Inbound restriction for security group for Amazon FSx for Lustre?


The Amazon FSx for Lustre console invites developers to open TCP ports 988, 1021-1023: " The VPC Security Groups associated with your file system’s network interfaces must allow inbound Lustre traffic (TCP ports 988, 1021-1023)"

Shall this be open to the world? Is there a way to restrict source? Or is there already a mechanism in place to verify that this "inbound Lustre traffic" coming to the FS is legit?

Is this inbound Lustre traffic user traffic on the FS (eg a SageMaker training instance) ? or is it used for some backend admin or S3-FS communication?

asked 4 years ago1146 views
1 Answer
Accepted Answer

The inbound traffic requirements are for the file system's network interfaces, so they apply for the communication between the file system and the client compute instances from which you're mounting and accessing the file system (not for any back-end communication behind the file system.

Re: restricting the source, as is standard with Security Groups, you can limit the source of the inbound rules to only the restricted sources you want to allow (based on CIDR blocks, Security Groups, Prefix Lists).

answered 4 years ago
profile picture
reviewed 11 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions