Baidu AI Cloud


          Virtual Private Cloud

          Practice of the Security Group Configuration (Advanced)

          Introduction

          From the practice of the security group configuration (Getting Started), you know that Baidu AI Cloud security groups implement a stateful firewall through whitelist rules and give you finer access management and control over cloud servers. This document (Advanced) further introduces batch operations on security groups and the function of referencing a security group in a rule, which together give more convenient and efficient unified management and configuration of cloud resources in batches.

          Scenario 1

          To increase security, users should not only set refined access control for cloud services but also arrange different security policies for each part of the business system, so that security policies can be applied to multiple cloud servers in batches and network access control stays flexible.

          Example scenarios

          As shown below, the hierarchical business architecture includes three clusters of cloud servers. Different security group policies are set for each cluster, and the security groups must be applied simultaneously to all cloud servers in the cluster.

          [Figure VPC-SecurityGroup-scene12: hierarchical business architecture with three cluster groups of cloud servers]

          Operation steps

          Cluster1: the security group policies (policy 1, policy 2 and policy 3) are configured simultaneously for the Class A and Class B cloud servers.


          Up to this point, batch application of multiple security groups to multiple cloud servers is realized.

          Scenario 2

          Based on Scenario 1, the intranets within Cluster1, Cluster2 and Cluster3 interwork, while the intranets of Cluster1, Cluster2 and Cluster3 are isolated from one another (they do not interwork). Scenario 2 adds one requirement: the Class A, B, C, D, E and F cloud servers achieve public network interworking through their respective EIPs.

          Intranet interworking within a cluster and isolation between clusters can be realized by entering the intranet IP addresses of all servers one by one in multiple security groups. However, when servers are frequently added to or removed from the clusters, updating the security group configurations is laborious and configuration errors appear easily. The function of referencing a security group in a rule solves this problem better: the rule follows the group's membership instead of a fixed list of addresses.

          Operation steps

          1. Create the Cluster1 security group and apply it to the Class A and Class B cloud servers. Then modify the rules of Cluster1: close all policies, and add one rule each in the ingress and egress directions that references the security group Cluster1 itself.
          2. Configure the security groups Cluster2 and Cluster3 according to step 1, and apply them to the Class C and D and the Class E and F cloud servers respectively. The egress policy references the security group Cluster2 or Cluster3 itself.
          3. After the steps above, Clusters 1, 2 and 3 each have intranet interworking within the cluster, the intranets of different clusters do not interwork, and the public networks do not interwork either.
          4. To realize public network interworking, create another security group, which you may name "Public Network Interworking". Close all policies in the ingress and egress directions, then allow the public network EIPs of the Class A, B, C, D, E and F cloud servers.


          5. Apply the "Public Network Interworking" security group to the Class A, B, C, D, E and F cloud servers.

            Up to this point, Clusters 1, 2 and 3 each have intranet interworking within the cluster; the intranets of different clusters do not interwork, but the clusters can access each other by the public network.
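          The following Python model is an added example, not Baidu AI Cloud code or its API: it evaluates whitelist rules whose entry is either a CIDR or a reference to a security group, and shows why the self-referencing rule of step 1 keeps working when a server is added to a cluster while an explicit list of intranet IPs does not. Group names, IP addresses and the "sg:" reference prefix are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of security-group evaluation (not the Baidu AI Cloud API).
# A rule entry is a CIDR string or "sg:<name>", a reference whose current
# members are matched instead of a fixed list of IP addresses.
@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)  # allowed sources
    egress: list = field(default_factory=list)   # allowed destinations
@dataclass
class Server:
    name: str
    intranet_ip: str
    groups: list  # names of the security groups applied to this server

def member_ips(group_name, servers):
    return {s.intranet_ip for s in servers if group_name in s.groups}

def entry_matches(entry, ip, servers):
    if entry.startswith("sg:"):  # group reference: resolve members now
        return ip in member_ips(entry[3:], servers)
    return ip_address(ip) in ip_network(entry, strict=False)

def allowed(src, dst, groups, servers):
    """Whitelist: src egress must cover dst and dst ingress must cover src."""
    egress_ok = any(entry_matches(e, dst.intranet_ip, servers)
                    for g in src.groups for e in groups[g].egress)
    ingress_ok = any(entry_matches(e, src.intranet_ip, servers)
                     for g in dst.groups for e in groups[g].ingress)
    return egress_ok and ingress_ok

def build_scenario(self_reference=True):
    """Cluster1 (A, B) and Cluster2 (C); self_reference=False lists IPs."""
    servers = [Server("A", "192.168.0.10", ["Cluster1"]),
               Server("B", "192.168.0.11", ["Cluster1"]),
               Server("C", "192.168.1.10", ["Cluster2"])]
    groups = {}
    for name in ("Cluster1", "Cluster2"):
        entries = ([f"sg:{name}"] if self_reference
                   else [f"{ip}/32" for ip in member_ips(name, servers)])
        groups[name] = SecurityGroup(name, list(entries), list(entries))
    return groups, servers

def scale_out_check(self_reference):
    """Add server A2 to Cluster1 without touching any rule; can it reach A?"""
    groups, servers = build_scenario(self_reference)
    new = Server("A2", "192.168.0.12", ["Cluster1"])
    servers.append(new)
    return allowed(new, servers[0], groups, servers)
```

          With the self-referencing rule the new server is reachable immediately; with explicit /32 entries it is not until every group's rules are edited, which is the maintenance burden the page describes.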
