Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Can HDCloud be created only in VPC?

avatar
author-rank vivek_sharma
Explorer

Created ‎01-01-2017 03:33 AM

It appears that HDCloud can be created only on AWS VPC. What about AWS public cloud? Is this a limitation?

2,386 Views
1 ACCEPTED SOLUTION

avatar
author-rank tmccuch author-rank
Guru

Created ‎01-02-2017 08:48 PM

@Vivek Sharma

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a virtual private cloud (VPC), an isolated area within AWS where you can configure a virtual network, controlling aspects such as private IP address ranges, subnets, routing tables, and network gateways. HDCloud requires a VPC, and is therefore limited to the AWS private cloud.

From the Network and Security section of the current Hortonworks Data Cloud documentation:In addition to the Amazon EC2 instances created for the cloud controller and cluster nodes, Hortonworks Data Cloud deploys the following network and security AWS resources on your behalf:

  • An Amazon VPC configured with a public subnet: When deploying the cloud controller, you have two options: (1) you can specify an existing VPC, or (2) have the cloud controller create a new VPC. Each cluster is launched into a separate subnet. For more information, see Security documentation.
  • An Internet gateway and a route table (as part of VPC infrastructure): An Internet gateway is used to enable outbound access to the Internet from the control plane and the clusters, and a route table is used to connect the subnet to the Internet gateway. For more information on Amazon VPC architecture, see AWS documentation.
  • Security groups: to control the inbound and outbound traffic to and from the control plane instance. For more information, see Security documentation.
  • IAM instance roles: to hold the permissions to create certain resources. For more information, see Security documentation.

If using your own VPC, make sure that:

  • The subnet specified when creating a controller or cluster exists within the specified VPC.
  • Your VPC has an Internet gateway attached.
  • Your VPC has a route table attached.
  • The route table includes a rule that routes all traffic (0.0.0.0/0) to the Internet gateway. This routes all subnet traffic that isn't between the instances within the VPC to the Internet over the Internet gateway.

Since the subnets used by HDC must be associated with a route table that has a route to an Internet gateway, they are referred to as Public subnets. Because of this, the system is configured by default to restrict inbound network traffic to a minimal set of ports. The following security groups are created automatically:

  • The CloudbreakSecurityGroup security group is created when launching your cloud controller and is associated with your cloud controller instance. By default, this group enables HTTP (80) and HTTPS (443) access to the Cloud UI and SSH access from the remote locations specified as "Remote Access" CloudFormation parameter.
  • The ClusterNodeSecurityGroupmaster security group is created when you create a cluster and is associated with all Master node(s). By default, this group enables SSH access from the remote locations specified as "Remote Access" parameter when creating the cluster.
  • The ClusterNodeSecurityGroupworker security group is created when you create a cluster and is associated with all Worker node(s). By default, this group enables SSH access from the remote locations specified as "Remote Access" parameter when creating the cluster.

See the Ports section of the Security documentation for information about additional ports that may be opened on these groups.

View solution in original post

2,266 Views
5 REPLIES 5

avatar
author-rank tmccuch author-rank
Guru

Created ‎01-02-2017 08:48 PM

@Vivek Sharma

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a virtual private cloud (VPC), an isolated area within AWS where you can configure a virtual network, controlling aspects such as private IP address ranges, subnets, routing tables, and network gateways. HDCloud requires a VPC, and is therefore limited to the AWS private cloud.

From the Network and Security section of the current Hortonworks Data Cloud documentation:In addition to the Amazon EC2 instances created for the cloud controller and cluster nodes, Hortonworks Data Cloud deploys the following network and security AWS resources on your behalf:

  • An Amazon VPC configured with a public subnet: When deploying the cloud controller, you have two options: (1) you can specify an existing VPC, or (2) have the cloud controller create a new VPC. Each cluster is launched into a separate subnet. For more information, see Security documentation.
  • An Internet gateway and a route table (as part of VPC infrastructure): An Internet gateway is used to enable outbound access to the Internet from the control plane and the clusters, and a route table is used to connect the subnet to the Internet gateway. For more information on Amazon VPC architecture, see AWS documentation.
  • Security groups: to control the inbound and outbound traffic to and from the control plane instance. For more information, see Security documentation.
  • IAM instance roles: to hold the permissions to create certain resources. For more information, see Security documentation.

If using your own VPC, make sure that:

  • The subnet specified when creating a controller or cluster exists within the specified VPC.
  • Your VPC has an Internet gateway attached.
  • Your VPC has a route table attached.
  • The route table includes a rule that routes all traffic (0.0.0.0/0) to the Internet gateway. This routes all subnet traffic that isn't between the instances within the VPC to the Internet over the Internet gateway.

Since the subnets used by HDC must be associated with a route table that has a route to an Internet gateway, they are referred to as Public subnets. Because of this, the system is configured by default to restrict inbound network traffic to a minimal set of ports. The following security groups are created automatically:

  • The CloudbreakSecurityGroup security group is created when launching your cloud controller and is associated with your cloud controller instance. By default, this group enables HTTP (80) and HTTPS (443) access to the Cloud UI and SSH access from the remote locations specified as "Remote Access" CloudFormation parameter.
  • The ClusterNodeSecurityGroupmaster security group is created when you create a cluster and is associated with all Master node(s). By default, this group enables SSH access from the remote locations specified as "Remote Access" parameter when creating the cluster.
  • The ClusterNodeSecurityGroupworker security group is created when you create a cluster and is associated with all Worker node(s). By default, this group enables SSH access from the remote locations specified as "Remote Access" parameter when creating the cluster.

See the Ports section of the Security documentation for information about additional ports that may be opened on these groups.

2,267 Views

avatar
author-rank tmccuch author-rank
Guru

Created ‎01-02-2017 08:49 PM

@Dominika Bialek to review this answer

2,266 Views
0 Kudos

avatar
author-rank tmccuch author-rank
Guru

Created ‎01-03-2017 05:47 PM

@Vivek Sharma If this answer helps, please accept it. Otherwise, I'd be happy to answer any remaining questions you have.

Thanks! _Tom

2,266 Views
0 Kudos

avatar
author-rank Dominika author-rank
Guru

Created ‎01-03-2017 06:00 PM

Hi @Vivek Sharma What do you mean by "AWS public cloud"? You have an option to launch HDCloud in your own custom VPC that can be configured according to your needs. See https://aws.amazon.com/vpc/. What else do you need?

2,266 Views
0 Kudos

avatar
author-rank vivek_sharma
Explorer

Created ‎01-03-2017 06:20 PM

Thanks @Dominika Bialek and @Tom McCuch

By AWS public cloud, I mean EC2-Classic.

2,266 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements