Shared VPC

Scenario

Ensure the VPC of the database audit instance is the same as that of the node (application side or database side) where you plan to install the database audit agent. Otherwise, the instance will be unable to connect to the agent or perform audit.

Creating a VPC

1. Log in to the management console.
2. Click in the upper left corner, choose Management & Governance > Resource Access Manager, and go to the resource access management page.
3. Choose Shared by Me > Resource Shares.
4. Click Create Resource Share in the upper right corner.
   Figure 1 Specifying shared resources
   

5. Set resource type to vpc:subnet, choose the corresponding region, and select VPCs to be shared. Click Next: Associate Permissions.
   Figure 2 Specifying shared resources
   

6. Associate a RAM managed permission with each resource type on the displayed page. Then, click Next: Grant Access to Principals in the lower right corner.
   Figure 3 Configuring permissions
   

7. Specify the principals that you want to have access to the resources on the displayed page. Then, click Next: Confirm in the lower right corner.
   Figure 4 Specifying principals
   

   Table 1 Parameter descriptions

   Parameter	Description
   Principal Type	Organization For details about how to create an organization, see . NOTE: If you have not enabled resource sharing with organizations, this parameter cannot be set to Organization. For details, see . Huawei Cloud account ID

8. Check the configurations and click OK.
   Figure 5 Confirming configurations
   

Using a VPC

1. Log in to the management console.
2. Select a region, click , and choose Security & Compliance > Database Security Service. The Dashboard page is displayed.
3. In the upper right corner, click Buy DBSS.
4. Select a region, an AZ type, an AZ, and an edition.
   Figure 6 Selecting an AZ and an edition
   

   Select an enterprise project. The DBSS you purchase will be put under this project. Billing and permissions management are performed based on enterprise projects.

   Table 2 describes the database audit editions.

   Table 2 DBSS editions

   Edition	Specification	Maximum Databases	Performance
   Starter	Database audit starter edition	1	Peak QPS: 1,000 queries/second Database load rate: 1.2 million statements/hour Online SQL statement storage: 100 million statements
   Basic	Database audit basic edition	3	Peak QPS: 3,000 queries/second Database load rate: 3.6 million statements/hour Online SQL statement storage: 400 million statements
   Professional	Database audit professional edition	6	Peak QPS: 6,000 queries/second Database load rate: 7.2 million statements/hour Online SQL statement storage: 600 million statements
   	Database audit O&M enhanced edition	10	Performance: 35,000 QPS Maximum concurrent connections: 5000
   Advanced	Database audit advanced edition	30	Peak QPS: 30,000 queries/second Database load rate: 10.8 million records/hour Online SQL statement storage: 1.5 billion statements
   	Database audit encryption enhanced edition	10	Encryption/decryption performance: 40,000 QPS Maximum concurrent connections: 3000

   

   • A database instance is uniquely defined by its database IP address and port.

     The number of database instances equals the number of database ports. If a database IP address has N database ports, there are N database instances.

     Example: A user has two database IP addresses, IP₁ and IP₂. IP₁ has a database port. IP₂ has three database ports. IP₁ and IP₂ have four database instances in total. To audit all of them, select professional edition DBSS, which supports a maximum of six database instances.

   • To change the edition of a DBSS instance, unsubscribe from it and purchase a new one.
   • The table above lists the system resources consumed by a database audit instance. Ensure your system has the required configurations before purchasing database audit instances.
   • Online SQL statements are counted based on the assumption that the capacity of an SQL statement is 1 KB.

5. Select the VPC and subnet for database audit. For details about related parameters, see Table 3.
   Figure 7 Setting database audit parameters
   

   Table 3 Database audit parameters

   Parameter	Description
   VPC	You can select an existing VPC, or click View VPC to create one on the VPC console. NOTE: Select the VPC of the node (application or database side) where you plan to install the agent. For more information, see How Do I Determine Where to Install an Agent? To change the VPC of a DBSS instance, unsubscribe from it and purchase a new one. For more information about VPC, see Virtual Private Cloud User Guide.
   Security Group	You can select an existing security group in the region or create a security group on the VPC console. Once a security group is selected for an instance, the instance is protected by the access rules of this security group. For more information about security groups, see Virtual Private Cloud User Guide.
   Subnet	You can select a subnet configured in the VPC or create a subnet on the VPC console.
   Name	Instance name
   Remarks	You can add instance remarks.
   Enterprise Project	This parameter is provided for enterprise users. An enterprise project groups cloud resources, so you can manage resources and members by project. The default project is default. Select an enterprise project from the drop-down list. For more information about enterprise project, see Enterprise Management User Guide.
   Tag	(Optional) Identifier of the database audit instance. Adding tags helps you better identify and manage your database instances. A maximum of 50 tags for each instance If you have configured tag policies for DBSS, you need to add tags to your DBSS instances based on the tag policies. If a tag does not comply with the policies, DBSS instance may fail to be created. Contact your organization administrator to learn more about tag policies.