Updated on 2024-11-30 GMT+08:00

How Do I Configure a VPC Security Group to Allow Network Communication?

A VPC on the current cloud is isolated from external networks for security reasons. You cannot use an EIP outside a VPC (for example, an EIP of another cloud database or an on-premises database) to access DB instances inside the VPC. However, the DRS instance in the current VPC must be able to communicate with the source and destination databases to migrate data. Therefore, you need to set inbound or outbound rules for the security groups associated with the source database, destination database, and DRS instance. Inbound rules allow external access to the instance associated with the security group, and outbound rules allow the instance associated with the security group to access instances outside the security group.

Generally, when you create a task for migrating data to the cloud, the DRS instance and the destination database are in the same VPC by default and can communicate with each other. In this case, configure the rules of the security group associated with the source database, as described in Configuring the Security Group Associated with the Source Database, to allow traffic from the DRS instance IP address on the source database port, and configure the rules of the security group associated with the DRS instance (the destination database), as described in Configuring the Security Group Associated with the DRS Instance, to allow traffic to the IP address and port of the source database.

Similarly, when you create a task for migrating data out of the cloud, the DRS instance and the source database are in the same VPC by default and can communicate with each other. In this case, configure the rules of the security group associated with the destination database, as described in Configuring the Security Group Associated with the Destination Database, to allow traffic from the DRS instance IP address on the destination database port, and configure the rules of the security group associated with the DRS instance (the source database), as described in Configuring the Security Group Associated with the DRS Instance, to allow traffic to the IP address and port of the destination database.

This section uses RDS for MySQL as an example for both the source and destination databases.

Configuring the Security Group Associated with the DRS Instance

The outbound rules of the security group associated with the DRS instance must allow traffic to the IP addresses and ports of the source and destination databases, so that the DRS instance can access databases outside the security group.

  1. In the DRS task list, click the target task name.
  2. In the Replication Instance Details area on the Basic Information page, click the security group.

  3. On the basic information page of the security group, click the Outbound Rules tab.
  4. Click Add Rule.

    The outbound rules of the security group associated with the DRS instance must allow traffic to the IP addresses and ports of the source and destination databases. (Enter the IP addresses and ports of the destination and source databases.)

Configuring the Security Group Associated with the Destination Database

The inbound rules of the security group associated with the destination database must allow traffic from the DRS instance IP address on the destination database port, so that the DRS instance can access the destination database through that port.

  1. On the Instances page of RDS, click the target instance name.
  2. In the Connection Information area on the Basic Information page, click the security group.

  3. On the basic information page of the security group, click the Inbound Rules tab.
  4. Click Add Rule.

    The inbound rules of the security group associated with the destination database must allow traffic from the DRS instance IP address on the destination database port. (Enter the IP address of the DRS instance and the port of the destination database.)

Configuring the Security Group Associated with the Source Database

The inbound rules of the security group associated with the source database must allow traffic from the DRS instance IP address on the source database port, so that the DRS instance can access the source database through that port.

  1. On the Instances page of RDS, click the target instance name.
  2. In the Connection Information area on the Basic Information page, click the security group.

  3. On the basic information page of the security group, click the Inbound Rules tab.
  4. Click Add Rule.

    The inbound rules of the security group associated with the source database must allow traffic from the DRS instance IP address on the source database port. (Enter the IP address of the DRS instance and the port of the source database.)
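
The three procedures above can be checked offline before a task is started. The following Python sketch is an added example, not part of the original documentation or any DRS tooling: it derives the single-address rules the steps describe and compares them with a rule set exported from the console. The group labels, IPv4 addresses, and sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str      # "drs", "source-db" or "destination-db" (labels assumed here)
    direction: str  # "inbound" or "outbound"
    cidr: str       # remote address range the rule matches
    port: int       # TCP port

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def required_rules(drs_ip, source, destination):
    """Single-address rules for the three security groups; source and
    destination are (ip, port) tuples."""
    rules = []
    for group, (ip, port) in (("source-db", source), ("destination-db", destination)):
        rules.append(Rule("drs", "outbound", f"{ip}/32", port))      # DRS -> database
        rules.append(Rule(group, "inbound", f"{drs_ip}/32", port))   # database <- DRS
    return rules

def covers(rule, need):
    """True if an existing rule already permits the needed flow."""
    return ((rule.group, rule.direction, rule.port) ==
            (need.group, need.direction, need.port)
            and net(need.cidr).subnet_of(net(rule.cidr)))

def audit(existing, needed):
    """Return (missing, wider): flows no rule permits, and rules that permit a
    needed flow but match more than the single address the steps ask for."""
    missing = [n for n in needed if not any(covers(e, n) for e in existing)]
    wider = [e for e in existing
             if any(covers(e, n) and net(e.cidr) != net(n.cidr) for n in needed)]
    return missing, wider

# Constructed sample values (not from the page): MySQL on its default port 3306.
DRS_IP, SOURCE, DESTINATION = "192.168.0.10", ("10.1.1.5", 3306), ("192.168.0.20", 3306)
EXISTING = [
    Rule("drs", "outbound", "10.1.1.5/32", 3306),
    Rule("source-db", "inbound", "0.0.0.0/0", 3306),         # open to any address
    Rule("destination-db", "inbound", "192.168.0.10/32", 3306),
]

if __name__ == "__main__":
    missing, wider = audit(EXISTING, required_rules(DRS_IP, SOURCE, DESTINATION))
    for r in missing:
        print("add:    ", r)
    for r in wider:
        print("narrow: ", r)
```

With the sample data, the audit reports that the DRS outbound rule toward the destination database is missing and that the source database's inbound rule should be narrowed to the DRS instance IP address.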