Configuring Security Group Rules
Scenarios
A security group is a collection of access control rules for ECSs and instances that have the same security requirements and are mutually trusted in a VPC. To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access instances.
Check whether the ECS and instance are in the same security group.
- If they are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
- If they are in different security groups, you need to configure security group rules for the ECS and instance, respectively.
- Instance: Configure an inbound rule for the security group to which the instance is associated.
- ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all outbound traffic is allowed in the security group, you may need to configure an outbound rule for the ECS to allow all outbound packets.
You can configure an inbound rule for an instance.
Precautions
The default security group rule allows all outbound data packets. If an ECS and an instance are in the same security group, they can access each other. When a security group is created, you can configure security group rules to control access to and from instances associated with that security group.
- By default, you can create up to 500 security group rules.
- Too many security group rules will increase the first packet latency. You are advised to create up to 50 rules for each security group.
- To access an instance from resources outside the security group, you need to configure an inbound rule for the security group associated with the instance.
To ensure data and instance security, use permissions properly. You are advised to use the minimum access permission, change the default database port 3306, and set the accessible IP address to the remote server's address or the remote server's minimum subnet address to control the access scope of the remote server.
If you use 0.0.0.0/0, all IP addresses can access instances associated with the security group.
Procedure
- Log in to the management console.
- Click in the upper left corner and select a region and a project.
- Click in the upper left corner of the page, choose .
- On the Instances page, click the instance name to go to the Basic Information page.
- Configure security group rules.
In the Network Information area on the Basic Information page, click the security group name next to the Security Group field.
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure required parameters and click OK.
You can click to add more inbound rules.
Table 1 Inbound rule parameter description Parameter
Description
Example Value
Protocol & Port
Network protocol for which the security group rule takes effect.
- Currently, the value can be All, TCP (All ports), TCP (Custom ports), UDP (All ports), UDP (Custom ports), ICMP, GRE, or others.
- All: indicates all protocol ports are supported.
TCP (Custom ports)
Port: the port over which the traffic can reach your DB instance.
When connecting to the instance through a private network, enter the port of the instance.
- Individual port: Enter a port, such as 22.
- Consecutive ports: Enter a port range, such as 22-30.
- All ports: Leave it empty or enter 1-65535.
Type
Currently, only IPv4 and IPv6 are supported.
IPv4
Source
Source of the security group rule. The value can be a security group or an IP address.
xxx.xxx.xxx.xxx/32 (IPv4 address)
xxx.xxx.xxx.0/24 (subnet)
0.0.0.0/0 (any IP address)
0.0.0.0/0
Description
Supplementary information about the security group rule. This parameter is optional.
The description can contain up to 255 characters and cannot contain angle brackets (<>).
-
Operation
You can replicate or delete a security group rule. However, if there is only one security group rule, you cannot delete it.
-
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.