
Cloudbreak Security Group for AWS


New Contributor

Hi

I have a couple of questions:

1) I'm unable to modify the security groups directly from the AWS console for security groups created by Cloudbreak. Neither does Cloudbreak provide any option to modify the security group after the cluster deployment. Am I missing something?

2) I created a security group in Cloudbreak that opens all ports only within my company's exit IP. The cluster creation hangs with no information in the cbd logs. Is it mandatory to open up 22 and 443 globally?


Re: Cloudbreak Security Group for AWS

Contributor
  1. All resources created by Cloudbreak can be modified on the AWS site. To AWS it makes no difference where the API call or CloudFormation template comes from, nor does it differentiate between them in any way, so you are either using a different account or IAM role, as security groups created by Cloudbreak can be modified afterwards. People often do this and open or close ports on long-running clusters at the time it's needed.
  2. It's in the documentation: IMPORTANT, ports 443 and 22 need to be there in every security group, otherwise Cloudbreak won't be able to communicate with the provisioned cluster - http://sequenceiq.com/cloudbreak-docs/latest/aws/#infrastructure-templates under Security groups.

Re: Cloudbreak Security Group for AWS

New Contributor

Hi Janos,

Thanks for your reply.

Regarding point 2, I understand ports 443 and 22 need to be there in every security group, but should they be opened globally, i.e. 0.0.0.0/0?

Re: Cloudbreak Security Group for AWS

Contributor

They should not be opened globally - they should be accessible by the Cloudbreak application. You can deploy the Cloudbreak application (with CBD) on the same VPC (and/or subnet) as where the HDP clusters are provisioned - in that case they should not be opened globally. If you use the hosted Cloudbreak application (cloudbreak.sequenceiq.com), then you will have to open them globally - but it's not really recommended, as you should use your own Cloudbreak instance.


Re: Cloudbreak Security Group for AWS

Explorer

Hi Skanda,

Those ports don't need to be opened to all IPs. If you know what CIDR block or subnet(s) your cluster is on along with the Ambari server, then just open the ports up for that CIDR block; that should work.
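The replies above come down to two checks on a security group: ports 22 and 443 must be reachable from the Cloudbreak host, and they should not be open to 0.0.0.0/0. The following is an added example, not part of the thread or of Cloudbreak; it audits rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`, and the sample groups, CIDR blocks and Cloudbreak address are constructed assumptions.

```python
import ipaddress

REQUIRED_PORTS = (22, 443)  # ports the thread says Cloudbreak must reach

def covers_port(perm, port):
    """True if one IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_group(group, cloudbreak_ip):
    """Return (world_open, unreachable) lists of required ports.

    Only IPv4 CIDR rules (IpRanges) are examined; rules that reference
    other security groups or IPv6 ranges are ignored here.
    """
    cb = ipaddress.ip_address(cloudbreak_ip)
    world_open, unreachable = [], []
    for port in REQUIRED_PORTS:
        nets = [ipaddress.ip_network(r["CidrIp"], strict=False)
                for perm in group.get("IpPermissions", [])
                if covers_port(perm, port)
                for r in perm.get("IpRanges", [])]
        if any(n.prefixlen == 0 for n in nets):
            world_open.append(port)
        if not any(cb in n for n in nets):
            unreachable.append(port)
    return world_open, unreachable

def tcp(port, cidr):
    """Build a single-port TCP ingress rule for the sample data."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample groups (not taken from the thread).
CLOUDBREAK_IP = "10.0.1.15"  # assumed address of a cbd host inside the VPC
GLOBAL = {"GroupName": "global",
          "IpPermissions": [tcp(22, "0.0.0.0/0"), tcp(443, "0.0.0.0/0")]}
EXIT_IP_ONLY = {"GroupName": "exit-ip-only", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
VPC_SCOPED = {"GroupName": "vpc-scoped",
              "IpPermissions": [tcp(22, "10.0.0.0/16"), tcp(443, "10.0.0.0/16")]}

if __name__ == "__main__":
    for g in (GLOBAL, EXIT_IP_ONLY, VPC_SCOPED):
        print(g["GroupName"], audit_group(g, CLOUDBREAK_IP))
```

A group passes when both returned lists are empty, as with the VPC-scoped sample.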
