Configuring a Private Subnet

Use these instructions to configure a private subnet for your clusters:

Tunnelling with Bastion Nodes for Private Subnets in an AWS VPC

You must whitelist the IP addresses or NAT gateways that Qubole uses to tunnel to the bastion nodes for private subnets. The addresses to be whitelisted differ between QDS environments, as listed here:

AWS US Non-SOC-compliant Environment

When you are on the https://api.qubole.com QDS environment, ensure (as an administrator) that these IP addresses have access privileges to the Bastion node for private subnets in the Virtual Private Cloud (VPC):

  • 54.204.43.32/32
  • 54.243.39.255/32
  • 23.23.178.159/32
  • 54.243.29.190/32
  • 54.243.128.178/32
  • 23.21.153.231/32
  • 23.21.191.84/32
  • 34.205.91.155/32
  • 34.205.91.156/30
  • 34.205.91.160/28
  • 34.205.91.176/29
  • 34.205.91.184/31
  • 34.205.91.186/32

AWS US SOC-compliant Environment

When you are on the https://us.qubole.com QDS environment, ensure (as an administrator) that this NAT gateway has access privileges to the Bastion node for private subnets in the VPC:

  • 52.44.223.209/32

AWS Europe Region Environment

When you are on the https://eu-central-1.qubole.com QDS environment, ensure (as an administrator) that these NAT gateways have access privileges to the Bastion node for private subnets in the VPC:

  • 18.195.234.160
  • 18.195.249.80

AWS India Region Environment

When you are on the https://in.qubole.com QDS environment, ensure (as an administrator) that this NAT gateway has access privileges to the Bastion node for private subnets in the VPC:

  • 35.154.109.184/32

Configuring a Private Subnet for Azure Clusters

Proceed as follows:

  1. If your private subnet does not already exist, create it in the same VNet where you will launch the Bastion host.

    The subnet should have rules that are no more restrictive than these (Qubole recommends setting rules that are less restrictive):

    • A rule to allow ingress via all protocols to all ports from the Bastion node’s private IP address.
    • A rule that allows all communication via all protocols to all ports on all hosts within the subnet.

    You can configure the rules by means of a Network Security Group if you prefer (see Modifying Cluster Settings for Azure).

  2. Create a Qubole support ticket to get an IP address to be whitelisted and a public key to allow Qubole access to the Bastion host you are going to create. To allow SSH access, the Bastion host and the whitelisted address must be in the same subnet.

  3. Create a Bastion node in the same VNet as the private subnet.

  4. Bring up the Bastion node. See Bringing up the Bastion Node.

  5. Configure a QDS cluster to use the private subnet and Bastion node. See Configuring a QDS Cluster to use the Private Subnet and Bastion Node.

Bringing up the Bastion Node

Do the following after bringing up your Bastion node:

  1. Modify the SSH configuration in /etc/ssh/sshd_config to set GatewayPorts to yes.
  2. After editing the SSH configuration file, restart the ssh service by running sudo /etc/init.d/sshd restart.

Adding an SSH Key to the Bastion Node

To add an SSH key to the Bastion Node, log in to the Bastion node via SSH and add the key. This allows you to log in to the Bastion Node, and thus log in to the cluster.

Configuring a QDS Cluster to use the Private Subnet and Bastion Node

Follow these instructions to create or modify a QDS cluster on Azure. Under the Advanced tab, configure the following fields:

  • Virtual Network: From the drop-down menu, choose the VNet in which both the Bastion host and the cluster will be launched.
  • Subnet: Choose your private subnet from the drop-down menu.
  • Bastion Node: Provide the public IP address of your Bastion node.
  • Network Security Group: If you configured rules by means of a security group, choose that group from the drop-down menu.

When you are satisfied with your changes, choose Save or Update.

Configuring a Private Subnet for Oracle OCI Clusters

Proceed as follows:

  1. Create a Qubole support ticket to get a tunnel IP address and public key to allow Qubole access to the Bastion host you are going to create.

  2. To create a Bastion node, launch an instance using the Oracle-Linux-7.3 image. This instance must be in the same VCN as the private subnet.

  3. Add the public key provided by Qubole support to the authorized key list of user opc on the Bastion node. To do this, append the public key to /home/opc/.ssh/authorized_keys on the Bastion node.

  4. Run the following commands in the bash shell on the Bastion node. All of them need root privileges (for example, run them after sudo -i).

    # Create the ec2-user account that Qubole's tunnel logs in as, and let it
    # use the same authorized keys as opc (the key added in step 3).
    useradd ec2-user -p ''
    mkdir -p /home/ec2-user/.ssh
    cp /home/opc/.ssh/authorized_keys /home/ec2-user/.ssh/
    chown -R ec2-user:ec2-user /home/ec2-user/.ssh
    # Open TCP port 7000 (metastore access, see step 6) to the private subnet's
    # CIDR block only, if the host firewall is enabled.
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=<private subnet cidr block> port=7000 protocol=tcp accept'
    firewall-cmd --reload
    # Allow remote port forwards to bind on all interfaces. This appends the
    # directive; sshd uses the first value it finds, so if sshd_config already
    # contains a GatewayPorts line, change that line instead.
    bash -c 'echo "GatewayPorts yes" >> /etc/ssh/sshd_config'
    sudo service sshd restart

  5. If your private subnet does not already exist, create it in the same VCN where you launched the Bastion host.

    At a minimum, the subnet should have these rules:

    • A stateful rule to allow ingress via all protocols to all ports from the private subnet’s CIDR block.
    • A stateful rule to allow ingress via all protocols to all ports from the Bastion node’s private IP address.
    • A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0.

  6. Configure the Bastion host’s security list. This list should have these rules at a minimum:

    • A stateful rule to allow ingress via TCP to port 22 for ssh access from the tunnel server IP address specified by Qubole support.
    • A stateful rule to allow ingress via TCP to port 22 for ssh access from the public IP address of the Bastion node.
    • A stateful rule to allow ingress via TCP to port 7000 for metastore access from the private subnet’s CIDR block (see step 5 above).
    • A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0.

  7. Create a Qubole support ticket to provide your Bastion host’s public IP address. Qubole will enable private subnet support for your clusters.
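Both the Azure procedure (Bringing up the Bastion Node) and OCI step 4 above set GatewayPorts to yes, and the OCI commands do it by appending to sshd_config. Because sshd takes the first value it finds for a directive, a blind append is silently ignored when the file already contains an earlier "GatewayPorts no" line. The script below is an added example, not Qubole's own tooling: it rewrites the file so exactly one active GatewayPorts line remains, and reports the value sshd would actually use. It assumes the file has no Match blocks (the case for a stock sshd_config).

```shell
#!/bin/sh
# Added example (not Qubole's script): set "GatewayPorts yes" in an sshd_config
# file without relying on "echo >> sshd_config". sshd uses the FIRST value it
# finds for a directive, so this removes every existing GatewayPorts line
# (including commented-out defaults) and puts one active line at the top.
# Assumption: no Match blocks in the file, as in a stock sshd_config.

# set_gateway_ports CONFIG_FILE
set_gateway_ports() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk 'BEGIN { print "GatewayPorts yes" }
         {
             # Strip leading blanks and "#" so commented defaults are caught too.
             line = $0
             sub(/^[[:space:]]*#*[[:space:]]*/, "", line)
             split(line, f)
             if (tolower(f[1]) != "gatewayports") print $0
         }' "$cfg" > "$tmp" \
        && cat "$tmp" > "$cfg" \
        && rm -f "$tmp"     # copy back so the file keeps its owner and mode
}

# effective_gateway_ports CONFIG_FILE
# Prints the value sshd would use: the first active GatewayPorts line, or
# "no" (sshd's compiled-in default) when there is none.
effective_gateway_ports() {
    val=$(awk 'tolower($1) == "gatewayports" { print $2; exit }' "$1")
    printf '%s\n' "${val:-no}"
}

# Demo on a constructed sample file, not a real host's sshd_config.
demo=$(mktemp)
printf '#GatewayPorts no\nPermitRootLogin no\nGatewayPorts no\nX11Forwarding yes\n' > "$demo"
echo "before: $(effective_gateway_ports "$demo")"   # no
set_gateway_ports "$demo"
echo "after:  $(effective_gateway_ports "$demo")"   # yes
rm -f "$demo"
```

On the bastion itself, run `sshd -t` after the change and `sshd -T | grep -i gatewayports` to confirm the value the daemon will use before restarting it.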