Overview
TencentDB for SQL Server supports both private and public network addresses, with the former enabled by default for you to access your instance over the private network and the latter enabled or disabled as needed.
Note:
It is recommended that you use the public domain name rather than the IP address for access, because changes to the database instance specifications, reactivation of the public network, and network upgrades may change the public IP address. Accessing via the public domain name keeps the impact on your operations minimal, with no need to modify your application.
Explanation of New Public Network Architecture Upgrade
1. New Architecture Release Time
To enhance the security and reliability of databases' public network links, TencentDB for SQL Server released a new public network architecture in May 2024 (Beijing Time, UTC+8), which adopts Cloud Load Balancer (CLB) as its underlying structure.
2. Comparison of the New and Old Architectures
| | Old architecture | New architecture |
| --- | --- | --- |
| Architecture differences | The old public network architecture adopts single-point deployment, resulting in slow recovery and a lack of high availability in case of a single point of failure. | The new public network architecture can extend the service capability of an application system through traffic distribution, improving the availability of the application system by eliminating single points of failure. |
| Whether product integration is involved | No. | Yes. After the public network address is enabled, the system automatically creates a free, simple CLB instance in the same region in the CLB console to provide public network capabilities. |
3. Precautions
Currently, after a public network address is enabled for TencentDB for SQL Server, it adopts the CLB architecture: the system automatically creates a free, simple CLB instance in the same region in the CLB console to provide public network capabilities. Note the policies (limits) of the CLB architecture shown in the table below. If you have higher performance requirements, you can also purchase a CLB instance directly.
| CLB | 2000 | 200/s | Unlimited | 20Mbps | 20Mbps |
Note:
The CLB instance automatically created when you enable a public network address is free of charge.
After deactivating the public network address, the corresponding CLB instance in the CLB console will be automatically deleted.
Starting from mid-May 2024, the health probe source IP of CLB will be in the 100.64.0.0/10 segment. If your simple CLB instance shows an abnormal health status after the public network is enabled, you can resolve the health check failure by configuring the security group of your TencentDB for SQL Server instance to open the 100.64.0.0/10 range. For the steps, see Configuring Security Groups.
After enabling the public network address, configure monitoring alarms for the above-mentioned simple CLB instance so that public network connections are monitored through metrics such as new public network connections, public network connections, public network outbound bandwidth, and public network inbound bandwidth. For the steps, see Setting Alarm Policies. The policy type is as shown in the image below.
Note:
After enabling the public network address, you can access your TencentDB for SQL Server instance by using the system-assigned domain name and port. It takes about five minutes for the configuration to take effect.
After public network access is enabled, it is controlled by the security group policy. You should configure the database access source in the security group's inbound rules and open the protocol ports (both the private network port, 1433 by default, and the public network port) as instructed in Configuring Security Groups. Enabling the public network address exposes your database service to the public network, which may lead to database intrusions or attacks. We recommend that you use the private network to connect to the database in the production environment, as public network access may become unavailable due to uncontrollable factors such as DDoS attacks and large traffic surges.
A public network address makes access to an instance less secure, and its service availability is not guaranteed by the SLA. Therefore, we recommend that you access your instance at the public network address only when developing, testing, or managing databases. For faster data transfer and a higher security level, use the private network address for database connections. Do not use the public network to sustain the business load; if you need to, we recommend that you follow the instructions in Enabling Public Network Access Through CLB. Currently, enabling the public network address and the resulting traffic are free of charge, but the stability of the public network bandwidth and traffic cannot be guaranteed.
The instance service downtime caused by public network errors won't be counted into the "Single Instance Service Downtime" in TencentDB for SQL Server Service Level Agreement (SLA).
Prerequisites
The instance uses a VPC.
The instance resides in the following regions: Guangzhou, Shanghai, Beijing, Chengdu, Chongqing, Nanjing, Hong Kong (China), Singapore, Seoul, Tokyo, Silicon Valley, or Frankfurt.
Note:
If you can't enable public network access for an instance in the above regions, submit a ticket for assistance.
Private/Public Network Address Description
| Type | Description |
| --- | --- |
| Private network address | A private network address is an IP address that cannot be accessed by an external device on the internet. It is the implementation form of the Tencent Cloud private network service. A private network address is provided by the system by default and cannot be disabled. You can switch the network type though. If your CVM and TencentDB for SQL Server instances are in the same VPC in the same region under the same Tencent Cloud root account, they can be interconnected over the private network, and there is no need to enable the public network address. It is highly secure. |
| Public network address | A public network address is a non-reserved address on the internet. A public network address needs to be manually enabled and can be disabled when no longer needed. As a public network address will expose your instance to security risks, it should be used with caution. A device not in Tencent Cloud can access a TencentDB for SQL Server instance at its public network address. |
Directions
The procedures for enabling or disabling public network addresses for the primary instance and for read-only groups are slightly different. For the primary instance, the configuration is made on the instance details page. For read-only groups, the configuration is made within the read-only group of the corresponding primary instance. The following sections describe the steps for each.
Note:
Read-only instances do not support enabling or disabling a public network address independently; this is supported only for the read-only group that the read-only instance belongs to. The setting can only be configured within that read-only group, not from the details page of the read-only instance.
Enabling Public Network Addresses for Primary Instances
2. Select the region and click the ID or Manage in the Operation column of the target instance in the instance list.
3. In the Instance Details page, on the right side under Instance Info, click Enable for the public network access.
4. In the Enabling public network window, read the note, indicate your consent, and click OK (before the public network address is enabled, a note will be displayed depending on whether a security group is configured).
Note:
After the public network address is enabled, it can be viewed in Basic Info. The public network access can be toggled off.
If your instance is bound to a security group, and no high-risk policy is involved, the public network address can be enabled, and a note will be displayed as follows:
If your instance is bound to a security group, but there is a high-risk inbound rule such as 0.0.0.0/0 or ::/0, a note will be displayed as follows:
If your instance is not bound to a security group, enabling public network access will lead to a high risk, and a note will be displayed as follows:
5. After the instance status becomes Running, you can view the public network address on the instance details page.
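The security-group notes above (no group bound, or an inbound rule from 0.0.0.0/0 or ::/0, is treated as high risk) and the CLB health-probe requirement from the precautions can be checked before clicking Enable. The following is an added example, not Tencent Cloud's own tooling or API: it classifies a constructed list of inbound rules the same way the console notes do and flags each database port that the 100.64.0.0/10 probe range cannot reach. The InboundRule model, its field names and the sample rules are assumptions for illustration.

```python
# Added example (not Tencent Cloud tooling): classify security-group inbound
# rules the way the console notes do, and check the CLB health-probe range.
import ipaddress
from dataclasses import dataclass

HEALTH_PROBE_NET = ipaddress.ip_network("100.64.0.0/10")  # CLB health-probe source range
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


@dataclass(frozen=True)
class InboundRule:
    """Simplified, constructed model of one inbound rule (an assumption, not the real API)."""
    source: str            # CIDR such as "10.0.1.0/24"
    protocol: str = "TCP"  # "TCP", "UDP" or "ALL"
    port: str = "1433"     # "1433", "1433-1434" or "ALL"
    action: str = "ACCEPT"


def _allows_tcp(rule: InboundRule, port: int) -> bool:
    """True if the rule accepts TCP traffic to the given port."""
    if rule.action.upper() != "ACCEPT" or rule.protocol.upper() not in ("TCP", "ALL"):
        return False
    if rule.port.upper() == "ALL":
        return True
    lo, _, hi = rule.port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def assess_security_group(rules, db_ports=(1433,)):
    """Return (risk, findings); rules=None models an instance with no security group bound.

    risk is "high-risk" when no group is bound or a 0.0.0.0/0 or ::/0 rule reaches a
    database port; a finding is added for each port the probe range cannot reach."""
    if rules is None:
        return "high-risk", ["no security group bound: nothing filters public access"]
    risk, findings = "ok", []
    for port in db_ports:
        probe_reachable = False
        for r in rules:
            if not _allows_tcp(r, port):
                continue
            net = ipaddress.ip_network(r.source, strict=False)
            if net in (ANY_V4, ANY_V6):
                risk = "high-risk"
                findings.append(f"{r.source} {r.protocol}/{r.port}: port {port} open to the whole internet")
            if net.version == 4 and net.supernet_of(HEALTH_PROBE_NET):
                probe_reachable = True
        if not probe_reachable:
            findings.append(f"port {port}: 100.64.0.0/10 not allowed, CLB health checks will fail")
    return risk, findings
```

Pass both the private port (1433 by default) and the public network port in db_ports, since the page asks for both to be opened in the security group.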
Disabling Public Network Addresses for Primary Instances
2. Select the region and click the ID or Manage in the Operation column of the target instance in the instance list.
3. In the Instance Details page, on the right-hand side under Instance Info, click Disable next to External Network.
4. In the Disabling public network pop-up window, click OK.
Note:
After it is disabled, you can no longer use the domain name and port to access TencentDB for SQL Server over the public network. To minimize potential losses, make sure that no public address is used in your system before disabling it.
Enabling Public Network Addresses for Read-Only Groups
2. Select the region, and in the instance list, locate the primary instance for which you want to enable the public network address of the read-only group. Click Instance ID or Manage option in the Operation column.
3. Go to the Read-Only Instance page from the Instance Details page, then click Enable following the Public Network Address under the RO group.
Note:
You may also navigate to the Instance Details page, hover your mouse over the read-only instance section within the topology diagram, and then click Enable following the public network. Alternatively, within the instance information on the right, click Activate after the public network for any read-only instance.
4. In the window for enabling public network settings, read and check the prompt, then click OK.
Note:
When the public network address is enabled, it can be viewed in the RO group or the basic information of the corresponding read-only instance. The public network connection can be enabled via the toggle switch.
Disabling Public Network Addresses for Read-Only Groups
2. Select the region, and in the instance list, locate the primary instance for which you want to disable the public network address of the read-only group. Click Instance ID or Manage option in the Operation column.
3. Go to the Read-Only Instance page from the Instance Details page, then click Close following the Public Network Address under the RO group.
4. You may also navigate to the Instance Details page, hover your mouse over the read-only instance section within the topology diagram, and then click Close after the public network, or click Close after the public network for any read-only instance within the instance information on the right. (Either step 3 or 4 can be chosen for execution.)
5. In the pop-up window for disabling public network access, click OK.
Note:
After the public network access is disabled, you cannot access the read-only group corresponding to the SQL Server primary instance via the public domain names and ports. Please ensure that your application system does not use public access addresses to avoid losses.