This section describes the security group rule settings that are required to allow communication within the cluster.
PRIMECLUSTER uses several protocols/ports for communication within the cluster. Set the rules described in this section so that the protocols/ports used for communication within the cluster are allowed.
In addition to the rules described in this section, you can add rules based on the security requirements of the customer to design security groups.
Design the security rules applied to the administrative LAN.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | udp | 9382 | Used for the shutdown facility (SF) |
| Own group | udp | 9796 | Used for the management view |
| Own group | tcp | 9797 | Used for the management view |
| Own group | icmp | 0-65535 | Used for clchkcluster |

| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| 0.0.0.0/0 | tcp | 443 | Used for forced stop and network switching |
| 0.0.0.0/0 | tcp | 53 | Used for forced stop and network switching |
| Own group | icmp | 0-65535 | Used for clchkcluster |
| Own group | udp | 9382 | Used for the shutdown facility (SF) |
| Own group | udp | 9796 | Used for the management view |
| Own group | tcp | 9797 | Used for the management view |
Create the security groups for the Web-Based Admin View with the following setting values.
1) When connecting from an instance used as the management view client
Create the security groups for the Web-Based Admin View (cluster node side) with the following setting values.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | tcp | 8081 | Used for the management view |
| Own group | tcp | 9798 | Used for the management view |
| Own group | tcp | 9799 | Used for the management view |
Create the security groups for the Web-Based Admin View (management client side) with the following setting values.
| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | tcp | 8081 | Used for the management view |
| Own group | tcp | 9798 | Used for the management view |
| Own group | tcp | 9799 | Used for the management view |
Also, create an inbound rule in the security group that allows a remote desktop connection from the remote control terminal of the management view client to the instance used as the management view client.
2) When connecting through a VPN connection
Create the security groups for the Web-Based Admin View (cluster node side) with the following setting values.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| CIDR of the management view client | tcp | 8081 | Used for the management view |
| CIDR of the management view client | tcp | 9798 | Used for the management view |
| CIDR of the management view client | tcp | 9799 | Used for the management view |
Create the security groups for the Web-Based Admin View (management client side) with the following setting values.
| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| CIDR of the instance for the management view (cluster node) | tcp | 8081 | Used for the management view |
| CIDR of the instance for the management view (cluster node) | tcp | 9798 | Used for the management view |
| CIDR of the instance for the management view (cluster node) | tcp | 9799 | Used for the management view |
Design the security rules applied to instance access during installation and maintenance.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| CIDR of the access source | tcp | 22 | Used for remote access by SSH |

| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| 0.0.0.0/0 | tcp | 80 | Used for installing dependent packages |
| 0.0.0.0/0 | tcp | 443 | Used for installing dependent packages |
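The tables above define the minimum rule set for the administrative LAN and for installation/maintenance access, and the introduction allows further rules driven by the customer's requirements. A practical way to keep those two things apart during review is to audit a proposed security group against the required table: every required rule must be satisfied, and any rule that satisfies a requirement only because it is wider (for example SSH opened to 0.0.0.0/0 instead of the access source CIDR, or a port range that spans more than the listed port) is flagged for review. The script below is an added example, not part of the PRIMECLUSTER manual; the rule model, the group names `admin-lan` and `instance-access`, the placeholder access-source CIDR `203.0.113.0/24` and the candidate rule sets are all constructed for illustration. The same `audit` function applies unchanged to the other security groups on this page once their tables are transcribed the same way.

```python
"""Audit candidate security group rules against the required rule tables.

Added example (not part of the PRIMECLUSTER manual): the rule model, the
group names and the candidate rule sets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

OWN_GROUP = "own-group"  # stands for "Own group" in the tables (the group references itself)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" (source CIDR) or "outbound" (target CIDR)
    peer: str        # CIDR string, or OWN_GROUP
    protocol: str    # "tcp", "udp", "icmp"
    port_from: int
    port_to: int


# Constructed placeholder for "CIDR of the access source" in the SSH rule.
ACCESS_SOURCE = "203.0.113.0/24"

# Required rules transcribed from the tables on this page.
REQUIRED = {
    "admin-lan": [
        Rule("inbound", OWN_GROUP, "udp", 9382, 9382),   # shutdown facility (SF)
        Rule("inbound", OWN_GROUP, "udp", 9796, 9796),   # management view
        Rule("inbound", OWN_GROUP, "tcp", 9797, 9797),   # management view
        Rule("inbound", OWN_GROUP, "icmp", 0, 65535),    # clchkcluster
        Rule("outbound", ANY, "tcp", 443, 443),          # forced stop / network switching
        Rule("outbound", ANY, "tcp", 53, 53),            # forced stop / network switching
        Rule("outbound", OWN_GROUP, "icmp", 0, 65535),
        Rule("outbound", OWN_GROUP, "udp", 9382, 9382),
        Rule("outbound", OWN_GROUP, "udp", 9796, 9796),
        Rule("outbound", OWN_GROUP, "tcp", 9797, 9797),
    ],
    "instance-access": [
        Rule("inbound", ACCESS_SOURCE, "tcp", 22, 22),   # SSH from the access source only
        Rule("outbound", ANY, "tcp", 80, 80),            # installing dependent packages
        Rule("outbound", ANY, "tcp", 443, 443),
    ],
}


def covers(candidate: Rule, required: Rule) -> bool:
    """True if `candidate` allows at least everything `required` allows."""
    if candidate.direction != required.direction or candidate.protocol != required.protocol:
        return False
    if candidate.port_from > required.port_from or candidate.port_to < required.port_to:
        return False
    if candidate.peer == required.peer or candidate.peer == ANY:
        return True
    if OWN_GROUP in (candidate.peer, required.peer):
        return False  # a group reference and a narrower CIDR are not comparable
    return ip_network(required.peer).subnet_of(ip_network(candidate.peer))


def audit(group: str, candidate: list) -> dict:
    """Classify the rules of one security group against its required table.

    missing: required rules that no candidate rule satisfies
    wider:   candidate rules that satisfy a required rule but allow more than it
    extra:   candidate rules matching nothing in the table (need a documented reason)
    """
    required = REQUIRED[group]
    result = {"missing": [], "wider": [], "extra": []}
    for r in required:
        if not any(covers(c, r) for c in candidate):
            result["missing"].append(r)
    for c in candidate:
        if c in required:
            continue  # exact match with the table
        if any(covers(c, r) for r in required):
            result["wider"].append(c)
        else:
            result["extra"].append(c)
    return result


# Constructed candidate: the inbound ICMP rule was forgotten, an unrelated SMTP
# rule was added, SSH was opened to the world, and 80/443 became one range.
CANDIDATE = {
    "admin-lan": [
        Rule("inbound", OWN_GROUP, "udp", 9382, 9382),
        Rule("inbound", OWN_GROUP, "udp", 9796, 9796),
        Rule("inbound", OWN_GROUP, "tcp", 9797, 9797),
        Rule("outbound", ANY, "tcp", 443, 443),
        Rule("outbound", ANY, "tcp", 53, 53),
        Rule("outbound", OWN_GROUP, "icmp", 0, 65535),
        Rule("outbound", OWN_GROUP, "udp", 9382, 9382),
        Rule("outbound", OWN_GROUP, "udp", 9796, 9796),
        Rule("outbound", OWN_GROUP, "tcp", 9797, 9797),
        Rule("outbound", ANY, "tcp", 25, 25),
    ],
    "instance-access": [
        Rule("inbound", ANY, "tcp", 22, 22),
        Rule("outbound", ANY, "tcp", 80, 443),
    ],
}

if __name__ == "__main__":
    for group in REQUIRED:
        for kind, rules in audit(group, CANDIDATE[group]).items():
            for rule in rules:
                print(f"{group}: {kind}: {rule}")
```

The audit distinguishes "wider" from "extra" on purpose: a wider rule is a required rule that has been over-opened and should normally be narrowed back to the table value, whereas an extra rule may be one of the customer-specific additions the introduction permits and only needs a recorded justification.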
Design the security rules applied to the cluster interconnect.
This setting is not necessary in a single-node cluster.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | 123 (IP protocol number) | 0-65535 | Used for the heartbeat |

| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | 123 (IP protocol number) | 0-65535 | Used for the heartbeat |
Design the security rules applied to the public LAN.
Add the rules that are required for application operations and the following outbound rule.
| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| CIDR of the monitoring destination on the business network | icmp | 0-65535 | Used for monitoring the business network |
This rule is required when using the network monitoring function.
For details, refer to "6.7.3.6 Setting Up Takeover Network Resources" in "PRIMECLUSTER Installation and Administration Guide."
When monitoring a virtual router, the monitored virtual router and the public LAN of all cluster nodes must be on the same subnet.
Design the security rules applied to the network used for data synchronization.
| Communication source CIDR (inbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | tcp | 3260 | Used for mirroring among servers |

| Communication target CIDR (outbound rules) | Protocol | Port range | Description |
|---|---|---|---|
| Own group | tcp | 3260 | Used for mirroring among servers |