Updated on 2025-08-18 GMT+08:00

Configuring Security Group Rules for a GaussDB Instance

Scenarios

A security group is a collection of access control rules for ECSs and GaussDB instances that are within the same VPC, have the same security requirements, and are mutually trusted.

To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access the GaussDB instances.

  • When you attempt to connect to a GaussDB instance through a private network, check whether the ECS and GaussDB instance are in the same security group.
    • If they are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
    • If they are in different security groups, you need to configure security group rules for the ECS and GaussDB instance, respectively.
      • GaussDB instance: Configure an inbound rule for the security group with which the GaussDB instance is associated.
      • ECS: The default security group rule allows all outgoing data packets. In this case, you do not need to configure a security group rule for the ECS. If not all outbound traffic is allowed in the security group, you need to configure an outbound rule for the ECS to allow all outbound packets.
  • When you attempt to connect to a GaussDB instance using an EIP, you need to configure an inbound rule for the security group associated with the instance.

Precautions

The default security group rule allows all outbound data packets. This means that ECSs and GaussDB instances associated with the same security group can access each other by default. After a security group is created, you can add security group rules to control the access from and to the GaussDB instance.

  • By default, you can create up to 500 security group rules.
  • Ensure that each security group has no more than 50 rules.
  • To access a GaussDB instance from resources outside the security group, configure an inbound rule for the security group associated with the instance.
  • Outbound rules typically do not apply to DB instances. The rules are used only when a DB instance acts as a client.
  • If a DB instance resides in a VPC but is not publicly accessible, you can also use a VPN connection to connect to it.
  • If you need to change the security group when creating a distributed instance, ensure that the TCP ports in the inbound rule include the following: 40000-60480, 20050, 5000-5001, 2379-2380, 6000, 6500, and <database_port>-(<database_port> + 100). (For example, if the database port is 8000, the security group must contain ports 8000 to 8100.) Additionally, ensure that the outbound rules allow all outbound traffic.
  • If you need to change the security group when creating a centralized instance, ensure that the TCP ports in the inbound rule include the following: 20050, 5000-5001, 2379-2380, 6000, 6500, and <database_port>-(<database_port> + 100). (For example, if the database port is 8000, the TCP ports for the security group must include 8000-8100.)
  • The default value of Source is 0.0.0.0/0, indicating that all IP addresses can access the GaussDB instance as long as they are associated with the same security group as the instance.
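The following Python script is an added example, not Huawei Cloud code: it calls no GaussDB or VPC API and works on rule records constructed below to mirror the console's Protocol & Port, Type and Source columns. Given the instance type and database port, it computes the inbound TCP ranges the two bullets above require, reports which required ports the existing inbound rules still leave uncovered, and flags rules whose Source is 0.0.0.0/0 or ::/0 so they can be narrowed to a /32 or subnet before the instance is created. The rule list and the 192.0.2.0/24 source are constructed sample values.

```python
"""Check a GaussDB security group's inbound rules against the port list on this
page.  Added example, not Huawei Cloud code: it talks to no API and works on
rule records constructed below to mirror the console's Protocol & Port,
Type and Source columns."""
import ipaddress

# TCP ports the page lists per instance type, before the database port range.
FIXED_PORTS = {
    "distributed": [(40000, 60480), (20050, 20050), (5000, 5001),
                    (2379, 2380), (6000, 6000), (6500, 6500)],
    "centralized": [(20050, 20050), (5000, 5001), (2379, 2380),
                    (6000, 6000), (6500, 6500)],
}


def required_ranges(instance_type, database_port):
    """Inbound TCP ranges the page requires, including
    <database_port>-(<database_port> + 100)."""
    if instance_type not in FIXED_PORTS:
        raise ValueError(f"unknown instance type: {instance_type}")
    if not 1 <= database_port <= 65535 - 100:
        raise ValueError(f"database port out of range: {database_port}")
    return FIXED_PORTS[instance_type] + [(database_port, database_port + 100)]


def parse_port_spec(spec):
    """Console port text -> (low, high): '8000', '5000-5001' or 'All'."""
    if spec.strip().lower() == "all":
        return (1, 65535)
    if "-" in spec:
        low, high = spec.split("-", 1)
        return (int(low), int(high))
    return (int(spec), int(spec))


def merge_ranges(ranges):
    """Sort and coalesce overlapping or adjacent (low, high) ranges."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def uncovered(required, allowed):
    """Parts of each required range that no allowed (merged, sorted) range covers."""
    gaps = []
    for low, high in required:
        cursor = low
        for a_low, a_high in allowed:
            if a_high < cursor:
                continue
            if a_low > high:
                break
            if a_low > cursor:
                gaps.append((cursor, a_low - 1))
            cursor = max(cursor, a_high + 1)
            if cursor > high:
                break
        if cursor <= high:
            gaps.append((cursor, high))
    return gaps


def is_any_source(source):
    """True for 0.0.0.0/0 or ::/0; False for a narrower CIDR or a security group ID."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_inbound_rules(instance_type, database_port, rules):
    """Return the required ports still missing and the rules open to any source."""
    allowed, any_source = [], []
    for rule in rules:
        if rule["protocol"].strip().upper() not in ("TCP", "ALL"):
            continue  # UDP/ICMP/GRE rules carry no database traffic
        allowed.append(parse_port_spec(rule["port"]))
        if is_any_source(rule["source"]):
            any_source.append(rule)
    gaps = uncovered(required_ranges(instance_type, database_port),
                     merge_ranges(allowed))
    return {"missing": gaps, "any_source_rules": any_source}


# Constructed sample rules; 192.0.2.0/24 is a documentation prefix, not a real subnet.
SAMPLE_RULES = [
    {"protocol": "TCP", "port": "8000-8050", "type": "IPv4", "source": "192.0.2.0/24"},
    {"protocol": "TCP", "port": "20050", "type": "IPv4", "source": "192.0.2.0/24"},
    {"protocol": "TCP", "port": "5000-5001", "type": "IPv4", "source": "0.0.0.0/0"},
    {"protocol": "TCP", "port": "2379-2380", "type": "IPv4", "source": "192.0.2.0/24"},
    {"protocol": "ICMP", "port": "All", "type": "IPv4", "source": "192.0.2.0/24"},
]

if __name__ == "__main__":
    report = check_inbound_rules("centralized", 8000, SAMPLE_RULES)
    for low, high in report["missing"]:
        span = str(low) if low == high else f"{low}-{high}"
        print(f"missing inbound TCP {span}")
    for rule in report["any_source_rules"]:
        print(f"rule {rule['protocol']} {rule['port']} is open to any source ({rule['source']})")
```

For the sample rules and a centralized instance on port 8000, the report lists 6000, 6500 and 8051-8100 as missing and flags the 5000-5001 rule for its 0.0.0.0/0 source; switching the instance type to "distributed" adds 40000-60480 to the missing list. Only TCP and All rules count toward coverage, since the ports on this page are TCP ports.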

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > GaussDB.
  4. On the Instances page, click the name of the target instance to go to the Basic Information page.
  5. Configure security group rules.

    In the Security Group field of the Connection Information area, click the security group name.

  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure the required parameters and click OK.

    You can click + to add more inbound rules.

    Table 1 Inbound rule parameter description

    Protocol & Port
      Description: Network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others.
        Port: port or port range over which the traffic can reach your ECS. The value ranges from 1 to 65535.
        When connecting to your instance through a private network, enter the port used to connect to your instance.
      Example Value: TCP (Custom ports)

    Type
      Description: IP address type.
        • IPv4
        • IPv6
      Example Value: IPv4

    Source
      Description: Source of the security group rule. The value can be a security group or an IP address. Examples:
        • xxx.xxx.xxx.xxx/32 (IPv4 address)
        • xxx.xxx.xxx.0/24 (subnet)
        • 0.0.0.0/0 (any IP address)
      Example Value: 0.0.0.0/0

    Description
      Description: Provides supplementary information about the security group rule. This parameter is optional.
        The description can contain up to 255 characters and cannot contain angle brackets (<) or (>).
      Example Value: -