Configuring security groups
Cluster access depends on the security group configuration. Make sure the rules allow the required traffic.
Alert
When setting up security groups, do not change the rules for control plane traffic. This may cause the cluster to fail.
Rule settings depend on the connection method you select:
- To connect to subcluster hosts with public access from cloud networks and the internet, configure the cluster security groups to allow inbound traffic from any IP address on port 22. To do this, create the following inbound rule:
  - Port range: 22.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
- To connect to a cluster from a jump host VM:
  - Configure the VM security group to allow connections to the VM and traffic between the VM and subcluster hosts. To do this, create the following rules:
    - For inbound traffic:
      - Port range: 22.
      - Protocol: TCP.
      - Source: CIDR.
      - CIDR blocks: 0.0.0.0/0.
    - For outbound traffic:
      - Port range: 22.
      - Protocol: TCP.
      - Destination name: CIDR.
      - CIDR blocks: Address range of the subnet where the cluster hosts reside. If subclusters are in different subnets, create this rule for each subnet.
  - Configure the cluster security groups to allow inbound traffic from the VM security group on port 22. To do this, create the following rule for inbound traffic:
    - Port range: 22.
    - Protocol: TCP.
    - Source: Security group.
    - Security group: VM security group.
To use UI Proxy, add rules to the subcluster host's security group to allow inbound traffic on port 443:
- Port range: 443.
- Protocol: TCP.
- Source: CIDR.
- CIDR blocks: 0.0.0.0/0.

If the connection is established via a jump host VM, add rules to the subcluster host's security group that allow connections via this VM:
- For inbound traffic:
  - Port range: 443.
  - Protocol: TCP.
  - Source: CIDR.
  - CIDR blocks: 0.0.0.0/0.
- For outbound traffic:
  - Port range: 443.
  - Protocol: TCP.
  - Destination name: CIDR.
  - CIDR blocks: Address range of the subnet where the subcluster host resides.
If using port forwarding, add rules to the jump host VM security group that allow inbound and outbound traffic on the ports of the required components:
- Port range: <component_port>. Port numbers for the Yandex Data Processing components are shown in the table:

  | Service | Port |
  |---|---|
  | HBase Master | 16010 |
  | HBase REST | 8085 |
  | HDFS Name Node | 9870 |
  | Hive Server2 | 10002 |
  | Livy | 8998 |
  | MapReduce Application History | 19888 |
  | Oozie | 11000 |
  | Spark History | 18080 |
  | YARN Application History | 8188 |
  | YARN Resource Manager | 8088 |
  | Zeppelin | 8890 |

- Protocol: TCP.
- Source: CIDR.
- CIDR blocks: 0.0.0.0/0.
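The jump host VM scenario above, expressed as a Terraform configuration. This is an added example, not a configuration from the Yandex Cloud documentation; the network, security group and variable names and the 10.10.0.0/24 subnet range are constructed placeholders, and the rules are the SSH rules listed above (the UI Proxy and port forwarding rules are not included).

```hcl
# Constructed placeholder: the address range of the subnet where the
# subcluster hosts reside. Repeat the egress rule for each subnet if the
# subclusters are in different subnets.
variable "cluster_subnet_cidr" {
  description = "Subnet of the subcluster hosts (placeholder value)"
  default     = "10.10.0.0/24"
}

resource "yandex_vpc_network" "net" {
  name = "dataproc-net" # placeholder name
}

# Security group of the jump host VM
resource "yandex_vpc_security_group" "jump_host" {
  name       = "dataproc-jump-host-sg" # placeholder name
  network_id = yandex_vpc_network.net.id

  # Inbound SSH to the jump host. The rule above allows 0.0.0.0/0;
  # the Note below recommends narrowing it to specific subnets where possible.
  ingress {
    description    = "SSH to the jump host"
    protocol       = "TCP"
    port           = 22
    v4_cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound SSH from the jump host only to the subcluster hosts' subnet
  egress {
    description    = "SSH from the jump host to subcluster hosts"
    protocol       = "TCP"
    port           = 22
    v4_cidr_blocks = [var.cluster_subnet_cidr]
  }
}

# Security group of the cluster (subcluster hosts)
resource "yandex_vpc_security_group" "cluster" {
  name       = "dataproc-cluster-sg" # placeholder name
  network_id = yandex_vpc_network.net.id

  # Inbound SSH is allowed only from the jump host's security group,
  # so no CIDR-based SSH rule is needed on the cluster side.
  ingress {
    description       = "SSH from the jump host security group"
    protocol          = "TCP"
    port              = 22
    security_group_id = yandex_vpc_security_group.jump_host.id
  }
}
```

The cluster security group referenced here is the one you attach to the cluster; control plane rules are not touched, as the Alert above requires.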
Note
You can specify more granular rules for your security groups, such as allowing traffic only within specific subnets.
Make sure to properly configure security groups for all subnets where the subclusters will reside.
For more information about security groups, see Security groups.