How Do I Configure a Security Group?
DCS Redis 3.0/4.0/5.0/6.0 and Memcached instances are deployed in different modes. Therefore, the access control method varies.
- To control access to DCS Redis 3.0, Memcached, and Redis 6.0 professional edition instances, you can use security groups. Whitelists are not supported. Security group operations are described in this section.
- To control access to DCS Redis 4.0/5.0/6.0 basic edition instances, you can use whitelists. Security groups are not supported. Whitelist operations are described in Managing IP Address Whitelist.
The following describes how to configure security groups for intra-VPC access and public access to DCS Redis 3.0, Memcached, and Redis 6.0 professional edition instances.
Intra-VPC Access to DCS Redis 3.0, Memcached, and Redis 6.0 Professional Edition Instances
To prevent cross-VPC access from increasing latency and affecting DCS instance performance, you can deploy your client on an ECS that is in the same VPC and subnet as the DCS instance.
In addition, you must configure correct rules for the security groups of both the ECS and DCS instance so that you can access the instance through your client.
- If the ECS and DCS instance are configured with the same security group, network access in the group is not restricted by default.
- If the ECS and DCS instance are configured with different security groups, add security group rules to ensure that the ECS and DCS instance can access each other.
- Suppose that the ECS on which the client runs belongs to security group sg-ECS, and the DCS instance that the client will access belongs to security group sg-DCS.
- The following uses port 6379 for DCS Redis 3.0 instances as an example. For other instances, use the actual port.
- The remote end is a security group or an IP address.
- Configuring security group for the ECS.
Add the following outbound rule to allow the ECS to access the DCS instance. Skip this rule if there are no restrictions on the outbound traffic.
- Configuring security group for the DCS instance.
To ensure that your client can access the DCS instance, add the following inbound rule to the security group configured for the DCS instance:
For the source IP address, use the specified IP address of the DCS instance. Avoid using 0.0.0.0/0 to prevent ECSs bound with the same security group from being attacked by Redis vulnerability exploits.
Public Access to DCS Redis 3.0 Instances
A client can access a DCS instance only after rules are correctly configured for the security group of the instance.
For example, for security group sg-DCS, you need to configure the following rules in the inbound direction:
Set the protocol to TCP and source IP address to 0.0.0.0/0 or a specified client address. If SSL is enabled, set the port number to 36379. If SSL is disabled, set the port number to 6379. See the following figure.
Security Group of a Migration Task
- When creating an online migration task, select a security group. Its outbound rules must allow traffic over the IP addresses and ports of the source and target Redis instances. By default, all outbound traffic is allowed.
- Backup import uses the default security group. Ensure that all outbound traffic is allowed (this is the default setting.)
Figure 2 Outbound rules of the migration security group
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot