When provisioning AWS ParallelCluster nodes, especially in environments with restricted internet access, several AWS service endpoints need to be accessible. While a complete list may vary depending on your specific configuration, here are some key endpoints that your ParallelCluster nodes typically need to access:
- iam.amazonaws.com: This is used for initial validation of the cluster.
- sts.amazonaws.com: The AWS Security Token Service (STS) endpoint is required. It's important to note that you should use the regional endpoint for STS calls.
- EC2 endpoints: For managing and interacting with EC2 instances.
- S3 endpoints: For accessing Amazon S3, which is often used for storing and retrieving data.
- CloudFormation endpoints: For managing the CloudFormation stack that ParallelCluster uses.
- Systems Manager endpoints: If you're using AWS Systems Manager for instance management.
- DynamoDB endpoints: Used by ParallelCluster for certain operations.
- CloudWatch endpoints: For logging and monitoring.
- Elastic File System (EFS) endpoints: If you're using EFS for shared storage.
- FSx endpoints: If you're using Amazon FSx for shared file systems.
Additionally, if you're installing Grafana, you may need to allow access to Grafana's download and update servers.
To avoid issues like the CloudFormation stack getting stuck at HeadNodeWaitCondition, it's crucial to ensure that all necessary endpoints are accessible. You can use VPC endpoints for many AWS services to keep traffic within the AWS network. For services without VPC endpoints, you'll need to allow outbound internet access to their specific URLs.
Remember that the exact list of required endpoints can vary based on your specific ParallelCluster configuration, installed applications, and AWS services used. It's recommended to start with a broader allowlist and then narrow it down based on observed traffic patterns and any errors encountered during cluster creation and operation.
Sources
- Securing HPC on AWS – isolated clusters | AWS HPC Blog
- pcluster describe-cluster - AWS ParallelCluster
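Added example, not part of the answer above and not a ParallelCluster tool: a small pre-flight script you can run on a head node (or an instance in the same subnet and security group) before creating the cluster, to confirm that every endpoint in the list above is actually reachable through your allowlist, proxy or VPC endpoints, instead of discovering a blocked service when the stack hangs on HeadNodeWaitCondition. It assumes the standard commercial partition, where regional endpoints follow the `<service>.<region>.amazonaws.com` pattern (GovCloud and China regions use different suffixes); the `monitoring`/`logs` prefixes for CloudWatch, `elasticfilesystem` for EFS, and the `ssmmessages`/`ec2messages` hosts that the SSM agent uses alongside `ssm` are my additions to the answer's list. The `--efs`, `--fsx` and `--no-ssm` flags are this script's own.

```python
"""Pre-flight connectivity check for the AWS endpoints a ParallelCluster node needs.

Added example (not from the re:Post answer or from ParallelCluster itself).
Assumes the standard commercial partition, where regional endpoints follow the
<service>.<region>.amazonaws.com pattern; GovCloud and China regions differ.
"""
import argparse
import socket
import ssl
from typing import Dict, List, Tuple

# Global endpoints that take no region prefix (IAM, as listed in the answer).
GLOBAL_ENDPOINTS: List[str] = ["iam.amazonaws.com"]

# Endpoint prefix -> description, for services every cluster needs.
CORE_SERVICES: Dict[str, str] = {
    "sts": "STS (regional endpoint, as the answer recommends)",
    "ec2": "EC2",
    "s3": "S3",
    "cloudformation": "CloudFormation",
    "dynamodb": "DynamoDB",
    "monitoring": "CloudWatch metrics",
    "logs": "CloudWatch Logs",
}
# Endpoint prefix -> (feature flag, description), for services that depend on configuration.
OPTIONAL_SERVICES: Dict[str, Tuple[str, str]] = {
    "ssm": ("ssm", "Systems Manager API"),
    "ssmmessages": ("ssm", "Systems Manager Session Manager channel"),  # assumption: used by the SSM agent
    "ec2messages": ("ssm", "Systems Manager Run Command channel"),      # assumption: used by the SSM agent
    "elasticfilesystem": ("efs", "Elastic File System"),
    "fsx": ("fsx", "FSx"),
}


def required_endpoints(region: str, ssm: bool = True, efs: bool = False, fsx: bool = False) -> List[str]:
    """Return the hostnames a node in `region` must reach, given the enabled features."""
    enabled = {"ssm": ssm, "efs": efs, "fsx": fsx}
    hosts = list(GLOBAL_ENDPOINTS)
    hosts += [f"{prefix}.{region}.amazonaws.com" for prefix in CORE_SERVICES]
    hosts += [
        f"{prefix}.{region}.amazonaws.com"
        for prefix, (flag, _desc) in OPTIONAL_SERVICES.items()
        if enabled[flag]
    ]
    return hosts


def check_endpoint(host: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Open a TCP connection on 443 and complete a TLS handshake.

    A successful handshake shows that DNS, the egress allowlist and any VPC
    endpoint or proxy in the path all let the node reach this service.
    Returns (ok, detail).
    """
    ctx = ssl.create_default_context()  # verifies the server certificate against the system CA store
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake ok"
    except ssl.SSLCertVerificationError as exc:
        # Typical when an inspecting proxy re-signs traffic with a CA the node does not trust.
        return False, f"certificate verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        # Covers DNS failure, refused or timed-out connections (blocked egress) and other TLS errors.
        return False, f"{type(exc).__name__}: {exc}"


def run_checks(region: str, timeout: float = 5.0, **features: bool) -> Dict[str, Tuple[bool, str]]:
    """Check every required endpoint and return {host: (ok, detail)}."""
    return {host: check_endpoint(host, timeout) for host in required_endpoints(region, **features)}


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("region", help="AWS region the cluster is deployed in, e.g. us-east-1")
    parser.add_argument("--efs", action="store_true", help="cluster uses EFS shared storage")
    parser.add_argument("--fsx", action="store_true", help="cluster uses FSx shared storage")
    parser.add_argument("--no-ssm", action="store_true", help="cluster does not use Systems Manager")
    parser.add_argument("--timeout", type=float, default=5.0)
    args = parser.parse_args()

    results = run_checks(args.region, args.timeout, ssm=not args.no_ssm, efs=args.efs, fsx=args.fsx)
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host:45} {detail}")
    blocked = [h for h, (ok, _d) in results.items() if not ok]
    if blocked:
        print(f"\n{len(blocked)} endpoint(s) unreachable; fix the allowlist or VPC endpoints "
              "before creating the cluster, or HeadNodeWaitCondition may never complete.")
        raise SystemExit(1)
```

Run it as `python3 check_endpoints.py us-east-1 --fsx` from the subnet the head node will use. A `certificate verification failed` result usually means a TLS-inspecting proxy whose CA is not installed on the node, which will also break the AWS CLI and cfn-init on the head node; a `gaierror` or `timeout` result means DNS or egress is blocked for that service and a VPC endpoint (or an allowlist entry) is missing.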
