Default security group settings on AWS

Depending on what you chose during environment creation, Cloudera can create security groups for your environment automatically or you can provide your own security groups.

Environment security groups

Depending on what you chose during environment creation, Cloudera can create security groups for your environment automatically or you can provide your own security groups.

  • If you choose to use your own security groups, you are asked to create Knox and Default security groups as described in the Security groups documentation.
  • If you choose for Cloudera to create all security groups required for an environment, the following security groups are created:

Data Lake: master

AWS naming convention: ${environment-name}-${random-id}-ClusterNodeSecurityGroupmaster-${random-id}

Protocol Port Range Source Description
TCP 22 Your CIDR This is an optional port for end user SSH access to cluster hosts. You should open it to your organization’s CIDR.
TCP 443 Your CIDR and Cloudera CIDR This port is used to access the Data Lake and Cloudera Data Hub cluster UIs via Knox gateway. You should open it to your organization’s CIDR in order to access cluster UIs.

This port is also required if you are planning to spin up Cloudera AI workbenches since HTTPS access to Cloudera AI workbenches is available over port 443. If you are not planning to use the Cloudera AI service, you do not need to open this port.

When Cluster Connectivity Manager is enabled, you only need to set this to your CIDR.

TCP 9443 Cloudera CIDR This port is used by Cloudera to maintain management control of clusters and data lakes.

This port is not used when Cluster Connectivity Manager is enabled.

TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

Data Lake: IDBroker

AWS naming convention: ${environment-name}-${random-id}-ClusterNodeSecurityGroupidbroker-${random-id}

Azure naming convention: idbroker${dl-name}${numeric-id}sg

Protocol Port Range Source Description
TCP 22 Your CIDR

This is an optional port for end user SSH access to cluster hosts.

TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

FreeIPA

AWS naming convention: ${environment-name}-freeipa-${random-id}-ClusterNodeSecurityGroupmaster-${random-id}

Protocol Port Range Source Description
TCP 22 Your CIDR This is an optional port for end user SSH access to cluster hosts. You should open it to your organization’s CIDR.
TCP 9443 Cloudera CIDR This port is used by Cloudera to maintain management control of clusters and data lakes.

This port is not used when Cluster Connectivity Manager is enabled.

TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

Database

AWS naming convention: dsecg-dbsvr-${random-id}

Protocol Port Range Source Description
TCP 5432 Your VPC’s CIDR (for example 10.10.0.0/16) This port is used for communication between the Data Lake and its attached database.

Cloudera Data Hub security groups

Depending on what you chose during environment creation, Cloudera can create security groups for your Data Hub clusters automatically or it can use your pre-created security groups:

  • If during environment creation, you provided your own security groups, Cloudera uses these security groups when deploying clusters.
  • If during environment creation you chose for Cloudera to create new security groups, new security groups are created for each Cloudera Data Hub cluster as follows:

Cloudera Data Hub: master

AWS naming convention: ${cluster-name}-${random-i}-ClusterNodeSecurityGroupmaster-${random-id}

Protocol Port Range Source Description
TCP 22 Your CIDR This is an optional port for end user SSH access to cluster hosts. You should open it to your organization’s CIDR.
TCP 443 Your CIDR and Cloudera CIDR This port is used to access the Data Lake and Cloudera Data Hub cluster UIs via Knox gateway. You should open it to your organization’s CIDR in order to access cluster UIs.

When Cluster Connectivity Manager is enabled, you only need to set this to your CIDR.

TCP 9443 Cloudera CIDR This port is used by Cloudera to maintain management control of clusters and data lakes.

This port is not used when Cluster Connectivity Manager is enabled.

TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

Cloudera Data Hub: worker

AWS naming convention: ${cluster-name}-${random-id}-ClusterNodeSecurityGroupworker-${random-id}

Protocol Port Range Source Description
TCP 22 Your CIDR This is an optional port for end user SSH access to cluster hosts.
TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

Cloudera Data Hub: compute

AWS naming convention: ${cluster-name}-${random-id}-ClusterNodeSecurityGroupcompute-${random-id}

Protocol Port Range Source Description
TCP 22 Your CIDR This is an optional port for end user SSH access to cluster hosts.
TCP, UDP 0-65535 Your VPC’s CIDR (for example 10.10.0.0/16) and your subnet’s CIDR (for example 10.0.2.0/24). This is required for internal communication within the VPC.
ICMP N/A Your internal VPC CIDR (for example 10.10.0.0/16). This is required for internal communication within the VPC.

Cloudera Data Warehouse security groups

Cloudera always creates new security groups when Cloudera Data Warehouse are deployed.

Cloudera AI security groups

Cloudera always creates new security groups when Cloudera AI workbenches are deployed.

Cloudera Data Engineering security groups

Cloudera always creates new security groups when Cloudera Data Engineering clusters are deployed.

Cloudera DataFlow security groups

Cloudera always creates new security groups when Cloudera DataFlow environments are enabled.