Setting Security Group Rules for a GeminiDB DynamoDB-Compatible Instance
A security group is a collection of access control rules for ECSs and GeminiDB DynamoDB-Compatible instances that have the same security requirements and are mutually trusted in a VPC.
To ensure database security and stability, you need to set a security group and add IP addresses and ports that can access the database before using GeminiDB DynamoDB-Compatible instances.
This section describes how to set security group rules for a GeminiDB DynamoDB-Compatible instance that is connected over a private or public network.
Usage Notes
- By default, a tenant can create a maximum of 500 security group rules.
- Too many security group rules will increase the first packet latency. You are advised to create a maximum of 50 rules for each security group.
- Currently, each instance can be bound to only one security group.
- Table 1 describes the security group rules required for connecting to an instance over a private or public network.
Table 1 Security group rules

Scenario: Connecting to an instance over a private network
Description: When connecting to a GeminiDB DynamoDB-Compatible instance over a private network, set security group rules in either of the following ways:
- If the ECS and GeminiDB DynamoDB-Compatible instance are in the same security group, they can communicate with each other by default. No security group rule needs to be set.
- If they are in different security groups, you need to set security group rules for both of them.
  - Set an inbound rule for the GeminiDB DynamoDB-Compatible instance by following Procedure.
  - The default security group rule allows all outbound data packets, so you do not need to set an outbound rule for the ECS. If not all outbound traffic is allowed in the security group, set an outbound rule for the ECS.

Scenario: Connecting to an instance over a public network
Description: Set an inbound rule when connecting to a GeminiDB DynamoDB-Compatible instance over a public network by following Procedure.
Procedure
- Log in to the Huawei Cloud console.
- On the Instances page, click the target instance to go to the Basic Information page.
- Set security group rules.
Method 1:
In the Network Information area on the Basic Information page, click the security group.
Figure 1 Security group
- Add an inbound rule.
- Click the Inbound Rules tab.
Figure 2 Inbound rule
- Click Add Rule. The Add Inbound Rule dialog box is displayed.
Figure 3 Adding a rule
- Add a security group rule as prompted.
Table 2 Inbound rule settings

Parameter: Protocol & Port
Description:
- Protocol: Currently, the GeminiDB DynamoDB-Compatible API supports only TCP.
- Port: The port (1 to 65535) for accessing the ECS.
Example Value: TCP

Parameter: Type
Description: IP address type. This parameter is available after IPv6 is enabled.
- IPv4
- IPv6
Example Value: IPv4

Parameter: Source
Description: The source can be an IP address, a security group, or an IP address group, which allows access from IP addresses or instances in other security groups. For example:
- xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (subnet)
- 0.0.0.0/0 (any IP address)
- sg-abc (security group)
Example Value: 0.0.0.0/0

Parameter: Description
Description: (Optional) Provides supplementary information about the security group rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
Example Value: -
- Click the Inbound Rules tab.
- Click OK.
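Before adding rules in the console, it helps to check a planned rule set against the limits this page states (TCP only, port 1 to 65535, source as a CIDR or security group, description up to 255 characters without angle brackets, and the advised maximum of 50 rules per group) and to flag any rule whose source admits every address. The following validator is an added example, not Huawei Cloud code; the rule dictionary layout, the sg- ID pattern and the sample port value are assumptions.

```python
import ipaddress
import re

# Added example: checks inbound rules against the constraints listed on this page.
# The rule dictionary shape and the "sg-" ID pattern are assumptions, not a Huawei Cloud API.
MAX_RULES_PER_GROUP = 50  # advised maximum from the Usage Notes
SG_ID = re.compile(r"^sg-[A-Za-z0-9]+$")  # assumed security-group ID format (e.g. sg-abc)

def check_rule(rule):
    """Return a list of problems for one inbound rule; an empty list means it is acceptable."""
    problems = []
    if rule.get("protocol") != "TCP":
        problems.append("protocol must be TCP (only TCP is supported)")
    port = rule.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer in 1..65535")
    src = rule.get("source", "")
    if not SG_ID.match(src):
        try:
            net = ipaddress.ip_network(src, strict=False)
            want = 4 if rule.get("type", "IPv4") == "IPv4" else 6
            if net.version != want:
                problems.append(f"source is IPv{net.version} but rule type is IPv{want}")
            elif net.prefixlen == 0:
                # 0.0.0.0/0 (or ::/0) admits every address; flag it for review
                problems.append("source admits any address; restrict to known clients")
        except ValueError:
            problems.append("source must be a CIDR (e.g. x.x.x.x/32) or a security group ID")
    desc = rule.get("description", "")
    if len(desc) > 255 or "<" in desc or ">" in desc:
        problems.append("description must be <= 255 chars and contain no angle brackets")
    return problems

def check_group(rules):
    """Check a whole group: {rule index: problems}, plus '_group' if over the advised rule count."""
    report = {i: p for i, r in enumerate(rules) if (p := check_rule(r))}
    if len(rules) > MAX_RULES_PER_GROUP:
        report["_group"] = [f"{len(rules)} rules exceeds advised maximum of {MAX_RULES_PER_GROUP}"]
    return report

# Constructed sample rules; the port number 8000 is a placeholder, not the instance's real port
SAMPLE_RULES = [
    {"protocol": "TCP", "port": 8000, "type": "IPv4", "source": "192.0.2.10/32", "description": "app server"},
    {"protocol": "TCP", "port": 8000, "type": "IPv4", "source": "0.0.0.0/0", "description": "temporary"},
    {"protocol": "UDP", "port": 70000, "type": "IPv4", "source": "not-a-cidr", "description": "<bad>"},
]

if __name__ == "__main__":
    for idx, probs in check_group(SAMPLE_RULES).items():
        print(idx, probs)
```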