Updated on 2024-09-25 GMT+08:00

Configuring Security Group Rules

A security group is a collection of access control rules for ECSs and DDS instances that have the same security protection requirements and are mutually trusted in a VPC.

To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access DDS instances.

You can connect to an instance by configuring security group rules in the following two ways:

  • If the ECS and instance are in different security groups, you need to configure security group rules for them separately.
    Figure 2 Different security groups
    • Instance: Configure an inbound rule for the security group associated with the instance.
    • ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all traffic is allowed to reach the instance, configure an outbound rule for the ECS.

This section describes how to configure an inbound rule for an instance.

Precautions

  • By default, an account can create up to 500 security group rules.
  • Too many security group rules will increase the first packet latency, so a maximum of 50 rules for each security group is recommended.
  • By default, one DDS instance is associated with only one security group.
  • DDS allows you to associate multiple security groups with a DB instance. You can apply for the service based on your service requirements. For better network performance, you are advised to select no more than five security groups.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and a project.
  3. Click in the upper left corner of the page and choose Databases > Document Database Service.
  4. On the Instances page, click the instance name. The Basic Information page is displayed.
  5. In the Network Information area on the Basic Information page, click the security group.

    Figure 3 Security Group

    You can also choose Connections in the navigation pane on the left. On the Private Connection tab, in the Security Group area, click the security group name.

    Figure 4 Security Group

  6. On the Security Group page, locate the target security group and click Manage Rule in the Operation column.
  7. On the Inbound Rules tab, click Add Rule. The Add Inbound Rule dialog box is displayed.
  8. Add a security group rule as prompted.

    Figure 5 Add Inbound Rule

    Table 1 Inbound rule settings (each entry lists the parameter, its description, and an example value)

    Priority
      Description: The security group rule priority. The priority value ranges from 1 to 100. The default priority is 1, which is the highest priority. A security group rule with a smaller value has a higher priority.
      Example: 1

    Action
      Description: The action taken by the security group rule. A rule with a deny action overrides another with an allow action if the two rules have the same priority.
      Example: Allow

    Protocol & Port
      Description: The network protocol required for access. Available options: TCP, UDP, ICMP, or GRE.
      Example: TCP

      Port: the port on which you wish to allow access to DDS. The default port is 8635. The port ranges from 2100 to 9500 or can be 27017, 27018, or 27019.
      Example: 8635

    Type
      Description: IP address type. Only IPv4 and IPv6 are supported.
      Example: IPv4

    Source
      Description: Specifies the source of the traffic: an IP address, a security group, or an IP address group. This allows access from the given IP addresses or from instances in another security group. Example:
      • Single IP address: 192.168.10.10/32
      • IP address segment: 192.168.1.0/24
      • All IP addresses: 0.0.0.0/0
      • Security group: sg-abc
      • IP address group: ipGroup-test

      If you enter a security group, all ECSs associated with that security group are covered by the created rule.

      For more information about IP address groups, see IP Address Group.
      Example: 0.0.0.0/0

    Description
      Description: (Optional) Supplementary information about the security group rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example: -

  9. Click OK.
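The rule table above states the constraints a rule must satisfy (priority 1 to 100, port 8635 or 2100 to 9500 or 27017/27018/27019, description of at most 255 characters without angle brackets) and the precedence semantics (a smaller priority value wins; at equal priority, deny overrides allow). The following is an added example, not Huawei Cloud code or a DDS API, that encodes those constraints as a pre-flight linter so a rule set can be checked before it is entered in the console, and that evaluates which action would apply to a given client address under the stated precedence. The rule set, the client addresses, and the helper names (InboundRule, validate_rule, lint_rule_set, effective_action) are constructed for this example; sources given as security group or IP address group names cannot be resolved offline and are skipped during evaluation.

```python
"""Added example (not Huawei Cloud's code): a pre-flight linter for DDS
security group inbound rules, encoding the constraints and precedence
semantics stated in the inbound rule table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port constraint from the "Protocol & Port" row: 2100-9500, or 27017/27018/27019.
# The DDS default port 8635 falls inside the first range.
ALLOWED_PORTS = set(range(2100, 9501)) | {27017, 27018, 27019}
# Recommended ceiling per security group, from the Precautions section.
RECOMMENDED_MAX_RULES = 50


@dataclass
class InboundRule:
    priority: int          # 1-100; a smaller value means a higher priority
    action: str            # "Allow" or "Deny"
    protocol: str          # "TCP", "UDP", "ICMP" or "GRE"
    port: Optional[int]    # None for protocols without a port (ICMP, GRE)
    ip_type: str           # "IPv4" or "IPv6"
    source: str            # CIDR, security group (sg-...) or IP address group name
    description: str = ""


def _as_network(source: str):
    """Parse a CIDR/IP source; return None for security group or IP group names."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def validate_rule(rule: InboundRule) -> List[str]:
    """Return the list of problems with a rule; an empty list means it passes."""
    problems: List[str] = []
    if not 1 <= rule.priority <= 100:
        problems.append(f"priority {rule.priority} is outside 1-100")
    if rule.action not in ("Allow", "Deny"):
        problems.append(f"unknown action {rule.action!r}")
    if rule.protocol not in ("TCP", "UDP", "ICMP", "GRE"):
        problems.append(f"unknown protocol {rule.protocol!r}")
    if rule.protocol in ("TCP", "UDP") and rule.port not in ALLOWED_PORTS:
        problems.append(f"port {rule.port} is not in 2100-9500 or 27017-27019")
    if rule.ip_type not in ("IPv4", "IPv6"):
        problems.append(f"unknown IP type {rule.ip_type!r}")
    net = _as_network(rule.source)
    if net is not None:
        expected = "IPv4" if net.version == 4 else "IPv6"
        if expected != rule.ip_type:
            problems.append(f"source {rule.source} is {expected} but type is {rule.ip_type}")
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 admits every address; surface it so it is a deliberate choice.
            problems.append(f"source {rule.source} allows access from any address; confirm this is intended")
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        problems.append("description exceeds 255 characters or contains < or >")
    return problems


def lint_rule_set(rules: List[InboundRule]) -> List[str]:
    """Lint a whole rule set: per-rule problems plus the recommended rule count."""
    problems = [f"rule {i}: {p}" for i, r in enumerate(rules) for p in validate_rule(r)]
    if len(rules) > RECOMMENDED_MAX_RULES:
        problems.append(f"{len(rules)} rules exceed the recommended maximum of {RECOMMENDED_MAX_RULES}")
    return problems


def effective_action(rules: List[InboundRule], client_ip: str, port: int) -> Optional[str]:
    """Decide which action applies to TCP traffic from client_ip to port.

    Implements the precedence stated in the table: the matching rule with the
    smallest priority value wins, and at equal priority a Deny overrides an
    Allow. Returns None when no CIDR-sourced rule matches.
    """
    ip = ipaddress.ip_address(client_ip)
    matches = []
    for r in rules:
        net = _as_network(r.source)
        if net is None or ip.version != net.version or ip not in net:
            continue
        if r.protocol == "TCP" and r.port == port:
            matches.append(r)
    if not matches:
        return None
    best = min(r.priority for r in matches)
    tied = [r for r in matches if r.priority == best]
    return "Deny" if any(r.action == "Deny" for r in tied) else "Allow"


if __name__ == "__main__":
    # Constructed sample rule set: allow the app subnet, deny one host at equal priority.
    rules = [
        InboundRule(1, "Allow", "TCP", 8635, "IPv4", "192.168.1.0/24", "app subnet"),
        InboundRule(1, "Deny", "TCP", 8635, "IPv4", "192.168.1.50/32", "quarantined host"),
        InboundRule(5, "Allow", "TCP", 8635, "IPv4", "0.0.0.0/0", "temporary"),
    ]
    for line in lint_rule_set(rules):
        print("lint:", line)
    print(effective_action(rules, "192.168.1.50", 8635))  # Deny: tie at priority 1, deny wins
    print(effective_action(rules, "10.0.0.7", 8635))      # Allow: only the 0.0.0.0/0 rule matches
```

Running the block prints one lint line for the 0.0.0.0/0 source and then the two evaluation results. The evaluation helper deliberately only models CIDR sources: a security group or IP address group source expands to whatever members it has at the time, which the console resolves and this offline check cannot.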