Security Isolation
Networks between different regions are completely isolated. Cloud products in different regions cannot communicate over the private network by default. Additionally, network isolation is implemented using security groups and VPC measures.
Security Group: a stateful virtual firewall with packet filtering, used to configure network access control for one or more cloud services; it is an important network isolation measure provided by Tencent Cloud. Users can control access to TDSQL Boundless instances in the following ways:
Create multiple security groups and define different rules for each security group.
Each TDSQL Boundless instance is assigned one or more security groups. The rules of these groups determine which traffic can reach the TDSQL Boundless instance and which resources the TDSQL Boundless instance can reach.
Configure security groups so that only specific IP addresses can access TDSQL Boundless instances.
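The following added example (not Tencent Cloud's own code or API) models how a security group decides whether an inbound connection to a TDSQL Boundless instance is allowed, and contrasts a rule set that opens the database port to every address with one restricted to specific sources. The database port, the subnet and bastion addresses, and the top-down first-match evaluation order are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed database port of the TDSQL Boundless instance (constructed value).
DB_PORT = 3306


@dataclass
class Rule:
    cidr: str            # source address range, e.g. "10.0.1.0/24"
    port: Optional[int]  # destination port; None means any port
    action: str          # "ACCEPT" or "DROP"


def first_match(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Evaluate inbound rules top to bottom; the first rule whose source CIDR
    and port match decides (assumed semantics). No match means DROP."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        in_cidr = ip in ipaddress.ip_network(r.cidr, strict=False)
        port_ok = r.port is None or r.port == dst_port
        if in_cidr and port_ok:
            return r.action
    return "DROP"


# Weak configuration: the database port is reachable from any address.
WEAK_INGRESS = [Rule("0.0.0.0/0", DB_PORT, "ACCEPT")]

# Restricted configuration: only the application subnet and one bastion host
# (both constructed addresses) may reach the database port; all else dropped.
RESTRICTED_INGRESS = [
    Rule("10.0.1.0/24", DB_PORT, "ACCEPT"),  # app-tier subnet inside the VPC
    Rule("10.0.0.5/32", DB_PORT, "ACCEPT"),  # bastion host
    Rule("0.0.0.0/0", None, "DROP"),         # explicit catch-all deny
]


def audit(rules: List[Rule]) -> List[Rule]:
    """Return ACCEPT rules that expose the database port to any source
    (a /0 prefix), which is what the text warns against."""
    return [
        r for r in rules
        if r.action == "ACCEPT"
        and ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0
        and r.port in (None, DB_PORT)
    ]
```

Running `audit()` over a rule set before attaching it to the instance surfaces the over-broad rule; `first_match()` lets you check specific source addresses against the rules without changing anything in the console.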
VPC: a logically isolated network space customized by users on Tencent Cloud. Even within the same region, different VPCs cannot communicate over the private network by default.
Authentication and Verification
CAM (Cloud Access Management) is a set of web services provided by Tencent Cloud that helps users securely manage access permissions to the resources under their Tencent Cloud accounts. Through CAM, you can create, manage, and destroy users and user groups, and use identity management and policy management to control which Tencent Cloud resources specified users can use. CAM supports associating policies with a single user or with a group of users; these policies authorize or deny users to perform specific tasks on specified resources.
If the user's product relies on services such as CVM, VPC, and databases, and these services are managed by different individuals who all share the user's cloud account key, the following issues arise:
The risk of the key being compromised is high since multiple users are sharing it.
Users cannot restrict others' access permissions, which may lead to errors and security risks.
You can avoid these issues by using sub-accounts to allow different individuals to manage different services. By default, sub-accounts are not granted permissions to use cloud services or related resources. Therefore, you need to create policies to allow sub-accounts to access the required resources or permissions.
Transmission Encryption
The TDSQL Boundless console supports the HTTPS protocol, ensuring security for user access through standard network access protocols and meeting the requirement for encrypted transmission of sensitive data.