tencent cloud

TencentDB for PostgreSQL

Managing Security Groups

Last updated: 2026-05-06 15:52:48

Scenarios

A security group is a stateful virtual firewall with filtering capabilities, used to configure network access control for one or more cloud databases. It serves as a critical network security isolation mechanism provided by Tencent Cloud. A security group functions as a logical container where you can add TencentDB instances from the same region that share identical network security isolation requirements. Cloud databases share the same security group mechanism with CVMs. Rules are matched within security groups based on configured policies. For specific rules and limitations, refer to Security Group Details.
Note:
TencentDB for PostgreSQL security groups currently only support network control for VPC private network access and public network access, and do not currently support network control for the basic network.
The security group feature for public network access to databases is currently only supported in the Beijing, Shanghai, Guangzhou, and Chengdu regions.
Since the cloud database has no active outbound traffic, the outbound rule does not take effect for the cloud database.
TencentDB for PostgreSQL security groups support primary instances, read-only instances, and read-only instance groups.

Configuring a Security Group

Step 1: Creating a Security Group

2. In the left sidebar, select the Security Group page, select a region, and click New.
3. In the dialog box that pops up, complete the following configurations. After they are completed, click OK.
Template: Based on the services to be deployed for database instances in the security group, select an appropriate template to simplify security group rule configuration, as shown in the table below:
| Template | Description | Scenario |
| --- | --- | --- |
| Open All Ports | All ports are opened to the public network and private network by default, which has certain security risks. | - |
| Ports 22, 80, 443, 3389 and the ICMP protocol are opened. | By default, ports 22, 80, 443, 3389 and the ICMP protocol are opened. The private network is fully opened. | This template does not take effect for cloud databases. |
| Custom | After the security group is successfully created, add security group rules as needed. For specific operations, see "Adding Security Group Rules" below. | We recommend that you select this template to customize a template for accessing specified instances. |
Name: customize the security group name.
Affiliated project: By default, select Default Project, but it can be designated to other projects for easier management.
Remarks: Custom. Enter a short description of the security group for easier management.

Step 2: Add security group rules

1. On the Security Group page, in the row of the security group for which you need to set rules, click Modify Rules in the Operation column.
2. On the Security Group Rules page, choose Inbound Rules > Add Rule.
3. Configure rules in the displayed dialog box.
Type: "Custom" is selected by default.
Source: The source (inbound rule) or destination (outbound rule) of traffic can be specified. Specify one of the following options:
| Specified Source/Destination | Description |
| --- | --- |
| Single IPv4 address or IPv4 address range | Use CIDR notation (such as 203.0.113.0, 203.0.113.0/24, or 0.0.0.0/0, where 0.0.0.0/0 indicates that all IPv4 addresses will be matched). |
| Single IPv6 address or IPv6 address range | Use CIDR notation (such as FF05::B5, FF05:B5::/60, ::/0, or 0::0/0, where ::/0 or 0::0/0 indicates that all IPv6 addresses will be matched). |
| Reference of a security group ID. You can refer to the IDs of the following security groups: Security group; Other security groups | The current security group indicates the CVM associated with the security group. Other security groups indicate another security group ID under the same item in the same area. |
| Reference of an IP address object or IP address group object in the Parameter Template | - |
Protocol Port: Enter the protocol type and port range. You can also refer to the protocol port or protocol port group in the Parameter Template.
Note:
To connect to TencentDB for PostgreSQL, you need to open the instance port for the PostgreSQL instance.
The private network port for PostgreSQL is 5432. You need to allow traffic through the PostgreSQL port in the security group.
The public network port for PostgreSQL is automatically assigned by the system and does not support customization. After the public network is enabled, it will be controlled by the security group network access policy. When you are configuring security policies, ensure traffic is allowed through the private network access port 5432.
Security group rules configured on the PostgreSQL console page apply uniformly to both private and public network addresses (if the public network is enabled).
Policy: The default value is Allow.
Allow: Access requests of this port are allowed.
Reject: Data packets will be discarded without any response.
Notes: Custom. Enter a short description of the rule for easier management.
4. Click OK to complete the addition of the security group inbound rules.

Case

Scenario: You have created a TencentDB for PostgreSQL instance and want to access it via CVM.
Solution: When adding security group rules, configure access permissions for the TCP:5432 protocol port in the inbound rules. Based on actual needs, you can either allow all IP addresses or specify IP addresses (IP ranges) as the sources that can access the TencentDB for PostgreSQL instance via CVM.

| Direction | Type | Source | Protocol Port | Policy |
| --- | --- | --- | --- | --- |
| Inbound | Custom | All IP addresses: 0.0.0.0/0; Specifying IP: Enter the IP or IP range you specify | TCP:5432 | Allow |
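
Because rules apply to both the private and the public address once public access is enabled, a source of 0.0.0.0/0 or ::/0 on the PostgreSQL port is worth flagging before rules are saved or imported. The following Python check is an added example, not Tencent Cloud code. The rule field names, the Protocol Port forms other than TCP:5432, the 256-address threshold and the `sg-PLACEHOLDER` ID are assumptions made for illustration.

```python
import ipaddress

PG_PORT = 5432  # private network port for PostgreSQL, as stated on this page

def port_matches(spec, proto="TCP", port=PG_PORT):
    """True if a Protocol Port value covers proto:port.
    'TCP:5432' is the page's form; 'ALL', comma lists and lo-hi ranges are assumed."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return True
    rule_proto, _, ports = spec.partition(":")
    if rule_proto != proto:
        return False
    if ports in ("", "ALL"):
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def audit(rules, max_addresses=256):
    """Return (rule number, finding, source) for over-broad Allow rules on the PostgreSQL port."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule["policy"] != "Allow" or not port_matches(rule["protocol_port"]):
            continue
        try:
            net = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            continue  # security group ID or Parameter Template reference, not a CIDR
        if net.prefixlen == 0:
            findings.append((number, "open-to-all", rule["source"]))
        elif net.num_addresses > max_addresses:  # assumed review threshold
            findings.append((number, "broad-range", rule["source"]))
    return findings

# Constructed sample rules (not exported from a real security group).
SAMPLE_RULES = [
    {"source": "0.0.0.0/0", "protocol_port": "TCP:5432", "policy": "Allow"},
    {"source": "203.0.113.0/24", "protocol_port": "TCP:5432", "policy": "Allow"},
    {"source": "::/0", "protocol_port": "TCP:5432", "policy": "Reject"},
    {"source": "sg-PLACEHOLDER", "protocol_port": "TCP:5432", "policy": "Allow"},
    {"source": "10.0.0.0/8", "protocol_port": "ALL", "policy": "Allow"},
    {"source": "0::0/0", "protocol_port": "TCP:5000-6000", "policy": "Allow"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Each Allow rule is examined on its own; the check does not model how a Reject rule elsewhere in the group would interact with it.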

Import security group rules

1. On the Security Group Page, select the desired security group and click Security Group ID/Name.
2. On the Inbound/Outbound rules tab, click Import Rules.
3. In the pop-up dialog box, select the edited inbound/outbound rule template file and click Start Import.
Note:
If there are security group rules under the security groups that need to be imported, it is recommended that you export the existing rules first. Otherwise, when importing new rules, the original rules will be overwritten.

Clone Security Group

1. On the Security Group Page, in the Operation column of the list, choose More > Clone.
2. In the pop-up dialog box, after the target region and target project are selected, click OK. If the new security group needs to be associated with CVM, please re-manage the CVMs within the security group.

Delete Security Group

1. On the Security Group Page, select the security group to be deleted, and in the Operation column, choose More > Delete.
2. In the pop-up dialog box, click OK. If the current security group is associated with CVM, the security group must be disassociated before deletion can proceed.
