Configuring Security Groups

Last updated: 2021-01-20 10:58:29

    Overview

    A security group is a stateful virtual firewall capable of filtering. As an important means for network security isolation provided by Tencent Cloud, it can be used to set network access controls for one or more TencentDB instances. Instances with the same network security isolation demands in one region can be put into the same security group, which is a logical group. TencentDB and CVM share the security group list and are matched with each other within the security group based on rules. For specific rules and use limits, see Security Group Overview.

    Note:

    • TencentDB for SQL Server security group currently only supports network access control for VPCs and public network but not the classic network.
    • Security groups that currently support public network access are available only in Guangzhou, Shanghai, Beijing, and Chengdu.
    • As TencentDB does not have active outbound traffic, outbound rules are not applicable to TencentDB.
    • TencentDB for SQL Server security group supports primary instances and read-only replicas.

    Security Group Configuration for TencentDB

    Step 1. Create a security group

    1. Log in to the CVM console.
    2. Select Security Group on the left sidebar, select a region, and click +New.
    3. In the pop-up dialog box, configure the following items and click OK.
      • Template: select a template based on the service to be deployed on the TencentDB instance in the security group, which simplifies the security group rule configuration, as shown below:
        TemplateDescriptionRemarks
        Open all portsAll ports are open. May present security issues.-
        Open ports 22, 80, 443, and 3389 and the ICMP protocolPorts 22, 80, 443, and 3389 and the ICMP protocol are opened to the internet. All ports are opened to the private network.This template does not take effect for TencentDB.
        CustomYou can create a security group and then add custom rules. For detailed directions, please see "Step 2. Add a security group rule" below.-
      • Name: name of the security group.
      • Project: by default, DEFAULT PROJECT is selected. Select a project for easier management.
      • Notes: a short description of the security group for easier management.

    Step 2. Add a security group rule

    1. On the Security Group page, click Modify Rules in the Operation column on the row of the security group for which to configure a rule.
    2. Select Security Group Rule > Inbound rule, click Add a Rule.
    3. In the pop-up dialog box, set the rule.
      • Type: Custom is selected by default. You can also choose another system rule template. SQL Server(1433) is recommended.
      • Source or Target: traffic source (inbound rules) or target (outbound rules). You need to specify one of the following options:
        Source or DestinationDescription
        A single IPv4 address or an IPv4 rangeIn CIDR notation, such as 203.0.113.0, 203.0.113.0/24 or 0.0.0.0/0, where 0.0.0.0/0 indicates all IPv4 addresses will be matched.
        A single IPv6 address or an IPv6 rangeIn CIDR notation, such as FF05::B5, FF05:B5::/60, ::/0 or 0::0/0, where ::/0 or 0::0/0 indicates all IPv6 addresses will be matched.
        ID of referenced security group. You can reference the ID of:
        • Current security group
        • Other security group
        • Current security group: CVMs associated with the current security group.
        • Other security group: ID of another security group in the same region that belongs to the same project.
        Reference an IP address object or IP address group object in a parameter template.-
      • Protocol port: enter the protocol type and port range or reference a protocol/port or protocol/port group in a parameter template.

        Note:

        To connect to TencentDB for SQL Server, port 1433 must be opened.

      • Policy: Allow or Refuse. Allow is selected by default.
        • Allow: traffic to this port is allowed.
        • Refuse: data packets will be discarded without any response.
      • Notes: a short description of the rule for easier management.
    4. Click Complete.

    Use cases

    Scenario: you have created a TencentDB for SQL Server instance and want to access it from a CVM instance.
    Solution: when adding security group rules, select SQL Server(1433) in Type to open port 1433.
    You can also allow all IPs or specified IPs (IP ranges) based on your actual needs so as to configure IP sources that can access TencentDB for SQL Server through CVM.

    Direction Type Source Protocol and Port Policy
    Inbound SQL Server(1433) All IP: 0.0.0.0/0
    Specified IP: enter the specified IPs or IP ranges
    TCP:1433 Allow

    Step 3. Configure a security group

    A security group is an instance-level firewall provided by Tencent Cloud for controlling inbound traffic to TencentDB. You can associate a security group with an instance when purchasing it or later in the console.

    Note:

    Currently, only TencentDB for SQL Server in VPC can associate with security groups.

    1. Log in to the TencentDB for SQL Server console. In the instance list, locate the instance for which to configure a security group and click Manage in the Operation column to enter the instance management page.
    2. On the Security Group page, click Configure Security Group.
    3. In the pop-up dialog box, select the security group to be associated and click OK.

    Security Group Rule Import

    1. On the Security Group page, click the ID/name of the target security group.
    2. On the Inbound rule or Outbound rule tab, click Import rule.
    3. In the pop-up dialog box, select an edited inbound/outbound rule template file and click Import.

      Note:

      If there are existing rules in the security group, export them before importing new rules. Existing rules are overwritten after importing.

    Security Group Clone

    1. On the Security Group page, locate the desired security group and click More > Clone in the Operation column.
    2. In the pop-up dialog box, select the region and project, enter a new name for the security group, and click OK. If the new security group needs to be associated with a CVM instance, click Manage Instances in the Operation column to add a CVM instance on the Associate with Instance > Cloud Virtual Machine tab.

    Security Group Deletion

    1. On the Security Group page, locate the security group to be deleted and click More > Delete in the Operation column.
    2. Click OK in the pop-up dialog box. If the current security group is associated with a CVM instance, it must be disassociated before it can be deleted.

    Was this page helpful?

    Was this page helpful?

    • Not at all
    • Not very helpful
    • Somewhat helpful
    • Very helpful
    • Extremely helpful
    Send Feedback
    Help