Main Content

Global Cluster Access and Security Groups

Set Cluster Access

Cluster Access settings control which computers can access your Amazon cluster from the Internet. To access the Cluster Access setting in the Cloud Center, click Global Cluster Access beneath Preferences in the navigator. Cluster access comprises a list of IP ranges for the computers that can access your cloud cluster. Your access might already be set up for your Amazon Web Services account, or you might have to create or modify them here.

Global Cluster Access settings. You can add or remove IP Addresses to connect to the cluster.

The IP addresses in the listing must be those of the machines as seen from the Internet, which is often different from their local IP addresses. To be sure you get the proper IP address, see your administrator, or use one of the many available websites that can return this information to you.

The format for an access listing is a 4-field IP address, optionally followed by a slash (/) and a value identifying the number of bits of the address to use for matching starting from the left of the address. There are eight bits per field in the IP address. For example, suppose the IP address of your machine is 123.123.234.56. The format to allow only that exact IP address access to your cluster is:

123.123.234.56/32

The /32 indicates 32 bits, which requires matching on all four fields of the address. (If no field matching bits are specified, the default is 32, matching the entire address exactly.)

Matching only part of the address allows a range of IP addresses to access your cluster. This might be useful when accessing the cluster from different client machines on the same network, or if your client machine has an assigned IP address that might change.

For example, if you want to allow other machines from your network to access your cluster if their IP addresses start with 123.123, regardless of what the last two fields are, you could format the address this way:

123.123.0.0/16

Caution

Make your address formats as strict as possible, using as many fields and bits as you can. Address formats that are too open can increase the risk of unauthorized access to your cluster. A format that uses no bits for matching (e.g., 0.0.0.0/0, or 123.123.234.56/0) allows all machines on the Internet to access your cluster.

The computer you are currently accessing the Cloud Center from is automatically added to the access list.

To add machines to the allowed listing, add the IP address or range in the blank field and click Add. To remove an allowed address, click Remove next to the address in the list. You can have up to eight rules in your list; if you already have eight when you add a rule, the oldest is deleted.

When you start a cluster, Cloud Center creates a security group called cluster-access-<identifier> if it does not already exist. Whether the group already exists or is new, Cloud Center then opens the necessary ports for cluster communications. See also Server Sockets Accessed by Client for information about port usage.

The cluster access rules listed are propagated to security groups when an associated cluster is started. You can also apply updates to the cluster access rules to security groups for online clusters, replacing any previous rule set.

The cluster access list is saved between sessions, and is the same for all clusters that share the same network configuration. Clusters configured for Amazon Virtual Private Cloud (VPC) will share a security group per VPC. The security group associated with your cluster is identified on the Cluster Details page when the cluster is online.

Do not modify the security groups created and managed by Cloud Center. You can manage additional security group rules via a separate security group that you attach once the cluster machines are online.

Cluster Summary on the Cluster Details page showing the Security Group associated with your cluster under More Details.

Server Sockets Accessed by Client

MATLAB® Parallel Server™ and the Cloud Center require the client to contact servers listening on certain sockets within the cloud. If you limit access to remote ports from your client machines, make sure you allow access to the following remote ports for communication with the cluster resources:

TCP PortsUsage
443Web access to Cloud Center, online licensing, and Amazon Web Services
22SSH

Make sure that you allow access to the following additional remote ports:

TCP PortsUsage
27355-27486Access to MATLAB Job Scheduler on head node

MATLAB/Cloud Center includes support for up to 32 workers per machine.

In addition, all ports are open for communication between machines within the same cloud cluster, as defined by rules in your AWS security group.

Security Within Clusters

Users with access to a cluster can perform all supported cluster activity. More specifically, anyone with access to the cluster can see or manipulate all the files, processes, and jobs in the cluster, regardless of ownership. If security is a concern, consider limiting who has access to shared clusters or providing users with their own clusters.

Related Topics