Updated on 2022-09-20 GMT+08:00

Configuring a Security Group

A security group is a collection of access control rules for ECSs and DDS instances that have the same security protection requirements and are mutually trusted in a VPC.

To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access DDS instances.

To access an instance from the Internet, add an inbound rule for the security group associated with the instance.

Precautions

  • By default, an account can create up to 500 security group rules.
  • Too many security group rules will increase the first packet latency, so a maximum of 50 rules for each security group is recommended.
  • One DDS instance can be associated only with one security group.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page and choose Databases > Document Database Service.
  4. On the Instances page, click the instance name. The Basic Information page is displayed.
  5. In the Network Information area on the Basic Information page, click the security group.

    Figure 1 Security Group

    You can also choose Connections in the navigation pane on the left. On the Public Connection tab, in the Security Group area, click the security group name.

  6. On the Security Group page, locate the target security group and click Manage Rule in the Operation column.
  7. On the Inbound Rules tab, click Add Rule. The Add Inbound Rule dialog box is displayed.
  8. Add a security group rule as prompted.

    Figure 2 Add Inbound Rule
    Table 1 Inbound rule settings

    Parameter: Priority
    Description: The priority of the security group rule. The value ranges from 1 to 100. The default value is 1, which is the highest priority; a rule with a smaller value has a higher priority.
    Example Value: 1

    Parameter: Action
    Description: The action of the security group rule (Allow or Deny). If two rules have the same priority, a rule with a Deny action overrides a rule with an Allow action.
    Example Value: Allow

    Parameter: Protocol & Port
    Description: The network protocol required for access. The option can be All, TCP, UDP, ICMP, or GRE.
    Port: the port on which access to DDS is allowed. The default value is 8635. Available ports: 2100 to 9500, and 27017 to 27019.
    Example Value: TCP, 8635

    Parameter: Type
    Description: IP address type. Currently, only IPv4 is supported.
    Example Value: IPv4

    Parameter: Source
    Description: The source of the traffic the rule applies to: an IP address, an IP address segment, a security group, or an IP address group. This allows access from the specified IP addresses or from instances in another security group. Examples:
    • Single IP address: 192.168.10.10/32
    • IP address segment: 192.168.1.0/24
    • All IP addresses: 0.0.0.0/0
    • Security group: sg-abc
    • IP address group: ipGroup-test
    If you enter a security group, the rule applies to all ECSs associated with that security group.
    Example Value: 0.0.0.0/0

    Parameter: Description
    Description: (Optional) Supplementary information about the security group rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
    Example Value: -

  9. Click OK.
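As an added illustration (not part of this documentation), the following Python script checks a proposed inbound rule against the constraints listed in Table 1 and works out which action a security group applies to a connection, using the priority ordering and the deny-overrides-allow behaviour described above. It assumes that inbound traffic matched by no rule is dropped, and it matches only CIDR sources, since security group and IP address group membership cannot be resolved offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOCOLS = {"All", "TCP", "UDP", "ICMP", "GRE"}
DDS_PORT_RANGES = ((2100, 9500), (27017, 27019))   # ports an inbound DDS rule may use (Table 1)

@dataclass(frozen=True)
class InboundRule:
    priority: int          # 1..100; 1 is the highest priority
    action: str            # "Allow" or "Deny"
    protocol: str          # All, TCP, UDP, ICMP or GRE
    port: Optional[int]    # None when the rule carries no port
    source: str            # IPv4 address/CIDR, "sg-..." or "ipGroup-..."
    description: str = ""

def _is_ipv4_cidr(text: str) -> bool:
    try:
        return ipaddress.ip_network(text, strict=False).version == 4   # Type: IPv4 only
    except ValueError:
        return False

def validate_rule(rule: InboundRule) -> List[str]:
    """List the Table 1 constraints the rule violates; an empty list means the rule is valid."""
    problems = []
    if not 1 <= rule.priority <= 100:
        problems.append("priority must be between 1 and 100")
    if rule.protocol not in PROTOCOLS:
        problems.append("protocol must be All, TCP, UDP, ICMP or GRE")
    if rule.port is not None and not any(lo <= rule.port <= hi for lo, hi in DDS_PORT_RANGES):
        problems.append("port must be in 2100-9500 or 27017-27019")
    if not (rule.source.startswith(("sg-", "ipGroup-")) or _is_ipv4_cidr(rule.source)):
        problems.append("source must be an IPv4 address/CIDR, a security group or an IP address group")
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        problems.append("description: at most 255 characters, no angle brackets")
    return problems

def decide(rules: List[InboundRule], src_ip: str, port: int) -> str:
    """Action applied to TCP traffic from src_ip to port: the lowest priority value wins and,
    at equal priority, a Deny overrides an Allow. Only CIDR sources are matched here;
    sg-/ipGroup- sources would need a membership lookup."""
    ip = ipaddress.ip_address(src_ip)
    hits = [r for r in rules if r.protocol in ("All", "TCP") and r.port in (None, port)
            and _is_ipv4_cidr(r.source) and ip in ipaddress.ip_network(r.source, strict=False)]
    if not hits:
        return "Deny"   # assumption: inbound traffic that no rule allows is dropped
    best = min(r.priority for r in hits)
    return "Deny" if any(r.action == "Deny" for r in hits if r.priority == best) else "Allow"
```

Running `decide` over a group that allows 0.0.0.0/0 on 8635 at priority 1 and denies one subnet at the same priority shows that the subnet is blocked even though a broader Allow exists.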