Understanding Firewall Configuration for HPC Networks
Firewall configuration in Microsoft HPC Pack takes place during the installation of HPC Pack on a node, and when you configure networking during the configuration process of the head node.
During the installation of HPC Pack on a node, the Windows Firewall rules that are required by the type of node that is being created (head node, compute node, broker node, or workstation node) are added and enabled on the node. These rules allow inbound and outbound communication between nodes in the cluster, and depending on the network topology that you choose, these rules also allow communication with the enterprise network. The Windows Firewall rules that are added affect all the network adapters that are installed on each node.
To further manage firewall settings, HPC Pack can include and exclude individual network adapters from Windows Firewall. These settings affect the network adapters on all nodes. After a network adapter is excluded from Windows Firewall, communication to and from the node is completely open through that adapter, independently of the Windows Firewall rules that are enabled or disabled on the node.
The Firewall Setup page of the Network Configuration Wizard helps you to specify which network adapters will be included or excluded from Windows Firewall, based on the HPC network to which those network adapters are connected. You can also specify that you do not want HPC Pack to manage network adapter exclusions at all.
Note
If you let HPC Pack manage network adapter exclusions for you, HPC Pack constantly monitors the network adapter exclusions on the nodes, and attempts to restore them to the settings that you have selected.
The following table explains the selections that are available to you on the Firewall Setup page of the Network Configuration Wizard. For more information about firewall configuration on your HPC cluster, see Appendix 1: HPC Cluster Networking in the Getting Started Guide.
Selection | Description |
---|---|
Automatically apply firewall settings to the networks and the nodes in the cluster | - Create network adapter exclusions based on your selection for each HPC network listed. - Actively monitor network adapter exclusions, and correct changes that do not follow your selection for each HPC network. - ON for an HPC network: do not exclude from Windows Firewall the network adapter that is connected to that HPC network. - OFF for an HPC network: exclude from Windows Firewall the network adapter that is connected to that HPC network. |
Do not manage firewall settings | - Do not make any changes to the current network adapter exclusions (if any). - Do not monitor or try to correct changes to the network adapter exclusions. |
Caution
You must use a Windows Firewall configuration that complies with the security policies of your organization.
Important
When you use the Network Configuration Wizard to make changes to the firewall settings, these changes will be propagated to all existing nodes in the cluster, but it can take up to 5 minutes for the changes to take effect on the nodes.
Additional considerations
If an HPC cluster includes a private or an application network, the default selection is to create network adapter exclusions on those networks (that is, the default setting for those HPC networks is OFF). This provides the best performance and manageability experience. If you are using private and application networks, and intra-node security is important to you, isolate the private and application networks behind the head node.
If your client applications require specific Windows Firewall rules, and you choose not to exclude the network adapter that the application will use for communication, you must configure those rules in Windows Firewall. You can include a task in a node template to run a command that configures the Windows Firewall rules.
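
The following script is an added example, not part of HPC Pack or of the original page. It shows a command that a node template task could run: it reports adapters that are excluded from Windows Firewall (and therefore completely open) but are not on an expected list, and it creates an application rule only when the application's adapter is still filtered. Assumptions: the exclusions appear in the firewall profiles' DisabledInterfaceAliases property, and the adapter aliases, rule name, port, and subnet are hypothetical values to replace with your own.

```powershell
# Added example. All values in this block are assumptions; adjust for your cluster.
$ExpectedExcluded = @('Private', 'Application')  # adapters on HPC networks set to OFF
$AppAdapter       = 'Enterprise'                 # adapter the client application uses
$RuleName         = 'Example HPC client app (TCP 5000)'  # hypothetical rule name
$AppPort          = 5000                         # hypothetical application port
$AllowedSources   = '10.0.0.0/24'                # hypothetical enterprise subnet

# 1. Collect every adapter that any active firewall profile excludes.
#    'NotConfigured' is the placeholder value when no adapter is excluded.
$excluded = @(
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        ForEach-Object { $_.DisabledInterfaceAliases } |
        Where-Object { $_ -and $_ -ne 'NotConfigured' } |
        Sort-Object -Unique
)

# 2. An excluded adapter bypasses all firewall rules, so report any
#    exclusion that is not on the expected list.
$unexpected = @($excluded | Where-Object { $_ -notin $ExpectedExcluded })
foreach ($alias in $unexpected) {
    Write-Warning "Adapter '$alias' is excluded from Windows Firewall but is not expected to be."
}

# 3. A rule matters only while the application's adapter is still filtered.
if ($AppAdapter -in $excluded) {
    Write-Warning "Adapter '$AppAdapter' is excluded; rules do not restrict traffic on it."
}
elseif (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    # Scope the rule to one adapter, one port, and one source range
    # instead of opening the port on every adapter of the node.
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $AppPort -InterfaceAlias $AppAdapter `
        -RemoteAddress $AllowedSources | Out-Null
    Write-Output "Created rule '$RuleName' on adapter '$AppAdapter'."
}

# A nonzero exit code marks the task as failed when an unexpected
# exclusion was found, so the node is not silently brought online.
if ($unexpected.Count -gt 0) { exit 1 }
```

Run the script from an elevated session; creating firewall rules requires administrator rights on the node.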