If you use a self-managed data store on an Elastic Compute Service (ECS) instance, you must configure a security group for the ECS instance. This way, resource groups can read data from and write data to the data store. This topic shows you how to configure a security group for an ECS instance where a self-managed data store resides to allow access from different types of resource groups.

Prerequisites

  1. The network connectivity is configured between a resource group and the data store to be accessed. For more information, see Test data store connectivity.
  2. If the data store is configured with a whitelist, make sure that the IP addresses and classless inter-domain routing (CIDR) blocks of the resource group are added to the whitelist. For more information, see Configure whitelists.

Configure a security group

The security group rule to be configured varies based on the type of resource group that is used to run sync nodes to read data from or write data to a self-managed data store deployed on your ECS instance.
  • Exclusive resource group for Data Integration
    You must add the Elastic IP Address (EIP) CIDR block or vSwitch CIDR block of the exclusive resource group and the specific ports to your security group rule.
    • To synchronize data over the Internet, you must obtain and add the EIP CIDR block of the exclusive resource group and the specific ports to your security group rule.
    • To synchronize data to or from a data store in a virtual private cloud (VPC), you must obtain and add the vSwitch CIDR block of the exclusive resource group and the specific ports to your security group rule.
    For more information about exclusive resource groups for Data Integration, see Add the information about an exclusive resource group for Data Integration to the whitelist of a data store. For more information about how to add a security group rule, see Add security group rules.
  • Public resource group for Data Integration
    The authorization objects to be added to your security group rule must be in the same region as the ECS instance where the self-managed data store resides. The following table describes the authorization object and account ID to be added in different regions. You can configure a security group based on the region where your ECS instance resides. For example, your ECS instance resides in the China (Beijing) region. You must add the authorization object sg-2ze3236e8pcbxw61o9y0 and account ID 1156529087455811 to your security group rule. In addition, you can add connections for the data store only in the China (Beijing) region.
    Note: Public resource groups for Data Integration use IP addresses on the classic network. If your ECS instance resides in a VPC, you cannot add the following information to your security group rule because the network types are different.

    Region                 Authorization object        Account ID
    China (Hangzhou)       sg-bp13y8iuj33uqpqvgqw2     1156529087455811
    China (Shanghai)       sg-uf6ir5g3rlu7thymywza     1156529087455811
    China (Shenzhen)       sg-wz9ar9o9jgok5tajj7ll     1156529087455811
    Singapore              sg-t4n222njci99ik5y6dag     1156529087455811
    China (Hong Kong)      sg-j6c28uqpqb27yc3tjmb6     1156529087455811
    US (Silicon Valley)    sg-rj9bowpmdvhyl53lza2j     1156529087455811
    US (Virginia)          sg-0xienf2ak8gs0puz68i9     1156529087455811
    China (Beijing)        sg-2ze3236e8pcbxw61o9y0     1156529087455811

    In this case, you must manually add a security group rule by authorizing another account to which the security group belongs, as shown in the following figure (Set parameters). For more information, see Add security group rules.
  • Custom resource group for Data Integration
    You must add the internal or public IP addresses of the custom resource group and the specific ports to your security group rule.
    For more information, see Add security group rules.
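The three bullets above map onto the same security group rule in different shapes: a CIDR source for exclusive and custom resource groups, and a cross-account security group source for the public resource group. The following script is an added example, not part of the DataWorks documentation or of any Alibaba Cloud tool. It assembles the parameter set of the ECS AuthorizeSecurityGroup API (RegionId, SecurityGroupId, IpProtocol, PortRange, SourceCidrIp, SourceGroupId, SourceGroupOwnerAccount, NicType, Policy) for each case and refuses rules that are broader than this topic calls for: a 0.0.0.0/0 source, an all-ports range, a host address passed off as a block, or a public resource group rule for an ECS instance in a VPC. The security group and account IDs of the public resource groups come from the table above; the region IDs are the standard Alibaba Cloud identifiers for those regions. The sg-EXAMPLE... security group ID, the CIDR blocks and the port 3306 used in the demo are constructed values.

```python
"""Build and sanity-check ECS security group rules for DataWorks resource groups.

Added example; not part of the DataWorks documentation or Alibaba Cloud tooling.
The dictionary keys are the parameter names of the ECS AuthorizeSecurityGroup API.
"""
import ipaddress

# Account that owns the security groups of the public resource groups (table above).
PUBLIC_RG_OWNER_ACCOUNT = "1156529087455811"

# Region ID -> security group of the public resource group in that region (table above).
PUBLIC_RG_SECURITY_GROUPS = {
    "cn-hangzhou": "sg-bp13y8iuj33uqpqvgqw2",     # China (Hangzhou)
    "cn-shanghai": "sg-uf6ir5g3rlu7thymywza",     # China (Shanghai)
    "cn-shenzhen": "sg-wz9ar9o9jgok5tajj7ll",     # China (Shenzhen)
    "ap-southeast-1": "sg-t4n222njci99ik5y6dag",  # Singapore
    "cn-hongkong": "sg-j6c28uqpqb27yc3tjmb6",     # China (Hong Kong)
    "us-west-1": "sg-rj9bowpmdvhyl53lza2j",       # US (Silicon Valley)
    "us-east-1": "sg-0xienf2ak8gs0puz68i9",       # US (Virginia)
    "cn-beijing": "sg-2ze3236e8pcbxw61o9y0",      # China (Beijing)
}


def normalize_port_range(port_range: str) -> str:
    """Return 'start/end' for the data store ports, refusing an all-ports rule."""
    start, _, end = port_range.partition("/")
    low, high = int(start), int(end or start)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {port_range!r}")
    if (low, high) == (1, 65535):
        raise ValueError("rule would open every port; list only the data store ports")
    return f"{low}/{high}"


def cidr_rule(region_id, security_group_id, source_cidr, port_range, expect_private=False):
    """Rule for an exclusive or custom resource group (the source is a CIDR block).

    expect_private=True fits the vSwitch CIDR block used when synchronizing inside
    a VPC; the EIP CIDR block used over the Internet is public by nature.
    """
    # strict=True rejects a host address written as a block, e.g. 10.0.1.5/24.
    net = ipaddress.ip_network(source_cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 admits the whole Internet; use the resource group's CIDR block")
    if expect_private and not net.is_private:
        raise ValueError(f"{net} is not a private block; a vSwitch CIDR block was expected")
    return {
        "RegionId": region_id,
        "SecurityGroupId": security_group_id,
        "IpProtocol": "tcp",
        "PortRange": normalize_port_range(port_range),
        "SourceCidrIp": str(net),
        "Policy": "accept",
    }


def public_rg_rule(region_id, security_group_id, port_range, ecs_network_type):
    """Rule for the public resource group (the source is another account's security group)."""
    if ecs_network_type != "classic":
        raise ValueError(
            "public resource groups use classic-network addresses; an ECS instance "
            "in a VPC cannot authorize them (see the Note above)"
        )
    if region_id not in PUBLIC_RG_SECURITY_GROUPS:
        raise ValueError(f"no public resource group security group listed for {region_id}")
    return {
        "RegionId": region_id,
        "SecurityGroupId": security_group_id,
        "IpProtocol": "tcp",
        "PortRange": normalize_port_range(port_range),
        # Cross-account authorization: the source group plus the account that owns it.
        "SourceGroupId": PUBLIC_RG_SECURITY_GROUPS[region_id],
        "SourceGroupOwnerAccount": PUBLIC_RG_OWNER_ACCOUNT,
        "NicType": "intranet",  # ECS accepts only intranet when authorizing by source group
        "Policy": "accept",
    }


def to_cli(params: dict) -> str:
    """Render the parameters as an Alibaba Cloud CLI call for review before applying."""
    args = " ".join(f"--{key} {value}" for key, value in params.items())
    return f"aliyun ecs AuthorizeSecurityGroup {args}"


if __name__ == "__main__":
    # Constructed demo values: a data store listening on 3306 behind a Beijing ECS instance.
    sg = "sg-EXAMPLE0000000000001"
    print(to_cli(cidr_rule("cn-beijing", sg, "192.168.10.0/24", "3306", expect_private=True)))
    print(to_cli(public_rg_rule("cn-beijing", sg, "3306", "classic")))
```

Run the script to print the two CLI calls for the VPC (vSwitch CIDR) and public resource group cases; each rejected input raises ValueError with the reason, so a wrong block or an over-broad port range never reaches the API.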