Updated on 2024-04-16 GMT+08:00

Step 4: Add a Security Group Rule

Configure TCP (port 8000) and UDP (ports 7000 to 7100) in the security group inbound rule of the database audit instance to allow the agent to communicate with the audit instance.

This section describes how to configure TCP (port 8000) and UDP (ports 7000 to 7100) for a security group.

You can configure security group rules before or after installing an agent.

Prerequisites

  • You have purchased a database audit instance and the Status is Running.
  • You have added an agent to your database.

Adding a Security Group Rule

  1. Log in to the management console.
  2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
  3. In the navigation tree on the left, choose Database Audit > Databases.
  4. In the Instance drop-down list, select the instance to which you want to add the security group rule.
  5. Record the IP address of the agent node.

    Click next to the database to view the information of its agent, and record Installing Node IP Address, as shown in Figure 1.
    Figure 1 Installing Node IP Address

  6. Click Add Security Group Rule.
  7. In the displayed dialog box, record the security group name (for example, default) of the database audit instance, as shown in Figure 2.

    Figure 2 Adding a security group rule

  8. Click Go to VPC.
  9. In the security group list, enter the group name default in the search box in the upper right corner of the list, and click the search icon or press Enter. The group information is displayed in the list.
  10. Click the group name default.
  11. Click the Inbound Rules tab.

    Check whether the inbound rules of the security group allow TCP (port 8000) and UDP (ports 7000 to 7100) for the installing node IP address recorded in step 5.
    • If the inbound rules of the security group have been configured for the installing node, go to Downloading an Agent.
    • If no inbound rules of the security group have been configured for the installing node, go to step 12.

  12. Add an inbound rule for the installing node.

    1. On the Inbound Rules tab, click Add Rule.
      Figure 3 Adding rules
    2. In the Add Inbound Rule dialog box, add rules for TCP (port 8000) and UDP (ports 7000 to 7100) for the installing node IP address shown in Figure 1. See Figure 4.

      The source can be an IP address, an IP address segment, or a security group. Examples:

      • IP address: 192.168.10.10/32
      • IP address segment: 192.168.52.0/24
      • All IP addresses: 0.0.0.0/0
      • Security group: sg-abc
      Figure 4 Add Inbound Rule dialog box
    3. Click OK.

      After adding a security group rule, download and install the agent on a database or application, depending on the add mode you chose. Database audit can be enabled only if the audited object is connected to the database audit instance.
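
The check in step 11 can also be run offline against a list of inbound rules. The following is an added example, not part of the original documentation or the service's tooling: it reports which required ports are still closed to the installing node and which matching rules use the 0.0.0.0/0 source. The rule field names and the sample rules are constructed assumptions, not a console export format.

```python
import ipaddress

# Ports the page requires between the agent and the audit instance.
REQUIRED = [("tcp", 8000, 8000), ("udp", 7000, 7100)]

def admits(rule, proto, node_ip):
    """True if the rule's protocol matches and its CIDR source contains node_ip."""
    if rule["protocol"] != proto:
        return False
    try:
        net = ipaddress.ip_network(rule["source"], strict=False)
    except ValueError:
        return False  # e.g. a security group ID such as sg-abc: not resolvable offline
    return ipaddress.ip_address(node_ip) in net

def first_gap(intervals, lo, hi):
    """Return the first port in lo..hi not covered by the intervals, or None."""
    port = lo
    for start, end in sorted(intervals):
        if start > port:
            break
        port = max(port, end + 1)
        if port > hi:
            return None
    return port

def audit(rules, node_ip):
    """Return (missing, broad): first closed port per requirement, and 0.0.0.0/0 rules hit."""
    missing, broad = [], []
    for proto, lo, hi in REQUIRED:
        hits = [r for r in rules if admits(r, proto, node_ip)
                and r["port_max"] >= lo and r["port_min"] <= hi]
        gap = first_gap([(r["port_min"], r["port_max"]) for r in hits], lo, hi)
        if gap is not None:
            missing.append((proto, gap))
        broad += [r for r in hits if r["source"] == "0.0.0.0/0"]
    return missing, broad

# Constructed sample rules (field names are assumptions for this example).
SAMPLE_RULES = [
    {"protocol": "tcp", "port_min": 8000, "port_max": 8000, "source": "192.168.10.10/32"},
    {"protocol": "udp", "port_min": 7000, "port_max": 7050, "source": "192.168.10.0/24"},
    {"protocol": "udp", "port_min": 7051, "port_max": 7090, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, "192.168.10.10"))
```

Rules whose source is a security group are treated as not matching, because group membership cannot be resolved from the rule list alone.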