An EC2 Security Group acts as a firewall that lets you choose which protocols
and ports are open in your cluster. For each protocol and port you specify the
allowed source either as a range of IP addresses or as a security group. The
default EC2 security group opens all ports and protocols only to instances that
are members of the default group, so you must define a security group for your
Cassandra cluster. Be aware that specifying a Source IP of 0.0.0.0/0 allows every
IP address access to the specified protocol and port.
1. In your Amazon EC2 Console Dashboard, under Resources, select .
2. Fill out the name and description and then click Yes,
3. Under Security Group, click the Inbound tab and add rules for the ports:
   - For Create a new rule, select Custom.
   - For Port range, see the table below.
   - For Source, see the table below.
   To create rules that open a port to other nodes in the same security group,
   in the Source field, enter the letters sg, and then select your security group.
Publicly accessible port
  - OpsCenter website. The opscenterd daemon listens on this port for HTTP
    requests coming directly from the browser.

Cassandra inter-node ports
  - JMX reconnection/loopback ports (1024+). See the description of port 7199.
  - Cassandra inter-node cluster communication.
  - Cassandra JMX monitoring port (7199). After the initial handshake, the JMX
    protocol requires that the client reconnects on a randomly chosen port (1024+).
  - Cassandra client port (Thrift).

Cassandra OpsCenter ports
  - OpsCenter monitoring port. The opscenterd daemon listens on this port for
    TCP traffic coming from the agent.
  - OpsCenter agent port. The agents listen on this port for SSL traffic
    initiated by OpsCenter.
Note: Generally, when there are firewalls between machines, it is difficult to
run JMX across a network and maintain security, because JMX connects on
port 7199, handshakes, and then uses any port in the 1024+ range. Instead, use
SSH to execute commands remotely, so that the connection to JMX is made
locally on the node, or use DataStax OpsCenter.
After you have added the port rules above, your completed port rules
should look similar to this:
The security configuration shown in the example above opens all externally
accessible ports to incoming traffic from any IP address (0.0.0.0/0). The risk
of data loss is high. If you want a more secure configuration, see the Amazon
EC2 help on security groups.
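The two points this page makes about the security group (open the cluster ports only to members of the same group by using an sg reference as the Source, and never leave a 0.0.0.0/0 rule in place) can be checked programmatically. The following is an added example, not DataStax or Amazon code: it builds the ingress rules in the shape that boto3's describe_security_groups() returns for IpPermissions, and audits a rule set for anything exposed to 0.0.0.0/0 or ::/0, including a rule that opens the whole 1024+ JMX reconnect range. The only port the page itself names is 7199; the other port numbers are the assumed Cassandra and OpsCenter defaults and must be confirmed against cassandra.yaml and opscenterd.conf, and the group ID and admin network are constructed placeholders. It runs offline and does not call AWS.

```python
"""Build and audit EC2 security group ingress rules for a Cassandra cluster.

Added example (not DataStax or AWS code). Rule dicts follow the boto3
describe_security_groups() 'IpPermissions' layout so the audit can also be
run on real output, but nothing here talks to AWS.
"""
from ipaddress import ip_network

# Port numbers: 7199 is named on the page; the others are the ASSUMED
# default Cassandra / OpsCenter ports. Verify against your configuration.
CLUSTER_PORTS = {
    7000: "Cassandra inter-node cluster communication (assumed default)",
    7199: "Cassandra JMX monitoring port",
    9160: "Cassandra client port, Thrift (assumed default)",
    61620: "OpsCenter monitoring port, agent -> opscenterd (assumed default)",
    61621: "OpsCenter agent port, opscenterd -> agent (assumed default)",
}
OPSCENTER_WEB_PORT = 8888  # assumed default for the OpsCenter website
JMX_RECONNECT_LOW, PORT_MAX = 1024, 65535


def build_ingress_rules(group_id, admin_cidr):
    """Cluster ports are opened only to members of the same security group
    (the 'sg-...' Source described on the page); the OpsCenter website is
    opened only to the administrator's network, never to 0.0.0.0/0."""
    rules = []
    for port in sorted(CLUSTER_PORTS):
        rules.append({
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group_id}],  # self-reference
            "IpRanges": [], "Ipv6Ranges": [],
        })
    rules.append({
        "IpProtocol": "tcp",
        "FromPort": OPSCENTER_WEB_PORT, "ToPort": OPSCENTER_WEB_PORT,
        "UserIdGroupPairs": [],
        # ip_network() rejects a malformed CIDR instead of silently accepting it
        "IpRanges": [{"CidrIp": str(ip_network(admin_cidr))}],
        "Ipv6Ranges": [],
    })
    return rules


def audit_ingress_rules(rules):
    """Return findings for rules whose source is the whole internet
    (prefix length 0, i.e. 0.0.0.0/0 or ::/0) and which cover a cluster
    port, the OpsCenter website, or the entire 1024+ JMX reconnect range."""
    findings = []
    for rule in rules:
        lo = rule.get("FromPort", 0)
        hi = rule.get("ToPort", PORT_MAX)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if ip_network(c).prefixlen == 0]
        if not world:
            continue  # sg-referenced or CIDR-restricted rule: fine
        for port, desc in sorted(CLUSTER_PORTS.items()):
            if lo <= port <= hi:
                findings.append(f"port {port} ({desc}) open to {world[0]}")
        if lo <= OPSCENTER_WEB_PORT <= hi:
            findings.append(f"OpsCenter website port {OPSCENTER_WEB_PORT} "
                            f"open to {world[0]}")
        if lo <= JMX_RECONNECT_LOW and hi >= PORT_MAX:
            findings.append(f"entire JMX reconnect range {JMX_RECONNECT_LOW}+ "
                            f"open to {world[0]}")
    return findings


def wide_open_example():
    """The configuration the page warns about, constructed here: one rule
    that opens every port 1024 and above to any IPv4 address."""
    return [{"IpProtocol": "tcp", "FromPort": JMX_RECONNECT_LOW,
             "ToPort": PORT_MAX, "UserIdGroupPairs": [],
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]


if __name__ == "__main__":
    # Constructed placeholders: group ID and admin network are not real.
    good = build_ingress_rules("sg-0123456789abcdef0", "203.0.113.0/24")
    print("restricted rule set findings:", audit_ingress_rules(good))
    for finding in audit_ingress_rules(wide_open_example()):
        print("FINDING:", finding)
```

Run the audit against the output of `aws ec2 describe-security-groups` (the IpPermissions list of each group) to see which of the ports above, if any, still face the internet; a clean result means each cluster port is reachable only through the group's own sg reference, which is the configuration the page recommends.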