Security Groups
The platform groups nodes with different roles in a cluster into different security groups, so different types of nodes can have different network access permissions. When a cluster is created, security groups are automatically created for three roles: compute nodes, login/submit nodes, and head nodes. You can add inbound (Ingress) rules to control inbound access. Security groups within the same cluster are authorized to each other by default, so nodes can access each other. Security groups control whether to allow access requests from public networks or private networks.
Permissions
Only administrators can edit security groups. Regular users do not have permission to edit security groups.
Limits
To ensure usability and a good user experience, the platform applies the following limits to security groups:
-
You cannot create additional security groups. Security groups are created together with the cluster.
-
Default security group rules cannot be modified. You can add and delete custom rules.
-
Maximum custom security group rules: 30 (excluding default rules for each node type).
-
When a cluster is released, the system automatically deletes all security groups associated with it.
-
Security group rules for task-created clusters cannot be added/edited/deleted.
-
Security group rules can be modified only in the platform UI.
Note: For task-created clusters, subnet/security group is restricted to using the system private subnet.
Security group list
Field descriptions:
- Security group name: Composed of the cluster name and node type, joined by
_. - Security group type: Compute node / Login-submit node / Head node.
- Cluster name: Cluster the security group belongs to.
- Inbound rule count: Number of inbound rules.
- Username: Creator of the security group.
Action: Edit security group
Default security group rules
Security groups have outbound and inbound rules. The platform provides default rules. If you have no special requirements, you can use the defaults.
-
Outbound rules: unrestricted by default; users cannot modify.
-
Inbound rules: all inbound traffic is denied except for the default rules listed below.
| Type | Protocol | Port | Source |
|---|---|---|---|
| PRIVATE | ALL | -1 | Head node security group ID |
| PRIVATE | ALL | -1 | Compute node security group ID |
| PRIVATE | ALL | -1 | Login/submit node security group ID |
| PRIVATE | TCP | 8020 | VPC CIDR |
| PRIVATE | TCP | 9400 | VPC CIDR |
| PRIVATE | TCP | 9182 | VPC CIDR |
| PRIVATE | TCP | 9100 | VPC CIDR |
| PRIVATE | TCP | 8060 | VPC CIDR |
| PRIVATE | TCP | 8040 | VPC CIDR |
| PRIVATE | TCP | 8010 | VPC CIDR |
| PRIVATE | TCP | 25057-25058 | VPC CIDR |
| PRIVATE | TCP | 5000-5001 | VPC CIDR |
| PRIVATE | TCP | 50023 | VPC CIDR |
| PRIVATE | TCP | 7000 | VPC CIDR |
| PRIVATE | TCP | 6817 | VPC CIDR |
| PRIVATE | TCP | 5900-5999 | VPC CIDR |
| PRIVATE | TCP | 4003-4004 | VPC CIDR |
| PRIVATE | TCP | 3389 | VPC CIDR |
| PRIVATE | TCP | 22 | VPC CIDR |
| PRIVATE | TCP | 2000 | 0.0.0.0/0 |
| PRIVATE | ALL | -1 | Head security group ID |
Note: For None clusters: one compute-node security group is created. For Fsched clusters: three security groups are created (login/submit, head, compute). When a cluster is released, its security groups are deleted. For released clusters, security groups are shown for reference only.
Security group rule list
Fields:
-
Type: Protocol category:
- TCP
- UDP
- ICMP
- SSH (TCP/22)
- RDP (TCP/3389)
- All (all protocols)
-
PRIVATE: Default system rule. Cannot be modified or deleted.
-
Protocol: L4 protocol auto-generated based on the selected type.
-
Port: Port range 0 to 65535. For TCP/UDP, admins can set a single port or a port range (for example
8000-9000). For ALL, port is-1. -
Source: Source IP address. Supported formats:
- Single IP, for example
192.168.0.100/32. - CIDR block, for example
192.168.0.0/24. 0.0.0.0/0to allow all.
- Single IP, for example
Actions: Add/edit/delete custom (non-default) security group rules.