Networking in Managed Service for Trino

When creating a cluster, you can specify the following network settings:

• Network and subnet within it.

  There are some requirements in place for the subnet because the cluster dedicates special IP addresses.

• Security groups to allow only specific outbound traffic.

Cluster IP addressesCluster IP addresses

The Managed Service for Trino cluster dedicates special IP addresses in its subnet. The cluster uses these addresses to connect to other Yandex Cloud resources. You can add a catalog and configure it to connect to your cloud resources supported by Managed Service for Trino connectors.

By default, the cluster's IP addresses only work within the internal network. To give your cluster access to resources on the internet, configure a NAT gateway.

Managed Service for Trino clusters use dynamic IP addresses which may change, e.g., during maintenance. So if you need to identify cluster addresses, use subnet ranges instead of specific IP addresses. For example, if you are using Yandex Cloud Interconnect to connect a Managed Service for Trino cluster to your on-prem infrastructure, we recommend whitelisting the whole subnet range in your firewall settings.

Requirements for cluster subnetsRequirements for cluster subnets

Make sure your Managed Service for Trino cluster subnet meets the following conditions:

• The cluster's IP range does not overlap with the 10.248.0.0/13 service IP range Yandex Cloud uses to manage Managed Service for Trino cluster components.

  If this condition is not met, you will get an error when creating the cluster.

  This requirement also applies to networks in your on-premise infrastructure if it is connected to the Managed Service for Trino cluster via Yandex Cloud Interconnect. From a Trino cluster, you will not be able to connect to resources with IPs from the 10.248.0.0/13 range.

• The subnet range includes at least 2 × N vacant IP addresses, where N is the total number of instances of all Managed Service for Trino cluster components. Let's assume your cluster consists of a coordinator and four workers. Then, N = 5, and the subnet must have at least ten vacant addresses.

  If you have enabled autoscaling for workers, use the maximum possible number of cluster workers in your calculations.

Security groupsSecurity groups

Security groups do not restrict inbound traffic to the Managed Service for Trino cluster and do not affect the Trino web interface availability. You do not need to configure any inbound traffic rules.

You can use security groups to configure outbound traffic rules, e.g., when setting up a new catalog.

If you have not assigned any security group to your Managed Service for Trino cluster, the default security group will be automatically assigned.