Security Group
Initialization
Confirm Endpoint
Before you configure the Endpoint for the SDK, please first understand the Endpoint-related concepts. Baidu AI Cloud currently provides multi-region support; for more information, please refer to Region Selection Introduction. Six regions are currently supported: "North China - Beijing", "South China - Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoint information is:
Access region | Corresponding Endpoint |
---|---|
North China - Beijing | bcc.bj.baidubce.com |
South China - Guangzhou | bcc.gz.baidubce.com |
East China - Suzhou | bcc.su.baidubce.com |
Hong Kong | bcc.hkg.baidubce.com |
Finance Central China - Wuhan | bcc.fwh.baidubce.com |
North China - Baoding | bcc.bd.baidubce.com |
Get the Key
To use Baidu AI Cloud security groups, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. The AK/SK pair is assigned to users by the system and is a string used to identify users and verify signatures for accessing BOS. You can obtain and understand your AK/SK information through the following steps: Register Baidu AI Cloud Account; Create AK/SK.
Create BccClient
BccClient is the client of security group service, and provides a series of methods for the interactions between developers and the security group services.
When creating BccClient, you need to first use Endpoint, AK and SK to configure the BccClientConfiguration type config instance, and then use the config instance to configure the BccClient. The configuration example is as follows:
// Package paths as in the public bce-java-sdk.
import com.baidubce.auth.DefaultBceCredentials;
import com.baidubce.services.bcc.BccClient;
import com.baidubce.services.bcc.BccClientConfiguration;

static final String HOST = "";   // Endpoint for the chosen region, e.g. bcc.bj.baidubce.com
static final String AK = "";     // Access Key ID; load from a secret store, never hard-code in source
static final String SK = "";     // Secret Access Key
BccClientConfiguration config = new BccClientConfiguration();
config.setCredentials(new DefaultBceCredentials(AK, SK));
config.setEndpoint(HOST);
BccClient bccClient = new BccClient(config);
Security Group Management
- The BCC instance can choose a default security group or a custom security group.
- One security group must be selected for each BCC instance.
- Each BCC instance can be associated with a maximum of 10 security groups. If one BCC instance is associated with multiple security groups, the rules in effect for that instance are the union of the rules of all its associated security groups.
- Users can allow all BCC instances associated with a security group to communicate with each other, or allow instances associated with another security group to communicate with those associated with this one. BCC instances associated with the same security group can communicate with each other by default.
- Associating BCC instances is not supported from the security group side; a security group can be added to an instance only through the BCC instance itself.
- The default security group cannot be deleted, but its rules can be added, deleted and changed. Only the default security group provides the "One-key Recovery of Initial Setting" button.
Default rules of security group:
- Ingress: It allows access to all ports, namely, allows the traffic of all external IPs to enter all ports associated with BCC.
- Egress: It allows access to all ports, namely, allows all ports associated with BCC to access all ports of all external IPs.
Create Security Group
The createSecurityGroup function can be used to create a security group, and is defined as below:
public CreateSecurityGroupResponse createSecurityGroup(CreateSecurityGroupRequest request) {
......
}
The createSecurityGroup parameters are as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
name | String | Yes | The name of the created security group. It supports upper and lower case letters, numbers, Chinese characters and the special characters -_/. It must start with a letter, with a length of 1-65. |
rules | [SecurityGroupRuleModel] | Yes | List of security group rules bound in creation of a security group |
vpc_id | String | No | The VPC in which the security group is created |
desc | String | No | Description information of the created security group |
clientToken | String | No | The idempotence Token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details. |
The rules parameter is a list of SecurityGroupRuleModel objects with the following fields:
Parameter name | Type | Description | Required or not |
---|---|---|---|
remark | String | Comments | No |
direction | String | Ingress/egress, value taken: ingress or egress. | No |
ethertype | String | Network type, value taken: IPv4 or IPv6. When the value is null, IPv4 is taken by default. | No |
portRange | String | Port range, the individual ports of 80 and other numbers can be specified. When the value is null, the default value 1-65535 is taken. | No |
protocol | String | Protocol type, tcp, udp or icmp. When the value is null, the default value all is taken. | No |
sourceGroupId | String | Source security group ID | No |
sourceIp | String | Source IP address. Cannot be set at the same time as sourceGroupId. | No |
destGroupId | String | Destination security group ID | No |
destIp | String | Destination IP address. Cannot be set at the same time as destGroupId. | No |
securityGroupId | String | Security group ID | No |
The example is as follows:
public void createSecurityGroup() {
    CreateSecurityGroupRequest request = createSecurityGroupRequest();
    CreateSecurityGroupResponse response = client.createSecurityGroup(request);
    assertThat(response.getSecurityGroupId(), notNullValue());
    toJsonPrettyString("createSecurityGroup", response);
    // Remember the new id so the delete example can clean it up later.
    securityGroupIds.add(response.getSecurityGroupId());
}

private CreateSecurityGroupRequest createSecurityGroupRequest() {
    List<SecurityGroupRuleModel> rules = new ArrayList<SecurityGroupRuleModel>();
    // Ingress rule: tcp on all ports. Empty sourceIp and sourceGroupId mean no source restriction,
    // which is equivalent to the default allow-all ingress rule.
    rules.add(new SecurityGroupRuleModel()
            .withRemark("ingress_remark")
            .withProtocol("tcp")
            .withPortRange("1-65535")
            .withDirection("ingress")
            .withSourceIp("")
            .withSourceGroupId(""));
    // Egress rule: empty protocol and portRange take the defaults (all protocols, 1-65535).
    rules.add(new SecurityGroupRuleModel()
            .withRemark("egress_remark")
            .withProtocol("")
            .withPortRange("")
            .withDirection("egress")
            .withDestIp("")
            .withDestGroupId(""));
    return new CreateSecurityGroupRequest()
            .withDesc("sdk_desc")
            .withName("sdk_name" + System.currentTimeMillis())
            .withRules(rules);
}
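The default rules and the page's own example both admit ingress from any source on every port. The following added example (not part of the SDK or its documentation) builds a least-privilege rule list with the fields from the table above, rejecting rules that set both sourceIp and sourceGroupId or that leave ingress unrestricted; it assumes the public bce-java-sdk package paths, a withVpcId setter on CreateSecurityGroupRequest, and that sourceIp accepts CIDR notation.

```java
import java.util.ArrayList;
import java.util.List;
import com.baidubce.services.bcc.BccClient;
import com.baidubce.services.bcc.model.securitygroup.CreateSecurityGroupRequest;
import com.baidubce.services.bcc.model.securitygroup.CreateSecurityGroupResponse;
import com.baidubce.services.bcc.model.securitygroup.SecurityGroupRuleModel;

public final class LeastPrivilegeSecurityGroup {

    // Builds one ingress rule. sourceIp and sourceGroupId are mutually exclusive per the
    // parameter table, and an ingress rule with neither is the allow-all default, so both
    // shapes are rejected before anything is sent to the service.
    static SecurityGroupRuleModel ingress(String remark, String protocol, String portRange,
                                          String sourceIp, String sourceGroupId) {
        if (!sourceIp.isEmpty() && !sourceGroupId.isEmpty()) {
            throw new IllegalArgumentException("sourceIp and sourceGroupId both set: " + remark);
        }
        if (sourceIp.isEmpty() && sourceGroupId.isEmpty()) {
            throw new IllegalArgumentException("ingress rule has no source restriction: " + remark);
        }
        return new SecurityGroupRuleModel()
                .withRemark(remark).withProtocol(protocol).withPortRange(portRange)
                .withDirection("ingress").withSourceIp(sourceIp).withSourceGroupId(sourceGroupId);
    }

    // Web-tier rule set: HTTPS from anywhere, SSH only from the admin CIDR, the app port only
    // from the load-balancer security group, and unrestricted egress (empty = defaults).
    static List<SecurityGroupRuleModel> webTierRules(String adminCidr, String lbGroupId) {
        List<SecurityGroupRuleModel> rules = new ArrayList<SecurityGroupRuleModel>();
        rules.add(ingress("https_public", "tcp", "443", "0.0.0.0/0", ""));   // assumed CIDR form
        rules.add(ingress("ssh_admin", "tcp", "22", adminCidr, ""));
        rules.add(ingress("app_from_lb", "tcp", "8080", "", lbGroupId));
        rules.add(new SecurityGroupRuleModel()
                .withRemark("egress_all").withProtocol("").withPortRange("")
                .withDirection("egress").withDestIp("").withDestGroupId(""));
        return rules;
    }

    // Creates the group and returns its id. vpcId, adminCidr and lbGroupId are caller-supplied.
    public static String create(BccClient client, String vpcId, String adminCidr, String lbGroupId) {
        CreateSecurityGroupRequest request = new CreateSecurityGroupRequest()
                .withName("web-tier-" + System.currentTimeMillis())   // starts with a letter
                .withDesc("least-privilege web tier")
                .withVpcId(vpcId)                                      // assumed setter name
                .withRules(webTierRules(adminCidr, lbGroupId));
        CreateSecurityGroupResponse response = client.createSecurityGroup(request);
        return response.getSecurityGroupId();
    }
}
```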
List of Security Group
The listSecurityGroups function can be used to list security groups, and is defined as below:
public ListSecurityGroupsResponse listSecurityGroups(ListSecurityGroupsRequest request) {
......
}
The listSecurityGroups parameters are as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
instanceId | String | No | Instance id used to query the security groups associated with that instance. To query all created security groups, omit this parameter. |
vpcId | String | No | VPC instance id used to query the security groups associated with that VPC. |
marker | String | No | Starting position for paginated list queries; a string generated by the system. |
maxKeys | int | No | Maximum number contained in each page, generally not exceeding 1000. The default value is 1000. |
The example is as follows:
ListSecurityGroupsResponse response = client.listSecurityGroups(new ListSecurityGroupsRequest());
assertThat(response.getSecurityGroups(), notNullValue());
toJsonPrettyString("listSecurityGroup", response);
Delete the Security Group
The deleteSecurityGroup function can be used to delete a security group, and is defined as below:
public void deleteSecurityGroup(DeleteSecurityGroupRequest request) {
......
}
The deleteSecurityGroup parameter mainly includes securityGroupId to confirm the security group to be deleted.
Note: The securityGroupId can be obtained by listing security groups.
The example is as follows:
if (!securityGroupIds.isEmpty()) {
String target = securityGroupIds.get(0);
client.deleteSecurityGroup(target);
securityGroupIds.remove(target);
}
Authorize the Security Group Rule
The authorizeSecurityGroupRule function can be used to authorize new security group rules in the security group, and is defined as below:
public void authorizeSecurityGroupRule(SecurityGroupRuleOperateRequest request) {
......
}
The authorizeSecurityGroupRule parameters are as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
securityGroupId | String | Yes | ID of the security group to which the new rule is authorized |
rule | SecurityGroupRuleModel | Yes | The security group rule to be authorized |
clientToken | String | No | The idempotence Token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details. |
Note: For the rules in the same security group, the sextuple remark, protocol, direction, portRange, sourceIp/destIp and sourceGroupId/destGroupId is used as a unique index. An error is reported if an identical rule already exists in the security group.
The example is as follows:
SecurityGroupRuleOperateRequest request = new SecurityGroupRuleOperateRequest().withSecurityGroupId("g-RrAecfjQ");
SecurityGroupRuleModel ruleModel = new SecurityGroupRuleModel().withProtocol("tcp").withPortRange("80-90").withDirection("ingress");
request.withRule(ruleModel);
client.authorizeSecurityGroupRule(request);
Delete the Security Group Rule
The revokeSecurityGroupRule function can be used to revoke (cancel) security group rules in the security group, and is defined as below:
public void revokeSecurityGroupRule(SecurityGroupRuleOperateRequest request) {
......
}
The revokeSecurityGroupRule parameters are as follows:
Parameter name | Type | Required or not | Description |
---|---|---|---|
securityGroupId | String | Yes | ID of the security group whose rule is to be revoked |
rule | SecurityGroupRuleModel | Yes | The security group rule to be revoked |
clientToken | String | No | The idempotence Token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details. |
Note: For the rules in the same security group, the sextuple remark, protocol, direction, portRange, sourceIp/destIp and sourceGroupId/destGroupId is used as a unique index. An error is reported if an identical rule already exists in the security group.
The example is as follows:
SecurityGroupRuleOperateRequest request = new SecurityGroupRuleOperateRequest().withSecurityGroupId("g-RrAecfjQ");
SecurityGroupRuleModel ruleModel = new SecurityGroupRuleModel().withProtocol("tcp").withPortRange("80-90").withDirection("ingress");
request.withRule(ruleModel);
client.revokeSecurityGroupRule(request);
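Because the service indexes rules by the sextuple described in the authorize and revoke notes above, re-running a provisioning script that authorizes the same rule twice fails with a duplicate error. The following added example (not part of the SDK or its documentation) computes that key from a rule, checks whether the group already holds it via listSecurityGroups, and authorizes only when it is absent; it assumes the public bce-java-sdk package paths, a SecurityGroupModel with getId() and getRules(), and standard bean getters on SecurityGroupRuleModel matching its with* setters.

```java
import java.util.List;
import com.baidubce.services.bcc.BccClient;
import com.baidubce.services.bcc.model.securitygroup.ListSecurityGroupsRequest;
import com.baidubce.services.bcc.model.securitygroup.SecurityGroupModel;
import com.baidubce.services.bcc.model.securitygroup.SecurityGroupRuleModel;
import com.baidubce.services.bcc.model.securitygroup.SecurityGroupRuleOperateRequest;

public final class IdempotentRuleAuthorizer {

    static String nullToEmpty(String s) { return s == null ? "" : s; }

    // The sextuple the service uses as a unique index within one group:
    // remark, protocol, direction, portRange, sourceIp/destIp, sourceGroupId/destGroupId.
    // Null and empty are folded together since an unset field is sent as "" in the page's examples.
    static String ruleKey(SecurityGroupRuleModel r) {
        return String.join("|",
                nullToEmpty(r.getRemark()), nullToEmpty(r.getProtocol()),
                nullToEmpty(r.getDirection()), nullToEmpty(r.getPortRange()),
                nullToEmpty(r.getSourceIp()) + "/" + nullToEmpty(r.getDestIp()),
                nullToEmpty(r.getSourceGroupId()) + "/" + nullToEmpty(r.getDestGroupId()));
    }

    // Lists all groups (the only list call on the page) and looks for the wanted key in groupId.
    static boolean alreadyPresent(BccClient client, String groupId, SecurityGroupRuleModel wanted) {
        List<SecurityGroupModel> groups =
                client.listSecurityGroups(new ListSecurityGroupsRequest()).getSecurityGroups();
        String wantedKey = ruleKey(wanted);
        for (SecurityGroupModel g : groups) {
            if (!groupId.equals(g.getId()) || g.getRules() == null) continue;   // assumed getters
            for (SecurityGroupRuleModel r : g.getRules()) {
                if (wantedKey.equals(ruleKey(r))) return true;
            }
        }
        return false;
    }

    // Authorizes the rule only when its sextuple is not already present; returns true if it
    // made a change, so a provisioning run can be repeated without tripping the duplicate error.
    public static boolean ensureRule(BccClient client, String groupId, SecurityGroupRuleModel rule) {
        if (alreadyPresent(client, groupId, rule)) return false;
        client.authorizeSecurityGroupRule(new SecurityGroupRuleOperateRequest()
                .withSecurityGroupId(groupId).withRule(rule));
        return true;
    }
}
```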