© 2025 Direct Cursus Technology L.L.C.

Configuring security groups

Written by Yandex Cloud
Updated on September 25, 2025

Security group settings affect cluster connections. Make sure the rules allow the required traffic.

Alert

When setting up security groups, do not change the rules for control plane traffic. This may cause the cluster to fail.

Rule settings depend on the connection method you select:

  • SSH
  • UI Proxy
  • Connecting with port forwarding

SSH

  • To connect to the subcluster hosts with public access from cloud networks and the internet, configure cluster security groups to allow inbound traffic from any IP address on port 22. To do this, create the following rule for inbound traffic:

    • Port range: 22.
    • Protocol: TCP.
    • Source: CIDR.
    • CIDR blocks: 0.0.0.0/0.
  • To connect to a cluster from a jump host VM:

    1. Configure the security group where the VM is located to allow connections to the VM and traffic between the VM and subcluster hosts. To do this, create the following rules:

      • For inbound traffic:

        • Port range: 22.
        • Protocol: TCP.
        • Source: CIDR.
        • CIDR blocks: 0.0.0.0/0.
      • For outbound traffic:

        • Port range: 22.
        • Protocol: TCP.
        • Destination name: CIDR.
        • CIDR blocks: Address range of the subnet in which the cluster hosts are located. If subclusters are in different subnets, create this rule for each subnet.
    2. Configure the cluster security groups to allow inbound traffic from the security group where the VM is located on port 22. To do this, create the following rule for inbound traffic:

      • Port range: 22.
      • Protocol: TCP.
      • Source: Security group.
      • Security group: Security group assigned to the VM.

UI Proxy

To use UI Proxy, add rules to the subcluster host's security group that allow inbound traffic via port 443:

  • Port range: 443.
  • Protocol: TCP.
  • Source: CIDR.
  • CIDR blocks: 0.0.0.0/0.

If the connection is established via a jump host VM, add rules to the subcluster host's security group that allow connections via this VM:

  • For inbound traffic:

    • Port range: 443.
    • Protocol: TCP.
    • Source: CIDR.
    • CIDR blocks: 0.0.0.0/0.
  • For outbound traffic:

    • Port range: 443.
    • Protocol: TCP.
    • Destination name: CIDR.
    • CIDR blocks: Address range of the subnet in which the subcluster host is located.

Connecting with port forwarding

If you are using port forwarding, add rules to the intermediate VM security group that allow inbound and outbound traffic via the ports of the required components:

  • Port range: <component_port>.

    Port numbers for Yandex Data Processing components are shown in the table:

    Service                          Port
    HBase Master                     16010
    HBase REST                       8085
    HDFS Name Node                   9870
    Hive Server2                     10002
    Livy                             8998
    MapReduce Application History    19888
    Oozie                            11000
    Spark History                    18080
    YARN Application History         8188
    YARN Resource Manager            8088
    Zeppelin                         8890

  • Protocol: TCP.
  • Source: CIDR.
  • CIDR blocks: 0.0.0.0/0.

Note

You can specify more granular rules for your security groups, such as allowing traffic only within specific subnets.

Security groups must have correct configurations for all subnets where cluster hosts will be located.
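
A rule set can be checked against the requirements on this page before it is applied. The following is an added example, not Yandex Cloud code: it verifies the jump host SSH path described in the SSH section and lists which of this page's ports an inbound rule leaves open to 0.0.0.0/0. The `Rule` record format, the addresses and the group name `sg-jump` are constructed for the illustration, and only TCP rules are modelled.

```python
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

# Ports named on this page: SSH, UI Proxy, and the component table.
SERVICE_BY_PORT = {
    22: "SSH", 443: "UI Proxy", 16010: "HBase Master", 8085: "HBase REST",
    9870: "HDFS Name Node", 10002: "Hive Server2", 8998: "Livy", 11000: "Oozie",
    19888: "MapReduce Application History", 18080: "Spark History",
    8188: "YARN Application History", 8088: "YARN Resource Manager", 8890: "Zeppelin",
}

@dataclass(frozen=True)
class Rule:
    """Hypothetical TCP rule record for this example, not the Yandex Cloud API schema."""
    direction: str   # "ingress" or "egress"
    from_port: int
    to_port: int
    cidr: str = ""   # peer given as a CIDR block, or
    sg: str = ""     # peer given as a security group name

def allows(rules, direction, port, peer_ip="", peer_sg=""):
    """True if a rule permits `port` in `direction` for the peer (IP or group)."""
    for r in rules:
        if r.direction != direction or not r.from_port <= port <= r.to_port:
            continue
        if (r.sg and r.sg == peer_sg) or (
                r.cidr and peer_ip and ip_address(peer_ip) in ip_network(r.cidr)):
            return True
    return False

def jump_host_ssh_ok(vm_rules, cluster_rules, vm_sg, admin_ip, host_ip):
    """Client -> VM on 22, VM -> cluster host on 22, cluster accepts the VM's group."""
    return (allows(vm_rules, "ingress", 22, peer_ip=admin_ip)
            and allows(vm_rules, "egress", 22, peer_ip=host_ip)
            and allows(cluster_rules, "ingress", 22, peer_sg=vm_sg))

def world_open(rules):
    """Services from this page that an ingress rule exposes to 0.0.0.0/0."""
    wide = [r for r in rules if r.direction == "ingress" and r.cidr
            and ip_network(r.cidr).prefixlen == 0]
    return sorted({name for r in wide for port, name in SERVICE_BY_PORT.items()
                   if r.from_port <= port <= r.to_port})

# Constructed sample data (addresses and group name are made up).
VM_SG = [Rule("ingress", 22, 22, cidr="0.0.0.0/0"),
         Rule("egress", 22, 22, cidr="10.1.0.0/24")]
CLUSTER_SG = [Rule("ingress", 22, 22, sg="sg-jump")]
BROAD_SG = [Rule("ingress", 22, 22, cidr="0.0.0.0/0"),
            Rule("ingress", 8000, 9000, cidr="0.0.0.0/0")]
```

With the sample data, `jump_host_ssh_ok` fails for a cluster host at 10.2.0.15 because the VM's outbound rule covers only 10.1.0.0/24, which is the case the SSH section addresses by creating the outbound rule for each subnet.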

For more information about security groups, see Security groups.
