Configuring firewall port access

If a firewall runs on the nodes in the Cassandra or DataStax Enterprise cluster, open up ports to allow communication between the nodes.

All network security starts with strict and proper firewall rules on interfaces that are exposed to the internet, allowing only the absolute minimum traffic in or out of your network. Firewall security is especially important when running your infrastructure in a public cloud. Wherever you run your clusters, DataStax strongly recommends running a firewall on all nodes in your Cassandra or DataStax Enterprise cluster.

Begin with a restrictive configuration that blocks all traffic except SSH. Then, open up the following ports on a private DSE network to allow communication between the nodes, including certain Cassandra ports. There is no reason to open DSE ports on a public network. If these ports are not opened, the node acts as a standalone database server rather than joining the database cluster when you start Cassandra (or Hadoop in DataStax Enterprise) on a node.

Procedure

Open the following ports:
Public facing ports

| Port | Description | Configurable in |
|---|---|---|
| 22 | SSH (default) | See your OS documentation on sshd. |

DataStax Enterprise public ports

| Port | Description | Configurable in |
|---|---|---|
| 4040 | Spark application web site port. | Apache Spark™ |
| 5598 | Public port for DSE File System (DSEFS) clients. | dse.yaml |
| 7080 | Spark Master web site port. | spark-env.sh |
| 7081 | Spark Worker web site port. | spark-env.sh |
| 8012 | Hadoop Job Tracker client port. The Job Tracker listens on this port for job submissions and communications from Task Trackers; allows traffic from each analytics node in a cluster. | cassandra.yaml |
| 8182 | The gremlin server port for DSE Graph. | See Graph configuration. |
| 8983 | DSE Search (Solr) port and Demo applications web site port (Portfolio, Search, Search log, Weather Sensors). | |
| 8090 | Spark Jobserver REST API port. | See Spark Jobserver. |
| 9091 | The DataStax Studio server port. See DataStax Studio documentation. | Configure in dse_studio_install_dir/configuration.yaml. |
| 9999 | Spark Jobserver JMX port. Required only if Spark Jobserver is running and remote access to JMX is required. | |
| 18080 | Spark application history server web site port. Only required if Spark application history server is running. Can be changed with the spark.history.ui.port setting. | See Spark history server. |
| 50030 | Hadoop Job Tracker web site port. The Job Tracker listens on this port for HTTP requests. If initiated from the OpsCenter, these requests are proxied through the opscenterd daemon; otherwise, they come directly from the browser. See OpsCenter ports reference. | mapred-site.xml |
| 50060 | Hadoop Task Tracker web site port. Each Task Tracker listens on this port for HTTP requests coming directly from the browser and not proxied by the opscenterd daemon. See OpsCenter ports reference. | mapred-site.xml |

OpsCenter public ports

| Port | Description | Configurable in |
|---|---|---|
| 8888 | OpsCenter web site port. The opscenterd daemon listens on this port for HTTP requests coming directly from the browser. See OpsCenter ports reference. | opscenterd.conf |

Inter-node ports

Cassandra inter-node communication ports

| Port | Description | Configurable in |
|---|---|---|
| 5599 | Private port for DSEFS inter-node communication. Must not be visible outside of the cluster. | dse.yaml |
| 7000 | Cassandra inter-node cluster communication port. | cassandra.yaml |
| 7001 | Cassandra SSL inter-node cluster communication port. | cassandra.yaml |
| 7199 | Cassandra JMX metrics monitoring port. DataStax recommends allowing connections only from the local node. Configure SSL and JMX authentication when allowing connections from other nodes. See Encrypting data. | cassandra-env.sh. See JMX options in Tuning Java resources. |
| 1024 - 65355 | JMX reconnection/loopback ports. See the description for port 7199. | See JMX options in Tuning Java resources. |
| 9160 | Cassandra client (Thrift) port. OpsCenter agents make Thrift requests to their local node on this port. Additionally, the port can be used by the opscenterd daemon to make Thrift requests to each node in the cluster. | cassandra.yaml |

DataStax Enterprise inter-node ports

| Port | Description | Configurable in |
|---|---|---|
| 7077 | Spark Master inter-node communication port. | dse.yaml |
| 8609 | Port for inter-node messaging service. | dse.yaml |
| 8984 | DSE Search inter-node communication port used for releases earlier than 5.0 and during upgrades to 5.0. Deprecated for DataStax Enterprise 5.0 and later. | dse.yaml |
| 9042 | CQL native clients port. | cassandra.yaml |
| 9290 | Hadoop Job Tracker Thrift port. The Job Tracker listens on this port for Thrift requests coming from the opscenterd daemon. | |
| 10000 | Hive server port. | hive-site.xml |
| 10000 | Spark SQL Thrift server port. Only required if Spark SQL Thrift server is running. | Set with the -p option with the Spark SQL Thrift server. |
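
The procedure above, written as an iptables-restore ruleset generator. This is an added example, not DataStax code: the function name, the CIDR 10.0.0.0/24 (a constructed private cluster subnet), and the selection of ports (a subset of the table for a node running Cassandra, DSEFS, Spark and DSE Graph) are assumptions. Port 7199 gets no rule, so JMX stays reachable only over loopback, as the table recommends.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables-restore ruleset for one DSE node.
# Port numbers are taken from the table above; everything else is an assumption.

# Inter-node ports: 5599 DSEFS, 7000/7001 Cassandra, 7077 Spark Master, 8609 messaging.
INTERNODE_PORTS="5599,7000,7001,7077,8609"
# Client-facing DSE ports: 5598 DSEFS clients, 8182 DSE Graph, 9042 CQL native.
CLIENT_PORTS="5598,8182,9042"

# dse_firewall_rules <private-cidr>: print the ruleset, or fail without output.
dse_firewall_rules() {
  cidr="$1"
  # DSE ports are never opened to a public network: reject empty input,
  # the all-addresses network, and any /0 prefix.
  case "$cidr" in
    ""|0.0.0.0/*|*/0)
      echo "refusing to open DSE ports to '$cidr'" >&2
      return 1 ;;
  esac
  # Accept only a dotted-quad IPv4 network with a prefix length.
  if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
    echo "not an IPv4 CIDR: '$cidr'" >&2
    return 1
  fi
  # Restrictive base: drop inbound by default, then allow loopback (covers
  # local-only JMX), established flows, SSH, and DSE ports from the
  # private cluster network only.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s $cidr -p tcp -m multiport --dports $INTERNODE_PORTS -j ACCEPT
-A INPUT -s $cidr -p tcp -m multiport --dports $CLIENT_PORTS -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed example subnet.
dse_firewall_rules 10.0.0.0/24
```

Review the printed rules before piping them to iptables-restore as root, and add further ports from the table only for the services the node actually runs.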

There are two instances of the hive-site.xml file.

For use with Spark, the default location of the hive-site.xml file is:

Installer-Services and Package installations: /etc/dse/spark/hive-site.xml
Installer-No Services and Tarball installations: install_location/resources/spark/conf/hive-site.xml

For use with Hive, the default location of the hive-site.xml file is:

Installer-Services and Package installations: /etc/dse/hive/hive-site.xml
Installer-No Services and Tarball installations: install_location/resources/hive/conf/hive-site.xml

The default location of the spark-env.sh file depends on the type of installation:

Installer-Services and Package installations: /etc/dse/spark/spark-env.sh
Installer-No Services and Tarball installations: install_location/resources/spark/conf/spark-env.sh

The location of the cassandra.yaml file depends on the type of installation:

Installer-Services: /etc/dse/cassandra/cassandra.yaml
Package installations: /etc/dse/cassandra/cassandra.yaml
Installer-No Services: install_location/resources/cassandra/conf/cassandra.yaml
Tarball installations: install_location/resources/cassandra/conf/cassandra.yaml

The location of the dse.yaml file depends on the type of installation:

Installer-Services: /etc/dse/dse.yaml
Package installations: /etc/dse/dse.yaml
Installer-No Services: install_location/resources/dse/conf/dse.yaml
Tarball installations: install_location/resources/dse/conf/dse.yaml

The default location of the mapred-site.xml file depends on the type of installation:

Installer-Services and Package installations: /etc/dse/hadoop/mapred-site.xml
Installer-No Services and Tarball installations: install_location/resources/hadoop/conf/mapred-site.xml

The location of the cassandra-env.sh file depends on the type of installation:

Package installations: /etc/dse/cassandra/cassandra-env.sh
Tarball installations: install_location/resources/cassandra/conf/cassandra-env.sh