A security group is a stateful virtual firewall that filters network traffic. It is an important means of network security isolation provided by Tencent Cloud and can be used to set network access controls for one or more TencentDB instances. Instances in the same region that have the same network security isolation requirements can be put into the same security group, which is a logical group. TencentDB and CVM share the security group list and are matched with each other within the security group based on rules. For specific rules and limitations, please see Security Group Overview.
- TencentDB for MySQL security groups currently only support network access control for VPCs and public networks but not the classic network.
- Security groups associated with TencentDB instances in the Frankfurt, Silicon Valley, and Singapore regions currently do not support public network access control.
- As TencentDB does not have active outbound traffic, outbound rules are not applicable to TencentDB.
- Security groups are supported for source, read-only, and disaster recovery TencentDB for MySQL instances.
- Security groups are not supported for basic single-node TencentDB for MySQL instances.
| | | |
| --- | --- | --- |
| Open all ports | All ports are open. May present security issues. | - |
| Open ports 22, 80, 443, and 3389 and the ICMP protocol | Ports 22, 80, 443, and 3389 and the ICMP protocol are opened to the internet. All ports are opened to the private network. | This template does not take effect for TencentDB. |
| Custom | You can create a security group and then add custom rules. For detailed directions, please see "Step 2. Add a security group rule" below. | - |
| Source or Target | Description |
| --- | --- |
| A single IPv4 address or an IPv4 range | In CIDR notation, such as |
| A single IPv6 address or an IPv6 range | In CIDR notation, such as |
| ID of referenced security group. You can reference the ID of: | |
| Reference an IP address object or IP address group object in a parameter template. | - |
To connect to a TencentDB for MySQL instance, its port must be opened. You can log in to the TencentDB for MySQL console, click an instance ID in the instance list, and view its port number on the instance details page.
- TencentDB for MySQL uses private network port 3306 by default and supports customizing the port. If the default port is changed, the new port should be opened in the security group.
- TencentDB for MySQL uses public network port 60719 by default. After public network access is enabled for TencentDB for MySQL, it is controlled by the security group, so both ports 60719 and 3306 should be opened.
- The security group rules displayed on the Security Group page in the TencentDB for MySQL console take effect for private and public (if enabled) network addresses of the TencentDB for MySQL instance.
Scenario: You have created a TencentDB for MySQL instance and want to access it from a CVM instance.
Solution: When adding security group rules, select MySQL(3306) in Type to open port 3306.
You can also set Source to all IPs or to specific IPs or IP ranges as needed, so that they can access TencentDB for MySQL from a CVM instance.
| Inbound or Outbound | Type | Source | Protocol and Port | Policy |
| --- | --- | --- | --- | --- |
| Inbound | MySQL(3306) | All IPs: 0.0.0.0/0; Specific IPs: specify IPs or IP ranges | | |
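
The Python sketch below is an added example, not code from the Tencent Cloud documentation. It audits a list of security group rules for the scenario above: whether a given CVM IP can reach the instance's MySQL port, and which rules open that port to all IPs. The rule field names and sample rules are constructed for this example, and it assumes rules are evaluated top to bottom with the first match deciding and unmatched inbound traffic denied (see Security Group Overview for the actual matching rules).

```python
import ipaddress

# Constructed sample rules; the field names are assumptions of this example,
# not the Tencent Cloud API schema.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "TCP", "port": "3306",
     "source": "10.0.1.0/24", "policy": "allow"},
    {"direction": "inbound", "protocol": "TCP", "port": "3306",
     "source": "0.0.0.0/0", "policy": "allow"},
    {"direction": "outbound", "protocol": "ALL", "port": "ALL",
     "source": "0.0.0.0/0", "policy": "allow"},
]

def port_matches(spec, port):
    """True if port is covered by 'ALL', '3306', '22,80,443' or '3000-4000'."""
    if spec.upper() == "ALL":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def audit_mysql_access(rules, client_ip, port=3306):
    """Return (reachable, findings) for client_ip connecting to the instance port.

    Assumption: rules are checked top to bottom, the first match decides,
    and inbound traffic that matches no rule is denied.
    """
    ip = ipaddress.ip_address(client_ip)
    decision, findings = None, []
    for index, rule in enumerate(rules):
        if rule["direction"] != "inbound":
            findings.append(f"rule {index}: outbound rule, not applicable to TencentDB")
            continue
        if rule["protocol"] not in ("TCP", "ALL") or not port_matches(rule["port"], port):
            continue
        source = ipaddress.ip_network(rule["source"])
        if rule["policy"] == "allow" and source.prefixlen == 0:
            findings.append(f"rule {index}: port {port} open to all IPs ({source})")
        if decision is None and ip in source:
            decision = rule["policy"]
    return decision == "allow", findings

if __name__ == "__main__":
    reachable, findings = audit_mysql_access(SAMPLE_RULES, "10.0.1.15")
    print("reachable:", reachable)
    for finding in findings:
        print("finding:", finding)
```

If the instance uses a custom port, pass it as `port`; a rule set that only opens 3306 then reports the instance as unreachable, which matches the requirement above that a changed port be opened in the security group.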
A security group is an instance-level firewall provided by Tencent Cloud for controlling inbound traffic of TencentDB. You can associate a security group with an instance when purchasing it or later in the console.
Currently, security groups can be configured only for TencentDB for MySQL instances in a VPC.
As existing rules will be overwritten after importing, we recommend that you export the existing rules before importing new ones.