Record a 'very strange' troubleshooting process of cloud security group rules
2022-07-05 16:13:00 【yuanfan2012】
Background:
1. Application server: 172.16.100.21
2. Database server: 172.16.100.22 (SQL Server, port 1433)
As shown in the figure.
I. Problem symptoms
Feedback from the development engineers:
1. From a PC in the office area, telnet 172.16.100.22 1433 shows that the SQL Server port is open, and Navicat can connect to the database.
2. Strangely, telnet 172.16.100.22 1433 from the application server 172.16.100.21 fails, so joint debugging of the application could not proceed.
II. Problem identification and analysis
What I found:
1. The application server and the database server use the same ECS security group rules, shown in the figure below. The security group allows port 1433 inbound from 0.0.0.0/0, that is, fully open.
2. I used a server in the operations and maintenance area to probe the port, and found that 172.16.100.22 port 1433 (SQL Server) was open.
So I was puzzled. At this point I assumed the problem was on the database server, perhaps a restriction on the database server itself. I checked the operating system firewall configuration on 172.16.100.22: there were no restrictions, the firewall was simply turned off. I also asked the development engineer whether there was any restriction at the database level, and was told there was none.
Very strange.
III. Further troubleshooting
I checked the host security software (HIDS) on the database server: no restrictions there either.
After discussing with the development engineer, we agreed the database server could be restarted during the joint debugging phase, and it was restarted, but the problem remained (even though a restart solves 80% of problems).
The troubleshooting reached an impasse.
IV. Thinking outside the box: the problem solved in an instant
During the discussion (argument), a remark from the development engineer suddenly reminded me: is there any restriction on external access from the application server? External? The inbound rules all allow external access, so what he called "external access" must refer to the outbound rules, the egress direction?
Right. Could the problem be on the source server rather than the destination server? I had to change direction.
At this point I planned to check the outbound rules of the application server's own operating system firewall, when in the security group's outbound (egress) rules I suddenly noticed this small detail:
The system identifies certain high-risk ports and adds deny rules for them to the security group by default. For Windows cloud servers, the system restricts the following outbound security group rules by default:
Protocol TCP, ports 3389, 1433, 445, 135, 139;
Protocol UDP, ports 1434, 445, 135, 137, 138.
For a Windows ECS to initiate a Remote Desktop connection, you need to add a rule to the security group allowing TCP port 3389 in the outbound direction;
For a Windows ECS to initiate a SQL Server connection, you need to add a rule to the security group allowing TCP port 1433 in the outbound direction.
I immediately understood the cause. Adding a single outbound rule solved the problem.
Development confirmed that the application server 172.16.100.21 could now connect normally to the database on 172.16.100.22 (SQL Server, port 1433). Problem solved.
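The following is an added example, not code from the original post or from any cloud provider: a small model of security group evaluation that reproduces the situation above. It assumes a rule set where the lowest priority number wins and unmatched traffic is dropped, uses the page's addresses and default outbound drop list, and treats the 0.0.0.0/0 CIDR, the priority values and the office PC address 10.0.0.5 as constructed values. The point it shows is that an inbound allow on the destination is useless when the source's own outbound rules drop the port, which is why probing from outside the group succeeded while the application server failed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of a cloud security group (not a real cloud API): the
# lowest priority number wins, unmatched traffic is dropped (a simplification
# assumed here), and every connection is checked in BOTH directions.
@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" (inbound) or "egress" (outbound)
    proto: str       # "tcp" or "udp"
    ports: tuple     # (low, high), inclusive
    cidr: str        # peer address range
    action: str      # "accept" or "drop"
    priority: int

# Default high-risk-port outbound drops the page lists for Windows ECS;
# the 0.0.0.0/0 CIDR and priority 100 are assumed values, not from the page.
DEFAULT_WINDOWS_EGRESS_DROPS = (
    [Rule("egress", "tcp", (p, p), "0.0.0.0/0", "drop", 100) for p in (3389, 1433, 445, 135, 139)]
    + [Rule("egress", "udp", (p, p), "0.0.0.0/0", "drop", 100) for p in (1434, 445, 135, 137, 138)]
)

def decide(rules, direction, proto, port, peer_ip):
    """Action of the best-matching rule in one direction, 'drop' if none matches."""
    matches = [r for r in rules
               if r.direction == direction and r.proto == proto
               and r.ports[0] <= port <= r.ports[1]
               and ip_address(peer_ip) in ip_network(r.cidr)]
    return min(matches, key=lambda r: r.priority).action if matches else "drop"

def can_connect(src_sg, dst_sg, src_ip, dst_ip, proto, port):
    """Both the source's egress and the destination's ingress must accept;
    src_sg=None models a host outside the cloud (the office PC)."""
    if src_sg is not None and decide(src_sg, "egress", proto, port, dst_ip) != "accept":
        return False, "blocked by source egress rules"
    if decide(dst_sg, "ingress", proto, port, src_ip) != "accept":
        return False, "blocked by destination ingress rules"
    return True, "allowed"

# The shared group from the page: 1433 open inbound from 0.0.0.0/0, default drops intact.
SHARED_SG = [Rule("ingress", "tcp", (1433, 1433), "0.0.0.0/0", "accept", 1)] + DEFAULT_WINDOWS_EGRESS_DROPS
# The fix from the page: an outbound accept for TCP 1433 that outranks the default drop.
FIXED_SG = [Rule("egress", "tcp", (1433, 1433), "172.16.100.22/32", "accept", 1)] + SHARED_SG

def office_pc_result():
    # 10.0.0.5 is a constructed office PC address, outside the security group.
    return can_connect(None, SHARED_SG, "10.0.0.5", "172.16.100.22", "tcp", 1433)

def app_server_result(sg=SHARED_SG):
    return can_connect(sg, sg, "172.16.100.21", "172.16.100.22", "tcp", 1433)
```

Running `app_server_result()` against the shared group reports the source egress block, while `app_server_result(FIXED_SG)` and `office_pc_result()` both report the connection as allowed.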
V. Summary
The stranger the problem, the more necessary it is to step out of habitual thinking when troubleshooting.
The usual line of thought is to assume the problem is on the destination server; I never suspected the source server.