Vantage Security Groups | Teradata VantageCloud Enterprise on AWS (DIY) - Security Groups for Teradata Vantage - Teradata® VantageCloud Enterprise on AWS

VantageCloud Enterprise on AWS (DIY) Installation and Administration Guide - 2.4

Deployment
VantageCloud
Edition
Enterprise
Product
Teradata® VantageCloud Enterprise on AWS
Release Number
2.4
Published
April 2024
Language
English (United States)
Last Update
2024-07-15
dita:mapPath
kma1662437965174.ditamap
dita:ditavalPath
nat1649317391363.ditaval
dita:id
jnv1467245119674
Product Category
Cloud

When configuring a security group for Vantage, set up the port ranges listed here for each Vantage instance so Vantage can be locked down to the local host. Port 1025 is blocked in the local instance until the DBC password is changed. If you are deploying a Teradata ecosystem, do not delete or modify the self-reference rule that is created for internal security group communication.

By default, NTP uses the Amazon Time Sync Service on a local IP. If you must use different NTP servers, make sure the VPC ACL setting is not blocking UDP port 123 for outbound traffic.

When deploying a Vantage MPP instance using AWS CloudFormation, access is restricted to IP addresses in the CIDR block specified in the Remote Access From parameter. If you have other Teradata software instances residing outside that IP range, you can edit the security group after deploying to add the necessary IP addresses. Teradata software instances that may need access to the Vantage MPP instance include:
  • Teradata Data Mover (DIY)
  • Teradata Data Stream Controller (DIY)
  • Teradata Query Service (DIY)
  • Teradata Server Management (DIY)
  • Teradata Viewpoint (DIY)

If you are not deploying a Vantage MPP instance using a Teradata ecosystem solution template or deploying Vantage separately, you must add inbound TCP 22 and UDP 1001-1002 ports.

Direction Protocol Port Range Description
Inbound TCP 22 SSH
TCP 1025 Vantage Service to AWS
  3015 Access to the CNS subsystem
TCP 64432 If using mainframe connectivity
UDP 1001-1002 If using non-traditional deployment methods (internal only)
Outbound UDP 123 NTP, required when not using Amazon Time Sync Service