Cluster Security Groups

Galera replication uses the following ports for communication:

• 3306: For MySQL client connections and State Snapshot Transfer that use the mysqldumpmethod.
• 4567: For Galera Cluster replication traffic, multicast replication uses both UDP transport and TCP on this port.
• 4568: For Incremental State Transfer (IST).
• 4444: For all other State Snapshot Transfer.

To create a security group that allows for Galera traffic within the VPCs, follow the steps below.

In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1. The address space in US-East-2 is 172.31.0.0/16. 

• Create a Security Group called "All Galera Traffic" with the following rules:

This will allow any connections outbound to any address and any inbound connection on ports 3306, 4567, 4568 and 4444 from any address on the 172.16.0.0/16 and 172.31.0.0/16 subnets. The same rule in the other VPC will also need the same rule configured. These rules may be tightened as required for the organization.

• To apply these Security Groups to the SignServer Cloud Nodes in each of the VPCs, right-click the node, select Networking and then ChangeSecurityGroups.

• Apply the security group to the instance so that it can communicate with the other nodes in the cluster by checking the box next to the line item for the security group needed.

• In the node details there is a link to View Inbound Rules. The associated IPs should be something like the following (modified for your IP ranges subnets):