Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.
Original topic: ticdc网络安全策略问题
[TiDB Usage Environment] Production Environment / Testing / PoC
[TiDB Version] 7.5
[Reproduction Path] What operations were performed when the issue occurred
[Encountered Issue: Issue Phenomenon and Impact]
We are using TiCDC and isolating upstream and downstream with a firewall.
The upstream can access all servers and ports downstream. The question is whether the downstream needs to access the upstream. If not, we will block it with the firewall.
Normally, on the TiCDC side, you just need to allow the TiCDC port through the firewall for the specified source IP. TiCDC will access the downstream database port.
Specify the IP and port; it definitely won’t open all ports. Use the whitelist method.
Should TiCDC be placed upstream or downstream? If placed upstream, it is best to open the CDC port through the downstream URL address.
TiCDC is deployed upstream. The main issue is whether the downstream has any access to the upstream. If not, then network security is completely blocked.
Ensure that the upstream TiDB cluster and TiCDC can access all necessary ports of the downstream system. These ports depend on the type and configuration of the downstream system.
It is recommended to disable the local firewall.
Opening the firewall and adding to the whitelist should be enough.
Turn on the firewall and try adding it to the whitelist.
Suggested strategy: Do not set policies between nodes (including CDC) in the upstream TiDB cluster, do not set policies between nodes in the downstream TiDB cluster, and enable one-way access policies from all upstream CDC nodes to all TiDB server stage service ports.
In the end, that’s what I did.
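The suggested one-way strategy from the thread, written out as a small policy check plus the equivalent firewall rule lines. This is an added example, not code from the original thread or from TiDB/TiCDC; the addresses are constructed, and port 4000 is assumed as the TiDB server service port (the TiDB default).

```python
"""Policy check for the one-way TiCDC firewall strategy discussed above.

Added example (not from the original thread). Addresses are constructed;
TiDB service port 4000 is assumed (the TiDB default).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: upstream cluster (with CDC nodes) and downstream cluster.
UPSTREAM_NET = ip_network("10.10.0.0/24")
DOWNSTREAM_NET = ip_network("10.20.0.0/24")
UPSTREAM_CDC_NODES = {ip_address("10.10.0.11"), ip_address("10.10.0.12")}
DOWNSTREAM_TIDB_SERVERS = {ip_address("10.20.0.21"), ip_address("10.20.0.22")}
TIDB_SERVICE_PORT = 4000  # assumed TiDB server service port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def flow_allowed(flow: Flow) -> bool:
    """Return True if the flow matches the suggested strategy:
    - no policy between nodes inside the upstream cluster
    - no policy between nodes inside the downstream cluster
    - one-way: upstream CDC nodes -> downstream TiDB servers on the service port
    - everything else across the boundary (including downstream -> upstream) denied
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in UPSTREAM_NET and dst in UPSTREAM_NET:
        return True
    if src in DOWNSTREAM_NET and dst in DOWNSTREAM_NET:
        return True
    return (src in UPSTREAM_CDC_NODES
            and dst in DOWNSTREAM_TIDB_SERVERS
            and flow.dport == TIDB_SERVICE_PORT)


def nftables_rules() -> list[str]:
    """Render the cross-cluster part of the policy as nftables rule lines (constructed)."""
    rules = []
    for cdc in sorted(UPSTREAM_CDC_NODES):
        for tidb in sorted(DOWNSTREAM_TIDB_SERVERS):
            rules.append(f"ip saddr {cdc} ip daddr {tidb} tcp dport {TIDB_SERVICE_PORT} accept")
    # Explicit drops for everything else crossing the boundary, in both directions.
    rules.append(f"ip saddr {DOWNSTREAM_NET} ip daddr {UPSTREAM_NET} drop")
    rules.append(f"ip saddr {UPSTREAM_NET} ip daddr {DOWNSTREAM_NET} drop")
    return rules
```

Running `flow_allowed` over a few constructed flows shows that a downstream node reaching back to the upstream CDC port is denied while CDC to the downstream TiDB port is the only cross-boundary flow accepted.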