Updated on 2026-03-19 GMT+08:00

Configuring Security Group Rules

Scenarios

A security group is a collection of access control rules for ECSs and TaurusDB instances that are within the same VPC, have the same security requirements, and are mutually trusted. To ensure database security and reliability, you need to configure security group rules to allow only specific IP addresses and ports to access the TaurusDB instances.

When you attempt to connect to a TaurusDB instance through a private network, check whether the ECS and TaurusDB instance are in the same security group.

  • If they are in the same security group, they can communicate with each other by default. No security group rules need to be configured.
  • If they are in different security groups, you need to configure security group rules for the ECS and TaurusDB instance, respectively.
    • TaurusDB instance: Configure an inbound rule for the security group that the TaurusDB instance is associated with.
    • ECS: The default security group rule allows all outbound data packets. In this case, you do not need to configure a security group rule for the ECS. If not all outbound data packets are allowed in the security group, you need to configure an outbound rule for the ECS.

This section describes how to configure an inbound rule for a TaurusDB instance.

For details about the requirements of security group rules, see Adding a Security Group Rule in Virtual Private Cloud User Guide.

Prerequisites

You associated a security group with the instance when you bought it.

Precautions

The default security group rule allows all outbound data packets. This means that ECSs and TaurusDB instances associated with the same security group can access each other by default. After a security group is created, you can configure security group rules to control access to and from TaurusDB instances associated with that security group.

  • By default, you can create up to 500 security group rules.
  • Too many security group rules will increase the first packet latency. You are advised to create up to 50 rules for each security group.
  • One instance can be associated with only one security group.
  • To access a TaurusDB instance from resources outside the security group, you need to configure an inbound rule for the security group associated with the instance.
  • To ensure data and instance security, grant permissions carefully. You are advised to grant only the minimum access permission required, change the default database port 3306, and set the accessible IP address to the remote server's address or the smallest subnet that contains it, so that the access scope of the remote server is limited.

    The default value of Source is 0.0.0.0/0, indicating that all IP addresses can access the TaurusDB instance as long as they are associated with the same security group as the instance.

Procedure

  1. Log in to the TaurusDB console.
  2. Click in the upper left corner and select a region and project.
  3. On the Instances page, click the instance name to go to the Basic Information page.
  4. Configure security group rules.

    In the Network Information area, click the security group name under Security Group.

    Figure 1 Configuring security group rules

  5. On the Inbound Rules tab, click Add Rule. In the displayed dialog box, set required parameters and click OK.

    You can click to add more inbound rules.

    Figure 2 Adding inbound rules

    Table 1 Inbound rule parameter description (each entry gives the parameter, its description, and an example value)

    Priority

      Description: Priority of the security group rule. The priority ranges from 1 to 100. The default value is 1, which is the highest priority. A security group rule with a smaller value has a higher priority.

      Example value: 1

    Action

      Description: The value can be Allow or Deny.
      • If Action is set to Allow, traffic is allowed to access the cloud servers in the security group over the specified ports.
      • If Action is set to Deny, traffic is denied access to the cloud servers in the security group over the specified ports.

      Security group rules are matched first by priority and then by action. Among rules of the same priority, deny rules take precedence over allow rules.

      Example value: Allow

    Type

      Description: Supported source IP address type. Its value can be:
      • IPv4
      • IPv6

      Example value: IPv4

    Protocol & Port

      Description:
      • Protocol: Network protocol used to match traffic. TCP, UDP, ICMP, and GRE are supported.
      • Port: Port over which traffic can reach your DB instance. The database port of a TaurusDB instance ranges from 1025 to 65534, excluding 5342, 5343, 5344, 5345, 12017, 20000, 20201, 20202, 33060, 33062, and 33071, which are reserved for system use.

        Port formats:
        • Individual port: Enter a port, such as 22.
        • Consecutive ports: Enter a port range, such as 22-30.
        • Non-consecutive ports: Enter ports and port ranges, such as 22,23-30. You can enter up to 20 port ranges. Each port range must be unique.
        • All ports: Leave it empty or enter 1-65535.

      Example value: TCP (Custom ports), port 3306

    Source

      Description: Used to match the source of an external request. The source can be:

      • IP address: The source is a fixed IP address. You can enter or paste multiple IP addresses separated by commas (,). Each IP address represents a different security group rule.
        • Single IP address: IP address/mask

          Example IPv4 address: 192.168.10.10/32

          Example IPv6 address: 2002:50::44/128

        • IP address range in CIDR notation: IP address/mask

          Example IPv4 address range: 192.168.52.0/24

          Example IPv6 address range: 2407:c080:802:469::/64

        • Any IP address

          0.0.0.0/0 represents all IPv4 addresses.

          ::/0 represents all IPv6 addresses.

      • Security group: The source is another security group. You can select a security group in the same region from the drop-down list. If there is instance A in security group A and instance B in security group B, and the inbound rule of security group A allows traffic from security group B, traffic is allowed from instance B to instance A.
      • IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. For IP address ranges and IP addresses with the same security requirements, you can use an IP address group to simplify management.

        If no IP address groups are available, create one by referring to Creating an IP Address Group.

      Example value: IP address: 192.168.52.0/24,10.0.0.0/24

    Description

      Description: Supplementary information about the security group rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (<>).

      Example value: -

    Operation

      Description: You can replicate or delete a security group rule. If there is only one security group rule, it cannot be deleted.

      Example value: -

  6. If you have enabled operation protection, click Send Code in the displayed Identity Verification dialog box and enter the obtained verification code. Then, click OK.

    Two-factor authentication improves the security of your account. For details about how to enable operation protection, see Identity and Access Management User Guide.
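As an added example (not Huawei Cloud's code), the following Python model evaluates a connection attempt against a constructed set of inbound rules using the matching semantics described in Table 1: a smaller Priority wins, Deny beats Allow at the same priority, and Source CIDRs and the port formats (single port, range, comma list, empty for all ports) are matched as described. It assumes that a source matching no inbound rule is not admitted; the implicit access between members of the same security group is not modelled.

```python
# Added example (not Huawei Cloud's code): model of how the Table 1 inbound rules
# decide one connection: smaller Priority wins; at equal priority Deny beats Allow.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # 1 to 100; 1 is the highest priority
    action: str     # "Allow" or "Deny"
    protocol: str   # "TCP", "UDP", "ICMP" or "GRE"
    ports: str      # "3306", "22-30", "22,23-30", or "" for all ports
    source: str     # IPv4/IPv6 CIDR, e.g. 192.168.52.0/24 or 0.0.0.0/0

def port_matches(spec: str, port: int) -> bool:
    """Port formats from Table 1: single port, range, comma list, empty = all."""
    if not spec.strip():
        return True
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False

def source_matches(cidr: str, addr: str) -> bool:
    """CIDR match; an IPv6 address never matches an IPv4 range, or vice versa."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, src_ip: str, protocol: str, port: int) -> str:
    """Return "Allow" or "Deny" for one inbound connection attempt."""
    matched = [r for r in rules if r.protocol == protocol
               and port_matches(r.ports, port) and source_matches(r.source, src_ip)]
    if not matched:
        return "Deny"  # assumption: a source matching no inbound rule is not admitted
    best = min(r.priority for r in matched)          # 1 is the highest priority
    top = [r for r in matched if r.priority == best]
    return "Deny" if any(r.action == "Deny" for r in top) else "Allow"

# Constructed sample rule set: allow two subnets on 3306, block one host of the
# first subnet at the same priority, and add a low-priority catch-all deny.
RULES = [
    Rule(1, "Allow", "TCP", "3306", "192.168.52.0/24"),
    Rule(1, "Deny", "TCP", "3306", "192.168.52.77/32"),
    Rule(2, "Allow", "TCP", "3306", "10.0.0.0/24"),
    Rule(50, "Deny", "TCP", "", "0.0.0.0/0"),
]
```

With RULES, 192.168.52.10 is allowed on 3306, 192.168.52.77 is denied by the equal-priority deny rule, and 10.0.0.5 is allowed on 3306 but denied on any other port by the catch-all rule.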