EMR employs Tencent Cloud's Private Network (VPC) as its foundational network, utilizing security group settings within EMR to regulate internal node intercommunication and external node access to internal node-side virtual firewalls. This document primarily elucidates the best practices for employing security groups within EMR, assisting you in selecting an appropriate security group strategy.
Security Group
A security group functions as a stateful packet-filtering virtual firewall, employed to establish network access control for single or multiple cloud servers (nodes), serving as a crucial means of network security isolation provided by Tencent Cloud. In the absence of a security group, the creation of an EMR cluster will automatically generate a new security group for you. If the number of security groups has reached its limit and no new ones can be created, it is possible to delete some of the unused security groups. If a security group already exists, it can be directly viewed and utilized via the Private Network Console.
Usage Limitations and Regulations
For information regarding the usage limitations and quotas of security groups, please refer to the relevant restrictions on security groups in the Overview of Usage Limitations.
A security group rule consists of:
Source: IP address of the source data (inbound) or target data (outbound).
Protocol Type and Protocol Port: Protocol type, such as TCP, UDP, etc.
Policy: allow or reject the access request.
Principles for Selecting EMR Security Groups
By default, an existing security group is selected, specifically the EMR security group. However, users have the option to create a new EMR security group or select a non-EMR security group.
1. A newly created EMR security group will open ports 22 and 30001, as well as the necessary internal communication network segments. The new security group will be named in the format emr-xxxxxxxx_yyyyMMdd. Please refrain from manually altering the security group's name.
2. Select an existing security group as the security group for the current instance, supporting all available security groups in the current region. It is recommended to prioritize security groups beginning with emr-xxx, as these groups have already enabled the necessary policies for the normal operation of EMR services. Security groups not beginning with emr may lack the necessary inbound and outbound rules, leading to cluster creation failure or cluster unavailability. Please exercise caution when selecting security groups not beginning with emr.
3. When expanding nodes, the security group by default integrates the security group policy selected during the creation of the new cluster.
Details of EMR Security Group Policies
When creating a new EMR cluster using a non-EMR security group, the following inbound and outbound rules must be included, otherwise the cluster cannot be created.
Inbound rules
Source | Protocol Port | Policy | Note |
10.0.0.0/8 | ALL | ACCEPT | Unblock A network segment |
172.16.0.0/12 | ALL | ACCEPT | Unblock B network segment |
192.168.0.0/16 | ALL | ACCEPT | Unblock C network segment |
0.0.0.0/0 | ICMP | ACCEPT | Unblock local ICMP |
Outbound rules
Source | Protocol Port | Policy | Note |
0.0.0.0/0 | ALL | ACCEPT | Unblock all outbound traffic |
Inbound rules for accessing the webUI
When utilizing a non-EMR security group, to ensure normal access to the cluster service webUI, the inbound rules should encompass the following policies:
Source | Protocol Port | Policy | Note |
0.0.0.0/0 | TCP:13000 | ACCEPT | Port 13000, the hue port |
0.0.0.0/0 | TCP:30001 | ACCEPT | Unblock port 30001 |
0.0.0.0/0 | TCP:30002 | ACCEPT | Unblock port 30002 |
0.0.0.0/0 | TCP:22 | ACCEPT | Unblock the remote login port |