Defining Security Rules

An administrator must configure security rules to control network traffic to and from Big Data Service resources.

Creating Ingress Rules (and Open Ports)

You must open certain ports on Big Data Service clusters to allow access to services like Apache Ambari, Hue, and JupyterHub. Configure these ports in the security ingress rules that apply to a cluster.

For information on creating an ingress rule, see Security Rules, and use the following values, which are specific to Big Data Service:
  1. In the Add Ingress Rules dialog box, set the following options to open port 22 for SSH access (if it isn't already open):
    • Stateless: Leave this box unchecked. This makes the rule stateful, which means that any response to the incoming traffic is allowed back to the originating host, regardless of any egress rules applicable to the instance.
    • Source Type: Select CIDR.
    • Source CIDR: Enter 0.0.0.0/0, which allows traffic from all sources on the internet. For a production cluster, narrow this to the CIDR ranges that actually need access (for example, your corporate or VPN egress range); an SSH port open to 0.0.0.0/0 is a standing invitation to brute-force attempts.
    • IP Protocol: Select TCP.
    • Source Port Range: Accept the default All.
    • Destination Port Range: Enter 22, to allow access through SSH.
    • Description: Add an optional description.
  2. At the bottom of the dialog box, click +Another Ingress Rule, and enter the values for the next rule. Repeat this for every port you need, and then click Add Ingress Rules.

    For additional information on ingress rule destination port ranges and rule examples, see Ingress Rule Destination Port Ranges.

Ingress Rule Destination Port Ranges

For a typical set of ingress rules for a cluster, create one TCP rule for each of the following destination ports:
  • SSH - port 22
  • Apache Ambari - port 7183
  • Hue - port 8888
  • JupyterHub - port 8000
  • Web Resource Manager - port 8090
  • Spark History Server - port 18088

[Image: the resulting ingress rules as listed in the console, one row per port above]
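As an added example (not from the Oracle documentation or the Big Data Service console), the following Python builds the same typical set of ingress rules as a JSON document in the shape of the OCI Networking API's IngressSecurityRule object, which is also what `oci network security-list update --ingress-security-rules file://rules.json` accepts, and then reports every destination port that the rule set would expose to 0.0.0.0/0. Each generated rule matches the dialog above: stateful, Source Type CIDR, IP Protocol TCP, Source Port Range All, Destination Port Range set to the single port. The source CIDR 203.0.113.0/24 and the rule descriptions are constructed placeholders.

```python
"""Build and sanity-check OCI security-list ingress rules for a Big Data Service cluster.

Added example, not Oracle's code. Emits the IngressSecurityRule JSON shape used by the
OCI Networking API and by `oci network security-list update --ingress-security-rules`.
The CIDR values used below are constructed placeholders.
"""
import ipaddress
import json

# Typical Big Data Service endpoints and their TCP destination ports (from the list above).
BDS_TCP_PORTS = {
    "SSH": 22,
    "Apache Ambari": 7183,
    "Hue": 8888,
    "JupyterHub": 8000,
    "Web Resource Manager": 8090,
    "Spark History Server": 18088,
}

TCP = "6"  # OCI security rules identify the protocol by its IANA number, as a string.


def make_ingress_rule(source_cidr: str, port: int, description: str) -> dict:
    """Return one stateful TCP ingress rule, equivalent to the console dialog:
    Stateless unchecked, Source Type CIDR, IP Protocol TCP, Source Port Range All,
    Destination Port Range = port."""
    # ip_network raises ValueError on a malformed CIDR, so a typo fails loudly
    # instead of silently becoming a rule nobody intended.
    ipaddress.ip_network(source_cidr, strict=True)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": TCP,
        "isStateless": False,  # stateful: replies are allowed back regardless of egress rules
        "tcpOptions": {
            # Omitting sourcePortRange means 'All' source ports, the console default.
            "destinationPortRange": {"min": port, "max": port},
        },
        "description": description,
    }


def build_cluster_ingress_rules(source_cidr: str, services=BDS_TCP_PORTS) -> list:
    """Build the whole 'typical' set of ingress rules for one allowed source CIDR."""
    return [make_ingress_rule(source_cidr, port, f"{name} (port {port})")
            for name, port in services.items()]


def world_open_ports(rules: list) -> list:
    """Return the TCP destination ports that any rule exposes to 0.0.0.0/0 or ::/0.

    The walkthrough above uses 0.0.0.0/0; run this before saving the rules to confirm
    that every world-open port, SSH in particular, is deliberate."""
    exposed = set()
    for rule in rules:
        if rule.get("source") in ("0.0.0.0/0", "::/0") and rule.get("protocol") == TCP:
            rng = rule.get("tcpOptions", {}).get("destinationPortRange")
            if rng:
                exposed.update(range(rng["min"], rng["max"] + 1))
    return sorted(exposed)


def rules_to_json(rules: list) -> str:
    """Serialize for `oci network security-list update --ingress-security-rules file://...`."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed placeholder CIDR: replace with the range that needs access to the cluster.
    rules = build_cluster_ingress_rules("203.0.113.0/24")
    print(rules_to_json(rules))
    print("world-open ports:", world_open_ports(rules))

    # The documentation's default of 0.0.0.0/0 exposes every listed port to the internet.
    risky = build_cluster_ingress_rules("0.0.0.0/0")
    print("world-open ports:", world_open_ports(risky))
```

Write the output of rules_to_json to a file and pass it to the CLI with `--ingress-security-rules file://rules.json`; note that this replaces the security list's entire ingress rule set, so merge in any existing rules you want to keep before updating. The same structure, with `destination` and `destinationType` in place of `source` and `sourceType`, is what the egress rules described later use.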

Creating Egress Rules

When you create a cluster, you can choose whether the service creates a NAT gateway for it. That choice determines how much control you have over outbound traffic.

  • If you choose the NAT gateway option when creating a cluster, all nodes have full outbound access to the public internet through that service-managed gateway. You can't limit that access in any way (for example, by restricting egress to only a few IP ranges).

  • If you choose not to create a NAT gateway when creating a cluster, you can create a NAT gateway yourself on the VCN you use to access the cluster. The gateway itself has no filtering policy; you limit egress to specified IP ranges with egress security rules on the cluster's subnet, as described in Security Rules.

  • If you assign public IP addresses to the cluster nodes, a NAT gateway isn't needed; the nodes reach the internet directly, and the subnet's egress rules are what limit that traffic.

For information on creating an egress rule, see Security Rules.