An SSH tunnel lets you securely access the web UIs of open source components on your EMR cluster without exposing the cluster's internal network. Two methods are available: local port forwarding and dynamic port forwarding with a SOCKS proxy.
For all available methods to access open source component web UIs, see Access the web UIs of open source components.
Choose a method
| Method | Best for | Limitation |
|---|---|---|
| Local port forwarding | Accessing a single component at a time | Cannot access job details pages |
| Dynamic port forwarding | Accessing multiple components simultaneously with one tunnel | Requires browser proxy configuration |
Prerequisites
Before you begin, ensure that you have:
- An EMR cluster. For more information, see Create a cluster.
- A client connected to the master node of the EMR cluster. For more information, see Associate an EIP with an ECS instance.
Local port forwarding
Local port forwarding maps a port on your on-premises machine to a port on the master node, so you can access a single component's web UI via localhost.
This method does not support navigation to job details pages.
Step 1: Create an SSH tunnel
Open a terminal on your on-premises machine and run one of the following commands. This example forwards local port 8156 to port 8088 on the master node to access the YARN ResourceManager web UI. To access a different component, replace 8088 with the appropriate port number. For a list of component ports, see Common ports of open source components.
Connect using a private key file
ssh -i <private-key-file-path> -N -L <local-port>:<master-node-name>:<component-port> root@<master-node-public-ip>
Connect using a username and password
ssh -N -L <local-port>:<master-node-name>:<component-port> root@<master-node-public-ip>
| Parameter | Description | Example |
|---|---|---|
| -i | Path to the private key file used for authentication. See Manage SSH key pairs. | ~/.ssh/emr-key.pem |
| -N | Creates the tunnel without running a remote command. The terminal produces no output after the tunnel is established — this is expected. | — |
| -L | Enables local port forwarding. Forwards traffic from <local-port> to <master-node-name>:<component-port> via the master node. | — |
| <private-key-file-path> | Path to the private key file. | ~/.ssh/emr-key.pem |
| <local-port> | Any unoccupied port on your machine. | 8156 |
| <master-node-name> | Name of the master node, visible on the Nodes tab of the cluster. See Obtain the public IP address and the name of a node. | master-1-1 |
| <component-port> | Port of the target open source component. | 8088 (YARN) |
| <master-node-public-ip> | Public IP address of the master node, visible on the Nodes tab. See Obtain the public IP address and the name of a node. | 203.0.113.10 |
Keep the terminal running after the tunnel is established. The -N flag means SSH only maintains the tunnel and does not run a remote command, so no output is produced. This is normal behavior.
Step 2: Access the web UI
In a browser address bar, enter http://localhost:<local-port> and press Enter.
For example, to access the YARN ResourceManager, enter http://localhost:8156.
To access multiple component web UIs at the same time, open additional terminals and repeat Step 1 with a different local port for each component.
Dynamic port forwarding
Dynamic port forwarding starts a SOCKS proxy on a local port that routes all traffic through the master node. One tunnel gives you access to any component's web UI — just change the component hostname and port in your browser.
Step 1: Create an SSH tunnel
Open a terminal on your on-premises machine and run one of the following commands. This example starts a SOCKS proxy on local port 8157.
Connect using a private key file
ssh -i <private-key-file-path> -N -D <local-port> root@<master-node-public-ip>
Connect using a username and password
ssh -N -D <local-port> root@<master-node-public-ip>
| Parameter | Description | Example |
|---|---|---|
| -i | Path to the private key file used for authentication. See Manage SSH key pairs. | ~/.ssh/emr-key.pem |
| -N | Creates the tunnel without running a remote command. The terminal produces no output after the tunnel is established — this is expected. | — |
| -D | Enables dynamic port forwarding. Starts a SOCKS proxy that listens on <local-port> and routes traffic to any port on the master node. | — |
| <local-port> | Any unoccupied port on your machine. | 8157 |
| <master-node-public-ip> | Public IP address of the master node, visible on the Nodes tab. See Obtain the public IP address and the name of a node. | 203.0.113.10 |
Keep the terminal running after the tunnel is established. The -N flag means SSH only maintains the tunnel and does not run a remote command, so no output is produced. This is normal behavior.
Step 2: Configure a browser proxy
After the tunnel is running, configure Google Chrome to route traffic through the SOCKS proxy. Use either the CLI or the SwitchyOmega extension.
Option A: CLI
- Open a terminal and go to the Google Chrome installation directory for your operating system.
  | Operating system | Default installation directory |
  |---|---|
  | macOS X | /Applications/Google\ Chrome.app/Contents/macOS |
  | Linux | /usr/bin/google-chrome |
  | Windows (64-bit) | C:\Program Files\Google\Chrome\Application\ |
  | Windows (32-bit) | C:\Program Files (x86)\Google\Chrome\Application\ |
- Launch Google Chrome with the SOCKS proxy settings. Replace 8157 with the local port you configured in Step 1.
  macOS X
  ./Google\ Chrome --proxy-server="socks5://localhost:8157" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost" --user-data-dir=/tmp/
  Linux
  chrome --proxy-server="socks5://localhost:8157" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost" --user-data-dir=/tmp/
  Windows
  chrome --proxy-server="socks5://localhost:8157" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost" --user-data-dir=c:\\tmppath\\
Option B: SwitchyOmega extension
The SwitchyOmega extension lets you switch between direct and proxy browsing within the same browser window.
- Add the SwitchyOmega extension to Google Chrome.
- In the left-side navigation pane, click New profile. In the New Profile dialog box, enter a name in the Profile name field (for example, SSH tunnel), select PAC Profile, and then click Create.
- In the PAC Script editor, paste the following script. Replace all occurrences of 8157 with the local port you configured in Step 1.
      function regExpMatch(url, pattern) {
        try {
          return new RegExp(pattern).test(url);
        } catch (ex) {
          return false;
        }
      }
      function FindProxyForURL(url, host) {
        if (shExpMatch(url, "*localhost*")) return "SOCKS5 localhost:8157";
        if (shExpMatch(url, "*emr-header*")) return "SOCKS5 localhost:8157";
        if (shExpMatch(url, "*emr-worker*")) return "SOCKS5 localhost:8157";
        if (shExpMatch(url, "*master*")) return "SOCKS5 localhost:8157";
        if (shExpMatch(url, "*core*")) return "SOCKS5 localhost:8157";
        return 'DIRECT';
      }
- In the left-side navigation pane, click Apply changes.
- In the upper-right corner of the browser, select the SSH tunnel profile you created.
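The PAC script above passes the whole URL to shExpMatch, so broad patterns such as *master* and *core* also match unrelated sites and send that traffic through the master node. The following added example (not part of the original documentation) replays the page's rules in Node.js against constructed URLs, next to a hypothetical host-only variant. The shExpMatch stand-in, the hostRule function, the sample URLs and the hyphenated node-name prefixes are assumptions.

```javascript
// Minimal stand-in for the browser's PAC helper shExpMatch (supports * and ? only).
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

const PROXY = "SOCKS5 localhost:8157";

// Routing logic of the PAC script on this page: patterns are tested against the full URL.
function pageRule(url, host) {
  const patterns = ["*localhost*", "*emr-header*", "*emr-worker*", "*master*", "*core*"];
  return patterns.some((p) => shExpMatch(url, p)) ? PROXY : "DIRECT";
}

// Hypothetical tighter variant: test only the host and anchor each pattern at its start.
// Assumes node names begin with these prefixes followed by a hyphen (e.g. master-1-1).
function hostRule(url, host) {
  const patterns = ["localhost", "emr-header-*", "emr-worker-*", "master-*", "core-*"];
  return patterns.some((p) => shExpMatch(host, p)) ? PROXY : "DIRECT";
}

// Evaluate both rule sets for each URL and return the decisions side by side.
function compare(urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { url: u, page: pageRule(u, host), host: hostRule(u, host) };
  });
}

// Constructed sample URLs: one cluster UI and three unrelated sites.
const SAMPLES = [
  "http://master-1-1:8088/cluster",
  "https://example.com/core/docs",
  "https://mastering.example.org/",
  "https://example.net/search?q=localhost",
];

for (const r of compare(SAMPLES)) {
  console.log(r.page.padEnd(24), r.host.padEnd(24), r.url);
}
```

If the node names in your cluster follow a different scheme, adjust the prefixes in hostRule before copying them into a PAC profile.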
Step 3: Access the web UI
In the browser address bar, enter http://<master-node-name>:<component-port> and press Enter.
For example, to access the YARN ResourceManager, enter http://master-1-1:8088.
| Parameter | Description | Example |
|---|---|---|
| <master-node-name> | Name of the master node, visible on the Nodes tab. See Obtain the public IP address and the name of a node. | master-1-1 |
| <component-port> | Port of the target open source component. See Common ports of open source components. | 8088 (YARN) |
To access multiple component web UIs at the same time, change the port number in the address bar. No additional tunnels are needed.