Configuring Security Group Rules
A security group is a collection of access control rules for ECSs and DDS instances that have the same security protection requirements and are mutually trusted in a VPC.
To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access DDS instances.
You can connect to an instance by configuring security group rules in the following two ways:
- If the ECS and instance are in the same security group, they can communicate with each other by default. No security group rule needs to be configured. Go to Connecting to a Cluster Instance Using Mongo Shell (Private Network).
Figure 1 Same security group
- If the ECS and instance are in different security groups, you need to configure security group rules for them, separately.
Figure 2 Different security groups
- Instance: Configure an inbound rule for the security group associated with the instance.
- ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all traffic is allowed to reach the instance, configure an outbound rule for the ECS.
This section describes how to configure an inbound rule for an instance.
Precautions
- By default, an account can create up to 500 security group rules.
- Too many security group rules will increase the first packet latency, so a maximum of 50 rules for each security group is recommended.
- One DDS instance can be associated only with one security group.
Procedure
- Log in to the management console.
- Click in the upper left corner and select a region and a project.
- Click in the upper left corner of the page and choose Databases > Document Database Service.
- On the Instances page, click the instance name. The Basic Information page is displayed.
- In the Network Information area on the Basic Information page, click the security group.
Figure 3 Security Group
You can also choose Connections in the navigation pane on the left. On the Private Connection tab, in the Security Group area, click the security group name.
- On the Security Group page, locate the target security group and click Manage Rule in the Operation column.
- On the Inbound Rules tab, click Add Rule. The Add Inbound Rule dialog box is displayed.
- Add a security group rule as prompted.
Figure 4 Add Inbound Rule
Table 1 Inbound rule settings
Columns: Parameter, Description, Example

Priority
Description: The security group rule priority. The value ranges from 1 to 100. The default priority is 1, which is the highest priority; a rule with a smaller value has a higher priority.
Example: 1

Action
Description: The action of the security group rule. If two rules have the same priority, a rule with the Deny action overrides one with the Allow action.
Example: Allow

Protocol & Port
Description: Protocol: the network protocol required for access. Available options: All, TCP, UDP, ICMP, or GRE. Port: the port on which you want to allow access to DDS. The default value is 8635. Available ports: 2100 to 9500, and 27017 to 27019.
Example: TCP, 8635

Type
Description: IP address type. Currently, only IPv4 is supported.
Example: IPv4

Source
Description: The source allowed to access the instance: an IP address, a security group, or an IP address group. This allows access from specific IP addresses or from instances in another security group. Examples:
- Single IP address: 192.168.10.10/32
- IP address segment: 192.168.1.0/24
- All IP addresses: 0.0.0.0/0
- Security group: sg-abc
- IP address group: ipGroup-test
If you enter a security group, all ECSs associated with that security group are subject to the created rule.
Example: 0.0.0.0/0

Description
Description: (Optional) Supplementary information about the security group rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
Example: -
- Click OK.
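As an added example (not part of this documentation page), the following Python models the rule semantics described in Table 1 and the Precautions: it checks a proposed inbound rule against the stated limits (priority 1 to 100, the two DDS port ranges, IPv4 only, description length and angle brackets) and works out which action wins when several rules match. It assumes the source is an IPv4 address or CIDR block (security group and IP address group names are not handled), that unmatched inbound traffic is denied, and the 0.0.0.0/0 advisory is the example's own check rather than a constraint from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Port ranges DDS accepts for an inbound rule, as listed in Table 1.
ALLOWED_PORT_RANGES = [(2100, 9500), (27017, 27019)]

@dataclass
class InboundRule:
    priority: int            # 1 to 100; a smaller value has higher priority
    action: str              # "Allow" or "Deny"
    protocol: str            # "TCP", "UDP", "ICMP", "GRE" or "All"
    port: Optional[int]      # None when the protocol carries no port (All, ICMP, GRE)
    source: str              # IPv4 address or CIDR block only (assumption), e.g. "192.168.1.0/24"
    description: str = ""

def check_rule(rule: InboundRule) -> list[str]:
    """Return Table 1 constraints the rule violates, plus an advisory for 0.0.0.0/0 (empty = OK)."""
    findings = []
    if not 1 <= rule.priority <= 100:
        findings.append("priority must be between 1 and 100")
    if rule.action not in ("Allow", "Deny"):
        findings.append("action must be Allow or Deny")
    if rule.port is not None and not any(lo <= rule.port <= hi for lo, hi in ALLOWED_PORT_RANGES):
        findings.append("port must be within 2100-9500 or 27017-27019")
    try:
        net = ipaddress.ip_network(rule.source, strict=False)
        if net.version != 4:
            findings.append("only IPv4 sources are supported")
        elif rule.action == "Allow" and net.prefixlen == 0:  # example's own advisory, not a page rule
            findings.append("advisory: 0.0.0.0/0 exposes the port to every address; narrow the source")
    except ValueError:
        findings.append("source must be an IPv4 address or CIDR block")
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        findings.append("description must be at most 255 characters with no angle brackets")
    return findings

def _matches(rule: InboundRule, src_ip: str, protocol: str, port: int) -> bool:
    net = ipaddress.ip_network(rule.source, strict=False)
    return (rule.protocol in ("All", protocol) and (rule.port is None or rule.port == port)
            and ipaddress.ip_address(src_ip) in net)

def evaluate(rules: list[InboundRule], src_ip: str, protocol: str, port: int) -> str:
    """Decide Allow or Deny for one inbound connection: only matching rules with the smallest
    priority value count, a Deny among them overrides an Allow, and no match means Deny (assumed)."""
    matched = [r for r in rules if _matches(r, src_ip, protocol, port)]
    if not matched:
        return "Deny"
    top = min(r.priority for r in matched)
    return "Deny" if any(r.action == "Deny" for r in matched if r.priority == top) else "Allow"
```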