Setting Security Group Rules for a GeminiDB DynamoDB-Compatible Instance
A security group is a collection of access control rules for ECSs and GeminiDB DynamoDB-Compatible instances that have the same security requirements and are mutually trusted in a VPC.
To ensure database security and stability, you need to set a security group and add IP addresses and ports that can access the database before using GeminiDB DynamoDB-Compatible instances.
This section describes how to set security group rules for a GeminiDB DynamoDB-Compatible instance that is connected over a private or public network.
Usage Notes
- By default, a tenant can create a maximum of 500 security group rules.
- Too many security group rules will increase the first packet latency. You are advised to create a maximum of 50 rules for each security group.
- Currently, each instance can be bound to only one security group.
- Table 1 describes the security group rules required for connecting to an instance over a private or public network.
Table 1 Security group rules

Scenario: Connecting to an instance over a private network
Description: When connecting to a GeminiDB DynamoDB-Compatible instance over a private network, set security group rules in either of the following ways:
- If the ECS and GeminiDB DynamoDB-Compatible instance are in the same security group, they can communicate with each other by default. No security group rule needs to be set.
- If they are in different security groups, you need to set security group rules for both of them.
  - Set an inbound rule for the GeminiDB DynamoDB-Compatible instance by following Procedure.
  - The default security group rule allows all outbound data packets, so you do not need to set a security rule for the ECS. If not all outbound traffic is allowed in the security group, set an outbound rule for the ECS.

Scenario: Connecting to an instance over a public network
Description: Set an inbound rule when connecting to a GeminiDB DynamoDB-Compatible instance over a public network by following Procedure.
Procedure
- Log in to the Huawei Cloud console.
- In the service list, choose Databases > GeminiDB.
- On the Instances page, click the target instance to go to the Basic Information page.
- Set security group rules.
Method 1:
In the Network Information area on the Basic Information page, click the security group.
Figure 1 Security group
Method 2:
On the Basic Information page, choose Connections in the navigation pane on the left. In the Security Group area on the right, click the name of the security group. The Security Group page is displayed.
- Add an inbound rule.
- Click the Inbound Rules tab.
Figure 2 Inbound rule
- Click Add Rule. The Add Inbound Rule dialog box is displayed.
Figure 3 Adding a rule
- Add a security group rule as prompted.
Table 2 Inbound rule settings

Parameter: Protocol & Port
Description:
- Protocol: Currently, GeminiDB DynamoDB-Compatible API supports only TCP.
- Port: The port (1 to 65535) for accessing the ECS.
Example Value: TCP

Parameter: Type
Description: IP address type. This parameter is available after IPv6 is enabled.
- IPv4
- IPv6
Example Value: IPv4

Parameter: Source
Description: The source can be an IP address, a security group, or an IP address group, which allows access from IP addresses or instances in other security groups. For example:
- xxx.xxx.xxx.xxx/32 (IPv4 address)
- xxx.xxx.xxx.0/24 (subnet)
- 0.0.0.0/0 (any IP address)
- sg-abc (security group)
Example Value: 0.0.0.0/0

Parameter: Description
Description: (Optional) Provides supplementary information about the security group rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
Example Value: -
- Click OK.
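The following script is an added example, not Huawei Cloud code and not a call to any Huawei Cloud API. It lints a list of proposed inbound rules against the constraints in Table 2 (TCP only, port 1 to 65535, IPv4 or IPv6 type, source as CIDR or security group, description of at most 255 characters without angle brackets) and the usage note advising at most 50 rules per security group. The rule field names, the "sg-" identifier shape, and the port value 8000 are assumptions constructed for the example; substitute your instance's actual port. The page lists 0.0.0.0/0 as a valid example source, but because it exposes the port to every address, the linter reports it as a finding so it is never added unnoticed.

```python
"""Lint proposed inbound security group rules for a GeminiDB DynamoDB-Compatible
instance against the constraints in Table 2 and the usage notes.

Added example, not Huawei Cloud code. Rules are plain dicts constructed here; the
field names ("protocol", "port", "ip_type", "source", "description") mirror the
console dialog and are assumptions, not an API schema.
"""
import ipaddress
import re

MAX_RULES_PER_GROUP = 50      # advised ceiling from the usage notes
MAX_DESCRIPTION_LEN = 255     # limit from Table 2
SG_ID_PATTERN = re.compile(r"^sg-[A-Za-z0-9_-]+$")  # assumed shape, e.g. "sg-abc"
ANY_SOURCE = {"0.0.0.0/0", "::/0"}                   # "any IP address" sources
DB_PORT = 8000                # placeholder; use the instance's actual port


def check_rule(rule):
    """Return a list of problems for one rule; an empty list means it passes."""
    problems = []
    # Table 2: the DynamoDB-Compatible API supports only TCP.
    if rule.get("protocol", "").upper() != "TCP":
        problems.append("protocol must be TCP")
    # Table 2: port must be an integer within 1..65535.
    port = rule.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer in 1..65535")
    ip_type = rule.get("ip_type", "IPv4")
    if ip_type not in ("IPv4", "IPv6"):
        problems.append("type must be IPv4 or IPv6")
    source = rule.get("source", "")
    if source in ANY_SOURCE:
        # Accepted by the console, but it opens the port to every address.
        problems.append("source allows any address; restrict to the client CIDR or security group")
    elif SG_ID_PATTERN.match(source):
        pass  # reference to another security group, nothing more to check
    else:
        try:
            net = ipaddress.ip_network(source, strict=False)
            if (net.version == 4) != (ip_type == "IPv4"):
                problems.append("source address family does not match type")
        except ValueError:
            problems.append(f"source {source!r} is not a CIDR or security group")
    desc = rule.get("description", "")
    if len(desc) > MAX_DESCRIPTION_LEN or "<" in desc or ">" in desc:
        problems.append("description must be at most 255 characters without angle brackets")
    return problems


def lint_group(rules):
    """Check a whole security group: per-rule problems plus the rule-count advisory.

    Returns a dict keyed by rule index (and "group" for group-wide findings)
    containing only entries that have at least one problem.
    """
    report = {i: check_rule(r) for i, r in enumerate(rules)}
    if len(rules) > MAX_RULES_PER_GROUP:
        report["group"] = [f"{len(rules)} rules exceeds the advised maximum of {MAX_RULES_PER_GROUP}"]
    return {k: v for k, v in report.items() if v}


# Constructed sample rules: two acceptable, one overly permissive, one malformed.
SAMPLE_RULES = [
    {"protocol": "TCP", "port": DB_PORT, "ip_type": "IPv4", "source": "192.0.2.0/24", "description": "app subnet"},
    {"protocol": "TCP", "port": DB_PORT, "ip_type": "IPv4", "source": "sg-abc", "description": "app servers"},
    {"protocol": "TCP", "port": DB_PORT, "ip_type": "IPv4", "source": "0.0.0.0/0", "description": "open to the world"},
    {"protocol": "UDP", "port": 70000, "ip_type": "IPv4", "source": "not-a-cidr", "description": "bad <rule>"},
]

if __name__ == "__main__":
    for key, findings in lint_group(SAMPLE_RULES).items():
        for finding in findings:
            print(f"rule {key}: {finding}")
```

Run the script before clicking OK on a new rule, or over an exported rule list before a change window; rules 0 and 1 pass, rule 2 is flagged for the any-address source, and rule 3 is flagged for protocol, port, source, and description. The check for the 50-rule ceiling fires only on the group as a whole, matching the usage note's advice rather than a hard limit.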