Additional Security TopicsPDF version

How To Set Up Access to Cloudera EDH (Microsoft Azure Marketplace)

The Cloudera Enterprise Data Hub (EDH) and Cloudera Altus Director bundles that are available on the Microsoft Azure Marketplace only support SSH access (port 22). To access Cloudera Manager (port 7180), Altus Director (port 7189), or other services, you can:
  • Set up a SOCKS (Sockets Secure protocol) proxy on your client machine. Cloudera recommends that you use this option.
  • Add inbound rules to the Network Security Group in the Azure instance after you deploy EDH or Director to Azure.

The SOCKS5 protocol is implemented as a client and server process that enables traversal of IP network firewalls. After you configure the SOCKS proxy, your browser resolves DNS lookups using the Microsoft Azure network (through the proxy server), and lets you connect to services using internal FQDNs or private IP address.

With this approach, you complete the following tasks:
  • Set up a single SSH tunnel to one of the hosts on the network and create a SOCKS proxy on the host.
  • Change the browser configuration to perform all lookups through the SOCKS proxy host.
Verify the following prerequisites before you connect to your cluster with a SOCKS proxy:
  • You must be able to reach the host that you want to proxy to from the public internet or from the network that you're connecting from.
  • The host that you proxy to must be on the same network as the Cloudera services that you're connecting to. For example, if you’re using the Cloudera EDH offering, tunnel to the Cloudera Manager host.

For the Cloudera EDH offering, use the public IP of the 0th master node VM: [dnsName]-mn0.

To start a SOCKS proxy over SSH, run the following command:
ssh -i your-key-file.pem -CND 1080
the_username_you_specified@publicIP_of_VM
The command uses the following parameters:
  • -i your-key-file.pem Specifies the path to the private key needed to SSH to the Cloudera EDH server. Omit if using SSH passwords.
  • C Sets up compression.
  • N Suppresses any command execution once established.
  • D Sets up the SOCKS proxy on a port.
  • 1080 The port to set the SOCKS proxy locally.

Follow the instructions on Microsoft's website (see SSH tunnel to endpoints in Azure VNet from Windows).

By default, Google Chrome uses system-wide proxy settings on a per-profile basis. To start Chrome without these settings, open Chrome through the command line and specify the following:
  • The SOCKS proxy port. This must be the same port that you used when you started the proxy.
  • The profile. This examples below create a new profile.

Use one of the following commands to create a profile and launch a new instance of Chrome that does not conflict with any currently running Chrome instances.

Linux
/usr/bin/google-chrome \
--user-data-dir="$HOME/chrome-with-proxy" \
--proxy-server="socks5://localhost:1080"
Mac OS X
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
--user-data-dir="$HOME/chrome-with-proxy" \
--proxy-server="socks5://localhost:1080"
Microsoft Windows
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" ^
--user-data-dir="%USERPROFILE%\chrome-with-proxy" ^
--proxy-server="socks5://localhost:1080"

In this Chrome session, you can use the private IP address or internal FQDN to connect to any host that is accessible by Cloudera EDH.

Warning: This method is not recommended for any purpose other than a Proof of Concept. If the data is not carefully locked down, it will be accessible to hackers and malicious entities.

On the Microsoft Azure Portal, find the Network Security Group(s) and add inbound rules for the various services. You might have to create these rules for the services.