Updated on 2024-07-10 GMT+08:00

How Do I Select and Configure a Security Group?

To access an MQS instance within a VPC or over public networks, configure the security group rules as follows:

Intra-VPC Access

To access a ROMA Connect instance to which MQS belongs, you must deploy your client on an ECS in the same VPC and subnet as the instance. If they are deployed in different VPCs, see "Does MQS Support Cross-VPC and Cross-Subnet Access?"

In addition, before you can access the instance through your client, you must configure correct rules for the security groups of both the ECS and ROMA Connect instance to which MQS belongs.

  1. You are advised to configure the same security group for the ECS and the ROMA Connect instance to which MQS belongs. By default, a newly created security group includes a rule that allows members of the security group to access each other without any restrictions.
  2. If the ECS and ROMA Connect instance belong to different security groups, add security group rules to ensure that the ECS and ROMA Connect instance can access each other.
    • Assume that security groups sg-ecs and sg-romaconnect are configured respectively for your ECS and ROMA Connect instance to which MQS belongs.
    • The remote end is a security group or an IP address.

    Add the following rule to the security group to which ECS belongs to ensure that the client can access MQS:

    Table 1 ECS security group rule

    | Direction | Protocol | Port | Destination |
    |-----------|----------|------|-------------|
    | Outbound | All | All | sg-romaconnect |

    To ensure that your client can access the ROMA Connect instance to which MQS belongs, add the following rule to the security group configured for the instance:

    Table 2 MQS security group rule

    | Direction | Protocol | Port | Source |
    |-----------|----------|------|--------|
    | Inbound | All | All | sg-ecs |

Public Access

Configure security group rules based on Table 3 for the client to access the MQS instance.

Table 3 Security group rules for public access

| Direction | Protocol | Port | Source | Description |
|-----------|----------|------|--------|-------------|
| Inbound | TCP | 9094 | 0.0.0.0/0 | Access MQS through the public network (without SASL authentication). |
| Inbound | TCP | 9095 | 0.0.0.0/0 | Access MQS through the public network (with or without SASL authentication). |
| Inbound | TCP | 9096 | 0.0.0.0/0 | Access MQS through the public network (with or without SASL authentication). |
| Inbound | TCP | 9097 | 0.0.0.0/0 | Access MQS through the public network (with SASL authentication). |
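
An added example (not part of the original guide) that checks a rule set against Table 3: for each public MQS port it reports which sources can reach it and whether a port that accepts clients without SASL authentication is open to every address. The rule dictionary layout and the sample rules are assumptions constructed for illustration, not a cloud API response format.

```python
import ipaddress

# Table 3 on this page: public MQS port -> authentication the port accepts.
MQS_PUBLIC_PORTS = {
    9094: "without SASL",
    9095: "with or without SASL",
    9096: "with or without SASL",
    9097: "with SASL",
}

def is_any_address(source):
    """True for 0.0.0.0/0 or ::/0; False for narrower CIDRs and group names."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:  # e.g. "sg-ecs": a security group reference, not a CIDR
        return False

def audit(rules):
    """Map each Table 3 port to its exposure under the given inbound rules."""
    report = {}
    for port, auth in MQS_PUBLIC_PORTS.items():
        sources = []
        for r in rules:
            if r["direction"] != "inbound" or r["protocol"] not in ("tcp", "all"):
                continue
            low, high = r["ports"]
            if low <= port <= high:
                sources.append(r["source"])
        open_to_all = any(is_any_address(s) for s in sources)
        report[port] = {
            "auth": auth,
            "sources": sources,
            "open_to_all": open_to_all,
            # Reachable from any address AND the port accepts clients without SASL.
            "unauthenticated_exposure": open_to_all and auth != "with SASL",
        }
    return report

# Constructed sample rule set (hypothetical schema, not a cloud API response).
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "ports": (9094, 9094), "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": (9097, 9097), "source": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "tcp", "ports": (9095, 9096), "source": "203.0.113.0/24"},
    {"direction": "inbound", "protocol": "all", "ports": (1, 65535), "source": "sg-ecs"},
    {"direction": "outbound", "protocol": "all", "ports": (1, 65535), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for port, info in audit(SAMPLE_RULES).items():
        print(port, info)
```
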