Updated on 2024-10-30 GMT+08:00

Configuring Security Group Rules for Nodes

A security group is a collection of access control rules for ECSs and GeminiDB Redis instances that have the same security protection requirements and are mutually trusted in a VPC.

To ensure database security and reliability, configure security group rules to allow specific IP addresses and ports to access the GeminiDB Redis instances.

This section describes how to configure security group rules for a GeminiDB Redis instance that is accessed over a private or a public network.

Precautions

  • Each account can create up to 500 security group rules by default.
  • Too many security group rules will increase the first packet latency, so a maximum of 50 rules for each security group is recommended.
  • One security group can be associated with only one GeminiDB Redis instance.
  • For details about how to configure security group rules, see Table 1.
    Table 1 Parameter description

    Scenario: Connecting to an instance over a private network
    Description: Configure security group rules as follows:
    • If the GeminiDB Redis instance and the ECS used to access it are in the same security group, they can communicate with each other by default. No security group rules need to be configured.
    • If the instance and the ECS are not in the same security group, configure security group rules on each side:
      • Configure inbound rules for the security group associated with the GeminiDB Redis instance. For details, see Procedure.
      • No rules need to be configured for the ECS when its security group keeps the default outbound rule, which allows all outbound traffic. If outbound traffic is restricted in the ECS security group, add an outbound rule that allows the ECS to reach the instance. For details, see Configuring a Security Group Rule.

    Scenario: Connecting to an instance over a public network
    Description: If you connect to a GeminiDB Redis instance through a public network, configure inbound rules for the security group associated with the GeminiDB Redis instance. For details, see Procedure. Restrict the source of those rules to the specific public IP addresses that need access rather than allowing all addresses.

Procedure

  1. Log in to the GeminiDB console.
  2. In the service list, choose Databases > GeminiDB Redis API.
  3. On the Instances page, locate the instance that you want to configure security group rules for and click its name.
  4. Configure security group rules.

    On the Basic Information page, choose Node Management in the navigation pane on the left. In the Security Group area on the right, click the name of the security group.

    Figure 1 Security group

  5. Add an inbound rule.

    1. Click the Inbound Rules tab.
      Figure 2 Inbound rules

    2. Click Add Rule. The Add Inbound Rule dialog box is displayed.
      Figure 3 Adding a rule
    3. Add a security group rule as prompted.
      Table 2 Inbound rule settings

      Parameter: Protocol & Port
      Description:
      • Protocol: the network protocol required for access. Available options: All, TCP, UDP, ICMP, or GRE.
      • Port: the port or port range on which inbound access to the instance is allowed. Range: 1 to 65535. Common ports are listed in Common Ports Used by ECS.
      Example Value: TCP

      Parameter: Type
      Description: IP address type. This parameter is available only after IPv6 is enabled.
      • IPv4
      • IPv6
      Example Value: IPv4

      Parameter: Source
      Description: The IP address, IP address group, or security group that the rule applies to; the rule allows access from those IP addresses or from instances in the named security group. Examples:
      • IPv4 single IP address: 192.168.10.10/32
      • Subnet: 192.168.1.0/24
      • All IP addresses: 0.0.0.0/0
      • sg-abc (security group)
      Note that 0.0.0.0/0 allows every address that can reach the instance to access the port. Prefer a specific IP address, subnet, or security group, as recommended at the start of this section.
      For more information about IP address groups, see IP Address Group.
      Example Value: 0.0.0.0/0

      Parameter: Description
      Description: (Optional) Provides supplementary information about the security group rule.
      The description can contain up to 255 characters and cannot contain angle brackets (<>).
      Example Value: -

  6. Click OK.
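The constraints in the Precautions and in Table 2 (protocol set, port range 1 to 65535, IPv4/IPv6 source matching the Type, a 0.0.0.0/0 source admitting every address, description length and angle-bracket limits, and the recommended ceiling of 50 rules per security group) can be checked before rules are entered in the console. The following is an added example written for this page, not code from the page or from Huawei Cloud. It assumes each rule is described as a plain dictionary with the Table 2 fields, that security group sources look like "sg-abc" (only the name shape is shown on the page), and that the instance listens on TCP port 6379, which is a common Redis port but is not stated on this page.

```python
"""Lint inbound security group rules for a GeminiDB Redis instance (added example)."""
import ipaddress
import re

# Limits and option sets taken from the Precautions and Table 2 on this page.
MAX_RULES_PER_GROUP = 50
PROTOCOLS = {"All", "TCP", "UDP", "ICMP", "GRE"}
# Assumed shape of a security-group source such as "sg-abc"; the page shows only the name.
SG_SOURCE = re.compile(r"^sg-[\w-]+$")


def validate_rule(rule):
    """Return a list of problems for one inbound rule; an empty list means the rule is acceptable.

    rule keys (assumed layout): protocol, port_range (lo, hi) for TCP/UDP, type ("IPv4"/"IPv6"),
    source (CIDR or security group name), description.
    """
    problems = []
    proto = rule.get("protocol")
    if proto not in PROTOCOLS:
        problems.append(f"protocol {proto!r} is not one of {sorted(PROTOCOLS)}")
    if proto in ("TCP", "UDP"):
        lo, hi = rule.get("port_range", (None, None))
        if not (isinstance(lo, int) and isinstance(hi, int) and 1 <= lo <= hi <= 65535):
            problems.append(f"port range {lo}-{hi} must lie within 1-65535")
    ip_type = rule.get("type", "IPv4")
    src = str(rule.get("source", ""))
    if not SG_SOURCE.match(src):  # a security group source needs no CIDR checks
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            problems.append(f"source {src!r} is neither a CIDR nor a security group")
        else:
            if net.version != (6 if ip_type == "IPv6" else 4):
                problems.append(f"source {src} does not match type {ip_type}")
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                problems.append(f"source {src} admits every address; restrict it to the client subnet")
    desc = rule.get("description", "")
    if len(desc) > 255:
        problems.append("description exceeds 255 characters")
    if "<" in desc or ">" in desc:
        problems.append("description must not contain angle brackets")
    return problems


def validate_group(rules):
    """Map each offending rule index to its problems; add a 'group' entry if the group is too large."""
    report = {}
    for i, rule in enumerate(rules):
        problems = validate_rule(rule)
        if problems:
            report[i] = problems
    if len(rules) > MAX_RULES_PER_GROUP:
        report["group"] = [f"{len(rules)} rules exceed the recommended {MAX_RULES_PER_GROUP}"]
    return report


# Constructed sample rules for demonstration; port 6379 is an assumption, not from the page.
SAMPLE_RULES = [
    {"protocol": "TCP", "port_range": (6379, 6379), "type": "IPv4",
     "source": "192.168.1.0/24", "description": "application subnet"},
    {"protocol": "TCP", "port_range": (6379, 6379), "type": "IPv4",
     "source": "0.0.0.0/0", "description": "temporary debug access"},
    {"protocol": "TCP", "port_range": (6379, 6379), "type": "IPv4",
     "source": "sg-abc", "description": "application servers"},
    {"protocol": "TCP", "port_range": (1, 70000), "type": "IPv4",
     "source": "192.168.10.10/32", "description": "<bad>"},
]

if __name__ == "__main__":
    for key, problems in validate_group(SAMPLE_RULES).items():
        for problem in problems:
            print(f"rule {key}: {problem}")
```

Run it as a script to list the offending rules; rules 0 and 2 pass, rule 1 is flagged for its 0.0.0.0/0 source, and rule 3 for its port range and description. The same validate_group call can be applied to an export of an existing group to find rules that predate the current policy.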