Creating a Cluster on AWS

Cluster security groups

This section lists the ports used by Cloudbreak-managed clusters.

The following tables list the default and recommended cluster security group settings:

Note

By default, when creating a cluster, a new network, subnet, and security groups are created automatically. Creating network resources such as the network, subnet and security group automatically is provided for convenience. We strongly recommend that you review these options and, for production cluster deployments, use your existing network resources that you have defined and validated to meet your enterprise requirements.

Note

Depending on the cluster components that you are planning to use, you may need to open additional ports required by these components.

External ports

Source → Target, Protocol Port

Cloudbreak → Ambari server, TCP 9443
  • This port is used by Cloudbreak to maintain management control of the cluster.
  • The default security group opens 9443 from anywhere. You should limit this CIDR further to allow access only from the Cloudbreak host. Cloudbreak can apply this restriction by default when you restrict inbound access from Cloudbreak to the cluster.

* (any source) → All cluster hosts, TCP 22
  • This is an optional port for end user SSH access to the hosts.
  • You should review and limit or remove this CIDR access.

* (any source) → Ambari server, TCP 8443
  • This port is used to access the gateway (if configured).
  • You should review and limit this CIDR access.
  • If you do not configure the gateway, this port does not need to be opened. If you want access to any cluster resources, you must open the relevant port explicitly on the security groups for their respective hosts.

* (any source) → Ambari server, TCP 443
  • This port is used to access Ambari directly.
  • If you are configuring the gateway, you should access Ambari through the gateway; in this case you do not need to open this port.
  • If you do not configure the gateway, to obtain access to Ambari, you can open this port on the security group for the respective host.

Internal ports

In addition to the ports described above, Cloudbreak uses certain ports for internal communication within the subnet. By default, Cloudbreak opens ports 0-65535 to the subnet's internal CIDR (such as 10.0.0.0/16). Use the following table to limit this rule to the ports actually required:

Source → Target, Protocol Port: Description

Salt-bootstrap → Gateway instance (Ambari server instance), TCP 7070: the Salt-bootstrap service launches and configures SaltStack.
Salt-master → All hosts in the cluster, TCP 4505, 4506: Salt-minions connect to the Salt-master(s).
Consul server → All hosts in the cluster, TCP and UDP 8300, 8301: Consul agents connect to the Consul server.
Consul agent (all hosts in the cluster) → All hosts in the cluster, TCP and UDP 8300, 8301: Consul agents connect to other Consul agents (gossip protocol).
Prometheus node exporter → Gateway instance (Ambari server instance), TCP 9100: the Prometheus server scrapes metrics from the node exporters.
Ambari server → All hosts in the cluster, ports as listed under "Default network port numbers for Ambari" in the Ambari documentation: Ambari agents connect to the Ambari server.

When creating data lakes and their attached clusters, you must also open the following internal port:

Source → Target, Protocol Port: Description

Data lake cluster → Clusters attached to the data lake, TCP 6080: used for communication between the data lake and attached clusters.
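The following is an added example, not Cloudbreak's own code, that audits a security group's ingress rules (in the IpPermissions shape returned by `aws ec2 describe-security-groups`) against the external and internal port tables above, and builds the tightened rule set those tables describe. The Cloudbreak host address, the admin range and the sample default group are constructed placeholders.

```python
import ipaddress

# Assumptions (not from the page): the Cloudbreak host's address and an admin range, both documentation prefixes.
CLOUDBREAK_HOST = ipaddress.ip_network("203.0.113.10/32")
ADMIN_CIDR = "198.51.100.0/24"
SUBNET_CIDR = ipaddress.ip_network("10.0.0.0/16")  # the internal CIDR used as the page's example
EXTERNAL = {22: "SSH", 8443: "gateway", 443: "Ambari"}  # external ports the page says to limit or remove

def audit(ip_permissions):
    """Return findings for rules that contradict the guidance; an empty list means the group follows it."""
    findings = []
    for perm in ip_permissions:
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent when IpProtocol is "-1"
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"])
            if perm["IpProtocol"] == "-1" or (lo, hi) == (0, 65535):
                # The default "all ports" rule is only acceptable inside the subnet's own CIDR.
                if not cidr.subnet_of(SUBNET_CIDR):
                    findings.append(f"all ports open from {cidr}; restrict to the internal port list")
                continue
            for port in range(lo, hi + 1):
                if port == 9443 and not cidr.subnet_of(CLOUDBREAK_HOST):
                    findings.append(f"9443 open from {cidr}; allow only the Cloudbreak host")
                elif port in EXTERNAL and cidr.prefixlen == 0:
                    findings.append(f"{port} ({EXTERNAL[port]}) open from anywhere; limit or remove this CIDR")
    return findings

def rule(lo, hi, cidr, proto="tcp"):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

def recommended_rules():
    """Tightened rule set built from the tables above (Ambari's own ports are documented separately)."""
    rules = [rule(9443, 9443, str(CLOUDBREAK_HOST))]
    rules += [rule(p, p, ADMIN_CIDR) for p in EXTERNAL]
    rules += [rule(lo, hi, str(SUBNET_CIDR)) for lo, hi in ((7070, 7070), (4505, 4506), (9100, 9100))]
    rules += [rule(8300, 8301, str(SUBNET_CIDR), proto) for proto in ("tcp", "udp")]  # Consul
    return rules

# Constructed sample resembling the default group: 9443 and 22 open to the world, all ports inside the subnet.
DEFAULT_INGRESS = [
    rule(9443, 9443, "0.0.0.0/0"),
    rule(22, 22, "0.0.0.0/0"),
    rule(443, 443, ADMIN_CIDR),
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    for finding in audit(DEFAULT_INGRESS):
        print("finding:", finding)
    print("findings for the recommended rule set:", audit(recommended_rules()))
```

Running it reports two findings for the constructed default group (9443 and 22 open from anywhere) and none for the recommended rule set.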