1. Select the EC2 instance. In the Description tab there is a 'Security groups' label;
choose 'view rules' to find out which security group is applied to the instance.
2. Select the security group from the navigation pane on the left,
then edit the Inbound rules (i.e. set up the port, IP range, etc.).
3. Make sure the default ports 54310 (for the NameNode) and 54311 (for the JobTracker) are open between the Hadoop nodes.
For example, if the internal IPs of the nodes are 172.41.36.1, 172.41.36.2, 172.41.36.3, ...,
then allow ports 54310 and 54311 inbound from 172.41.36.0/24 (i.e. 172.41.36.0 / 255.255.255.0).
4. To view the web interfaces for the JobTracker, NameNode and TaskTracker, also allow inbound from your local laptop IP (or everywhere) on ports 50070, 50030 and 50060:
http://master:50070 -> Namenode daemon
http://master:50030 -> Jobtracker daemon
http://master:50060 -> Tasktracker daemon
Don't worry about outbound, as it is open to everything.
If the firewall is not set up properly, start-dfs and start-mapred may still launch successfully with all the nodes started. But if you check the NameNode daemon web interface, only the master node is listed there (Node = 1). If the firewall is set up properly, the interface should show exactly the number of nodes available.
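
The following is an added example, not part of the original notes: it audits a security group's inbound rules against steps 3 and 4, reporting cluster ports that a node cannot reach (the cause of the "Node = 1" symptom) and ports open to every address. It assumes the rules are given in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function names and sample rules are constructed for illustration, and rules that reference other security groups or IPv6 ranges are not evaluated.

```python
import ipaddress

CLUSTER_PORTS = (54310, 54311)        # NameNode, JobTracker (step 3)
WEB_UI_PORTS = (50070, 50030, 50060)  # web interfaces (step 4)

def sources(perms, port):
    """Return the IPv4 networks allowed to reach TCP `port`."""
    nets = []
    for p in perms:
        proto = p.get("IpProtocol")
        if proto == "-1":              # "all traffic" rule, no port fields
            covered = True
        elif proto == "tcp":
            covered = p["FromPort"] <= port <= p["ToPort"]
        else:
            covered = False
        if covered:
            nets += [ipaddress.ip_network(r["CidrIp"])
                     for r in p.get("IpRanges", [])]
    return nets

def audit(perms, node_ips):
    """List rule gaps that would hide nodes, and ports open to everyone."""
    findings = []
    for port in CLUSTER_PORTS:
        nets = sources(perms, port)
        for ip in node_ips:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(f"port {port}: node {ip} not allowed")
    for port in CLUSTER_PORTS + WEB_UI_PORTS:
        if any(n.prefixlen == 0 for n in sources(perms, port)):
            findings.append(f"port {port}: open to 0.0.0.0/0")
    return findings

# Constructed sample: the 54311 rule is missing, 50070 is open to everywhere.
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 54310, "ToPort": 54310,
     "IpRanges": [{"CidrIp": "172.41.36.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 50070, "ToPort": 50070,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
NODE_IPS = ["172.41.36.1", "172.41.36.2", "172.41.36.3"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PERMS, NODE_IPS):
        print(finding)
```

An empty result means every listed node can reach ports 54310 and 54311 and none of the five ports is exposed to all addresses.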