when you create EMR clusters are referred to as EMR security groups.
Create a security group
When you create an EMR cluster, you can create a security group or select an existing
security group.
Notice Do not use an advanced security group that is created in the ECS console.
Add an instance to a security group
Note
- An ECS instance of the classic network type must be added to a security group of the
classic network type in the same region.
- An ECS instance of the virtual private cloud (VPC) type must be added to a security
group in the same VPC.
- Go to the Cluster Overview page.
- Log on to the Alibaba Cloud EMR console.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- Click the Cluster Management tab.
- On the Cluster Management page, find your cluster and click Details in the Actions column.
- In the Instance Info section, click Master Instance Group (MASTER) or Core Instance Group (CORE). Then, click the ID in the ECS ID column for an ECS instance.
- On the Instances page, click the Security Groups tab.
- On the Security Groups tab, click Add to Security Group.
- In the Add to Security Group dialog box, select a security group from the Security Group drop-down list.
If you want to add the ECS instance to multiple security groups at the same time,
click Join Multiple Security Groups after you select a security group. The security group is added to the box that appears.
Then, perform the same operations to add other security groups to the box.
- Click OK.
Repeat
Step 2 to
Step 6 until all the ECS instances in the EMR cluster are added to security groups.
Add a security group rule
- Obtain the public IP address of your on-premises machine.
For security purposes, we recommend that you allow access only from the current public
IP address when you configure a security group rule. To obtain your current public
IP address, visit
http://myip.ipip.net/.
- Go to the Cluster Overview page of your EMR cluster.
- Log on to the Alibaba Cloud EMR console.
- In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
- Click the Cluster Management tab.
- On the Cluster Management page, find your cluster and click Details in the Actions column.
- In the Network Info section of the Cluster Overview page, click the link of Security Group ID.
- On the Security Group Rules page, add security group rules.
Configure the
Port Range and
Authorization Object parameters. Retain the default values of the other parameters. For more information,
see
Add security group rules.
| Parameter |
Description |
| Port Range |
Set this parameter to the port that is used to access the ECS instance. |
| Authorization Object |
Set this parameter to the public IP address that is obtained in Step 1.
Notice To prevent attacks from external users, you are not allowed to set Authorization Object to 0.0.0.0/0.
|
- Click Save.