[Yandex Cloud documentation](../../../index.md) > [Yandex MetaData Hub](../../index.md) > Apache Hive™ Metastore > Step-by-step guides > Configuring security groups

# Configuring Apache Hive™ Metastore cluster security groups

If your cloud network uses [security groups](../../../vpc/concepts/security-groups.md), they can hinder the Apache Hive™ Metastore cluster performance. In which case you need to configure the security group assigned to the Apache Hive™ Metastore cluster by [adding](../../../vpc/operations/security-group-add-rule.md) the following rules for incoming traffic to it:

* For incoming service traffic:

   * **Port range**: `30000-32767`
   * **Protocol**: `TCP`
   * **Source**: `Security group`
   * **Security group**: `Current`

* For incoming traffic from clients over Thrift:

   * **Description**: `thrift`
   * **Port range**: `9083`
   * **Protocol**: `TCP`
   * **Source**: `CIDR`
   * **CIDR blocks**: `0.0.0.0/0`

* For incoming traffic from clients over REST:

   * **Description**: `iceberg rest (4.2+)`
   * **Port range**: `9001`
   * **Protocol**: `TCP`
   * **Source**: `CIDR`
   * **CIDR blocks**: `0.0.0.0/0`

* For incoming load balancer traffic:
   * **Protocol**: `Any`
   * **Source**: `Load balancer healthchecks`

If you plan to use multiple security groups for a cluster, enable all traffic between these groups.

{% note info %}

You can specify more granular rules for your security groups, e.g., to allow traffic only in specific subnets.

{% endnote %}

_Apache® and [Apache Hive™](https://hive.apache.org/) are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries._