Binding or Unbinding a Public Gateway
Scenarios
In public access scenarios, you typically use an EIP to connect to a DB instance. However, binding an EIP directly to an instance increases security risk. If security rules are misconfigured or a vulnerability is exploited, an attacker may obtain your access credentials and perform malicious operations on database resources.
To mitigate this risk, DDS allows you to bind or unbind a public gateway. With a NAT gateway, public access is implemented as a one-way DNAT rule on the public NAT gateway. Only inbound traffic on the ports you configure can reach the instance's private IP address, meeting your access requirements while limiting exposure and reducing the attack surface.
If you no longer need to access the instance through an EIP, you can unbind the public gateway. Evaluate your service requirements before performing this operation, and proceed with caution.
Prerequisites
- Before binding a public gateway, create a public NAT gateway first and ensure that its VPC and subnet match those of the DDS instance. For details about how to create a public NAT gateway, see Buying a Public NAT Gateway.
Required Permissions
- If you bind a gateway address using a Huawei Cloud account, no additional configuration is required. If an IAM user needs to bind a gateway address for the first time, you need to assign permissions to the user.
- When binding a DNAT gateway to a DDS instance, you are advised to select IAM project authorization for policy-based authorization. Enterprise project authorization is not supported.
- You must have the following permissions to bind a gateway address:
Table 1 Role/Policy-based (IAM 3.0)
Cloud Service: Document Database Service (DDS)
Permissions:
- dds:instance:bindPublicGateway
- dds:instance:unbindPublicGateway
- dds:instance:list
Cloud Service: NAT Gateway (NAT)
Permissions:
- nat:dnatRules:create
- nat:natGateways:list
- nat:snatRules:list
- nat:dnatRules:delete
- nat:natGateways:get
- nat:dnatRules:get
- nat:dnatRules:update
- nat:dnatRules:list
If you do not have these permissions, create a custom policy.
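As an added pre-flight check (not part of the DDS documentation or the DDS service), the Python below reads a custom policy document and reports which of the Table 1 actions it does not grant, so a least-privilege policy can be verified before an IAM user attempts the binding. The policy document layout (Version 1.1, Statement entries with Effect and Action) and the handling of "*" wildcards via fnmatch are assumptions; the sample policy is constructed.

```python
import fnmatch
import json

# Actions from Table 1 (role/policy-based, IAM 3.0) that binding and
# unbinding a public gateway requires.
REQUIRED_ACTIONS = [
    "dds:instance:bindPublicGateway",
    "dds:instance:unbindPublicGateway",
    "dds:instance:list",
    "nat:dnatRules:create",
    "nat:natGateways:list",
    "nat:snatRules:list",
    "nat:dnatRules:delete",
    "nat:natGateways:get",
    "nat:dnatRules:get",
    "nat:dnatRules:update",
    "nat:dnatRules:list",
]


def split_statements(policy):
    """Return (allow_patterns, deny_patterns) from a policy document."""
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        (allow if stmt.get("Effect") == "Allow" else deny).extend(actions)
    return allow, deny


def missing_actions(policy):
    """List required actions that are not allowed, or are explicitly denied.

    Wildcard matching ("dds:instance:*", "nat:*:*") is approximated with
    fnmatch; this is an assumption about how the IAM service evaluates it.
    """
    allow, deny = split_statements(policy)
    missing = []
    for action in REQUIRED_ACTIONS:
        granted = any(fnmatch.fnmatchcase(action, p) for p in allow)
        denied = any(fnmatch.fnmatchcase(action, p) for p in deny)
        if not granted or denied:
            missing.append(action)
    return missing


# Constructed sample policy: grants all DDS instance actions but only one
# of the NAT actions, so the DNAT rule-management permissions are missing.
SAMPLE_POLICY = json.loads("""
{"Version": "1.1",
 "Statement": [{"Effect": "Allow",
                "Action": ["dds:instance:*", "nat:natGateways:list"]}]}
""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```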
Table 2 Identity policy-based (IAM 5.0)
Cloud Service: Document Database Service (DDS)
Permissions:
- dds:instance:bindPublicGateway
- dds:instance:unbindPublicGateway
- dds:instance:list
Cloud Service: NAT Gateway (NAT)
Permissions:
- nat:dnatRules:create
- nat:dnatRules:delete
- nat:dnatRules:get
- nat:dnatRules:list
- nat:dnatRules:update
- nat:natGateways:get
- nat:natGateways:list
- nat:natGateways:listTags
- nat:snatRules:list
Cloud Service: Elastic IP (EIP)
Permissions:
- eip:publicIps:associateInstance
- eip:publicIps:disassociateInstance
If you do not have these permissions, create a custom identity policy and attach it to the principal.
Precautions
- You need to configure security group rules so that only specific IP addresses and ports can access the DB instance. Before accessing the DB instance, add the individual IP address or IP address range that will access it to the inbound rule. For details, see Configuring Security Group Rules.
- If you cannot access a DB instance after binding a gateway address, rectify the fault by referring to What Can I Do If Connection Between My Servers and the Internet Fails After I Add SNAT and DNAT Rules?
Constraints
- Only the primary and secondary nodes of a replica set instance can be bound to a public gateway.
- If an EIP has been bound to an instance node, you need to unbind it before binding a public gateway address.
- After a public gateway is bound to an instance node, do not delete the DNAT rule on the NAT gateway's DNAT Rules page. If you delete the DNAT rule there, the binding is not removed from the DDS console, but the EIP can no longer be used to connect to the DB instance.
Billing
- You need to pay for the NAT Gateway and EIP services separately.
- For details about the NAT Gateway billing, see NAT Gateway Pricing Details.
- For details about the EIP billing, see EIP Pricing Details.
Binding a Public Gateway
- Log in to the management console.
- Click the icon in the upper left corner and select a region and a project.
- Click the icon in the upper left corner of the page and choose Databases > Document Database Service.
- On the Instances page, click the name of the replica set instance to go to the Basic Information page.
- In the navigation pane on the left, choose Connections. Click the Public Connection tab. In the Basic Information area, locate the target node and click Bind Gateway Address in the Operation column.
Figure 1 Binding a public gateway
Alternatively, in the Node Information area on the Basic Information page, locate the target node and choose More > Bind Gateway Address in the Operation column.
Figure 2 Binding a gateway address
- In the displayed dialog box, select the public gateway and EIP to be bound, enter a port number, and click OK.
Figure 3 Binding a gateway address
Table 3 Parameter description
Parameter: Public Gateway
Description: Name of the public NAT gateway. If no available gateway addresses are displayed, click View Public Gateway to go to the network console and buy a public NAT gateway.
Parameter: EIP
Description: EIP to be bound. Only EIPs that are not bound to any instance node can be bound. If no available EIPs are displayed, click EIPs and create an EIP.
Parameter: Port
Description: Port used to provide services to external systems. You can connect to the DB instance node using the EIP and this port number. The value ranges from 1 to 65535.
- In the Public Gateway column of the target node, check the public gateway that has been bound, including the public NAT gateway name, EIP, and port.
To disable the public gateway, see Unbinding a Public Gateway.
Figure 4 Checking the binding result
Unbinding a Public Gateway
- Log in to the management console.
- Click the icon in the upper left corner and select a region and a project.
- Click the icon in the upper left corner of the page and choose Databases > Document Database Service.
- On the Instances page, click the name of the replica set instance whose node has been bound with a NAT gateway.
- In the navigation pane on the left, choose Connections. Click the Public Connection tab. In the Basic Information area, locate the target node and click Unbind Gateway Address in the Operation column.
Figure 5 Unbinding a public gateway
Alternatively, in the Node Information area on the Basic Information page, locate the target node and choose More > Unbind Gateway Address in the Operation column.
Figure 6 Unbinding a gateway address
- In the displayed dialog box, confirm the information and click OK.
- In the Node Information area, check the unbinding result in the Public Gateway column. If Unbound is displayed in the Public Gateway column, the unbinding is successful.
To bind the public gateway again, see Binding a Public Gateway.