Record a 'very strange' troubleshooting process of cloud security group rules
2022-07-05 16:13:00 【yuanfan2012】
Background:
1. Application server: 172.16.100.21
2. Database server: 172.16.100.22 (SQL Server, port 1433)
(Figure: network topology of the two servers)
I. Symptoms
Feedback from the development engineers:
1. From a PC in the office area, telnet 172.16.100.22 1433 succeeds: the SQL Server port is open, and Navicat can connect to the database.
2. Strangely, from the application server 172.16.100.21, telnet 172.16.100.22 1433 fails, so joint debugging of the application server cannot proceed.
(Figure: telnet results from the office PC and from the application server)
II. Problem identification and analysis
What I found:
1. The application server and the database server use the same ECS security group.
(Figure: rule list of the shared security group)
The security group rules allow port 1433 from 0.0.0.0/0, that is, inbound 1433 is fully open.
2. I tried a port probe from a server in the operations area and found that 172.16.100.22 port 1433 (SQL Server) was reachable.
(Figure: port probe result from the operations-area server)
I was puzzled. At this point I assumed the problem had to be on the database server itself: was there some restriction configured on the database server?
I checked the operating-system firewall on 172.16.100.22: no restrictions, the firewall was simply turned off.
I also asked the development engineer whether there were any restrictions at the database level; the answer was no.
Very strange.
III. Continuing to troubleshoot
I checked the host security software (HIDS) on the database server: no restrictions there either.
After discussing with the development engineer, since the database server could be restarted during the joint-debugging stage, it was restarted as well. The problem remained (even though a restart solves 80% of problems).
Troubleshooting was at an impasse.
IV. Thinking outside the box, the problem is solved in an instant
During the discussion (argument), a remark from the development engineer suddenly gave me a hint: "Is there any restriction on the application server accessing the outside?" The outside? The inbound rules allow all external access... so did "accessing the outside" refer to the outbound rules, the egress direction?
Right: could the problem be on the source server rather than the destination server? I had to change direction.
I was about to check the outbound rules of the application server's own operating-system firewall when I noticed this small detail in the security group's outbound (egress) rules:
(Figure: default outbound deny rules in the security group)
The platform classifies certain ports as high-risk and adds deny rules for them to the security group by default. For Windows cloud servers, the system restricts the following "outbound security group" rules by default:
Protocol TCP, ports 3389, 1433, 445, 135, 139;
Protocol UDP, ports 1434, 445, 135, 137, 138.
For a Windows ECS to initiate a Remote Desktop connection, the security group must allow outbound TCP 3389;
for a Windows ECS to initiate a SQL Server connection, the security group must allow outbound TCP 1433.
The cause was clear at once. Adding one outbound allow rule for TCP 1433 solved the problem.
(Figure: the added outbound allow rule)
The developers confirmed that the application server 172.16.100.21 could now connect normally to the 172.16.100.22 database (SQL Server, 1433). Problem solved.
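As an added example (not code from the original post or from the cloud provider), the Python model below captures the rule semantics this case turns on: a connection has to pass the source host's outbound rules and the destination host's inbound rules, and an explicit deny with a better priority beats a broader allow. It reproduces the three observations above: the office PC reaches 1433, the application server in the same group is blocked by its own outbound deny, and the added outbound allow fixes it. The "lower number wins" priority ordering, the default "allow all" outbound rule, and the office PC address 10.10.0.5 are assumptions made for illustration.

```python
"""Model of cloud security-group evaluation for the case in this post (added example).

Not the provider's code. Assumptions: lower priority number wins; a catch-all
outbound accept exists at low priority; 10.10.0.5 is a constructed office address.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    action: str      # "accept" or "drop"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # the remote side of the flow
    priority: int    # lower number wins (assumption)

    def matches(self, proto, port, remote_ip):
        if self.protocol not in ("all", proto):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def evaluate(rules, direction, proto, port, remote_ip):
    """The best-priority matching rule decides; no match at all means drop."""
    hits = [r for r in rules if r.direction == direction and r.matches(proto, port, remote_ip)]
    if not hits:
        return "drop", None
    best = min(hits, key=lambda r: r.priority)
    return best.action, best


def check_flow(src_ip, src_rules, dst_ip, dst_rules, proto, port):
    """Both sides must accept: source egress first, then destination ingress."""
    action, rule = evaluate(src_rules, "egress", proto, port, dst_ip)
    if action != "accept":
        return {"allowed": False, "blocked_by": "source egress", "rule": rule}
    action, rule = evaluate(dst_rules, "ingress", proto, port, src_ip)
    if action != "accept":
        return {"allowed": False, "blocked_by": "destination ingress", "rule": rule}
    return {"allowed": True, "blocked_by": None, "rule": None}


def shared_security_group():
    """The group both servers use in the post: inbound 1433 open to 0.0.0.0/0,
    plus the Windows default high-risk outbound drops quoted above."""
    rules = [
        Rule("ingress", "accept", "tcp", 1433, 1433, "0.0.0.0/0", 100),
        Rule("egress", "accept", "all", 1, 65535, "0.0.0.0/0", 100),  # assumed default egress allow
    ]
    for p in (3389, 1433, 445, 135, 139):
        rules.append(Rule("egress", "drop", "tcp", p, p, "0.0.0.0/0", 10))
    for p in (1434, 445, 135, 137, 138):
        rules.append(Rule("egress", "drop", "udp", p, p, "0.0.0.0/0", 10))
    return rules


def office_security_group():
    """An office-network group with no outbound restrictions (assumed)."""
    return [Rule("egress", "accept", "all", 1, 65535, "0.0.0.0/0", 100)]


def with_fix(rules):
    """The rule added at the end of the post: allow outbound TCP 1433 to the
    database server at a priority that beats the default drop."""
    return rules + [Rule("egress", "accept", "tcp", 1433, 1433, "172.16.100.22/32", 1)]


if __name__ == "__main__":
    sg = shared_security_group()
    # Office PC: only the destination's inbound rule matters, so it connects.
    print(check_flow("10.10.0.5", office_security_group(), "172.16.100.22", sg, "tcp", 1433))
    # Application server in the same group: blocked by its OWN outbound drop.
    print(check_flow("172.16.100.21", sg, "172.16.100.22", sg, "tcp", 1433))
    # After the outbound allow is added, the flow passes.
    print(check_flow("172.16.100.21", with_fix(sg), "172.16.100.22", with_fix(sg), "tcp", 1433))
```

The useful habit the model encodes is to run the check from the source host's side first: when `blocked_by` says "source egress", no amount of inspection of the destination's firewall, HIDS or database settings will find the cause. Note also that the fix only opens TCP 1433; UDP 1434 (SQL Server Browser) stays blocked outbound, which is fine for a connection to a fixed port but would matter for named-instance discovery.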
V. Summary
The stranger the problem, the more important it is to step out of habitual thinking when troubleshooting.
The usual way of thinking is to assume the problem is on the destination server and that the source server cannot be at fault. But a security group checks two things for every connection, the source host's outbound rules and the destination host's inbound rules, and a default outbound deny on the source blocks the flow just as effectively as a missing inbound allow on the destination.