Altus Administration

As an Altus administrator, you must have administrative rights to the accounts in AWS where Altus users create clusters and run jobs. You must be familiar with the AWS platform and able to set up AWS services and resources for use by Altus users and create policies and roles for those services and resources. You must also be aware of the limits that AWS sets for the resources available to you in AWS.

In Altus, you manage user access to the services and resources in AWS accounts. You also manage the access keys and resources in Altus. When users reach the maximum limit for resources in your Altus account, you can ask Cloudera to raise the limits through the Cloudera support portal.

AWS Account Requirements

Cloudera Altus creates clusters and runs jobs in your AWS account on your behalf. To enable Altus to perform its tasks in your AWS account successfully, ensure that your AWS account has resources and services configured to meet Altus requirements.

AWS Resources and Services

Altus accesses the following resources in your AWS account:
  • VPC
  • EC2 Instances
  • Regions and availability zones
  • Security group
Use the following guidelines to ensure that Altus can use the resources in your AWS account to create clusters and run jobs:
VPC
Altus supports EC2-VPCs.

You can use an existing AWS account or create an AWS account for Altus workloads. If you use an existing account created after December 4, 2013, you can use the default VPC provided with the AWS account. The default VPC is an EC2-VPC. For more information, see the AWS documentation about the default VPC.

If you use an existing account created before December 4, 2013, use EC2-VPC, not EC2-Classic.

The VPC must have the following configuration:
  • Connected to an Internet gateway.
  • Has at least one public subnet configured with auto-assigned public IPs, and the subnet routes default traffic through the Internet gateway.
  • Has Amazon-managed DNS turned on.

Verify the limits of the VPC and subnets available in your AWS account to ensure that you have enough resources to create clusters in Altus. For more information about VPC limits, see AWS Limits.

EC2 Instances
If you use the default VPC provided with the AWS account, the VPC is limited to 20 EC2 instances. If you require a larger number of instances, you can contact Amazon to request an increase in your instance limit.

Verify the limits of the EC2 instances in your AWS account to ensure that you are able to create clusters in Altus. For more information about EC2 instance limits, see AWS Limits.

Altus supports c4, m4, and r4 instance types.

Regions and Availability Zones
You can deploy clusters in any AWS region that Altus supports. Typically, you deploy clusters into the same region that contains the S3 buckets that you want to access for input and output data.

For more information about the AWS regions supported by Altus, see Supported AWS Regions.

Security Group
You must define a security group with the following configuration:
  • Inbound: Allows all traffic from itself and SSH traffic from the following IP addresses:
      52.88.35.116/32
      52.37.120.7/32
      50.112.20.144/32
  • Outbound: Allows all traffic to all destinations.

Verify the security group limits in your AWS account to ensure that you can configure security groups for Altus. For more information about security group limits, see AWS Limits.

To connect to a CDH cluster and Cloudera Manager, you must also configure the security group inbound rules to allow SSH access from the IP address of your machine or a range of IP addresses used by your organization. For more information, see SSH Connection.
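
The security group rules above can be checked offline against a saved group description. The following is an added example, not Cloudera code: it assumes input in the shape of one entry of the EC2 DescribeSecurityGroups output, uses a made-up group ID and sample data, and as its own assumption also flags SSH open to 0.0.0.0/0, which is wider than anything this page asks for.

```python
import ipaddress

# Addresses the page requires for inbound SSH.
ALTUS_SSH_CIDRS = ["52.88.35.116/32", "52.37.120.7/32", "50.112.20.144/32"]

def _allows_ssh(perm):
    """True if a rule covers TCP port 22 ("-1" means all protocols)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]

def _all_traffic(perms):
    return [p for p in perms if p["IpProtocol"] == "-1"]

def audit_altus_security_group(sg):
    """Return findings for one group; an empty list means it matches the page."""
    findings = []
    inbound = sg.get("IpPermissions", [])
    # Inbound: all traffic from the group itself.
    if not any(pair.get("GroupId") == sg["GroupId"]
               for p in _all_traffic(inbound) for pair in p.get("UserIdGroupPairs", [])):
        findings.append("missing: inbound all traffic from the group itself")
    # Inbound: SSH from each Altus address (a wider range that contains it counts).
    sources = [ipaddress.ip_network(r["CidrIp"])
               for p in inbound if _allows_ssh(p) for r in p.get("IpRanges", [])]
    for cidr in ALTUS_SSH_CIDRS:
        if not any(ipaddress.ip_network(cidr).subnet_of(s) for s in sources):
            findings.append(f"missing: inbound SSH from {cidr}")
    # Assumption of this example: SSH open to everyone is reported as too broad.
    if any(s.prefixlen == 0 for s in sources):
        findings.append("too broad: inbound SSH from 0.0.0.0/0")
    # Outbound: all traffic to all destinations.
    if not any(r.get("CidrIp") == "0.0.0.0/0"
               for p in _all_traffic(sg.get("IpPermissionsEgress", [])) for r in p.get("IpRanges", [])):
        findings.append("missing: outbound all traffic to 0.0.0.0/0")
    return findings

# Constructed sample in the shape of one DescribeSecurityGroups entry (IDs are made up).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "52.88.35.116/32"}, {"CidrIp": "52.37.120.7/32"},
                      {"CidrIp": "203.0.113.0/24"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
```

Calling audit_altus_security_group(SAMPLE_SG) reports the one Altus address the sample leaves out; the 203.0.113.0/24 entry stands in for an organization range added for your own SSH access.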

AWS Permissions

As an Altus administrator, you must be able to perform the following tasks in your AWS account:
  • Create policies and roles in IAM.
  • Perform administrative tasks in subnets, security groups, EC2, VPC, S3, and Security Token Service (STS).

AWS Administrator privileges provide all the permissions you need to create the resources for Altus.

If you are not a member of the Administrators group in your AWS account, you must have the following privileges in AWS:
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateVpc
ec2:CreateVpcEndpoint
ec2:CreateTags
ec2:DescribeAccountAttributes
ec2:DescribeAvailabilityZones
ec2:DescribeInternetGateways
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcEndpoints
ec2:DescribeVpcs
ec2:ModifySubnetAttribute
ec2:ModifyVpcAttribute
iam:AddRoleToInstanceProfile
iam:AttachRolePolicy
iam:CreateInstanceProfile
iam:CreateRole
iam:GetRole
iam:PassRole
iam:PutRolePolicy
s3:CreateBucket
s3:GetObject
s3:PutObject
Additionally, if you use the Environment Quickstart to create an Altus environment, you need the following CloudFormation permissions:
cloudformation:CreateStack
cloudformation:CreateUploadBucket
cloudformation:GetTemplateSummary
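
To confirm that a non-administrator's IAM policy grants every action listed above, the following added example (not Cloudera code) reports which required actions no Allow statement covers, including IAM wildcards such as ec2:Describe*. It is a coverage check only, an assumption of this example: it does not evaluate Deny statements, NotAction, Resource or Condition elements, and the sample policy is constructed.

```python
from fnmatch import fnmatchcase

# Action names copied from the lists on this page.
REQUIRED_ACTIONS = """
ec2:AssociateRouteTable ec2:AttachInternetGateway ec2:AuthorizeSecurityGroupIngress
ec2:CreateInternetGateway ec2:CreateRoute ec2:CreateRouteTable ec2:CreateSecurityGroup
ec2:CreateSubnet ec2:CreateVpc ec2:CreateVpcEndpoint ec2:CreateTags
ec2:DescribeAccountAttributes ec2:DescribeAvailabilityZones ec2:DescribeInternetGateways
ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:DescribeSubnets
ec2:DescribeVpcEndpoints ec2:DescribeVpcs ec2:ModifySubnetAttribute ec2:ModifyVpcAttribute
iam:AddRoleToInstanceProfile iam:AttachRolePolicy iam:CreateInstanceProfile iam:CreateRole
iam:GetRole iam:PassRole iam:PutRolePolicy s3:CreateBucket s3:GetObject s3:PutObject
""".split()
QUICKSTART_ACTIONS = ["cloudformation:CreateStack", "cloudformation:CreateUploadBucket",
                      "cloudformation:GetTemplateSummary"]

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from the policy's Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]              # a string or a list of strings
        patterns += [a.lower() for a in ([actions] if isinstance(actions, str) else actions)]
    return patterns

def missing_actions(policy, required):
    """Return the required actions that no Allow pattern matches (case-insensitive)."""
    patterns = allowed_patterns(policy)
    return [a for a in required if not any(fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed sample policy: broad on Describe/Create, but missing several actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:Create*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    ],
}
```

Pass QUICKSTART_ACTIONS as the second argument to check the additional CloudFormation permissions needed for the Environment Quickstart.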

Supported AWS Regions

Cloudera Altus supports the following AWS regions:
Region Name       Location
us-east-1         US East (N. Virginia) Region
us-east-2         US East (Ohio) Region
us-west-1         US West (N. California) Region
us-west-2         US West (Oregon) Region
ap-south-1        Asia Pacific (Mumbai) Region
ap-northeast-1    Asia Pacific (Tokyo) Region
ap-northeast-2    Asia Pacific (Seoul) Region
ap-southeast-1    Asia Pacific (Singapore) Region
ap-southeast-2    Asia Pacific (Sydney) Region
ca-central-1      Canada (Central) Region
eu-central-1      EU (Frankfurt) Region
eu-west-1         EU (Ireland) Region
eu-west-2         EU (London) Region
sa-east-1         South America (São Paulo) Region

AWS Limits

When you create your AWS account, AWS sets limits on the resources available to you. The limits can vary by region. To view the limits set by Amazon for your account, log in to AWS and go to EC2 > Limits.

The EC2 Service Limits page lists the limits on the resources available to you in EC2, including limits on the number of instances and hosts.

The Networking Limits section on the page lists the VPC, subnet, and security group limits for your AWS account.

If you require more resources than the limit set by Amazon, you can ask Amazon to raise the limit for a resource. On the EC2 Service Limits page, click Request limit increase for the resource that you want to increase and create an AWS support case for a Service Limit Increase.

Altus Resource Limits

Altus sets limits on the number of resources that you can create. You can ask Altus to raise the limits through the support page on the Altus console.

For more information about raising the Altus resource limits, see Creating a Support Case.

Altus sets limits for the following resources:
Resource                 Description                                                  Limits
User accounts            Number of users allowed in your Altus account.               100
Machine user accounts    Number of machine users allowed in your Altus account.       100
Access key               Number of access keys allowed in your Altus account.         200
Altus environment        Number of Altus environments allowed in your Altus account.  10
Cluster                  Number of clusters allowed in your Altus account.            20
Job                      Number of jobs allowed in a cluster.                         1000