Configuring a Private Subnet¶
This section explains how to configure a private subnet for your clusters:
- Configuring a Cluster in a VPC with Public and Private Subnets (AWS)
- Configuring a Private Subnet for Oracle OCI Clusters
Configuring a Private Subnet for Oracle OCI Clusters¶
Proceed as follows:
Create a Qubole support ticket to get a tunnel IP address and public key to allow Qubole access to the Bastion host you are going to create.
To create a Bastion node, launch an instance using the Oracle-Linux-7.3 image. This instance must be in the same VCN as the private subnet.
Add the public key provided by Qubole support to the authorized key list of user
opcon the Bastion node. To do this, append the public key to
/home/opc/.ssh/authorized_keyson the Bastion node.
Run the following commands in the
bashshell on the Bastion node.
useradd ec2-user -p '' mkdir -p /home/ec2-user/.ssh cp /home/opc/.ssh/authorized_keys /home/ec2-user/.ssh/ chown -R ec2-user:ec2-user /home/ec2-user/.ssh # Need to open port 7000 to private subnet CIDR block using firewall if required. firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=<private subnet cidr block> port=7000 protocol=tcp accept' firewall-cmd --reload bash -c 'echo "GatewayPorts yes" >> /etc/ssh/sshd_config' sudo service sshd restart
If your private subnet does not already exist, create it in the same VCN where you launched the Bastion host.
At a minimum, the subnet should have these rules:
- A stateful rule to allow ingress via all protocols to all ports from the private subnet’s CIDR block.
- A stateful rule to allow ingress via all protocols to all ports from the Bastion node’s private IP address.
- A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0
Configure the Bastion host’s security list. This list should have these rules at a minimum:
- A stateful rule to allow ingress via TCP to port 22 for ssh access from the tunnel server IP address specified by Qubole support.
- A stateful rule to allow ingress via TCP protocols to port 22 for ssh access from the public IP address of the Bastion node.
- A stateful rule to allow ingress via TCP to port 7000 for metastore access from the private subnet’s CIDR block (see step 5 above).
- A stateful rule to allow egress via all protocols and all ports to destination 0.0.0.0/0.
Create a Qubole support ticket to provide your Bastion host’s public IP address. Qubole will enable private subnet support for your clusters.