ACL
Initialization
Confirm Endpoint
When you confirm the use of the SDK and need to configure the Endpoint, please make sure you understand the Endpoint-related concepts first. At present, Baidu AI Cloud provides multi-region support. For more information, please refer to the Region Selection Instruction. Currently, six regions are supported: "North China - Beijing", "South China - Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoint information is:
Access region | Corresponding Endpoint |
---|---|
North China - Beijing | bcc.bj.baidubce.com |
South China - Guangzhou | bcc.gz.baidubce.com |
East China - Suzhou | bcc.su.baidubce.com |
Hong Kong | bcc.hkg.baidubce.com |
Finance Central China - Wuhan | bcc.fwh.baidubce.com |
North China - Baoding | bcc.bd.baidubce.com |
Get the Key
To use Baidu AI Cloud security groups, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. The AK/SK pair is assigned to users by the system; it is a string used to identify the user and verify the signature of requests to BOS. You can obtain and understand your AK/SK information through the following steps:
- Register a Baidu AI Cloud Account
- Create an AK/SK
Create AclClient
As the client for the ACL service, AclClient provides a series of methods for developers to interact with the ACL service.
When creating an AclClient, you first use the Endpoint, AK and SK to build the AclConfigs array, and then pass that AclConfigs instance to the AclClient constructor. The configuration example is as follows:
```php
// Load the SDK's AclClient class before this snippet (via the SDK autoloader
// or phar, depending on your installation).
$AclConfigs = array(
    'credentials' => array(
        'ak' => '',   // your Access Key ID
        'sk' => '',   // your Secret Access Key
    ),
    'endpoint' => 'bcc.bj.baidubce.com', // bj: North China - Beijing
);
$AclClient = new AclClient($AclConfigs);
```
ACL Management
The ACL (Access Control List) is a firewall component in VPC used to control the security policy at subnet level. The traffic of one or more subnets can be set flexibly to satisfy the security requirements of the users' different network deployments. Before managing ACLs, you need to pay attention to the following points:
Entry | ACL rule |
---|---|
ACL range | ACL is subordinate to VPC, and the valid object is the subnet under VPC. |
Control instance type | The ACL access control policy is valid for all instances under the subnet, including BCC, DCC, BBC, RDS and SCS. |
Default ACL rule | The system creates a default ACL for each subnet. The ACL contains one default rule, which allows all traffic. The default rule cannot be edited. |
Ingress or egress | The direction of ingress and egress refers to the direction seen from the perspective of instances under the subnet. |
Maximum rule limit | For the rules under the same ACL, a maximum of 256 rules are supported in each direction. |
Rule triggering | Once the traffic matches a rule in the ACL, i.e. triggers the access control policy (allow or deny), the traffic is not matched against any further rules. |
ACL status | The ACL is stateless: it applies access control to the traffic of a data flow in the specified direction only, and does not automatically control the return traffic of that data flow. |
Create ACL
The createAclRule function can be used to create ACL rules, and is defined as below:
```php
public function createAclRule($aclRules, $clientToken = null, $options = array()) {
    // ... (implementation omitted)
}
```
The parameters included in aclRules are as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
subnetId | String | Yes | Subnet ID |
protocol | String | Yes | Protocol: one of all, tcp, udp, icmp |
sourceIpAddress | String | Yes | Source IP |
destinationIpAddress | String | Yes | Destination IP |
sourcePort | String | Yes | Source port, e.g. 1-65535 or 8080 |
destinationPort | String | Yes | Destination port, e.g. 1-65535 or 8080 |
position | Integer | Yes | Priority 1-5000, must not repeat an existing item. The smaller the value, the higher the priority. Rules are matched in order of priority from high to low. |
direction | String | Yes | Ingress and egress of rules |
action | String | Yes | Policy, including allow and deny |
description | String | No | Comments |
Note:
- The ACL rules are matched according to the priority level from high to low. For example, the rules with a priority level of 50 have priority over the rules with a priority level of 100.
- The input range of the priority level is 1-32768. As a best practice, it is recommended to leave a wide gap between the priority values of two adjacent rules, which makes later adjustment easier, e.g. 100, 200 and 300.
- In the same ingress/egress direction, the priority levels of different rules cannot be the same.
- When setting ingress rules, the destinationIpAddress needs to be within the subnet CIDR range; when setting egress rules, the sourceIpAddress needs to be within the subnet CIDR range.
The example is as follows:
```php
// $this->client is an AclClient instance (see "Create AclClient" above).
// Constructor argument order: subnetId, protocol, sourceIpAddress,
// destinationIpAddress, sourcePort, destinationPort, position, direction, action.
$aclrule = new AclRule($subnetId, "tcp", "192.168.0.0", "192.168.0.0/20", "1-65535", "443", 55, "ingress", "allow");
$aclRules = array($aclrule);
$resp = $this->client->createAclRule($aclRules);
print_r($resp);
```
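The following is an added example, not code from the SDK or its documentation. It builds a rule set that reflects the ACL behaviour described under "ACL Management" (first match wins, stateless, uneditable default allow-all rule) and checks the constraints from the note above locally before calling createAclRule. It assumes `$client` is an AclClient, that AclRule's constructor takes arguments in the order used in the example above, and uses a placeholder subnet ID and a constructed subnet CIDR.

```php
<?php
// Added example, not from the SDK docs. Assumes $client is an AclClient (see
// "Create AclClient") and that AclRule's constructor takes arguments in the
// order used in the createAclRule example above.
$subnetId   = 'sbn-placeholder';   // placeholder subnet ID
$subnetCidr = '192.168.0.0/20';    // constructed subnet CIDR

// Constructed rule set: allow inbound HTTPS and its replies out (the ACL is
// stateless, so return traffic needs its own egress rule), then deny all other
// traffic at a lower priority. The uneditable default rule allows everything,
// so only explicit deny rules actually restrict the subnet.
$keys = ['direction', 'action', 'protocol', 'position', 'sourceIpAddress',
         'sourcePort', 'destinationIpAddress', 'destinationPort'];
$rows = [
    ['ingress', 'allow', 'tcp', 100,  '0.0.0.0/0',  '1-65535', $subnetCidr, '443'],
    ['egress',  'allow', 'tcp', 100,  $subnetCidr, '443',     '0.0.0.0/0', '1-65535'],
    ['ingress', 'deny',  'all', 1000, '0.0.0.0/0',  '1-65535', $subnetCidr, '1-65535'],
    ['egress',  'deny',  'all', 1000, $subnetCidr, '1-65535', '0.0.0.0/0', '1-65535'],
];
$rules = array_map(fn($row) => array_combine($keys, $row), $rows);

// True when $addr (a single IP or a CIDR) lies entirely inside $cidr.
function ipInCidr(string $addr, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr), 2, 32);
    [$ip, $abits] = array_pad(explode('/', $addr), 2, 32);
    if ((int)$abits < (int)$bits) return false;   // wider range cannot fit
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Local pre-flight checks for the constraints in the note above (unique
// priority per direction, CIDR containment, 256-rule cap); not SDK code.
function validateAclRules(array $rules, string $subnetCidr): array {
    $errors = []; $seen = [];
    foreach ($rules as $r) {
        $d = $r['direction']; $p = $r['position'];
        if (isset($seen[$d][$p])) $errors[] = "$d: priority $p used twice";
        $seen[$d][$p] = true;
        if ($d === 'ingress' && !ipInCidr($r['destinationIpAddress'], $subnetCidr))
            $errors[] = "ingress: destination {$r['destinationIpAddress']} not in $subnetCidr";
        if ($d === 'egress' && !ipInCidr($r['sourceIpAddress'], $subnetCidr))
            $errors[] = "egress: source {$r['sourceIpAddress']} not in $subnetCidr";
    }
    foreach ($seen as $d => $ps) if (count($ps) > 256) $errors[] = "$d: over 256 rules";
    return $errors;
}

if ($errors = validateAclRules($rules, $subnetCidr)) throw new InvalidArgumentException(implode("\n", $errors));
$aclRules = array_map(fn($r) => new AclRule($subnetId, $r['protocol'],
    $r['sourceIpAddress'], $r['destinationIpAddress'], $r['sourcePort'],
    $r['destinationPort'], $r['position'], $r['direction'], $r['action']), $rules);
print_r($client->createAclRule($aclRules));
```

The service performs its own validation on the request; the local checks only surface the documented constraints before a round trip.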
List ACL
ACLs can be listed in two dimensions: all ACL rules in a VPC, or all ACL rules in a subnet.
List all ACLs in vpc
The getAcl function can be used to list all ACLs in a VPC, and is defined as below:
```php
public function getAcl($vpcId, $options = array()) {
    // ... (implementation omitted)
}
```
The example is as follows:
```php
// $vpcId holds the ID of the VPC whose ACLs are listed (unquoted, so the
// variable's value is passed rather than the literal string '$vpcId').
$resp = $this->client->getAcl($vpcId);
print_r($resp);
```
List all ACLs in subnet
The listAclRules function can be used to list all ACL rules in a subnet, and is defined as below:
```php
public function listAclRules($subnetId, $marker = null, $maxkeys = null, $options = array()) {
    // ... (implementation omitted)
}
```
The example is as follows:
```php
// $subnetId holds the ID of the subnet whose ACL rules are listed.
$resp = $this->client->listAclRules($subnetId);
print_r($resp);
```
Update ACL
The updateAclRule function can be used to update ACL rules, and is defined as below:
```php
public function updateAclRule($aclRuleId, $description = null, $protocol = null,
                              $sourceIpAddress = null, $destinationIpAddress = null,
                              $sourcePort = null, $destinationPort = null,
                              $position = null, $action = null,
                              $clientToken = null, $options = array()) {
    // ... (implementation omitted)
}
```
The updateAclRule parameters include the aclRuleId and the ACL rule fields that can be updated. The aclRuleId specifies the ACL rule to be updated; the updatable fields are those listed in the parameter table above, and every field except subnetId can be updated.
Note: When the ACL rule fields are updated, the filling requirements of all fields still need to be met.
The example is as follows:
```php
// $aclId holds the aclRuleId of the rule to update. Argument order:
// description, protocol, sourceIpAddress, destinationIpAddress, sourcePort,
// destinationPort, position, action.
$resp = $this->client->updateAclRule($aclId, 'aaaaaaaa', 'tcp', '192.168.0.0', '192.168.0.0/20', '1-65535', '22', '334', 'allow');
print_r($resp);
```
Delete ACL
The deleteAclRule function can be used to delete ACL rules, and is defined as below:
```php
public function deleteAclRule($aclRuleId, $clientToken = null, $options = array()) {
    // ... (implementation omitted)
}
```
The main deleteAclRule parameter is the aclRuleId, which identifies the ACL rule to be deleted.
Note: The aclRuleId can be obtained by listing ACLs. The default ACL rules don't display the aclRuleId, and the default ACL rules cannot be updated and deleted.
The example is as follows:
```php
// $aclId holds the aclRuleId obtained from listAclRules.
$resp = $this->client->deleteAclRule($aclId);
print_r($resp);
```