Updated on 2023-10-18 GMT+08:00

Configuring Security Group Rules

Scenarios

A security group is a collection of access control rules for ECSs and instances that have the same security requirements and are mutually trusted in a VPC.

To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access instances.

When you attempt to access an instance through an EIP, you need to configure an inbound rule for the security group associated with the instance.

Precautions

The default security group rule allows all outbound data packets. If an ECS and an instance are in the same security group, they can access each other. When a security group is created, you can configure security group rules to control access to and from instances associated with that security group.

  • By default, you can create up to 500 security group rules.
  • Too many security group rules will increase the first packet latency. You are advised to create up to 50 rules for each security group.
  • To access an instance from resources outside the security group, you need to configure an inbound rule for the security group associated with the instance.

To ensure data and instance security, use permissions properly. You are advised to use the minimum access permission, change the default database port 3306, and set the accessible IP address to the remote server's address or the remote server's minimum subnet address to control the access scope of the remote server.

If you use 0.0.0.0/0, all IP addresses can access instances associated with the security group.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page, choose Database > GaussDB(for MySQL).
  4. On the Instances page, click the instance name to go to the Basic Information page.
  5. Configure security group rules.

    In the Network Information area on the Basic Information page, click the security group name next to the Security Group field.

  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure required parameters and click OK.

    You can click + to add more inbound rules.

    Table 1 Inbound rule parameter description

    Parameter

    Description

    Example Value

    Protocol & Port

    Network protocol for which the security group rule takes effect.

    • Currently, the value can be All, TCP (All ports), TCP (Custom ports), UDP (All ports), UDP (Custom ports), ICMP, GRE, or others.
    • All: indicates all protocol ports are supported.

    TCP (Custom ports)

    Port: the port over which the traffic can reach your DB instance.

    When connecting to the DB instance through a public network, enter the port of the DB instance.

    • Individual port: Enter a port, such as 22.
    • Consecutive ports: Enter a port range, such as 22-30.
    • All ports: Leave it empty or enter 1-65535.

    Address

    Source of the security group rule. The value can be a security group or an IP address.

    xxx.xxx.xxx.xxx/32 (IPv4 address)

    xxx.xxx.xxx.0/24 (subnet)

    0.0.0.0/0 (any IP address)

    0.0.0.0/0

    Description

    Supplementary information about the security group rule. This parameter is optional.

    The description can contain up to 255 characters and cannot contain angle brackets (<>).

    -

    Operation

    You can replicate or delete a security group rule. However, if there is only one security group rule, you cannot delete it.

    -