Updated on 2024-05-07 GMT+08:00

Configuring Security Group Rules

Scenarios

A security group is a collection of access control rules for ECSs and GaussDB instances that are within the same VPC, have the same security requirements, and are mutually trusted.

If you have been whitelisted to create an instance without specifying a security group, skip this section. In that case, no security group information is displayed in the DB instance information area.

To ensure database security and reliability, you need to configure security group rules to allow specific IP addresses and ports to access the GaussDB instances.

  • When you attempt to connect to a GaussDB instance through a private network, check whether the ECS and GaussDB instance are in the same security group.
    • If they are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
    • If they are in different security groups, you need to configure security group rules for the ECS and GaussDB instance, respectively.
      • GaussDB instance: Configure an inbound rule for the security group with which the GaussDB instance is associated.
      • ECS: The default security group rule allows all outbound traffic, so no rule is needed on the ECS side. If the ECS's security group does not allow all outbound traffic, add an outbound rule that lets the ECS reach the GaussDB instance (at minimum, TCP to the database port).
  • When you attempt to connect to a GaussDB instance using an EIP, you need to configure an inbound rule for the security group associated with the instance.

This section describes how to configure an inbound rule for a GaussDB instance.

For details about the requirements of security group rules, see Adding a Security Group Rule in the Virtual Private Cloud User Guide.

Precautions

By default, a security group allows all outbound traffic, and ECSs and GaussDB instances associated with the same security group can access each other. After a security group is created, you can add rules to control which traffic can reach the GaussDB instance and which traffic it can send.

  • By default, you can create up to 500 security group rules.
  • Ensure that each security group has no more than 50 rules.
  • To access a GaussDB instance from resources outside the security group, configure an inbound rule for the security group associated with the instance.
  • Kunpeng ECS flavors do not support inconsecutive (non-contiguous) ports in a single rule.

    If a security group rule for a Kunpeng ECS lists inconsecutive ports, that rule and every rule configured after it do not take effect.

    For example, if rule A specifies the inconsecutive ports 22 and 24 and rule B, configured afterwards, specifies port 9096, neither rule A nor rule B takes effect. Use one rule per port, or a contiguous port range, instead.

  • Outbound rules typically do not apply to DB instances. The rules are used only when a DB instance acts as a client.

  • If a DB instance resides in a VPC but is not publicly accessible, you can also use a VPN connection to connect to it.

  • If you need to change the security group when creating a distributed instance, ensure that the TCP ports in the inbound rule include the following: 40000-60480, 20050, 5000-5001, 2379-2380, 6000, 6500, and <database port>-(<database port> + 100). (For example, if the database port is 8000, the TCP ports for the security group must include 8000-8100.)
  • If you need to change the security group when creating a primary/standby instance, ensure that the TCP ports in the inbound rule include the following: 20050, 5000-5001, 2379-2380, 6000, 6500, and <database port>-(<database port> + 100). (For example, if the database port is 8000, the TCP ports for the security group must include 8000-8100.)

To keep data and instances secure, grant access on the principle of least privilege. Set Source to the address of the remote client (a /32) or to the smallest subnet that contains it, so that only that client can reach the instance.

The console's default value for Source is 0.0.0.0/0, which allows any IPv4 address to reach the instance over the specified protocol and ports; it does not limit access to members of the instance's security group. Replace it with the client address or subnet before exposing the instance, especially when an EIP is bound.
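The port requirements above and the least-privilege advice on Source can be checked mechanically before an instance is exposed. The following Python script is an added example, not GaussDB or Huawei Cloud code: it works on a simplified, constructed representation of a security group's inbound rules (the Rule class and SAMPLE_RULES are assumptions for illustration, not the VPC API schema), computes the TCP ranges this page requires for a distributed or primary/standby instance at a given database port, reports any ports that no rule allows, and flags rules whose source is 0.0.0.0/0, ::/0, or an IPv4 block wider than a /24.

```python
"""Audit inbound security group rules for a GaussDB instance.

Added example (not Huawei Cloud code). The Rule class and the sample rules
are a constructed, simplified model of inbound rules, not the VPC API schema.
"""
from dataclasses import dataclass
import ipaddress

# TCP ports listed in the Precautions section, common to both deployment models.
COMMON_TCP_PORTS = [(20050, 20050), (5000, 5001), (2379, 2380),
                    (6000, 6000), (6500, 6500)]
# Additional range required only by distributed instances.
DISTRIBUTED_EXTRA = [(40000, 60480)]


def required_ranges(db_port, distributed):
    """Return the sorted TCP port ranges an inbound rule set must cover."""
    ranges = list(COMMON_TCP_PORTS)
    if distributed:
        ranges += DISTRIBUTED_EXTRA
    ranges.append((db_port, db_port + 100))   # <database port>-(<database port> + 100)
    return sorted(ranges)


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str      # CIDR block, or a security group ID (assumed format "sg-...")


def _merge(intervals):
    """Merge overlapping or adjacent (lo, hi) port intervals."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def uncovered(rules, required):
    """Return the sub-ranges of `required` that no TCP or all-protocol rule allows."""
    allowed = _merge((r.port_from, r.port_to)
                     for r in rules if r.protocol in ("tcp", "all"))
    gaps = []
    for lo, hi in required:
        cur = lo
        for a_lo, a_hi in allowed:
            if a_hi < cur:
                continue
            if a_lo > hi:
                break
            if a_lo > cur:
                gaps.append((cur, a_lo - 1))
            cur = max(cur, a_hi + 1)
            if cur > hi:
                break
        if cur <= hi:
            gaps.append((cur, hi))
    return gaps


def overly_broad(rules):
    """Rules whose source is any address (0.0.0.0/0, ::/0) or an IPv4 block wider than /24."""
    flagged = []
    for r in rules:
        try:
            net = ipaddress.ip_network(r.source, strict=False)
        except ValueError:
            continue   # source is a security group ID, not a CIDR block; not checked here
        if net.prefixlen == 0 or (net.version == 4 and net.prefixlen < 24):
            flagged.append(r)
    return flagged


def audit(rules, db_port, distributed):
    """Report missing required ports and overly broad sources for one instance."""
    return {
        "missing": uncovered(rules, required_ranges(db_port, distributed)),
        "broad_sources": [r.source for r in overly_broad(rules)],
    }


# Constructed sample: a primary/standby instance on database port 8000. The
# administrator opened the database port range but forgot port 5001, and left
# the console default 0.0.0.0/0 on one rule.
SAMPLE_RULES = [
    Rule("tcp", 8000, 8100, "192.168.0.0/24"),
    Rule("tcp", 20050, 20050, "192.168.0.0/24"),
    Rule("tcp", 5000, 5000, "192.168.0.0/24"),
    Rule("tcp", 2379, 2380, "192.168.0.0/24"),
    Rule("tcp", 6000, 6000, "192.168.0.0/24"),
    Rule("tcp", 6500, 6500, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, 8000, distributed=False))
    # {'missing': [(5001, 5001)], 'broad_sources': ['0.0.0.0/0']}
```

Running the same rule set with distributed=True additionally reports the whole 40000-60480 range as missing, which is the usual mistake when a security group built for a primary/standby instance is reused for a distributed one. Rules whose source is a security group rather than a CIDR block are skipped by the source check, because they are scoped to that group's members rather than to an address range.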

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select a region and project.
  3. Click in the upper left corner of the page and choose Databases > GaussDB.
  4. On the Instances page, click the instance name to go to the Basic Information page.
  5. Configure security group rules.

    In the Connection Information area, click the security group.

  6. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, configure the required parameters and click OK.

    You can click + to add more inbound rules.

    Table 1 Inbound rule parameter description

    Protocol & Port
      Description: Network protocol. Currently, the value can be All, TCP, UDP, ICMP, GRE, or others. Port: the port or port range over which traffic can reach the GaussDB instance; the value ranges from 1 to 65535. When connecting over a private network, enter the database port of the GaussDB instance, that is, the port the ECS client connects to. For the full set of ports a distributed or primary/standby instance requires, see Precautions.
      Example value: TCP (Custom ports)

    Type
      Description: IP address type: IPv4 or IPv6.
      Example value: IPv4

    Source
      Description: Source of the security group rule. The value can be a security group or an IP address/CIDR block, for example xxx.xxx.xxx.xxx/32 (a single IPv4 address), xxx.xxx.xxx.0/24 (a subnet), or 0.0.0.0/0 (any IPv4 address).
      Example value: 0.0.0.0/0 (console default; restrict it to the client address or subnet, see Precautions)

    Description
      Description: Optional supplementary information about the rule. Up to 255 characters; angle brackets (< and >) are not allowed.
      Example value: -