Security groups control network access for Elastic Compute Service (ECS) instances in an E-MapReduce (EMR) cluster. This topic describes how to add an ECS instance to a security group and add security group rules.
Security group types
Every EMR cluster uses two types of security groups:
EMR security groups: Created automatically when you create an EMR cluster.
User security groups: Security groups that exist in your account before you use EMR. Use these to control access from external sources, such as your on-premises machine or other services.
For information about creating a security group, see Create a security group.
Limits
| Network type | Requirement |
|---|---|
| Classic network | The ECS instance must be added to a classic network security group in the same region. |
| Virtual private cloud (VPC) | The ECS instance must be added to a security group in the same VPC. |
Security group rules for EMR clusters
Before you add or modify rules, be aware of the following constraints:
Do not deny access from 100.64.0.0/10 or internal Object Storage Service (OSS) virtual IP address (VIP) ranges. EMR uses these ranges for control services. Blocking them will cause cluster failures. See Internal OSS endpoints and VIP ranges for the full list.
All ECS instances in the cluster must be able to communicate with each other over the internal network. Rules that break internal communication will prevent the cluster from providing services.
Do not use an advanced security group created in the ECS console for EMR clusters.
When you configure inbound and outbound rules for applications, follow the principle of least privilege. Allow access only from the current public IP address.
We recommend that you add ECS instances in different node groups to separate user security groups, and configure rules based on the access requirements of each group.
If EMR cannot work as expected because of network connection failures caused by improper security group policies, you assume all liability for the resulting losses and consequences.
Add an instance to a security group
1. Go to the Nodes tab.
   1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
   2. In the top navigation bar, select the region where your cluster resides and select a resource group.
   3. On the EMR on ECS page, find the cluster and click Nodes in the Actions column.
2. Navigate to the Security Groups tab of the ECS console.
   1. On the Nodes tab, click the icon to the left of the node group to expand it.
   2. Click the ID of the node in the Node Name/ID column.
   3. On the page that appears, click the Security Groups tab.
3. Click Add to Security Group.
4. In the Add to Security Group dialog box, select a security group from the Security Group drop-down list. To add the instance to multiple security groups, click Join Multiple Security Groups after selecting the first group, then add the remaining groups in the same way. Click OK.
5. Repeat steps 2–4 for each ECS instance in the cluster.
Add a security group rule
1. Get the public IP address of your on-premises machine, for example by visiting http://myip.ipip.net/.
   Important: Use your current public IP address as the authorization source. Setting the source to 0.0.0.0/0 exposes your cluster to attacks from the entire Internet and is not allowed.
2. Go to the Security Group Details tab.
   1. Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
   2. In the top navigation bar, select the region where your cluster resides and select a resource group.
   3. On the EMR on ECS page, find the cluster and click its name.
   4. On the Basic Information tab, in the Security section, click the link next to Cluster Security Group.
3. On the Security Group Details tab, click Add Rule and set the following parameters. Keep all other parameters at their default values. For full parameter descriptions, see Add a security group rule.

   | Parameter | Value |
   |---|---|
   | Port Range | The port used to access the ECS instance. |
   | Authorization Object | The public IP address obtained in step 1. Do not set this to 0.0.0.0/0. |

4. Click Save.
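The same two procedures (adding an instance to a user security group, and adding an inbound rule) can be scripted instead of clicked through, and a script is also a good place to enforce the constraints listed under "Security group rules for EMR clusters". The following is an added example, not code from the EMR documentation. It assumes the Alibaba Cloud CLI (`aliyun`) is installed and already configured with credentials, uses the ECS API actions JoinSecurityGroup and AuthorizeSecurityGroup with their documented parameter names, and treats the instance, security group and region IDs as placeholders. It refuses accept rules whose source is anything other than a single host (0.0.0.0/0 included) and drop rules whose source overlaps the 100.64.0.0/10 range that EMR control services use; in the default dry-run mode it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the EMR documentation. Assumes the Alibaba Cloud
# CLI ("aliyun") is installed and configured; actions and parameter names are
# those of the ECS API (JoinSecurityGroup, AuthorizeSecurityGroup). DRY_RUN=1
# (the default) prints commands instead of executing them. All IDs below are
# placeholders.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  oldifs="$IFS"; IFS=.; set -- $1; IFS="$oldifs"
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A bare IPv4 address is treated as a single host (/32).
normalize_cidr() {
  case "$1" in */*) echo "$1" ;; *) echo "$1/32" ;; esac
}

# Accept rules must name exactly one host: the guidance is to allow access
# only from the current public IP address, never from 0.0.0.0/0.
check_accept_source() {
  src=$(normalize_cidr "$1")
  case "$src" in
    0.0.0.0/0) echo "refused: $src exposes the port to the whole Internet" >&2; return 1 ;;
    */32)      return 0 ;;
    *)         echo "refused: $src is not a single host" >&2; return 1 ;;
  esac
}

# Exit 0 if the CIDR overlaps 100.64.0.0/10, the range EMR control services
# use. Two networks overlap when they agree under the shorter of the two
# prefixes, so 100.0.0.0/8 and 0.0.0.0/0 are caught as well as 100.64.1.1/32.
overlaps_emr_range() {
  src=$(normalize_cidr "$1")
  net="${src%%/*}"; len="${src#*/}"
  m=$len
  if [ "$m" -gt 10 ]; then m=10; fi
  a=$(ip_to_int "$net"); b=$(ip_to_int 100.64.0.0)
  [ $(( a >> (32 - m) )) -eq $(( b >> (32 - m) )) ]
}

# "Add an instance to a security group", via the API instead of the console.
join_security_group() {
  run aliyun ecs JoinSecurityGroup --InstanceId "$1" --SecurityGroupId "$2"
}

# "Add a security group rule": inbound TCP on one port from one source.
# Policy is accept (default) or drop; both are checked before anything is run.
authorize_port() {
  region="$1"; sg="$2"; port="$3"; src=$(normalize_cidr "$4"); policy="${5:-accept}"
  if [ "$policy" = accept ]; then
    check_accept_source "$src" || return 1
  elif overlaps_emr_range "$src"; then
    echo "refused: dropping $src blocks EMR control traffic (100.64.0.0/10)" >&2
    return 1
  fi
  run aliyun ecs AuthorizeSecurityGroup --RegionId "$region" --SecurityGroupId "$sg" \
    --IpProtocol tcp --PortRange "$port/$port" --SourceCidrIp "$src" --Policy "$policy"
}

# Usage with placeholder IDs. MY_IP is the address obtained in step 1 of the
# rule procedure (for example from http://myip.ipip.net/).
MY_IP="${MY_IP:-203.0.113.10}"
join_security_group i-bp1example sg-bp1example
authorize_port cn-hangzhou sg-bp1example 22 "$MY_IP"
authorize_port cn-hangzhou sg-bp1example 22 0.0.0.0/0 || echo "(refused, as intended)"
```

The overlap check covers only the 100.64.0.0/10 range named on this page; the internal OSS VIP ranges are listed on a separate page and would be added to the same check in the same way. Run with `DRY_RUN=0` once the printed commands look right.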