Network Security Groups Configuration (AWS)
Overview
As part of the platform installation, a set of security groups are configured to control access at the network level ("network security groups"), in addition to the platform's application-level authentication. These groups can be reconfigured manually at any time after the installation. When the platform is created with private IPs only, security groups are usually not much of a concern. However, it's crucial to properly set up the security groups when the platform is assigned public IP addresses.
During the installation, you can provide the following, which affects the configuration of the network security groups; for more information, see the AWS installation guide:
- A CIDRs whitelist — a list of classless inter-domain routing (CIDR) addresses to be granted access to the platform's service ports.
- Iguazio access permission — allow Iguazio's support team to access the platform nodes from the Iguazio network.
- An installer CIDR — the CIDR of the machine on which you're running the platform installer. (This machine needs to connect to the platform during the installation to perform various actions.) A security groups' installer-CIDR rule can be deleted after the installation.
Security-Group Rules
The installation automatically creates two network security groups — one for the data cluster and one for the application cluster — and configures appropriate rules based on the installation parameters.
Data-Cluster Security-Group Rules
| Service | Source CIDRs | Destination Ports | Condition | Notes |
|---|---|---|---|---|
| Platform dashboard | Whitelisted CIDRs | 80, 443 | A CIDRs whitelist is provided. | Allows direct access to the platform dashboard from the data nodes. |
| Access to Iguazio support | Iguazio office | All | The Iguazio network is allowed access. | There are several ways to allow Iguazio support personnel to access the platform. One way is to allow access to the platform nodes from the Iguazio network (two /32 CIDR addresses). |
| SSH access for the installation | Installer CIDR | 22 | Always | The installer CIDR (configurable) is required because during the installation, the installer connects to the platform nodes through SSH. After the installation completes, this rule can be deleted.. |
| Inter-cluster communication | Application-cluster public IP addresses | All | Always | Allows the data and application clusters to occasionally communicate with each other through their public IP addresses. |
| All services | VPC | All | Always | Allows the platform nodes to freely communicate with each other through their private IP addresses. |
Application-Cluster Security-Group Rules
| Service | Source CIDRs | Destination Ports | Condition | Notes |
|---|---|---|---|---|
| HTTP/S ingress | Whitelisted CIDRs | 80, 443 | A CIDRs whitelist is provided. | Allows access to the platform dashboard and to various application services (such as Jupyter Notebook and Grafana) from the platform application nodes. |
| Kubernetes API server | Whitelisted CIDRs | 6443 | A CIDRs whitelist is provided. | Allows crafting a kubeconfig file and running |
| Web APIs (HTTP interface to the platform's data layer) | Whitelisted CIDRs | 8081, 8443 | A CIDRs whitelist is provided. | Accessing the platform's data layer through web-APIs service ports is much faster than through the HTTP/S ingress ports (80, 443), because the web-APIs ports are mapped directly to the platform's web-APIs service. |
| Kubernetes node ports | Whitelisted CIDRs | 30000–32000 | A CIDRs whitelist is provided. | These ports are usually used by Nuclio functions. Consuming Nuclio functions through the Kubernetes node ports is faster than through the HTTP/S ingress ports (80, 443), because it eliminates the need to go through the ingress. |
| Access to Iguazio support | Iguazio office | All | The Iguazio network is allowed access. | There are several ways to allow Iguazio support personnel to access the platform. One way is to allow access to the platform nodes from the Iguazio network (two /32 CIDR addresses). |
| SSH access for the installation | Installer CIDR | 22 | Always | The installer CIDR (configurable) is required because during the installation, the installer connects to the platform nodes through SSH. After the installation completes, this rule can be deleted.. |
| Inter-cluster communication | Data-cluster public IP addresses | All | Always | Allows the data and application clusters to occasionally communicate with each other through their public IP addresses. |
| All services | VPC | All | Always | Allows the platform nodes to freely communicate with each other through their private IP addresses. |
Adding and Removing a Security-Group Rule
You can modify the network security-group rules after the platform installation, through the AWS console and CLI, to enable or disable access to the platform. You should be able to modify most rules safely without affecting platform behavior, but do not modify the VPC CIDR or the application/data-cluster public IP addresses. For more information, see the AWS documentation.
Granting Access to IguazioSupport
If you allowed access to the platform from Iguazio's network during the installation, Iguazio's support personnel should be able to access the platform and assist you, provided the platform has public IP addresses. You can disable this access permission by simply removing the applicable rule in the security groups of both clusters (see the "Access to Iguazio support" service rules). If you'd like to provide access to Iguazio support regardless of whether the platform has public IP addresses), contact Iguazio's support team for instructions and a list of the latest CIDR addresses that you need to whitelist to allow this.