Updated on 2023-11-21 GMT+08:00

Configuring Security Group Rules

A security group is a collection of access control rules for ECSs and GeminiDB Mongo instances that have the same security protection requirements and are mutually trusted in a VPC.

This section describes how to create a security group that allows specific IP addresses and ports to access GeminiDB Mongo API.

This section describes how to configure security group rules when you connect to a GeminiDB Mongo instance through a private or public network.

Precautions

  • By default, you can create up to 500 security group rules.
  • Too many security group rules increase first-packet latency, so no more than 50 rules per security group is recommended.
  • One security group can be associated with only one GeminiDB Mongo instance.
  • For details about how to configure security group rules, see Table 1.

    Table 1 Parameter description

    Scenario: Connecting to an instance over a private network
    Description: Check whether the ECS and the GeminiDB Mongo instance are in the same security group.
      • If the ECS and the GeminiDB Mongo instance are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
      • If the ECS and the GeminiDB Mongo instance are in different security groups, configure security group rules for the ECS and for the DB instance separately:
        • GeminiDB Mongo instance: Configure inbound rules for the security group associated with the instance. For details, see Procedure.
        • ECS: The default security group rule allows all outbound packets, so no outbound rule needs to be configured for the ECS. If the ECS's security group does not allow all outbound traffic, configure an outbound rule for the ECS.

    Scenario: Connecting to an instance over a public network
    Description: To access a GeminiDB Mongo instance over a public network, add an inbound rule to the security group associated with the instance. For details, see Procedure.

Procedure

  1. Log in to the management console.
  2. In the service list, choose Databases > GeminiDB Mongo API.
  3. On the Instances page, click the instance.
  4. Configure security group rules.

    Method 1

    In the Network Information area on the Basic Information page, click the security group.

    Figure 1 Security Group

    Method 2

    On the Basic Information page, choose Connections in the navigation pane on the left. In the Security Group area on the right, click the name of the security group. The Security Group page is displayed.

    Figure 2 Security Group

  5. Add an inbound rule.

    1. Click the Inbound Rules tab.
      Figure 3 Inbound rules
    2. Click Add Rule. The Add Inbound Rule dialog box is displayed.
      Figure 4 Adding a rule
    3. In the displayed dialog box, set required parameters.
      Table 2 Inbound rule settings

      Parameter: Protocol & Port
      Description:
        • Protocol: The network protocol required for access. Available options: All, TCP, UDP, ICMP, or GRE.
        • Port: The port (1 to 65535) for accessing the ECS.
      Example value: TCP

      Parameter: Type
      Description: IP address type. This parameter is available only after IPv6 is enabled.
        • IPv4
        • IPv6
      Example value: IPv4

      Parameter: Source
      Description: The IP address, IP address group, or security group that the rule applies to, which allows access from those IP addresses or from instances in another security group. Examples:
        • Single IP address: xxx.xxx.xxx.xxx/32 (IPv4)
        • Subnet: xxx.xxx.xxx.0/24
        • All IP addresses: 0.0.0.0/0
        • Security group: sg-abc
      Example value: 0.0.0.0/0

      Parameter: Description
      Description: (Optional) Supplementary information about the security group rule. It can contain up to 255 characters and cannot contain angle brackets (<>).
      Example value: -

  6. Click OK.
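The Table 1 decision (which rules to add for private-network access) and the Table 2 constraints on an inbound rule, as an added Python example for checking a planned rule before entering it in the console. This is not Huawei Cloud code; the rule dictionary layout, the "sg-" prefix for a security-group source and the source categories are this example's assumptions.

```python
import ipaddress

# Constraints come from Table 2 on this page; the rule dict layout and the
# source categories are this example's assumptions, not a Huawei Cloud API.
PROTOCOLS = {"All", "TCP", "UDP", "ICMP", "GRE"}

def classify_source(source):
    """Map a rule source onto the Table 2 categories; None if it is malformed."""
    if source.startswith("sg-"):  # assumed naming of a security-group source
        return "security group"
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    if net.prefixlen == 0:
        return "all IP addresses"  # 0.0.0.0/0 (or ::/0): open to every source
    if net.prefixlen == net.max_prefixlen:
        return "single IP address"  # /32 for IPv4, /128 for IPv6
    return "subnet"

def validate_inbound_rule(rule):
    """Return the Table 2 constraints the rule violates (empty list = valid)."""
    problems = []
    if rule.get("protocol") not in PROTOCOLS:
        problems.append("protocol must be one of All, TCP, UDP, ICMP, GRE")
    port = rule.get("port")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append("port must be an integer from 1 to 65535")
    source = rule.get("source", "")
    kind = classify_source(source)
    if kind is None:
        problems.append("source must be a CIDR block or a security group (sg-...)")
    elif kind != "security group":
        version = ipaddress.ip_network(source, strict=False).version
        if rule.get("type", "IPv4") != f"IPv{version}":
            problems.append(f"source is IPv{version} but type is {rule.get('type', 'IPv4')}")
    description = rule.get("description", "")
    if len(description) > 255 or "<" in description or ">" in description:
        problems.append("description must be at most 255 characters with no angle brackets")
    return problems

def rules_to_add(same_security_group, ecs_allows_all_outbound):
    """Apply the Table 1 decision for private-network access."""
    if same_security_group:
        return []  # same security group: nothing to configure
    needed = ["inbound rule on the instance security group"]
    if not ecs_allows_all_outbound:
        needed.append("outbound rule on the ECS security group")
    return needed
```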