Securing DataStax Enterprise ports

Lock down all unnecessary ports, and create IP security rules that allow internode and client communications.

All network security starts with strict and proper firewall rules on interfaces that are exposed to the internet, allowing only the absolute minimum traffic in or out of the internal network. Firewall security is especially important when running your infrastructure in a public cloud. Wherever you host your clusters, DataStax strongly recommends using a firewall on all nodes in your cluster.

Begin with a restrictive configuration that blocks all traffic except SSH. Then open the following ports, in line with your security requirements, to allow communication between the nodes. If these ports are not open, a node on which you start DataStax Enterprise (DSE) acts as a standalone database server instead of joining the cluster.

If the cluster uses SSL only, close any non-SSL ports that have dedicated SSL ports. To avoid unintentionally cutting off non-SSL clients, DataStax recommends testing the configuration in a staging environment before enabling the firewall in production environments.

Important: Do not restrict traffic between DSE Analytics nodes. Traffic between DSE Analytics nodes must be unrestricted to allow communication between DSE Spark Master and Worker nodes.

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra-env.sh
Tarball installations: installation_location/resources/cassandra/conf/cassandra-env.sh

spark-env.sh

The default location of the spark-env.sh file depends on the type of installation:
Package installations: /etc/dse/spark/spark-env.sh
Tarball installations: installation_location/resources/spark/conf/spark-env.sh

cassandra.yaml

The location of the cassandra.yaml file depends on the type of installation:
Package installations: /etc/dse/cassandra/cassandra.yaml
Tarball installations: installation_location/resources/cassandra/conf/cassandra.yaml

dse.yaml

The location of the dse.yaml file depends on the type of installation:
Package installations: /etc/dse/dse.yaml
Tarball installations: installation_location/resources/dse/conf/dse.yaml

Procedure

Open the following ports. Each entry gives the port, the service that uses it and, where applicable, the file in which it is configured.

Public facing ports

22: SSH (default). See your OS documentation on sshd.

DataStax Enterprise public ports

(random): Spark port for the driver to listen on. Used for communicating with the executors and the standalone Master. To set the port explicitly, set the spark.driver.port property in the Spark driver. If an application is already using the designated port, the port number is incremented up to the value of the spark.port.maxRetries property. For example, if spark.driver.port is set to 11000 and spark.port.maxRetries is set to 10, it attempts to bind to port 11000; if that fails, it increments the port number and retries, stopping at port 11010. Ensure traffic is unrestricted between DSE Analytics nodes.
(random): Spark port for all block managers to listen on. These ports exist on both the driver and the executors. To set the port explicitly, set the spark.blockManager.port property. If an application is already using the designated port, the port number is incremented up to the value of the spark.port.maxRetries property. For example, if spark.blockManager.port is set to 11000 and spark.port.maxRetries is set to 10, it attempts to bind to port 11000; if that fails, it increments the port number and retries, stopping at port 11010. Ensure traffic is unrestricted between DSE Analytics nodes.
(local hostname): Spark port for communicating with the executors and the standalone Master. Ensure traffic is unrestricted between DSE Analytics nodes.
4040: Spark application web site port. If an application is already using the designated port, the port number is incremented up to the value of the spark.port.maxRetries property. For example, if spark.port.maxRetries is set to 10, it attempts to bind to port 4041 and repeats until it reaches port 4050.
5598, 5599: Public/internode ports for DSE File System (DSEFS) clients. Configurable in dse.yaml.
7080: Spark Master console port. Configurable in spark-env.sh.
7081: Spark Worker web site port. Configurable in spark-env.sh.
8182: The gremlin server port for DSE Graph. See Graph configuration.
8983: DSE Search (Solr) port and Demo applications web site port (Portfolio, Search, Search log, Weather Sensors).
8090: Spark Jobserver REST API port. See Spark Jobserver.
9042: DSE database native clients port. Enabling native transport encryption in client_encryption_options provides the option to use encryption for the standard port, or to use a dedicated port in addition to the unencrypted native_transport_port. When SSL is enabled, port 9142 is used by native clients instead. Configurable in cassandra.yaml.
9091: The DataStax Studio server port. See the DataStax Studio documentation. Configurable in dse_studio_install_dir/configuration.yaml.
9077: AlwaysOn SQL WebUI port. See Configuring AlwaysOn SQL.
9142: DSE client port when SSL is enabled. Enabling client encryption while leaving native_transport_port_ssl disabled uses encryption for native_transport_port. Setting native_transport_port_ssl to a value different from native_transport_port uses encryption for native_transport_port_ssl while keeping native_transport_port unencrypted. See Securing client to cluster connections.
9999: Spark Jobserver JMX port. Required only if Spark Jobserver is running and remote access to JMX is required.
18080: Spark application history server web site port. Required only if the Spark application history server is running. Can be changed with the spark.history.ui.port setting. See Spark history server.

OpsCenter public ports

8888: OpsCenter web site port. The opscenterd daemon listens on this port for HTTP requests coming directly from the browser. See OpsCenter ports reference. Configurable in opscenterd.conf.

Inter-node ports

DSE database inter-node communication ports

5599: Private port for DSEFS inter-node communication. Must not be visible outside of the cluster. Configurable in dse.yaml.
7000: DSE inter-node cluster communication port. Configurable in cassandra.yaml.
7001: DSE SSL inter-node cluster communication port. Configurable in cassandra.yaml.
7199: DSE JMX metrics monitoring port. DataStax recommends allowing connections only from the local node. Configure SSL and JMX authentication when allowing connections from other nodes. Configurable in cassandra-env.sh; see JMX options in Tuning Java Virtual Machine.
1024-65355: JMX reconnection/loopback ports. See the description for port 7199 and JMX options in Tuning Java Virtual Machine.

DataStax Enterprise inter-node ports

7077: Spark Master inter-node communication port. Configurable in dse.yaml.
8609: Port for the inter-node messaging service. Configurable in dse.yaml.
10000: Spark SQL Thrift server port. Required only if the Spark SQL Thrift server is running. Set with the -p option of the Spark SQL Thrift server.
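The procedure above, as an added example that is not part of the original page or of DSE itself: a POSIX shell script that builds an nftables input ruleset for one DSE node from the port groups in the table, starting from a default-deny policy. It assumes IPv4 subnets for the cluster, the application clients and the administrators (constructed placeholder values), opens only SSH, the native transport ports and the core inter-node ports (add further rows from the table to the port lists as your deployment needs them), keeps JMX on loopback, applies the SSL-only rule by leaving 9042 and 7000 closed, and lifts the port restriction inside the cluster subnet for DSE Analytics nodes.

```shell
#!/bin/sh
# Generates an nftables ruleset for one DSE node from the port groups on this page.
# Assumed, constructed inputs (override via the environment):
#   CLUSTER_CIDR  subnet of the DSE nodes (inter-node ports)
#   CLIENT_CIDR   subnet of application clients (native transport)
#   ADMIN_CIDR    subnet allowed to reach SSH
#   SSL_ONLY      1 = expose only 9142/7001 and leave 9042/7000 closed
#   ANALYTICS     1 = DSE Analytics node: no port restriction inside CLUSTER_CIDR
: "${CLUSTER_CIDR:=10.0.1.0/24}" "${CLIENT_CIDR:=10.0.2.0/24}" "${ADMIN_CIDR:=10.0.9.0/24}"
: "${SSL_ONLY:=1}" "${ANALYTICS:=0}"

# Print the ruleset on stdout; nothing is applied here.
dse_fw_rules() {
    if [ "$SSL_ONLY" = 1 ]; then
        client_ports="9142"; internode_ports="7001"
    else
        client_ports="9042, 9142"; internode_ports="7000, 7001"
    fi
    internode_ports="$internode_ports, 5599, 8609, 7077"   # DSEFS, messaging, Spark Master
    cat <<EOF
flush ruleset
table inet dse {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept                        # JMX 7199 and its loopback ports stay local-only
    ct state established,related accept
    tcp dport 22 ip saddr $ADMIN_CIDR accept
    tcp dport { $client_ports } ip saddr $CLIENT_CIDR accept
EOF
    if [ "$ANALYTICS" = 1 ]; then
        printf '    ip saddr %s accept                  # Spark Master/Worker traffic\n' "$CLUSTER_CIDR"
    else
        printf '    tcp dport { %s } ip saddr %s accept\n' "$internode_ports" "$CLUSTER_CIDR"
    fi
    printf '  }\n}\n'
}

# Number of rules that open TCP port $1 to any remote source (0 = port stays closed).
port_open_count() {
    dse_fw_rules | grep -Ec "dport (\{ )?([0-9]+, )*$1(,| \}| )" || true
}

# Print by default; APPLY=1 loads the ruleset (needs root and nftables).
if [ "${APPLY:-0}" = 1 ]; then dse_fw_rules | nft -f -; else dse_fw_rules; fi
```

Run it without APPLY first and review the printed ruleset, then test it on a staging node before applying it in production, as the page recommends for SSL-only clusters.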