百度智能云
All Product Document

          Virtual Private Cloud

          • Virtual Private Cloud
          • >
          • SDK
          • >
          • Java-SDK
          • >
          • Security Group

          Security Group

          Last Updated2020-07-20

          Initialization

          Confirm Endpoint

          When you confirm the use of SDK and need to configure the Endpoint, please understood Endpoint related concepts. At present, Baidu AI Cloud provides multi-region support. For more information, please refer to Region Selection Introduction. Currently, the six regions are supported: "North China - Beijing", "South China- Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoint information is:

          Access region Corresponding Endpoint
          North China - Beijing bcc.bj.baidubce.com
          South China - Guangzhou bcc.gz.baidubce.com
          East China - Suzhou bcc.su.baidubce.com
          Hong Kong bcc.hkg.baidubce.com
          Finance Central China - Wuhan bcc.fwh.baidubce.com
          North China - Baoding bcc.bd.baidubce.com

          Get the Key

          To use Baidu AI Cloud security group, you need to have a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. AK/SK is assigned to users by the system and is a string to identify users and verify signatures for accessing BOS. You can obtain and understand your AK/SK information through the following steps: Register Baidu AI Cloud Account Create AK/SK

          Create BccClient

          BccClient is the client of security group service, and provides a series of methods for the interactions between developers and the security group services.

          When creating BccClient, you need to first use Endpoint, AK and SK to configure the BccClientConfiguration type config instance, and then use the config instance to configure the BccClient. The configuration example is as follows: 

           static final String HOST = "";
 static final String AK = "";
 static final String SK = "";
 BccClientConfiguration config = new BccClientConfiguration();
 config.setCredentials(new DefaultBceCredentials(AK, SK));
 config.setEndpoint(HOST);
 BccClient bccClient = new BccClient(config);

          Security Group Management

          • The BCC instance can choose a default security group or a custom security group.
          • One security group must be selected for each BCC instance.
          • Each BCC instance can be only associated with a maximum of 10 security groups. If one BCC instance is associated with multiple security groups, the rule for the BCC instance validity has been associated with the collection of all rules of the security groups.
          • The users can allow all the BCC instances associated with this security to communicate with each other, or allow the instances associated with other security groups and those associated with this security to communicate with each other. The BCC instances associated with the same security can communicate with each other by default.
          • The association of BCC instances is not supported under the dimension of security group, and the security group can be added only through the BCC instances.
          • The security cannot be deleted by default, and the rules can be added, deleted and changed. Only the security group provides the "One key Recovery of Initial Setting" button by default.

          Default rules of security group:

          • Ingress: It allows access to all ports, namely, allows the traffic of all external IPs to enter all ports associated with BCC.
          • Egress: It allows access to all ports, namely, allows all ports associated with BCC to access all ports of all external IPs.

          Create Security Group

          The createSecurityGroup function can be used to create a security group, and is defined as below: 

          public CreateSecurityGroupResponse createSecurityGroup(CreateSecurityGroupRequest request) {
	......
 }

          The createSecurityGroup parameter is as follows:

          Parameter name Type Required or not Description
          name String Yes The name of created security groups supports upper and lower case letters, numbers, Chinese and -_/. special characters. It must start with letters, with a length of 1-65.
          rules [SecurityGroupRuleModel] Yes List of security group rules bound in creation of a security group
          vpc_id String No Specified vpc in creation of a security group
          desc String No Description information of the created security group
          clientToken String No The idempotence Token is a ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          The parameter rules is the list type, and can include multiple security group rules. The sec group rule parameter is as follows:

          Parameter name Type Description Required or not
          remark String Comments No
          direction String Ingress/egress, value taken: ingress or egress. No
          ethertype String Network type, value taken: IPv4 or IPv6.When the value is null, it means that the value IPv4 is taken by default. No
          portRange String Port range, the individual ports of 80 and other numbers can be specified. When the value is null, the default value 1-65535 is taken. No
          protocol String Protocol type, tcp, udp or icmp. When the value is null, the default value all is taken. No
          sourceGroupId String Source security group ID No
          sourceIp String Values cannot be set simultaneously for the source IP address and sourceGroupId. No
          destGroupId String Destination security group ID No
          destIp String Values cannot be set simultaneously for the destination IP address and destGroupId. No
          securityGroupId String Security group ID No

          The example is as follows: 

          public void createSecurityGroup() {
            CreateSecurityGroupRequest request = createSecurityGroupRequest();
            CreateSecurityGroupResponse response = client.createSecurityGroup(request);
            assertThat(response.getSecurityGroupId(), notNullValue());
            toJsonPrettyString("createSecurityGroup", response);
            securityGroupIds.add(response.getSecurityGroupId());
        }

private CreateSecurityGroupRequest createSecurityGroupRequest() {
            List<SecurityGroupRuleModel> rules = new                       
                ArrayList<SecurityGroupRuleModel>();
            rules.add(new SecurityGroupRuleModel()
                    .withRemark("ingress_remark")
                    .withProtocol("tcp")
                    .withPortRange("1-65535")
                    .withDirection("ingress")
                    .withSourceIp("")
                    .withSourceGroupId(""));

            rules.add(new SecurityGroupRuleModel()
                    .withRemark("egress_remark")
                    .withProtocol("")
                    .withPortRange("")
                    .withDirection("egress")
                    .withDestIp("")
                    .withDestGroupId(""));
            return new CreateSecurityGroupRequest()
                    .withDesc("sdk_desc").withName("sdk_name" + 
                        System.currentTimeMillis())
                    .withRules(rules);
        }

          List of Security Group

          The listSecurityGroups function can be used to list security groups, and is defined as below: 

          public ListSecurityGroupsResponse listSecurityGroups(ListSecurityGroupsRequest request) {
	......
 }

          The listSecurityGroups parameter is as follows:

          Parameter name Type Required or not Description
          instanceId String No The instance id can be used to query the security group list associated with the instance. To query the information of all created security groups, you need not to fill in this parameter.
          vpcId String No The vpc instance id can be used to query the security group list associated with the instance.
          marker String No The starting location of query for batch acquisition of lists, and is one string generated by the system.
          maxKeys int No Maximum number contained in each page, generally not exceeding 1000. The default value is 1000.

          The example is as follows: 

          ListSecurityGroupsResponse response = client.listSecurityGroups(new 
    ListSecurityGroupsRequest());
assertThat(response.getSecurityGroups(), notNullValue());
toJsonPrettyString("listSecurityGroup", response);

          Delete the Security Group

          The createSecurityGroup function can be used to delete a security group, and is defined as below: 

          public void deleteSecurityGroup(DeleteSecurityGroupRequest request) {
	......
 }

          The deleteSecurityGroup parameter mainly includes securityGroupId to confirm the security group to be deleted.

          Note:: The securityGroupId can be obtained by listing security groups.

          The example is as follows: 

          if (!securityGroupIds.isEmpty()) {
                String target = securityGroupIds.get(0);
                client.deleteSecurityGroup(target);
                securityGroupIds.remove(target);
            }

          Authorize the Security Group Rule

          The authorizeSecurityGroupRule function can be used to authorize new security group rules in the security group, and is defined as below: 

          public void authorizeSecurityGroupRule(SecurityGroupRuleOperateRequest request) {
	......
 }

          The authorizeSecurityGroupRule parameter is as follows:

          Parameter name Type Required or not Description
          securityGroupId String Yes Security group id of authorized new security group rules
          rule SecurityGroupRuleModel Yes Security group rules to be authorized
          clientToken String No The idempotence Token is a ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          Note:: For the rules in the same security group, the remark, protocol, direction, portRange, sourceIp | destIp, sourceGroupId and | destGroupId sextuple is used as a unique index. An error is reported if the same rules exist in the security group.

          The example is as follows: 

          SecurityGroupRuleOperateRequest request = new 
    SecurityGroupRuleOperateRequest().withSecurityGroupId("g-RrAecfjQ");
SecurityGroupRuleModel ruleModel = new  
    SecurityGroupRuleModel().withProtocol("tcp").withPortRange("80-
    90").withDirection("ingress");
request.withRule(ruleModel);

client.authorizeSecurityGroupRule(request);

          Delete the Security Group Rule

          The revokeSecurityGroupRule function can be used to cancel the security group rules in the security group, and is defined as below: 

          public void revokeSecurityGroupRule(SecurityGroupRuleOperateRequest request) {
    ......
 }

          The revokeSecurityGroupRule parameter is as follows:

          Parameter name Type Required or not Description
          securityGroupId String Yes Security group id of security group rules to be cancelled
          rule SecurityGroupRuleModel Yes Security group rules to be cancelled
          clientToken String No The idempotence Token is a ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          Note:: For the rules in the same security group, the remark, protocol, direction, portRange, sourceIp | destIp, sourceGroupId and | destGroupId sextuple is used as a unique index. An error is reported if the same rules exist in the security group.

          The example is as follows: 

          SecurityGroupRuleOperateRequest request = new 
    SecurityGroupRuleOperateRequest().withSecurityGroupId("g-RrAecfjQ");
SecurityGroupRuleModel ruleModel = new  
    SecurityGroupRuleModel().withProtocol("tcp")
    .withPortRange("80-90").withDirection("ingress");
request.withRule(ruleModel);

client.revokeSecurityGroupRule(request);
          Previous
          Subnet
          Next
          ACL