Configuring Security Group Rules
Scenarios
A security group is a collection of access control rules for ECSs and GaussDB(for MySQL) instances that are within the same VPC, have the same security requirements, and are mutually trusted. To ensure database security and reliability, you need to configure security group rules to allow only specific IP addresses and ports to access the GaussDB(for MySQL) instances.
When you attempt to connect to a GaussDB(for MySQL) instance through a private network, check whether the ECS and GaussDB(for MySQL) instance are in the same security group.
- If they are in the same security group, they can communicate with each other by default. No security group rule needs to be configured.
- If they are in different security groups, you need to configure security group rules for the ECS and GaussDB(for MySQL) instance, respectively.
- GaussDB(for MySQL) instance: Configure an inbound rule for the security group with which the GaussDB(for MySQL) instance is associated.
- ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all outbound traffic is allowed in the security group, you may need to configure an outbound rule for the ECS to allow all outbound packets.
This section describes how to configure an inbound rule for a GaussDB(for MySQL) instance.
For details about the requirements of security group rules, see Adding a Security Group Rule in the Virtual Private Cloud User Guide.
Precautions
The default security group rule allows all outbound data packets. This means that ECSs and GaussDB(for MySQL) instances associated with the same security group can access each other by default. After a security group is created, you can configure security group rules to control access to and from GaussDB(for MySQL) instances associated with that security group.
- By default, you can create up to 500 security group rules.
- Too many security group rules will increase the first packet latency. You are advised to create up to 50 rules for each security group.
- One instance can be associated with only one security group.
- To access a GaussDB(for MySQL) instance from resources outside the security group, you need to configure an inbound rule for the security group associated with the instance.
To ensure data and instance security, use permissions properly. You are advised to use the minimum access permission, change the default database port 3306, and set the accessible IP address to the remote server's address or the remote server's minimum subnet address to control the access scope of the remote server.
The default value of Source is 0.0.0.0/0, indicating that all IP addresses can access the GaussDB(for MySQL) instance as long as they are associated with the same security group as the instance.
Procedure
- Log in to the management console.
- Click in the upper left corner and select a region and project.
- Click in the upper left corner of the page and choose Databases > GaussDB(for MySQL).
- On the Instances page, click the instance name to go to the Basic Information page.
- Configure security group rules.
In the Network Information area, click the security group name under Security Group.
Figure 1 Configuring security group rules
- On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters and click OK.
You can click to add more inbound rules.
Figure 2 Adding inbound rules
Table 1 Inbound rule parameter description Parameter
Description
Example Value
Protocol & Port
Network protocol for which the security group rule takes effect.
- Currently, the value can be All, TCP (All ports), TCP (Custom ports), UDP (All ports), UDP (Custom ports), ICMP, GRE, or others.
- All: indicates all protocol ports are supported.
TCP (Custom ports)
Port: the port over which the traffic can reach your DB instance.
When connecting to the instance through a private network, enter the port of the instance.
- Individual port: Enter a port, such as 22.
- Consecutive ports: Enter a port range, such as 22-30.
- All ports: Leave it empty or enter 1-65535.
Type
Currently, only IPv4 and IPv6 are supported.
IPv4
Source
Source of the security group rule. The value can be a security group or an IP address.
xxx.xxx.xxx.xxx/32 (IPv4 address)
xxx.xxx.xxx.0/24 (subnet)
0.0.0.0/0 (any IP address)
0.0.0.0/0
Description
Supplementary information about the security group rule. This parameter is optional.
The description can contain up to 255 characters and cannot contain angle brackets (<>).
-
Operation
You can replicate or delete a security group rule. However, if there is only one security group rule, you cannot delete it.
-
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot