DB security groups are used to protect DB instances by controlling the incoming and outgoing traffic of DB instances. The positive security model is used to only allow the traffic specified by rules and block the rest. Unless you connect DB security groups to DB instances, all incoming and outgoing traffic is not allowed. Even if the DB security group is created, the rule will not apply if the DB security group is not set for the DB instance. You can apply multiple DB security groups to DB instances. Main features of DB security group are as follows.
DB security group consists of name, description, and a number of DB security rules, and DB security group name has the following restrictions.
When you create a DB instance, you can select the DB security group to apply. You can apply multiple DB security groups to DB instances. The rules of DB security groups already applied also apply to DB instances. You can freely change the applied DB instance on the Modify DB Instance screen.
You can create multiple DB security rules in one DB security group. When you set up DB security groups in a DB instance, all DB security rules created in that DB security group are applied.
Item | Description |
---|---|
Direction | Inbound refers to the direction into the DB instance. Outbound means the direction out of the DB instance. |
EtherType | The version of EtherType IP. You can specify IPv4, IPv6. |
Port | Set the port to which rules apply. You can enter a single port or a port range, or select the DB port. When you select the DB port, the DB port of the DB instance is automatically entered. |
Remote | You can set the IP address range. If the direction of the rule is 'outbound', the traffic destination is remote; if 'inbound', the traffic source is remote. Depending on the direction of the rule, compares whether the traffic source or destination is IP address or range.. |
Description | You can add a description for DB security group rules. |
When changes occur, such as creating, modifying, or deleting DB security rules, the changes are applied sequentially to the DB instances attached with the DB security group. You cannot add new DB security rules to DB security group or modify or delete other DB security rules until they are applied to all DB instances attached with DB security group.