Configuring a private VPC in AWS

When you create your CDP environment, you have two options: Have CDP set up your private network and security groups or set up the VPC with your private IPs and security groups. Either way, you must enable CCM.

Have CDP set up a private VPC network and security groups

If you choose to have CDP create your private network and security groups when you are testing or sandboxing CCM, when you enable CCM, CDP performs the following:

  • Creates 3 public and 3 private subnets

  • Creates the Data Lake and Data Hub clusters in the private subnet.

The public subnets have an internet gateway attached. The private subnets have a NAT gateway attached. When CDP creates the security group, it opens two ports to the CIDR range that you specify, port 22 and port 443. Use these ports only to access these clusters. For the list of security group rules that CDP creates, see Default security group settings on AWS.

Set up your own private VPC network and security groups

If you choose to configure your own VPCs with private IPs, you will need the following:

  • At least two private subnets in at least two different availability zones (AZs).

  • Outbound traffic via the HTTP secure connection initiated by CCM to the Cloudera hosted NLBs on workload nodes.

In the AWS console, configure the following:

  1. Create one public subnet and place the NAT gateway there to allow outbound connectivity in the private subnet.

  2. Assign an internet gateway to the public subnet.

  3. All inbound traffic must be on private subnets.

  4. Create three private subnets. The private subnets must be in different availability zones (AZs).

  5. Route the private subnet to the NAT gateway.

  6. You must configure outbound traffic for CDP resources.

  7. The workload clusters containing CCM (Knox, master, or CM for Classic Cluster) must be able to reach the Network Load Balancers (NLBs). You can use port 443 to connect to the NLBs.

Create your security groups as described in Security groups.