A newly created ApsaraDB for HBase cluster blocks all incoming connections by default. This means you cannot use open source components such as Apache HBase, Ganglia, and Hadoop Distributed File System (HDFS) to perform operations on the cluster, nor can you read data from or write data to the cluster. To allow clients to connect, add their IP addresses to the cluster's allowlist or associate an Elastic Compute Service (ECS) security group with the cluster. You can use both methods simultaneously.
Choose an access control method
| Method | Controls access by | Use when |
|---|---|---|
| Allowlist | IP address or CIDR block | You need to grant access to specific IP addresses, including on-premises clients or public IPs |
| ECS security group | ECS instance group | ECS instances in the same VPC need access, and you want to manage access at the instance-group level |
You can configure both methods at the same time. Clients in the allowlist and ECS instances in the associated security group can all access the cluster.
Configure an allowlist
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB for HBase cluster
The IP addresses or CIDR blocks of the clients that need access
Add IP addresses to the allowlist
Log on to the ApsaraDB for HBase console.
In the top navigation bar, select the region where the cluster is deployed.
On the Clusters page, click the ID of the cluster.
In the left-side navigation pane, click Access Control.
On the Whitelist Setting tab, click Modify Whitelist.
In the Modify Whitelist dialog box, enter the IP addresses or CIDR blocks and click OK.
The default allowlist contains only 127.0.0.1, which blocks all external clients. To allow public access, enter the public IP address of each client. To find the public IP address of an on-premises client, search for it from that machine.
Entering 0.0.0.0, 0.0.0.0/0, or leaving the field blank allows access from all IP addresses, which poses a significant security risk. Enter only the specific IP addresses that require access.
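A pre-check for a proposed allowlist before it is pasted into the Modify Whitelist dialog box, as an added example that is not part of the original documentation or any Alibaba Cloud tool. It assumes entries are comma-separated IPv4 addresses or CIDR blocks; `review_allowlist` and its `max_addresses` threshold are hypothetical (a local policy choice, not a service limit), and the sample addresses are constructed.

```python
import ipaddress

# Values the page says open the cluster to every IP address.
OPEN_TO_ALL = {"0.0.0.0", "0.0.0.0/0"}


def review_allowlist(raw, max_addresses=256):
    """Return (entry, severity, message) findings for a proposed allowlist.

    Assumptions: entries are comma-separated and IPv4 only; max_addresses is
    a hypothetical local policy threshold for flagging overly broad CIDRs.
    """
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        # A blank field is treated like 0.0.0.0/0 according to the page.
        return [("", "critical", "blank allowlist allows all IP addresses")]
    findings = []
    for entry in entries:
        if entry in OPEN_TO_ALL:
            findings.append((entry, "critical", "allows all IP addresses"))
            continue
        try:
            # strict=False accepts CIDRs written with host bits set.
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            findings.append((entry, "error", "not a valid IPv4 address or CIDR"))
            continue
        if net.prefixlen == 0:
            # Any address with /0 normalizes to 0.0.0.0/0.
            findings.append((entry, "critical", "allows all IP addresses"))
        elif net.is_loopback:
            findings.append((entry, "info", "loopback, admits no external client"))
        elif net.num_addresses > max_addresses:
            msg = f"covers {net.num_addresses} addresses, narrow it"
            findings.append((entry, "warning", msg))
        else:
            findings.append((entry, "ok", f"normalized to {net}"))
    return findings


if __name__ == "__main__":
    # Constructed sample input: default entry, one client, a broad range,
    # an open-to-all entry, and a typo.
    sample = "127.0.0.1, 203.0.113.10, 10.0.0.0/8, 0.0.0.0/0, 10.0.0.300"
    for entry, severity, message in review_allowlist(sample):
        print(f"{severity:8} {entry or '<blank>':18} {message}")
```
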
Associate a security group
A security group acts as a virtual firewall that controls inbound and outbound traffic for ECS instances in the group. After you associate a security group with an ApsaraDB for HBase cluster, all ECS instances in that group can access the cluster.
Prerequisites
Before you begin, ensure that you have:
An ApsaraDB for HBase cluster of Standard Edition or Performance-enhanced Edition (security groups are not supported on other editions)
ECS instances that are in the same virtual private cloud (VPC) as the HBase cluster
At most three security groups to associate (each cluster supports up to three)
Add a security group
Log on to the ApsaraDB for HBase console.
In the top navigation bar, select the region where the cluster is deployed.
On the Clusters page, click the ID of the cluster.
In the left-side navigation pane, click Access Control.
Click the Security Group tab.
Click Add Security Group.
In the Add Security Group dialog box, select the security group and click OK.