Restricting access for Cloudera services that create their own security groups on Azure
The security groups that you select to use during environment registration are only used for the Data Lake, FreeIPA, Cloudera Data Hub clusters, and Operational Databases running in that environment. The Kubernetes-based Cloudera services (Cloudera Data Warehouse and Cloudera AI) create their own security groups with rules that should be restricted separately.
The following table explains where and when you can restrict these rules:
CDP service | Type of access that can be restricted | When and where to restrict | Link to related documentation |
---|---|---|---|
Cloudera Data Engineering | Admin access to Kubernetes endpoints can be restricted. | Restrict admin access to Kubernetes endpoints while enabling Cloudera Data Engineering, via the Whitelist IPs parameter. | Enabling Cloudera Data Engineering |
Cloudera Data Warehouse | Both admin access to Kubernetes endpoints and end user access are always set to the same range, which can be set in the environment activation settings. While access to the Kubernetes endpoints is a combination of the Cloudera Control Plane's CIDR and the CIDR you provide in the environment activation settings, access to the end user access points (JDBC, UI) is limited to the CIDR you provide in the environment activation settings. | In the Cloudera Data Warehouse environment's activation settings. | Editing environment details |
Cloudera AI | There are two separate options: one for admin access to Kubernetes endpoints and another for end user access. | During Cloudera AI workbench provisioning, under Network Settings. | Provisioning Cloudera AI workbenches |