
Security Group Explanation

The database proxy now supports security group functionality. If your user account has the security group feature enabled, the database proxy will automatically adapt to security group-related features.

Note: If your current account does not have security groups enabled, you can ignore this section.

To check if your account has security groups enabled

Navigate to the network module in the console and click to access the Virtual Private Cloud (VPC).

If you can see the 'Security Groups' tab in the tab options on the VPC page, it means that your current account has security groups enabled.

Database Proxy Security Groups

When you enable the database proxy, a security group is automatically created for it, with a name that starts with the proxy's ID. This security group is internally bound to the resources of the current proxy and has default rules.

By managing the security group rules of the database proxy, you can control which IP addresses are allowed to access the proxy. For detailed information and specific operations on security groups, please refer to the security group operation documentation.

Security Group Rules

In addition to creating the security group for the proxy itself, rules will also be added to the security group where the MySQL database associated with the current proxy resides. Each database proxy node will have a rule added to the security group to facilitate management of the nodes.

The rule has a priority of 0, which is used to allow communication between MySQL and the database proxy.

Usage Examples

First, create a MySQL instance and ensure that MySQL is added to the security group.

After enabling the database proxy, return to the security group page, and you will find an additional security group starting with the proxy's ID. This security group will have default inbound rules.

Click on the details of the MySQL security group, and you will see that the security group has an additional rule.

If you want to block a specific IP from accessing the database through the proxy, you can add a deny rule in the proxy's security group.

In a real production environment, if you want the database to only be accessible through the proxy and not through other means, you can set a high-priority deny rule to deny all IP ranges and allow traffic within the group (between databases).

The following shows a direct connection to the MySQL database before and after adding the deny rule to the database: [picture]

Meanwhile, when connecting through the proxy, you can still establish a connection to the database.
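
To confirm the result described above (direct access blocked, proxy access working), the following added example, which is not part of the original documentation, probes both endpoints from a client outside the MySQL security group. The addresses and port 3306 are placeholders and assumptions; substitute your own MySQL and proxy endpoints.

```python
import socket


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out (packets dropped by a deny rule), unreachable
        # or unresolvable: all count as "not reachable" for this check.
        return False


def check_proxy_only(direct, proxy, probe=tcp_reachable):
    """Classify the lockdown state as seen from this client.

    direct and proxy are (host, port) tuples. probe is injectable so the
    verdict logic can be exercised without real network access.
    This only tests network reachability, not MySQL authentication.
    """
    direct_open = probe(*direct)
    proxy_open = probe(*proxy)
    if proxy_open and not direct_open:
        return "OK: database reachable only through the proxy"
    if proxy_open and direct_open:
        return "FAIL: direct MySQL endpoint is still reachable"
    if not proxy_open and not direct_open:
        return "FAIL: proxy unreachable; check the proxy security group rules"
    return "FAIL: direct endpoint reachable but proxy is not"


if __name__ == "__main__":
    # Placeholder endpoints (documentation address range), assumed for illustration.
    DIRECT = ("192.0.2.10", 3306)   # MySQL instance address
    PROXY = ("192.0.2.20", 3306)    # database proxy address
    print(check_proxy_only(DIRECT, PROXY))
```

Run it once before and once after adding the deny rule; the first run should report that the direct endpoint is still reachable, the second should report OK.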

For detailed operations related to security groups, please refer to the security group operation documentation.

Copyright © 2024 SurferCloud All Rights Reserved