Allow traffic from external slurmdbd to slurmctld's

Add ingress rule in the external dbd client security group to allow connections initiated from the slurmdbd. Such connections may be established from the slurmdbd's side when the slurmdbd drops and then recovers: in this case it is the slurmdbd attempting to re-establish the connectivity between itself and all the slurmctld's it was previously connected to. Remove useless egress rules from security groups (all outgoing traffic is enabled by default at the moment). Signed-off-by: Jacopo De Amicis <[email protected]>
aws · Jan 15, 2024 · f62a4f6 · f62a4f6
1 parent 4e3a5e8
commit f62a4f6
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py b/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py
@@ -204,20 +204,21 @@ def _add_management_security_groups(self):
             description="Allow SSH access to slurmdbd instance (server)",
             vpc=self.vpc,
         )
+
         client_sg = ec2.SecurityGroup(
             self,
             "SSHClientSecurityGroup",
             description="Allow SSH access to slurmdbd instance (client)",
             vpc=self.vpc,
         )
+
         server_sg.add_ingress_rule(
             peer=client_sg, connection=ec2.Port.tcp(22), description="Allow SSH access from client SG"
         )
-        client_sg.add_egress_rule(
-            peer=server_sg, connection=ec2.Port.tcp(22), description="Allow SSH access to server SG"
-        )
+
         return server_sg, client_sg
 
+    # FIXME: make the ingress rules more configurable
     def _add_slurmdbd_accounting_security_groups(self):
         slurmdbd_server_sg = ec2.SecurityGroup(
             self,
@@ -239,10 +240,10 @@ def _add_slurmdbd_accounting_security_groups(self):
             description="Allow Slurm accounting traffic from the cluster head node",
         )
 
-        slurmdbd_client_sg.add_egress_rule(
+        slurmdbd_client_sg.add_ingress_rule(
             peer=slurmdbd_server_sg,
-            connection=ec2.Port.tcp(6819),
-            description="Allow Slurm accounting traffic to the slurmdbd instance",
+            connection=ec2.Port.tcp_range(6820, 6829),
+            description="Allow traffic coming from slurmdbd instance",
         )
 
         return slurmdbd_server_sg, slurmdbd_client_sg