Global Cluster Access and Security Groups
Set Cluster Access
Cluster Access settings control which computers can access your Amazon cluster from the Internet. To access the Cluster Access setting in the Cloud Center, click Global Cluster Access beneath Preferences in the navigator. Cluster access comprises a list of IP ranges for the computers that can access your cloud cluster. Your access might already be set up for your Amazon Web Services account, or you might have to create or modify them here.
The IP addresses in the listing must be those of the machines as seen from the Internet, which is often different from their local IP addresses. To be sure you get the proper IP address, see your administrator, or use one of the many available websites that can return this information to you.
The format for an access listing is a 4-field IP address, optionally followed by a slash
/) and a value identifying the number of bits of the address to use
for matching starting from the left of the address. There are eight bits per field in the IP
address. For example, suppose the IP address of your machine is 220.127.116.11. The format
to allow only that exact IP address access to your cluster is:
/32 indicates 32 bits, which requires matching on all four fields
of the address. (If no field matching bits are specified, the default is 32, matching the
entire address exactly.)
Matching only part of the address allows a range of IP addresses to access your cluster. This might be useful when accessing the cluster from different client machines on the same network, or if your client machine has an assigned IP address that might change.
For example, if you want to allow other machines from your network to access your cluster if their IP addresses start with 123.123, regardless of what the last two fields are, you could format the address this way:
Make your address formats as strict as possible, using as many fields and bits as you
can. Address formats that are too open can increase the risk of unauthorized access to
your cluster. A format that uses no bits for matching (e.g.,
18.104.22.168/0) allows all machines on the
Internet to access your cluster.
The computer you are currently accessing the Cloud Center from is automatically added to the access list.
To add machines to the allowed listing, add the IP address or range in the blank field and click Add. To remove an allowed address, click Remove next to the address in the list. You can have up to eight rules in your list; if you already have eight when you add a rule, the oldest is deleted.
When you start a cluster, Cloud Center creates a security group called cluster-access-<identifier> if it does not already exist. Whether the group already exists or is new, Cloud Center then opens the necessary ports for cluster communications. See also Server Sockets Accessed by Client for information about port usage.
The cluster access rules listed are propagated to security groups when an associated cluster is started. You can also apply updates to the cluster access rules to security groups for online clusters, replacing any previous rule set.
The cluster access list is saved between sessions, and is the same for all clusters that share the same network configuration. Clusters configured for Amazon Virtual Private Cloud (VPC) will share a security group per VPC. The security group associated with your cluster is identified on the Cluster Details page when the cluster is online.
Do not modify the security groups created and managed by Cloud Center. You can manage additional security group rules via a separate security group that you attach once the cluster machines are online.
Server Sockets Accessed by Client
MATLAB® Parallel Server™ and the Cloud Center require the client to contact servers listening on certain sockets within the cloud. If you limit access to remote ports from your client machines, make sure you allow access to the following remote ports for communication with the cluster resources:
|443||Web access to Cloud Center, online licensing, and Amazon Web Services|
Make sure that you allow access to the following additional remote ports:
|27355-27486||Access to MATLAB Job Scheduler on head node|
MATLAB/Cloud Center includes support for up to 32 workers per machine.
In addition, all ports are open for communication between machines within the same cloud cluster, as defined by rules in your AWS security group.
Security Within Clusters
Users with access to a cluster can perform all supported cluster activity. More specifically, anyone with access to the cluster can see or manipulate all the files, processes, and jobs in the cluster, regardless of ownership. If security is a concern, consider limiting who has access to shared clusters or providing users with their own clusters.