- Release Notes and Announcements
- Release Notes
- Open-Source Plugin Privilege Escalation Has Vulnerability Risk for PostgreSQL
- Announcements
- Security Risk Statement for Creating Partial Plugins in PostgreSQL Cloud Database
- TencentDB for PostgreSQL Will Start Billing for Backup Space
- Some Extensions on Lower Kernel Version Can't Be Created and Upgraded in TencentDB for PostgreSQL
- Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
- Product Introduction
- Purchase Guide
- Getting Started
- Kernel Version Introduction
- Operation Guide
- Instance Management
- Upgrading Instance
- Read-Only Instance
- Account Management
- Database Optimization
- Parameter Management
- Log management
- Backup and Restoration
- Extension Management
- Network Management
- Access Management
- Data Encryption
- Security Groups
- Monitoring and Alarms
- Tag
- PostgreSQL for Serverless
- Best Practice
- postgres_fdw Extension for Cross-database Access
- Automatically Creating Partition in PostgreSQL
- Searching in High Numbers of Tags Based on pg_roaringbitmap
- Querying People Nearby with One SQL Statement
- Configuring TencentDB for PostgreSQL as GitLab's External Data Source
- Supporting Tiered Storage Based on cos_fdw Extension
- Implement Read/Write Separation via pgpool
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- DescribeDBInstanceHAConfig
- SwitchDBInstancePrimary
- ModifyDBInstanceChargeType
- ModifyDBInstanceHAConfig
- UpgradeDBInstanceKernelVersion
- CreateInstances
- DescribeDBInstanceAttribute
- DescribeDBInstances
- InitDBInstances
- UpgradeDBInstance
- SetAutoRenewFlag
- RestartDBInstance
- RenewInstance
- ModifyDBInstancesProject
- ModifyDBInstanceName
- DestroyDBInstance
- IsolateDBInstances
- DisIsolateDBInstances
- ModifySwitchTimePeriod
- ModifyDBInstanceSpec
- ModifyDBInstanceDeployment
- DescribeEncryptionKeys
- CreateDBInstances
- Read-only Replica APIs
- Backup and Restoration APIs
- DescribeBackupDownloadRestriction
- ModifyBackupDownloadRestriction
- DescribeDBXlogs
- DescribeDBBackups
- ModifyBackupPlan
- DescribeCloneDBInstanceSpec
- DescribeBackupPlans
- DescribeAvailableRecoveryTime
- CloneDBInstance
- ModifyBaseBackupExpireTime
- DescribeLogBackups
- DescribeBaseBackups
- DescribeBackupSummaries
- DescribeBackupOverview
- DescribeBackupDownloadURL
- DeleteLogBackup
- DeleteBaseBackup
- CreateBaseBackup
- Parameter Management APIs
- Network APIs
- Security Group APIs
- Performance Optimization APIs
- Account APIs
- Specification APIs
- PostgreSQL for Serverless APIs
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Glossary
- Contact Us
- Release Notes and Announcements
- Release Notes
- Open-Source Plugin Privilege Escalation Has Vulnerability Risk for PostgreSQL
- Announcements
- Security Risk Statement for Creating Partial Plugins in PostgreSQL Cloud Database
- TencentDB for PostgreSQL Will Start Billing for Backup Space
- Some Extensions on Lower Kernel Version Can't Be Created and Upgraded in TencentDB for PostgreSQL
- Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
- Product Introduction
- Purchase Guide
- Getting Started
- Kernel Version Introduction
- Operation Guide
- Instance Management
- Upgrading Instance
- Read-Only Instance
- Account Management
- Database Optimization
- Parameter Management
- Log management
- Backup and Restoration
- Extension Management
- Network Management
- Access Management
- Data Encryption
- Security Groups
- Monitoring and Alarms
- Tag
- PostgreSQL for Serverless
- Best Practice
- postgres_fdw Extension for Cross-database Access
- Automatically Creating Partition in PostgreSQL
- Searching in High Numbers of Tags Based on pg_roaringbitmap
- Querying People Nearby with One SQL Statement
- Configuring TencentDB for PostgreSQL as GitLab's External Data Source
- Supporting Tiered Storage Based on cos_fdw Extension
- Implement Read/Write Separation via pgpool
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- DescribeDBInstanceHAConfig
- SwitchDBInstancePrimary
- ModifyDBInstanceChargeType
- ModifyDBInstanceHAConfig
- UpgradeDBInstanceKernelVersion
- CreateInstances
- DescribeDBInstanceAttribute
- DescribeDBInstances
- InitDBInstances
- UpgradeDBInstance
- SetAutoRenewFlag
- RestartDBInstance
- RenewInstance
- ModifyDBInstancesProject
- ModifyDBInstanceName
- DestroyDBInstance
- IsolateDBInstances
- DisIsolateDBInstances
- ModifySwitchTimePeriod
- ModifyDBInstanceSpec
- ModifyDBInstanceDeployment
- DescribeEncryptionKeys
- CreateDBInstances
- Read-only Replica APIs
- Backup and Restoration APIs
- DescribeBackupDownloadRestriction
- ModifyBackupDownloadRestriction
- DescribeDBXlogs
- DescribeDBBackups
- ModifyBackupPlan
- DescribeCloneDBInstanceSpec
- DescribeBackupPlans
- DescribeAvailableRecoveryTime
- CloneDBInstance
- ModifyBaseBackupExpireTime
- DescribeLogBackups
- DescribeBaseBackups
- DescribeBackupSummaries
- DescribeBackupOverview
- DescribeBackupDownloadURL
- DeleteLogBackup
- DeleteBaseBackup
- CreateBaseBackup
- Parameter Management APIs
- Network APIs
- Security Group APIs
- Performance Optimization APIs
- Account APIs
- Specification APIs
- PostgreSQL for Serverless APIs
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Glossary
- Contact Us
Overview
A security group is a stateful virtual firewall capable of filtering. As an important means for network security isolation provided by Tencent Cloud, it can be used to set network access controls for one or more TencentDB instances. Instances with the same network security isolation demands in one region can be put into the same security group, which is a logical group. TencentDB and CVM share the security group list and are matched with each other within the security group based on rules. For specific rules and limitations, please see Security Group Overview.
Note:
- TencentDB for PostgreSQL security groups currently only support network access control for VPCs and public networks but not the classic network.
- Security groups that currently support public network access are available only in the Beijing, Shanghai, Guangzhou, and Chengdu regions.
- As TencentDB does not have active outbound traffic, outbound rules are not applicable to TencentDB.
- TencentDB for PostgreSQL primary instances, read-only instances, and read-only instance groups (RO groups) support security groups.
Configuring Security Groups
Step 1. Create a security group
- Log in to the CVM console.
- Select Security Group on the left sidebar, select a region, and click New.
- In the pop-up dialog box, configure the following items and click OK.
- Template: select a template based on the service to be deployed on the TencentDB instance in the security group, which simplifies the security group rule configuration, as shown below:
Template Description Remarks Open all ports All ports are open. May present security issues. - Open ports 22, 80, 443, and 3389 and the ICMP protocol Ports 22, 80, 443, and 3389 and the ICMP protocol are opened to the internet. All ports are opened to the private network. This template does not take effect for TencentDB. Custom You can create a security group and then add custom rules. For detailed directions, please see "Step 2. Add a security group rule" below. The custom template is recommended. - Name: name of the security group.
- Project: by default, DEFAULT PROJECT is selected. Select a project for easier management.
- Notes: a short description of the security group for easier management.
Step 2. Add a security group rule
- On the Security Group page, click Modify Rule in the Operation column on the row of the security group for which to configure a rule.
- On the security group rule page, click Inbound rule > Add Rule.
- In the pop-up dialog box, set the rule.
- Type: Custom by default.
- Source or Target: traffic source (inbound rules) or target (outbound rules). You need to specify one of the following options:
Source or Target Description A single IPv4 address or an IPv4 range In CIDR notation, such as 203.0.113.0,203.0.113.0/24or0.0.0.0/0, where0.0.0.0/0indicates all IPv4 addresses will be matched.A single IPv6 address or an IPv6 range In CIDR notation, such as FF05::B5,FF05:B5::/60,::/0or0::0/0, where::/0or0::0/0indicates all IPv6 addresses will be matched.ID of referenced security group. You can reference the ID of: - Current security group
- Other security group
- To reference the current security group, please enter the ID of security group associated with the CVM.
- You can also reference another security group in the same region and belongs to the same project by entering the security group ID.
Reference an IP address object or IP address group object in a parameter template. - - Protocol Port: enter the protocol type and port range or reference a protocol/port or protocol/port group in a parameter template.
Note:
To connect to TencentDB for PostgreSQL, port 5432 must be opened.
- Policy: Allow or Reject. Allow is selected by default.
- Allow: traffic to this port is allowed.
- Reject: data packets will be discarded without any response.
- Notes: a short description of the rule for easier management.
- Click Complete.
Use cases
Scenario: you have created a TencentDB for PostgreSQL instance and want to access it from a CVM instance.
Solution: add an inbound security group rule where TCP:5432 is opened.
You can also set Source to all or specific IPs (IP ranges) as needed to allow them to access TencentDB for PostgreSQL from a CVM instance.
| Inbound or Outbound | Type | Source | Protocol and Port | Policy |
|---|---|---|---|---|
| Inbound | Custom | All IPs: 0.0.0.0/0 Specific IPs: specify IPs or IP ranges |
TCP:5432 | Allow |
Importing Security Group Rules
- On the Security Group page, click the ID/name of the desired security group.
- On the inbound rule or outbound rule tab, click Import Rule.
- In the pop-up dialog box, select an edited inbound/outbound rule template file and click Import.
Note:
As existing rules will be overwritten after importing, we recommend that you export the existing rules before importing new ones.
Cloning Security Groups
- On the Security Group page, locate the desired security group and click More > Clone in the Operation column.
- In the pop-up dialog box, select the target region and target project, enter the new security group name, and click OK. If the new security group needs to be associated with a CVM instance, do so by managing the CVM instances in the security group.
Deleting Security Groups
- On the Security Group page, locate the security group to be deleted and click More > Delete in the Operation column.
- Click OK in the pop-up dialog box. If the current security group is associated with a CVM instance, it must be disassociated before it can be deleted.
Yes
No
Was this page helpful?