Security Group
Initialization
Confirm Endpoint
Before configuring the Endpoint for the SDK, make sure you understand the Endpoint-related concepts. Baidu AI Cloud currently provides multi-region support; see Region Selection Instruction for details. Six regions are supported at present: "North China - Beijing", "South China - Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoints are:
Access region | Corresponding Endpoint |
---|---|
North China - Beijing | bcc.bj.baidubce.com |
South China - Guangzhou | bcc.gz.baidubce.com |
East China - Suzhou | bcc.su.baidubce.com |
Hong Kong | bcc.hkg.baidubce.com |
Finance Central China - Wuhan | bcc.fwh.baidubce.com |
North China - Baoding | bcc.bd.baidubce.com |
Get the Key
To use Baidu AI Cloud security groups, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. The AK/SK pair is issued to the user by the system; the AK identifies the user and the SK is used to sign and verify requests to Baidu AI Cloud APIs. Treat the SK like a password: never commit it to source control or embed it in client-side code. You can obtain your AK/SK through the following steps:
1. Register a Baidu AI Cloud account
2. Create an AK/SK
Create BccClient
BccClient is the client of security group service, and provides a series of methods for the interactions between developers and the security group services.
When creating BccClient, you need to first use Endpoint, AK and SK to configure the BccConfigs, and then use the BccConfigs instance to configure the BccClient. The configuration example is as follows:
```php
<?php
use BaiduBce\Services\Bcc\BccClient;

// Endpoint and AK/SK are the only required settings. Do not hard-code real keys:
// load them from a secrets store or environment variables instead.
$BccConfigs = array(
    'credentials' => array(
        'ak' => '',   // Access Key ID
        'sk' => '',   // Secret Access Key
    ),
    'endpoint' => 'bcc.bj.baidubce.com', // North China - Beijing
);
$BccClient = new BccClient($BccConfigs);
```
Security Group Management
- A BCC instance can use either the default security group or a custom security group.
- Every BCC instance must be associated with at least one security group.
- Each BCC instance can be associated with at most 10 security groups. When an instance is associated with several security groups, its effective rule set is the union of the rules of all those groups: a flow permitted by any one group is permitted for the instance.
- Users can allow all BCC instances associated with a security group to communicate with each other, or allow instances associated with another security group to communicate with those in this one (rules referencing sourceGroupId/destGroupId). By default, BCC instances associated with the same security group can communicate with each other.
- Associating BCC instances is not supported from the security-group side; a security group can only be attached from the BCC instance.
- The default security group cannot be deleted, but its rules can be added, deleted and changed. Only the default security group provides the "One-key Recovery of Initial Settings" button.
Default rules of a security group:
- Ingress: all ports are open, i.e. traffic from any external IP may reach every port of the associated BCC instances.
- Egress: all ports are open, i.e. the associated BCC instances may reach every port of any external IP.
Because the default ingress rule exposes every port of the instance to every external IP, replace it with explicit allow rules (only the required ports, with sourceIp or sourceGroupId restricted) before attaching Internet-facing instances.
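The following is an added example, not code from the Baidu AI Cloud SDK or its documentation. It models in plain PHP how rules take effect when one instance is bound to several groups: the effective policy is the union of all rules of all associated groups, so a permissive group attached alongside a tight one silently re-opens what the tight one closed. Rule arrays use the field names of SecurityGroupRuleModel; the allow-list semantics (no matching rule means deny), CIDR matching for sourceIp/destIp and the empty-means-any convention are assumptions of this model, and the sample groups and flows are constructed.

```php
<?php
// Added example; not code from the Baidu AI Cloud SDK or its documentation.
// Pure-PHP model of rule evaluation for a BCC instance bound to several groups:
// the instance's effective policy is the union of all rules of all its groups,
// so any matching rule in any group permits the flow (assumed allow-list semantics).
declare(strict_types=1);

/** True when IPv4 $ip is inside $cidr ("a.b.c.d/n" or "a.b.c.d"); '' or null means any IP (assumption). */
function ipInCidr(?string $cidr, string $ip): bool
{
    if ($cidr === null || $cidr === '') {
        return true;
    }
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/** True when $port is within $portRange ("80" or "80-90"); '' or null means 1-65535 as on the page. */
function portInRange(?string $portRange, int $port): bool
{
    if ($portRange === null || $portRange === '') {
        return $port >= 1 && $port <= 65535;
    }
    $bounds = array_map('intval', explode('-', $portRange, 2));
    $lo = $bounds[0];
    $hi = $bounds[1] ?? $lo;
    return $port >= $lo && $port <= $hi;
}

/**
 * Does one rule match a flow? $peerIp is the remote side: the source for
 * ingress (checked against sourceIp), the destination for egress (destIp).
 */
function ruleMatches(array $rule, string $direction, string $protocol, int $port, string $peerIp): bool
{
    if (($rule['direction'] ?? null) !== $direction) {
        return false;
    }
    $ruleProto = $rule['protocol'] ?? 'all';   // null protocol defaults to all, as on the page
    if ($ruleProto !== 'all' && $ruleProto !== $protocol) {
        return false;
    }
    if ($protocol !== 'icmp' && !portInRange($rule['portRange'] ?? null, $port)) {
        return false;
    }
    $peerField = $direction === 'ingress' ? 'sourceIp' : 'destIp';
    return ipInCidr($rule[$peerField] ?? null, $peerIp);
}

/** Effective policy of an instance: permit if any rule of any associated group matches. */
function instanceAllows(array $groups, string $direction, string $protocol, int $port, string $peerIp): bool
{
    foreach ($groups as $group) {
        foreach ($group['rules'] as $rule) {
            if (ruleMatches($rule, $direction, $protocol, $port, $peerIp)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample groups. "web" is a tightened allow-list; "default"
// reproduces the default rules above (all ingress and all egress open).
$web = ['name' => 'web', 'rules' => [
    ['direction' => 'ingress', 'protocol' => 'tcp', 'portRange' => '443', 'sourceIp' => ''],
    ['direction' => 'ingress', 'protocol' => 'tcp', 'portRange' => '22',  'sourceIp' => '10.0.0.0/8'],
    ['direction' => 'egress',  'protocol' => null,  'portRange' => null,  'destIp'   => ''],
]];
$default = ['name' => 'default', 'rules' => [
    ['direction' => 'ingress', 'protocol' => null, 'portRange' => null, 'sourceIp' => ''],
    ['direction' => 'egress',  'protocol' => null, 'portRange' => null, 'destIp'   => ''],
]];

$checks = [
    // label, groups, direction, protocol, port, peer IP, expected verdict
    ['web',         [$web],           'ingress', 'tcp', 443, '203.0.113.7', 'ALLOW'],
    ['web',         [$web],           'ingress', 'tcp', 22,  '203.0.113.7', 'DENY'],  // SSH only from 10/8
    ['web',         [$web],           'ingress', 'tcp', 22,  '10.2.3.4',    'ALLOW'],
    ['web+default', [$web, $default], 'ingress', 'tcp', 22,  '203.0.113.7', 'ALLOW'], // default group re-opens it
];
foreach ($checks as [$label, $groups, $dir, $proto, $port, $ip, $expected]) {
    $verdict = instanceAllows($groups, $dir, $proto, $port, $ip) ? 'ALLOW' : 'DENY';
    printf("%-12s %s %s/%d peer %s => %s (expected %s)\n", $label, $dir, $proto, $port, $ip, $verdict, $expected);
}
```

Run it with the php CLI. The last check is the point: the instance's SSH port, closed to the Internet by the "web" group, is open again as soon as the untouched default group is also attached, because the instance's policy is the union of the two. Audit every group attached to an instance, not just the one you wrote.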
Create Security Group
The createSecurityGroup function can be used to create a security group, and is defined as below:
```php
public function createSecurityGroup($name, $rules, $vpcId=null, $desc=null, $clientToken=null, $options = array()) {
......
}
```
The createSecurityGroup parameter is as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
name | String | Yes | The name of created security groups supports upper and lower case letters, numbers, Chinese and -_/. special characters. It must start with letters, with a length of 1-65. |
rules | [SecurityGroupRuleModel] | Yes | List of security group rules bound in creation of a security group |
vpcId | String | No | The VPC in which the security group is created |
desc | String | No | Description of the created security group |
clientToken | String | No | Idempotence token: an ASCII string of at most 64 characters. Refer to ClientToken Idempotence for details. |
Each element of rules is a SecurityGroupRuleModel with the following fields:
Parameter name | Type | Description | Required or not |
---|---|---|---|
remark | String | Comments | No |
direction | String | Direction of the rule: ingress or egress. | No |
ethertype | String | Network type: IPv4 or IPv6. When null, IPv4 is used. | No |
portRange | String | Port range, e.g. 80 for a single port or 80-90 for a range. When null, the default 1-65535 is used. | No |
protocol | String | Protocol type: tcp, udp or icmp. When null, the default all is used. | No |
sourceGroupId | String | Source security group ID | No |
sourceIp | String | Source IP address. Cannot be set together with sourceGroupId. | No |
destGroupId | String | Destination security group ID | No |
destIp | String | Destination IP address. Cannot be set together with destGroupId. | No |
securityGroupId | String | Security group ID | No |
The example is as follows:
```php
$securityGroupName = 'test';
// Positional arguments: remark, direction, ethertype, portRange, protocol, sourceGroupId, sourceIp.
// sourceGroupId and sourceIp are left empty, so this rule expresses no source
// restriction and admits TCP on every port; restrict sourceIp in production.
$rule = new SecurityGroupRuleModel('test_rule', 'ingress', null, '1-65535', 'tcp', '', '');
$rules = array($rule);
$resp = $this->client->createSecurityGroup($securityGroupName, $rules, null);
print_r($resp);
```
List Security Groups
The listSecurityGroups function can be used to list security groups, and is defined as below:
```php
public function listSecurityGroups($instanceId=null, $vpcId=null, $marker=null, $maxKeys=null, $options = array()){
......
}
```
The listSecurityGroups parameter is as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
instanceId | String | No | Instance id; when given, only the security groups associated with that instance are listed. Leave it unset to list all security groups. |
vpcId | String | No | VPC id; when given, only the security groups in that VPC are listed. |
marker | String | No | The starting location of query for batch acquisition of lists, and is one string generated by the system. |
maxKeys | int | No | Maximum number contained in each page, generally not exceeding 1000. The default value is 1000. |
The example is as follows:
```php
$resp = $this->client->listSecurityGroups($this->instanceId);
print_r($resp);
```
Delete Security Group
The deleteSecurityGroup function can be used to delete a security group, and is defined as below:
```php
public function deleteSecurityGroup($securityGroupId, $options = array()) {
......
}
```
The deleteSecurityGroup parameter is securityGroupId, which identifies the security group to be deleted.
Note: The securityGroupId can be obtained by listing security groups.
The example is as follows:
```php
$resp = $this->client->deleteSecurityGroup($this->securityGroupId);
print_r($resp);
```
Authorize Security Group Rule
The authorizeSecurityGroupRule function can be used to authorize new security group rules in the security group, and is defined as below:
```php
public function authorizeSecurityGroupRule($securityGroupId, $rule, $clientToken=null, $options = array()) {
......
}
```
The authorizeSecurityGroupRule parameter is as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
securityGroupId | String | Yes | Security group id of authorized new security group rules |
rule | SecurityGroupRuleModel | Yes | Security group rules to be authorized |
clientToken | String | No | Idempotence token: an ASCII string of at most 64 characters. Refer to ClientToken Idempotence for details. |
Note: Within one security group, the six-tuple (remark, protocol, direction, portRange, sourceIp or destIp, sourceGroupId or destGroupId) is used as a unique index. Authorizing a rule whose six-tuple already exists in the group returns an error.
The example is as follows:
```php
$direction = 'ingress';
$portRange = '80-90';
$protocol = 'tcp';
// remark and ethertype are null: no comment, IPv4 by default
$rule = new SecurityGroupRuleModel(null, $direction, null, $portRange, $protocol);
$resp = $this->client->authorizeSecurityGroupRule($this->securityGroupId, $rule);
print_r($resp);
```
Delete Security Group Rule
The revokeSecurityGroupRule function can be used to cancel the security group rules in the security group, and is defined as below:
```php
public function revokeSecurityGroupRule($securityGroupId, $rule, $clientToken=null, $options = array()){
......
}
```
The revokeSecurityGroupRule parameter is as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
securityGroupId | String | Yes | Security group id of security group rules to be cancelled |
rule | SecurityGroupRuleModel | Yes | Security group rules to be cancelled |
clientToken | String | No | Idempotence token: an ASCII string of at most 64 characters. Refer to ClientToken Idempotence for details. |
Note: The rule to be revoked is identified by the same six-tuple (remark, protocol, direction, portRange, sourceIp or destIp, sourceGroupId or destGroupId) that serves as the unique index within the security group, so the SecurityGroupRuleModel passed in must reproduce those fields of the existing rule.
The example is as follows:
```php
$direction = 'ingress';
$portRange = '80-90';
$protocol = 'tcp';
// Same six-tuple as the rule authorized above, so that rule is the one revoked
$rule = new SecurityGroupRuleModel(null, $direction, null, $portRange, $protocol);
$resp = $this->client->revokeSecurityGroupRule($this->securityGroupId, $rule);
print_r($resp);
```
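The following is an added example, not code from the Baidu AI Cloud SDK or its documentation. It runs once through the calls documented on this page (createSecurityGroup, listSecurityGroups, authorizeSecurityGroupRule, revokeSecurityGroupRule, deleteSecurityGroup): it creates a group with an explicit allow-list instead of the default allow-all, reads the AK/SK from the environment rather than from source, and uses a fresh clientToken on every mutating call so that a retried request cannot create a duplicate group or rule. It assumes the Composer autoloader path, the class paths BaiduBce\Services\Bcc\BccClient and BaiduBce\Services\Bcc\model\SecurityGroupRuleModel, object-style access to the decoded JSON response (->securityGroups, ->id, ->name), that sourceIp/destIp accept CIDR notation, and that the 8th and 9th constructor positions are destGroupId and destIp (the page's examples show only the first seven); verify each against your SDK version.

```php
<?php
// Added example; not code from the Baidu AI Cloud SDK or its documentation.
// One pass through the calls above: create a group with explicit allow-list
// rules, look up its id with listSecurityGroups, authorize and then revoke an
// extra rule using idempotence tokens, and delete the group.
// Assumptions (verify against your SDK version): the autoloader path, the two
// class paths below, object-style access to the decoded response
// (->securityGroups, ->id, ->name), CIDR notation in sourceIp/destIp, and
// destGroupId/destIp as constructor positions 8 and 9.
require_once __DIR__ . '/vendor/autoload.php';

use BaiduBce\Services\Bcc\BccClient;
use BaiduBce\Services\Bcc\model\SecurityGroupRuleModel;

// Keep AK/SK out of source control: read them from the environment.
$ak = getenv('BCE_ACCESS_KEY_ID');
$sk = getenv('BCE_SECRET_ACCESS_KEY');
if ($ak === false || $sk === false) {
    fwrite(STDERR, "set BCE_ACCESS_KEY_ID and BCE_SECRET_ACCESS_KEY first\n");
    exit(1);
}
$client = new BccClient([
    'credentials' => ['ak' => $ak, 'sk' => $sk],
    'endpoint'    => 'bcc.bj.baidubce.com',   // North China - Beijing
]);

/** Fresh idempotence token: 32 ASCII hex characters, within the 64-character limit. */
function newClientToken(): string
{
    return bin2hex(random_bytes(16));
}

// Positional order as in the page's examples: remark, direction, ethertype (null = IPv4),
// portRange (null = 1-65535), protocol (null = all), sourceGroupId, sourceIp[, destGroupId, destIp].
$rules = [
    new SecurityGroupRuleModel('https-any',  'ingress', null, '443', 'tcp', '', '0.0.0.0/0'),
    new SecurityGroupRuleModel('ssh-admin',  'ingress', null, '22',  'tcp', '', '10.0.0.0/8'),
    new SecurityGroupRuleModel('egress-all', 'egress',  null, null,  null,  '', '', '', '0.0.0.0/0'),
];

$groupName = 'web-tier';
// Same token on a retried create => no duplicate group.
$client->createSecurityGroup($groupName, $rules, null, 'web tier allow-list', newClientToken());

// Resolve the new group's id by name. This reads a single page (maxKeys default
// 1000); use marker to page through larger accounts. print_r the listing once
// to confirm the field names in your SDK version.
$groupId = null;
foreach ($client->listSecurityGroups()->securityGroups as $sg) {
    if ($sg->name === $groupName) {
        $groupId = $sg->id;
        break;
    }
}
if ($groupId === null) {
    throw new RuntimeException("security group {$groupName} not found after create");
}

// Add HTTP. A rule with an identical six-tuple already in the group is rejected by the API.
$http = new SecurityGroupRuleModel('http-any', 'ingress', null, '80', 'tcp', '', '0.0.0.0/0');
$client->authorizeSecurityGroupRule($groupId, $http, newClientToken());

// Revoke matches on the same six-tuple (remark included), so pass an identical model.
$client->revokeSecurityGroupRule($groupId, $http, newClientToken());

$client->deleteSecurityGroup($groupId);
print_r($client->listSecurityGroups());
```

Two design points: the token is generated per call rather than reused, because a token identifies one logical operation and reusing it across different operations defeats its purpose; and the revoke reuses the very object passed to authorize, which is the simplest way to guarantee the six-tuple matches.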