Creating an EC2 security group
An EC2 Security Group acts as a firewall that allows you to choose which protocols and ports are open in your cluster. You must specify a security group in the same region as your instances.
You can specify the protocols and ports either by a range of IP addresses or by security group. To protect your cluster, you should define a security group. Be aware that specifying a Source IP of 0.0.0.0/0 allows every IP address access by the specified protocol and port range.
If you need more help, click an informational icon or a link to the Amazon EC2 User Guide.
- Sign in to the AWS console.
  From the Amazon EC2 console navigation bar, select the same region as where you will launch the DataStax Community AMI.
- Open the Security Groups page.
  Create a security group with a name and description of your choice, then save it. It is recommended that you include the region name in the description.
  Note: Creating and saving the security group allows you to create rules based on the group. After the security group is saved it is available in the Source field drop-list.
- Create rules for the security group using the following table:
| Ports | Port number | Type | Protocol | Source | Description |
|---|---|---|---|---|---|
| Public ports | 22 | SSH | TCP | 0.0.0.0/0 | SSH port |
| Public ports | 8888 | Custom TCP Rule | TCP | 0.0.0.0/0 | OpsCenter website. The opscenterd daemon listens on this port for HTTP requests coming directly from the browser. |
| Cassandra inter-node ports | 1024 - 65355 | Custom TCP Rule | TCP | Your security group | JMX reconnection/loopback ports. For a safer alternative, see the description and note for port 7199. Note: Cassandra 1.2 or earlier only. Because JMX connects on port 7199, handshakes, and then uses any port within the 1024+ range, use SSH to execute commands remotely to connect to JMX locally, or use DataStax OpsCenter. |
| Cassandra inter-node ports | 7000 | Custom TCP Rule | TCP | Your security group | Cassandra inter-node cluster communication. |
| Cassandra inter-node ports | 7001 | Custom TCP Rule | TCP | Your security group | Cassandra SSL inter-node cluster communication. |
| Cassandra inter-node ports | 7199 | Custom TCP Rule | TCP | Your security group | Cassandra JMX monitoring port. After the initial handshake, the JMX protocol requires that the client reconnects on a randomly chosen port (1024+). Note: Starting with Java 7u4, you can specify the port used by JMX rather than a randomly assigned port. The standard RMI (Remote Method Invocation) registry port for JMX is set by the com.sun.management.jmxremote.port property. Use the com.sun.management.jmxremote.rmi.port property to specify the port used by JMX. |
| Cassandra client ports | 9042 | Custom TCP Rule | TCP | 0.0.0.0/0 | Cassandra client port. |
| Cassandra client ports | 9160 | Custom TCP Rule | TCP | 0.0.0.0/0 | Cassandra client port (Thrift). |
| OpsCenter inter-node ports | 61620 | Custom TCP Rule | TCP | Your security group | OpsCenter monitoring port. The opscenterd daemon listens on this port for TCP traffic coming from the agent. |
| OpsCenter inter-node ports | 61621 | Custom TCP Rule | TCP | Your security group | OpsCenter agent port. The agents listen on this port for SSL traffic initiated by OpsCenter. |
The completed port rules should look similar to this:

Warning: The security configuration shown in this example opens up all externally accessible ports to incoming traffic from any IP address (0.0.0.0/0). The risk of data loss is high. If you desire a more secure configuration, see the Amazon EC2 help on security groups.
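The rule table above expressed as AWS CLI calls, as an added example that is not part of the DataStax page. It assumes the AWS CLI is installed and configured for the same region as the instances; the `run`, `ingress` and `cassandra_rules` function names, the `PUBLIC_CIDR` and `DRY_RUN` variables, and the sample group id are this example's own. The inter-node rows use `--source-group` so they are scoped to members of the group itself rather than to a CIDR.

```shell
#!/bin/sh
# Added example (not from the DataStax page). Set DRY_RUN=1 to print the
# aws commands instead of executing them.

# Source for the "public" rows. Defaults to the page's 0.0.0.0/0; narrowing
# this to your own address range (e.g. 203.0.113.0/24, constructed) limits
# who can reach SSH, OpsCenter and the client ports.
PUBLIC_CIDR="${PUBLIC_CIDR:-0.0.0.0/0}"

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ingress GROUP_ID PORT_OR_RANGE SOURCE
# SOURCE is a CIDR, or a security-group id (sg-...) which becomes
# --source-group so only instances in that group match the rule.
ingress() {
    case "$3" in
        sg-*) run aws ec2 authorize-security-group-ingress --group-id "$1" \
                  --protocol tcp --port "$2" --source-group "$3" ;;
        *)    run aws ec2 authorize-security-group-ingress --group-id "$1" \
                  --protocol tcp --port "$2" --cidr "$3" ;;
    esac
}

# cassandra_rules GROUP_ID : apply every row of the table to GROUP_ID.
cassandra_rules() {
    sg="$1"
    # Public ports
    ingress "$sg" 22   "$PUBLIC_CIDR"   # SSH
    ingress "$sg" 8888 "$PUBLIC_CIDR"   # OpsCenter website (opscenterd HTTP)
    # Cassandra inter-node ports: source is the group itself
    ingress "$sg" 1024-65355 "$sg"      # JMX reconnection (Cassandra 1.2 or earlier only)
    ingress "$sg" 7000 "$sg"            # inter-node cluster communication
    ingress "$sg" 7001 "$sg"            # SSL inter-node cluster communication
    ingress "$sg" 7199 "$sg"            # JMX monitoring
    # Cassandra client ports
    ingress "$sg" 9042 "$PUBLIC_CIDR"   # Cassandra client port
    ingress "$sg" 9160 "$PUBLIC_CIDR"   # Cassandra client port (Thrift)
    # OpsCenter inter-node ports
    ingress "$sg" 61620 "$sg"           # opscenterd listens for agent traffic
    ingress "$sg" 61621 "$sg"           # agents listen for OpsCenter (SSL)
}

# Usage (live run), after creating the group in the cluster's region:
#   GROUP_ID=$(aws ec2 create-security-group --group-name cassandra-us-east-1 \
#       --description "Cassandra cluster us-east-1" --query GroupId --output text)
#   cassandra_rules "$GROUP_ID"
```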