Recommended subnet configurations for CDP Public Cloud for AWS.

  • It’s recommended to have 3 private subnets and 3 public subnets, such that each private-public subnet pair is in a different availability zone (AZ). Even if a region has two AZs instead of three, it’s recommended that three private subnets are created, two of them in the same AZ. This is required to prevent cross-AZ routing of traffic and to maintain the quorum-based consistency required by some services.
    • Note that a subnet becomes ‘private’ or ‘public’ based on the routing devices it is associated with in the route tables. This is described in Gateways and Route Tables.
    • CDP launches the compute workloads in the private subnets. This ensures that these nodes work in an isolated and secure environment that has no inbound internet connectivity.
    • A public subnet is needed to host a NAT gateway, which allows the compute nodes to reach out to the CDP Control Plane over the internet. More on this is described in Gateways and Route Tables.
  • The CIDR block for the subnets should be sufficiently large for supporting all the experiences you intend to run. Refer to Determining the CIDR Range for understanding how to compute the CIDR block range.
  • The CIDR block for the subnets should not overlap with known AWS EKS ranges for pods/services. Several EKS-based CDP experiences in Overlay networks
  • In addition, you may want to ensure that the CIDR ranges assigned to the subnets will not overlap with any of your on-premises network CIDR ranges, as this may be a requirement for setting up connectivity from your on-premises network to the subnets.
  • Since Cloudera recommends ‘Fully Private’ configuration, the ‘Auto-assign public IPs’ option must be disabled for the private subnets.
  • A subnet can be associated with a Network ACL (NACL). However, since Cloudera works with Fully Private configuration where communication is always initiated from EC2 nodes within the subnets, a NACL is generally not useful for this configuration.
  • Tag private subnets with a tag ‘’. The key is the string and the value is ‘1’. Cloud Controller Manager and AWS Load Balancer Controller both require private subnets to have this tag for discovery; EKS creates private ELBs in these subnets. This is applicable when CDP is supporting EKS versions < 1.20 (which is currently the case).
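As an added example (not Cloudera's own code), a small pre-deployment check that applies the recommendations above to a planned set of subnets: 3 private and 3 public, a public partner in each private subnet's AZ for the NAT gateway, auto-assign public IP disabled on private subnets, the discovery tag present, and no overlap among the subnets or with EKS overlay and on-premises ranges. The AZ names, CIDRs, reserved ranges and the tag key are constructed placeholders (the real tag key is not given on this page); the sample plan models the two-AZ region case, with two private subnets sharing one AZ.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    public: bool  # a subnet is public or private according to its route table
    auto_assign_public_ip: bool
    tags: dict

def validate_plan(subnets, reserved_cidrs, private_tag_key):
    findings = []  # empty list means the plan follows the recommendations
    nets = {s.name: ipaddress.ip_network(s.cidr) for s in subnets}
    private = [s for s in subnets if not s.public]
    public_azs = {s.az for s in subnets if s.public}
    if len(private) != 3 or len(subnets) - len(private) != 3:
        findings.append(f"expected 3 private and 3 public subnets, got {len(private)} private")
    for s in private:  # each private subnet needs a public partner in its AZ for the NAT gateway
        if s.az not in public_azs:
            findings.append(f"{s.name}: no public subnet in AZ {s.az} to host a NAT gateway")
        if s.auto_assign_public_ip:  # Fully Private: no public IPs on compute subnets
            findings.append(f"{s.name}: auto-assign public IP must be disabled")
        if s.tags.get(private_tag_key) != "1":  # required for ELB subnet discovery
            findings.append(f"{s.name}: missing tag {private_tag_key}=1")
    names = list(nets)
    for i, a in enumerate(names):  # subnets must not overlap one another
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    for label, cidr in reserved_cidrs.items():  # EKS overlay and on-premises ranges
        reserved = ipaddress.ip_network(cidr)
        for name, net in nets.items():
            if net.overlaps(reserved):
                findings.append(f"{name}: {net} overlaps {label} range {reserved}")
    return findings

# Constructed sample plan for a two-AZ region: two private subnets share AZ "b".
TAG_KEY = "REPLACE_WITH_REQUIRED_TAG_KEY"  # placeholder: the real key is not given on this page
PRIVATE_TAGS = {TAG_KEY: "1"}
GOOD_PLAN = [
    Subnet("priv-a", "10.10.0.0/19", "az-a", False, False, PRIVATE_TAGS),
    Subnet("priv-b", "10.10.32.0/19", "az-b", False, False, PRIVATE_TAGS),
    Subnet("priv-c", "10.10.64.0/19", "az-b", False, False, PRIVATE_TAGS),
    Subnet("pub-a", "10.10.96.0/24", "az-a", True, True, {}),
    Subnet("pub-b", "10.10.97.0/24", "az-b", True, True, {}),
    Subnet("pub-c", "10.10.98.0/24", "az-b", True, True, {}),
]
RESERVED = {"EKS overlay (example)": "192.168.0.0/16", "on-premises (example)": "10.0.0.0/16"}
```

`validate_plan(GOOD_PLAN, RESERVED, TAG_KEY)` returns an empty list; swap in a private subnet that lies in the on-premises range, has auto-assign enabled or lacks the tag and each violation is reported as its own finding.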