Configure Security Group

Last updated: 2020-02-25 18:28:04


Operation Scenario

A security group is a stateful virtual firewall that filters network access to one or more databases. It is an important network isolation tool provided by Tencent Cloud. A security group is a logical group: database instances in the same region that share the same network isolation requirements can be placed in the same security group. Databases share the security group list with CVMs, and traffic is matched against the rules in the security group. See the security group documentation for detailed rules and limitations.

  1. A database security group only controls private network access within a VPC; it does not control access from the basic network.

  2. A database does not initiate outbound connections, so outbound rules have no effect on databases.

  3. The TencentDB for MongoDB security group supports master instances, read-only instances, and disaster recovery instances.

  4. Notes on the default security group templates:

    • Port 22 opened on Linux: only TCP port 22 (SSH login) is opened to the public network, while all ports are opened to the private network. This template is not applicable to TencentDB.
    • Port 3389 opened on Windows: only TCP port 3389 (MSTSC login) is opened to the public network, while all ports are opened to the private network. This template is not applicable to TencentDB.
    • All ports opened: access to TencentDB from all IP addresses is allowed, which carries security risks. Prefer a custom rule that allows only the database port from the client subnet.
  5. The security group feature is available on an allowlist basis. Submit a ticket to apply for it.

Directions

Create a security group

  1. Log in to the Tencent Cloud Console and select Products > Cloud Virtual Machine to go to the CVM management page.
  2. Click Security Groups in the left navigation bar to go to the security group management page.
  3. Click Create, select Template or Custom, enter a Name for the security group (such as my-security-group), select a Project, enter Notes (optional), and click OK.

Configure security groups for TencentDB for MongoDB

A security group is an instance-level firewall provided by Tencent Cloud for controlling inbound traffic to TencentDB (outbound rules do not take effect for databases). You can associate a security group with an instance when purchasing it or later in the console.

The TencentDB for MongoDB security group is only available for VPC-based instances.

  1. Log in to the TencentDB for MongoDB console, select the instance to configure in the instance list, and click Manage > Security Groups in the Operation column.
  2. Select the security group to associate and click OK to associate it with the TencentDB for MongoDB instance.

Delete a security group

  1. Log in to the Security group page and select More > Delete in the Operation column of the security group list.
  2. In the deletion confirmation box, click OK. If the security group is still associated with an instance (a CVM or a database), remove the association before deleting the security group.

Clone a security group

  1. Log in to the Security group page and select More > Clone in the Operation column of the security group list.
  2. In the clone dialog box, select the target region and target project, and click OK. If the new security group needs to be associated with instances, associate it with the desired CVMs or databases afterwards.

Add rules to a security group

  1. Log in to the Security group page, select the security group to update, and click its ID to go to the details page, which shows the security group's details and its inbound/outbound rules.
  2. On the Inbound rule or Outbound rule tab, click Add a Rule.
  3. Select the options for the rule and enter the required information. For example, specify the client subnet (such as "10.0.0.0/16", an illustrative value) as the source/destination, "TCP:3306" as the protocol port (for TencentDB for MongoDB, use the instance's own port instead, 27017 by default), and "Allow" as the policy, then click Complete. Click New Line to add more rules. Because outbound rules have no effect on databases, only inbound rules need to be configured.
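The notes in the Operation Scenario (outbound rules ignored, the "All ports opened" template, private-network-only filtering) and the rule-adding step above can be checked mechanically before a rule set is imported or attached. The following is an added example written for this page, not Tencent Cloud's own code or tooling: an offline audit of a rule set whose dictionaries mirror the shape of a Tencent Cloud VPC SecurityGroupPolicySet (Ingress/Egress lists with Protocol, Port, CidrBlock, Action). The sample rule set, the port syntax accepted by `port_matches`, and the severity labels are assumptions made for the example; the sample data is constructed by hand, not fetched from the API.

```python
"""Offline audit of a security-group rule set for a TencentDB for MongoDB
instance. Added example, not Tencent Cloud code. The rule dictionaries are
modelled on the shape of a VPC SecurityGroupPolicySet; the sample below is
constructed for illustration."""
import ipaddress

MONGODB_PORT = 27017  # default TencentDB for MongoDB port (3306 is MySQL)

# RFC 1918 ranges: the only sources a TencentDB security group can really
# control, since only VPC (private-network) access is filtered.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one sensible rule, one "all ports opened" style rule,
# one rule from a public CIDR, and one egress rule that databases ignore.
SAMPLE_POLICY_SET = {
    "Ingress": [
        {"Protocol": "TCP", "Port": "27017", "CidrBlock": "10.0.0.0/16", "Action": "ACCEPT"},
        {"Protocol": "ALL", "Port": "ALL", "CidrBlock": "0.0.0.0/0", "Action": "ACCEPT"},
        {"Protocol": "TCP", "Port": "27017", "CidrBlock": "203.0.113.0/24", "Action": "ACCEPT"},
    ],
    "Egress": [
        {"Protocol": "ALL", "Port": "ALL", "CidrBlock": "0.0.0.0/0", "Action": "ACCEPT"},
    ],
}


def port_matches(port_field, port):
    """True if a rule's Port field ('ALL', '27017', '27000-28000', or a
    comma-separated list of those; assumed syntax) covers the given port."""
    for item in str(port_field).split(","):
        item = item.strip().upper()
        if item == "ALL":
            return True
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def is_rfc1918(cidr):
    """True if the CIDR block lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(private) for private in RFC1918)


def audit_policy_set(policy_set, db_port=MONGODB_PORT):
    """Return a list of (severity, message) findings for the rule set."""
    findings = []
    db_reachable = False
    for rule in policy_set.get("Ingress", []):
        if str(rule.get("Action", "")).upper() != "ACCEPT":
            continue  # DROP rules never widen access
        proto = str(rule.get("Protocol", "")).upper()
        if proto not in ("ALL", "TCP") or not port_matches(rule.get("Port", ""), db_port):
            continue  # rule does not touch the database port
        cidr = rule["CidrBlock"]
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            # Equivalent to the "All ports opened" template: every private
            # client can reach the database.
            db_reachable = True
            findings.append(("high", f"ingress {proto}:{rule['Port']} from {cidr} "
                                     "allows every address; restrict to the client subnet"))
        elif not is_rfc1918(cidr):
            findings.append(("low", f"ingress rule from public CIDR {cidr} is ineffective: "
                                    "only VPC private-network access is filtered"))
        else:
            db_reachable = True
    if not db_reachable:
        findings.append(("high", f"no ACCEPT ingress rule opens TCP {db_port} from a "
                                 "private CIDR; VPC clients will be refused"))
    for rule in policy_set.get("Egress", []):
        findings.append(("info", f"egress rule {rule.get('Protocol')}:{rule.get('Port')} "
                                 f"to {rule.get('CidrBlock')} has no effect on TencentDB"))
    return findings


def minimal_policy_set(client_cidr, db_port=MONGODB_PORT):
    """Least-privilege rule set: one inbound allow for the database port from
    the client subnet and no outbound rules (they would be ignored anyway)."""
    return {
        "Ingress": [{"Protocol": "TCP", "Port": str(db_port), "CidrBlock": client_cidr,
                     "Action": "ACCEPT", "PolicyDescription": "app subnet -> MongoDB"}],
        "Egress": [],
    }


if __name__ == "__main__":
    for severity, message in audit_policy_set(SAMPLE_POLICY_SET):
        print(f"[{severity}] {message}")
    print("clean:", audit_policy_set(minimal_policy_set("10.0.0.0/16")))
```

Running the audit on the constructed sample reports the 0.0.0.0/0 rule, the public-CIDR rule, and the ignored egress rule, while the rule set produced by `minimal_policy_set` passes with no findings. A rule set that only opens TCP 3306 (the MySQL example port) is flagged because nothing allows the MongoDB port.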

Import/Export security group rules

  1. Log in to the Security group page, select the security group to update, and click its ID to go to the details page.
  2. On the Inbound rule or Outbound rule tab, click Import rule.
  3. If the security group already has rules, export them first; otherwise they will be overwritten by the imported rules. If it has no rules, export the template, edit it, click Select file to choose the edited template file, and click Import.