This topic describes how to configure a security group for a tenant. After you configure an OceanBase security group, you can associate it with an Elastic Compute Service (ECS) security group. After the association, all ECS instances in the ECS security group can access the OceanBase Database instance.
Background information
A security group is a logical group that implements access security strategies for ECS instances with the same security protection requirements and mutual trust in the same Virtual Private Cloud (VPC). ApsaraDB for OceanBase allows you to configure security groups for a tenant. When you configure a security group, the system automatically creates a service-linked role for querying the security group list on the user side. You can configure at most three security groups for a tenant.
Procedure
Log on to the ApsaraDB for OceanBase console.
In the left-side navigation pane, click Instances.
In the instance list, click the name of the target cluster instance to go to the Cluster Instance Workspace page.
In the left-side navigation pane, click Tenant Management. In the tenant list, click the target tenant to go to the Tenant Workspace page.
In the left-side navigation pane, click Security Settings.
Click the Security Group tab on the Security Settings page. If no security groups have been configured, click Configure or Configure Security Group in the upper-right corner of the page to add a security group. If a security group has been configured for the tenant, click Configure Security Group in the upper-right corner of the page to add a new security group.
Note: You can associate an OceanBase security group with an ECS security group. Then, all ECS instances in the ECS security group can access the OceanBase Database instance.
Note: Security group changes, such as security group addition or deletion and server changes in a security group, take effect after a delay.
In the dialog box for creating a service-linked role, click OK. The system automatically creates a service-linked role for querying the security group list on the user side. If this role already exists, the system will not create it again. For more information, see AliyunServiceRoleForOceanBaseEncryption.
If you do not have the privilege to create this role, ask the owner of the primary account or a privilege administrator to grant you the privilege to create a service-linked role. Information about the service-linked role:
Service name: security-group.oceanbase.aliyuncs.com
Role name: AliyunServiceRoleForOceanBaseSecurityGroup
Privilege required to create the role: RAM:CreateServiceLinkedRole
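When an administrator grants RAM:CreateServiceLinkedRole, the grant can be limited to the service name listed above instead of covering every service. The following check is an added example, not part of the original documentation: it flags RAM policy statements that allow the action without pinning it to this service through the ram:ServiceName condition key. The two sample policies are constructed, and the function names are hypothetical.

```python
import fnmatch

# Service name and action come from the page; ram:ServiceName is the RAM condition key
# used to pin service-linked role creation to one service.
SERVICE = "security-group.oceanbase.aliyuncs.com"
ACTION = "ram:createservicelinkedrole"

# Constructed sample policies (not from the page).
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*"}]}
SCOPED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": SERVICE}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_action(stmt):
    # Compare case-insensitively and honour wildcards such as "ram:*" or "*".
    return any(fnmatch.fnmatchcase(ACTION, a.lower())
               for a in _as_list(stmt.get("Action", [])))

def _pinned_services(stmt):
    """Return the service names pinned by StringEquals ram:ServiceName, or None."""
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "ram:servicename":
            return set(_as_list(value))
    return None

def audit(policy):
    """List (statement index, problem) for Allow statements that over-grant the action."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants_action(stmt):
            continue
        services = _pinned_services(stmt)
        if services is None:
            findings.append((i, "not limited to any service name"))
        elif services - {SERVICE}:
            findings.append((i, "also allows: " + ", ".join(sorted(services - {SERVICE}))))
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(policy) or "ok")
```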
On the security group configuration page, select the target security group and click OK.
Click the security group ID to go to the ECS security group details page and view the related information.
You can click the Delete icon next to a security group to delete it.
Note: Deleting a security group may affect your business. Proceed with caution.