
ApsaraDB RDS: Configure security group settings

Last Updated:Jul 16, 2024

The security group feature of ApsaraDB RDS allows you to associate security groups in Elastic Compute Service (ECS) with ApsaraDB RDS for SQL Server instances or configure custom security group rules. This way, you can control access from ECS instances or authorization entities to RDS instances, implement fine-grained access control of RDS instances, and ensure secure and efficient data access. This topic describes how to configure the security group settings for an RDS instance. Security group settings include security groups and security group rules.

Scenarios

If you cannot connect to an RDS instance that you created, you must configure the security group settings or an IP address whitelist for the RDS instance. After the configuration is complete, the IP addresses in the IP address whitelist, the ECS instances in the associated security groups, and the custom authorization entities in the security group rules are granted access to the RDS instance.

Note

You can configure IP address whitelists and security group settings for an RDS instance. For more information, see Configure an IP address whitelist and Create a security group.

Usage notes

  • Up to 10 security groups can be configured for each RDS instance. The number of rules that can be configured for each security group is not limited.

  • Changes to the ECS instances in an associated security group take effect immediately.

  • The security groups that you associate with an RDS instance must have the same network type as the RDS instance. This means that the RDS instance and the security groups must both be of the virtual private cloud (VPC) type or both be of the classic network type.

    Note

    After you change the network type of your RDS instance, the security group that you configured becomes invalid. You must re-configure the security group of the required network type.

Configure a security group

You can associate an ECS security group with your RDS instance. This way, all ECS instances in the security group can access the RDS instance.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup. On the page that appears, click the Security Group tab.

  3. Click Add Security Group for the RDS instance that belongs to the shared instance family or Associate Security Group Whitelist for the RDS instance that belongs to the general-purpose or dedicated instance family, select security groups that you want to associate, and then click OK.

    Note

    Security groups followed by a VPC tag are VPC-type security groups.


Configure security group rules

You can configure security group rules for specific authorization entities to allow the authorization entities to access your RDS instance or other services such as SQL Server Analysis Services (SSAS) and SQL Server Reporting Services (SSRS). Security group rules are suitable for network connections in specific business scenarios.

Note

You can configure security group rules for RDS instances that belong to the general-purpose and dedicated instance families. For more information, see Instance families.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup. On the page that appears, click the Security Group tab.

  3. Click Add Security Group Rule. In the Add Security Group Rule dialog box, select Scenario-based Addition or Manually Add, and then click OK.

    Note

    Hosts in a VPC share the same security group. If you modify the security group of an RDS instance, other RDS instances in the VPC are directly affected.

    Option: Scenario-based Addition

    Description: The following scenarios are supported:

    • SSAS: The default protocol is TCP, the port range is 2383/2383, and the authorization object is the entry 0.0.0.0/0.

    • SSRS: The default protocol is TCP, the port range is 443/443, and the authorization object is the entry 0.0.0.0/0.

    Important

    If you use the entry 0.0.0.0/0 as an authorization object, all IP addresses are granted access to your RDS instance. We recommend that you replace the entry 0.0.0.0/0 with a specific CIDR block based on your business requirements at the earliest opportunity. This reduces the risk of unauthorized access.

    Option: Manually Add

    Description: The following parameters are required to configure a security group rule:

    • Protocol Type: the protocol type. TCP and UDP are supported. For more information, see Security group rules.

    • Port Range: the destination port range. Example: 22/22. For more information, see Common ports.

    • Authorization Object: the authorized source IP address. Example: 192.XX.XX.100.

    • Description: the description of the rule.
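The constraints this page states (at most 10 security groups per instance, matching network type, TCP or UDP only, a start/end port range, an IP address or CIDR block as the authorization object) can be checked before anything is clicked in the console. The following is an added example, not Alibaba Cloud code and not an API call: it audits a planned configuration offline and flags rules whose authorization object is 0.0.0.0/0, which the Important note above recommends narrowing. The field names `id`, `network_type`, `protocol`, `port_range` and `authorization_object`, and the sample rules, are constructed for this example.

```python
"""Offline audit of a planned ApsaraDB RDS security-group configuration.

Added example; field names and sample data are constructed, not taken
from the console or the RDS API.
"""
import ipaddress
import re

MAX_SECURITY_GROUPS = 10            # per-instance limit stated in the usage notes
ALLOWED_PROTOCOLS = {"TCP", "UDP"}  # protocol types the rule dialog accepts
PORT_RANGE_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")  # start/end form, e.g. "22/22"


def check_security_groups(instance_network_type, security_groups):
    """Return problems with the security groups planned for one instance.

    `security_groups` is a list of dicts with hypothetical keys 'id' and
    'network_type' ("VPC" or "Classic").
    """
    problems = []
    if len(security_groups) > MAX_SECURITY_GROUPS:
        problems.append(
            f"{len(security_groups)} security groups exceeds the limit of {MAX_SECURITY_GROUPS}"
        )
    for sg in security_groups:
        # A security group of the wrong network type is not usable for this instance.
        if sg["network_type"] != instance_network_type:
            problems.append(
                f"{sg['id']}: network type {sg['network_type']} does not match "
                f"the instance network type {instance_network_type}"
            )
    return problems


def check_rule(rule):
    """Validate one security group rule and return (errors, warnings).

    Errors are values the console would not accept; warnings are accepted
    values that widen exposure (currently only a 0.0.0.0/0 source).
    """
    errors, warnings = [], []

    proto = str(rule.get("protocol", "")).upper()
    if proto not in ALLOWED_PROTOCOLS:
        errors.append(f"unsupported protocol {rule.get('protocol')!r}")

    m = PORT_RANGE_RE.match(str(rule.get("port_range", "")))
    if not m:
        errors.append(f"port range {rule.get('port_range')!r} is not in start/end form")
    else:
        start, end = int(m.group(1)), int(m.group(2))
        if not 1 <= start <= end <= 65535:
            errors.append(f"port range {start}/{end} is out of order or outside 1-65535")

    src = str(rule.get("authorization_object", ""))
    try:
        # strict=False lets a plain host address like 192.0.2.100 parse as a /32.
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        errors.append(f"authorization object {src!r} is not an IP address or CIDR block")
    else:
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 admits every source address
            warnings.append(
                f"authorization object {src} grants every IP address access; "
                "replace it with a specific CIDR block"
            )
    return errors, warnings


def audit_rules(rules):
    """Map each rule's 'name' to its (errors, warnings) pair."""
    return {rule["name"]: check_rule(rule) for rule in rules}


# Constructed sample: the two scenario-based defaults from the page, one
# narrowed rule, and one rule with every field wrong.
SAMPLE_RULES = [
    {"name": "ssas-default", "protocol": "TCP", "port_range": "2383/2383",
     "authorization_object": "0.0.0.0/0"},
    {"name": "ssrs-default", "protocol": "TCP", "port_range": "443/443",
     "authorization_object": "0.0.0.0/0"},
    {"name": "app-subnet", "protocol": "TCP", "port_range": "1433/1433",
     "authorization_object": "192.0.2.0/24"},
    {"name": "broken", "protocol": "ICMP", "port_range": "80-80",
     "authorization_object": "192.0.2.256"},
]

if __name__ == "__main__":
    for name, (errors, warnings) in audit_rules(SAMPLE_RULES).items():
        status = "ERROR" if errors else ("WARN" if warnings else "ok")
        print(f"{name:13} {status:5} {'; '.join(errors + warnings)}")
    print(check_security_groups("VPC", [{"id": "sg-example", "network_type": "Classic"}]))
```

Running the block prints one line per sample rule: the two scenario-based defaults pass validation but carry a warning, the narrowed rule is clean, and the broken rule reports three errors. Feed it the rules you intend to add (or export from the console) to catch a wide-open authorization object before it goes live rather than after.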

What to do next

Disassociate a security group

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup. On the page that appears, click the Security Group tab.

  3. Find the security group that you want to disassociate and click Delete on the right.


    Note

    To disassociate all ECS security groups from an RDS instance, click Clear.

  4. Click OK.

Modify a security group rule

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup. On the page that appears, click the Security Group tab.

  3. Click Modify in the Action column.


  4. In the dialog box that appears, modify the security group rule. The following list describes the required parameters:

    • Protocol Type: the protocol type. TCP and UDP are supported. For more information, see Security group rules.

    • Port Range: the destination port range. Example: 22/22. For more information, see Common ports.

    • Authorization Object: the authorized source IP address. Example: 192.XX.XX.100.

    • Description: the description of the rule.

  5. Click OK.

Delete a security group rule

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Whitelist and SecGroup. On the page that appears, click the Security Group tab.

  3. Find the security group rule that you want to delete and click Delete in the Action column.
