If the IP address of a node changes because of auto scaling activities or node failures, you can no longer access an E-MapReduce (EMR) cluster by using a specific IP address, which may affect business continuity. In this case, you can use a node endpoint of the EMR cluster to access the cluster from other services that reside in the same virtual private cloud (VPC) as the EMR cluster or in a different VPC. This topic describes how to use a node endpoint of an EMR cluster to access the EMR cluster from a service.
Prerequisites
An EMR cluster is created, and the endpoint of a node is obtained. Example endpoint: master-1-1.<Cluster-ID>.<Region-ID>.emr.aliyuncs.com.
The service from which you want to access an EMR cluster is deployed and can be logged on to. For example, a Container Service for Kubernetes (ACK) cluster or an Elastic Compute Service (ECS) instance is created and can be logged on to.
The network and security group rules are configured to allow the related traffic to pass through. We recommend that you allow the ICMP protocol and the destination service ports, such as 80 or 8088.
Scenario 1: A service and the desired cluster reside in the same VPC
If the service from which you want to access an EMR cluster and the EMR cluster reside in the same VPC, a node endpoint of the cluster can be automatically resolved based on DNS PrivateZone without additional configuration. For more information about DNS PrivateZone, see What is Alibaba Cloud DNS PrivateZone? You can perform the following steps to use a node endpoint of an EMR cluster to access the EMR cluster from the service.
Step 1: Obtain the endpoint of the master node
Log on to the master node of the EMR cluster in SSH mode. For more information, see Log on to a cluster.
Run the hostname -f command to obtain the endpoint of the master node.
Step 2: Use the node endpoint to access the EMR cluster
Log on to the service from which you want to access the EMR cluster. In this example, you need to log on to the desired ECS instance.
Run the ping master-1-1.<Cluster-ID>.<Region-ID>.emr.aliyuncs.com command to access the EMR cluster.
If information in the preceding figure is returned, the node endpoint is successfully resolved, and the VPC of the ECS instance and the VPC of the EMR cluster are connected.
If the node endpoint fails to be resolved, you can check whether the security group rule allows ICMP traffic or whether the desired service port is enabled.
Make sure that the DNS configuration of the service from which you want to access an EMR cluster is not changed. By default, the DNS service provided by Alibaba Cloud VPC is used.
Scenario 2: A service and the desired cluster reside in different VPCs
When the service from which you want to access an EMR cluster and the EMR cluster reside in different VPCs, you must connect the VPCs and configure the private zone. For more information about DNS PrivateZone, see What is Alibaba Cloud DNS PrivateZone? You can perform the following steps to use a node endpoint of an EMR cluster to access the EMR cluster from the service:
Step 1: Create a VPC peering connection
Log on to the VPC peering connection console. In the top navigation bar, select the region where the requester VPC is located, which is China (Beijing) in this example. In the left-side navigation pane, click VPC Peering Connection.
If you have not used VPC peering connections before, click Activate CDT on the VPC Peering Connection page, and then click OK in the dialog box.
Note: To create a VPC peering connection across accounts, ensure that the accepter has enabled the Cloud Data Transfer (CDT) feature.
Go to the VPC Peering Connection page, click Create VPC Peering Connection, and set the parameters as follows:
Inter-region scenarios allow you to select the Link Type based on business latency requirements.
Gold (default): Meets general requirements for latency and connection quality.
Platinum: Best suited for scenarios that require lower latency and more stable connections, such as securities trading and real-time gaming.
Note: You can create four types of VPC peering connections: intra-region same-account, inter-region same-account, intra-region cross-account, and inter-region cross-account.
When the accepter account is Same-Account, the system automatically establishes the connection after the requester initiates the request. No action is required from the accepter.
When the accepter account is Cross-Account, the accepter needs to accept the peering request before the VPC peering connection can be created. The accepter may reject the request and terminate the VPC peering connection process. The steps that need to be taken by the accepter are as follows:
Log on to the VPC console with the accepter account. In the left-side navigation pane, click VPC Peering Connection.
Find the target VPC peering connection on the VPC Peering Connection page. Currently, the status of the connection is Accepting.
Decide whether to accept the request:
Accept: The status changes from Accepting to Updating.
When the status changes to Activated, it indicates the connection is ready for use.
Reject: The status changes from Accepting to Rejected.
A Rejected VPC peering connection cannot be used. You can Delete it from either the requester or the accepter end.
If the accepter takes no action on a cross-account VPC peering connection request, the connection status changes to Expired after 7 days.
Step 2: Configure routes
After a VPC peering connection has been created and Activated, you need to add route entries that point to the peer VPC on both ends to enable the connection.
Find the VPC peering connection on the VPC Peering Connection page and click Configure Route in either the Requester VPC or Accepter VPC column.
Configure the IPv4 or IPv6 route entries for both the requester and accepter VPCs. Below is an example of configuring an IPv4 route entry.
For cross-account peering connections, log on to the VPC console with the accepter account. Enter the IPv4 or IPv6 CIDR block of the requester VPC to add a route for the accepter VPC.
Step 3: Associate the VPC of a service with the private zone to which the cluster VPC belongs
EMR does not allow you to associate the VPC of a service with the private zone to which a cluster VPC belongs. You must submit a ticket on the official website to ask the EMR product after-sales team to associate the VPC of the service with the private zone to which the cluster VPC belongs. After the association is complete, the VPC of the service can resolve the node endpoints of the EMR cluster.
Step 4: Use the node endpoint to access the EMR cluster
Log on to the service from which you want to access the EMR cluster. In this example, you need to log on to the desired ECS instance.
Run the ping master-1-1.<Cluster-ID>.<Region-ID>.emr.aliyuncs.com command to access the EMR cluster.
If information in the preceding figure is returned, the node endpoint is successfully resolved, and the VPC of the ECS instance and the VPC of the EMR cluster are connected.
If the node endpoint fails to be resolved, you can check whether the security group rule allows ICMP traffic or whether the desired service port is enabled.
Make sure that the DNS configuration of the service from which you want to access an EMR cluster is not changed. By default, the DNS service provided by Alibaba Cloud VPC is used.
FAQ
What do I do if the node endpoint cannot be resolved?
Check whether the IP addresses of Alibaba Cloud DNS servers are used. The default IP addresses of Alibaba Cloud DNS servers are 100.100.2.136 and 100.100.2.138. If the default IP addresses of Alibaba Cloud DNS servers are not used, modify the /etc/resolv.conf file.
Log on to the Alibaba Cloud DNS PrivateZone console and check whether the private zone of the EMR cluster is associated with the VPC of the service from which you want to access an EMR cluster. If the private zone of the EMR cluster is not associated with the VPC of the service, fix the error by referring to the operations in Scenario 2: A service and the desired cluster reside in different VPCs.
What do I do if the network is not connected?
Use tracert or telnet to test network connectivity and check whether the security group rule is configured to allow traffic over the desired service port. For more information about security groups, see Manage security groups.
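The two FAQ checks above, combined into an added shell example that is not part of the original topic: it flags nameservers in a resolv.conf file other than the two default addresses listed above, then reports a resolution failure separately from an unreachable port. The function names are illustrative, and getent, timeout and bash are assumed to be available on the ECS instance.

```shell
#!/usr/bin/env bash
# Added example. The default VPC DNS server addresses are the two given in the FAQ.
ALIYUN_DNS="100.100.2.136 100.100.2.138"

# Print each nameserver in a resolv.conf-style file that is not a VPC default.
# Returns 0 if all are defaults, 1 if any is not, 2 if no nameserver is set.
foreign_nameservers() {
    fn_found=0; fn_bad=0
    while read -r fn_key fn_ns fn_rest || [ -n "$fn_key" ]; do
        [ "$fn_key" = "nameserver" ] || continue
        fn_found=1
        case " $ALIYUN_DNS " in
            *" $fn_ns "*) ;;
            *) echo "$fn_ns"; fn_bad=1 ;;
        esac
    done < "${1:-/etc/resolv.conf}"
    [ "$fn_found" -eq 1 ] || return 2
    return "$fn_bad"
}

# Usage: check_endpoint <node-endpoint> <port>
# Returns 1 on a DNS failure and 2 on a TCP failure, so the two are not confused.
check_endpoint() {
    ce_bad=$(foreign_nameservers /etc/resolv.conf) ||
        echo "warning: unexpected nameserver(s): ${ce_bad:-none configured}"
    ce_ip=$(getent hosts "$1" | awk '{print $1; exit}')
    if [ -z "$ce_ip" ]; then
        echo "DNS: $1 does not resolve; check resolv.conf and the private zone association"
        return 1
    fi
    echo "DNS: $1 -> $ce_ip"
    # bash's /dev/tcp opens a TCP connection; timeout bounds silently dropped packets.
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$ce_ip" "$2" 2>/dev/null; then
        echo "TCP: port $2 reachable"
    else
        echo "TCP: port $2 unreachable; check route entries and security group rules"
        return 2
    fi
}

# Run only when an endpoint and a port are passed on the command line.
if [ "$#" -eq 2 ]; then
    check_endpoint "$1" "$2"
fi
```

Pass the node endpoint and a service port such as 8088 as the two arguments. Unlike ping, the TCP check still works when the security group blocks ICMP but allows the service port.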