          Security Group

          Initialization

          Confirm Endpoint

          When you have decided to use the SDK and need to configure the Endpoint, please first understand the Endpoint-related concepts. At present, Baidu AI Cloud provides multi-region support. For more information, please refer to Region Selection Introduction.

          Currently, six regions are supported: "North China - Beijing", "South China - Guangzhou", "East China - Suzhou", "Hong Kong", "Finance Central China - Wuhan" and "North China - Baoding". The corresponding Endpoint information is:

          Access region Corresponding Endpoint
          North China - Beijing bcc.bj.baidubce.com
          South China - Guangzhou bcc.gz.baidubce.com
          East China - Suzhou bcc.su.baidubce.com
          Hong Kong bcc.hkg.baidubce.com
          Finance Central China - Wuhan bcc.fwh.baidubce.com
          North China - Baoding bcc.bd.baidubce.com

          Get the Key

          To use the Baidu AI Cloud security group, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. The AK/SK pair is assigned to users by the system; it is a string that identifies the user and is used to verify the signature of requests to the Security Group service. You can obtain and understand your AK/SK information through the following steps:

          Register Baidu AI Cloud Account

          Create AK/SK

          Create BccClient

          BccClient is the client of the security group service and provides a series of methods for developers to interact with the security group service.

          Access to BccClient via AK/SK

          1. Before creating a BccClient, first create a configuration file for it. In the following, the configuration file is named sg_sample_conf.py, with the following configuration information:

          #!/usr/bin/env python
          # coding=utf-8

          # Import the Python standard logging module
          import logging

          # Import the BCC configuration management module and the security authentication module from the Python SDK
          from baidubce.bce_client_configuration import BceClientConfiguration
          from baidubce.auth.bce_credentials import BceCredentials
          import baidubce

          # Set the host, Access Key ID and Secret Access Key of BccClient
          sg_host = "bcc.bj.baidubce.com"
          access_key_id = "AK"
          secret_access_key = "SK"

          # Set the handler and log level of the log file
          # (DEBUG records every request the HTTP client makes, so keep sample.log out of version control)
          logger = logging.getLogger('baidubce.http.bce_http_client')
          fh = logging.FileHandler("sample.log")
          fh.setLevel(logging.DEBUG)

          # Set the output sequence, structure and contents of the log file
          formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
          fh.setFormatter(formatter)
          logger.setLevel(logging.DEBUG)
          logger.addHandler(fh)

          # Create the BceClientConfiguration
          config = BceClientConfiguration(credentials=BceCredentials(access_key_id, secret_access_key), endpoint=sg_host)

          Note: The logging module has the following levels: DEBUG, INFO, WARNING, ERROR, CRITICAL.

          In the code above, access_key_id corresponds to "Access Key ID" in the console and secret_access_key corresponds to "Access Key Secret" in the console; for how to obtain them, please see "Operation Guideline: Manage ACCESSKEY".

          With the method above, you need to specify the service domain name of the Security Group yourself, by assigning a value to the sg_host variable. If it is not configured, the endpoint parameter need not be passed, and the default is the Beijing region http://bos.bj.bcebos.com

          2. After completing the configuration above, create a BccClient by referring to the following code.

          # Import the BccClient configuration file
          import sg_sample_conf

          # Import the BCC-related modules
          from baidubce import exception
          from baidubce.services import bcc
          from baidubce.services.bcc.bcc_client import BccClient
          from baidubce.services.bcc.bcc_model import SecurityGroupRuleModel

          # Create the BccClient
          sg_client = BccClient(sg_sample_conf.config)

          Security Group Management

          • A BCC instance can use either the default security group or a custom security group.
          • Every BCC instance must be associated with at least one security group.
          • Each BCC instance can be associated with a maximum of 10 security groups. If an instance is associated with multiple security groups, the rules effective for that instance are the union of the rules of all its security groups.
          • Users can allow all BCC instances associated with a security group to communicate with each other, or allow instances associated with another security group to communicate with those associated with this one. BCC instances associated with the same security group can communicate with each other by default.
          • Instances cannot be associated from the security group side; a security group can only be added by way of the BCC instance.
          • The default security group cannot be deleted, but its rules can be added, deleted and changed. Only the default security group provides the "Onekey Recovery of Initial Setting" button.

          Default rules of the security group:

          • Ingress: allows access to all ports, that is, traffic from any external IP may reach every port of the associated BCC instances.
          • Egress: allows access to all ports, that is, every port of the associated BCC instances may reach any port of any external IP.
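The default rules above permit all inbound traffic. As an added example (not code from the Baidu docs or the bce-sdk-python SDK), the following audits the security groups returned by a listing call and reports ingress rules open to any source, using the null-value defaults the rule-parameter table documents; the sample groups are constructed, and treating an unset sourceIp as "any" is an assumption.

```python
# Added example, not from the Baidu docs or the bce-sdk-python SDK: audit listed
# security groups for ingress rules that are as open as the defaults above.
from ipaddress import ip_network

def normalize_rule(rule):
    """Apply the documented defaults: null portRange is 1-65535, null protocol is all."""
    r = dict(rule)
    r["portRange"] = r.get("portRange") or "1-65535"
    r["protocol"] = (r.get("protocol") or "all").lower()
    return r

def is_any_source(source_ip):
    """True when the source is unset (assumed here to mean any) or a /0 network."""
    if not source_ip:
        return True
    try:
        return ip_network(source_ip, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed value: not treated as "any"

def find_open_ingress(security_groups):
    """Return (group name, protocol, portRange) for ingress rules open to any source."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("rules", []):
            r = normalize_rule(rule)
            if r.get("direction") != "ingress" or r.get("sourceGroupId"):
                continue  # egress, or scoped to another security group
            if is_any_source(r.get("sourceIp")):
                findings.append((sg["name"], r["protocol"], r["portRange"]))
    return findings

# Constructed sample shaped like the security_groups field described under
# list_security_groups; field names follow the rule-parameter table.
SAMPLE_GROUPS = [
    {"name": "default", "rules": [
        {"direction": "ingress", "protocol": None, "portRange": None, "sourceIp": "0.0.0.0/0"},
        {"direction": "egress", "protocol": None, "portRange": None, "destIp": "0.0.0.0/0"},
    ]},
    {"name": "web", "rules": [
        {"direction": "ingress", "protocol": "tcp", "portRange": "443", "sourceIp": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp", "portRange": "22", "sourceIp": "172.16.0.0/12"},
        {"direction": "ingress", "protocol": "tcp", "portRange": "3306", "sourceGroupId": "g-app"},
    ]},
]

if __name__ == "__main__":
    for name, proto, ports in find_open_ingress(SAMPLE_GROUPS):
        print(f"{name}: ingress {proto} {ports} open to any source")
```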

          Create Security Group

          The following code can be used to create a security group:

          sg_rule_list = SecurityGroupRuleModel(
              remark='Remark',
              direction='ingress',
              portRange='1-65535',
              protocol='tcp',
              sourceIp='172.16.0.0/12')
          sg_client = BccClient(sg_sample_conf.config)
          response = sg_client.create_security_group(
              name='test',
              vpc_id='vpc-icc3paqaf5g0',
              rules=[sg_rule_list])
          print(response)

          The parameters of create_security_group are as follows:

          Parameter name Type Required or not Description
          name String Yes The name of the created security group supports upper and lower case letters, numbers, Chinese characters and the special characters -_/. ; it must start with a letter and be 1-65 characters long.
          rules [SecurityGroupRuleModel] Yes List of security group rules bound when the security group is created
          vpc_id String No The VPC in which the security group is created
          desc String No Description of the created security group
          clientToken String No The idempotence token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          The rules parameter is a list and can include multiple security group rules. The parameters of a security group rule are as follows:

          Parameter name Type Description Required or not
          remark String Comment on the rule No
          direction String Direction of the rule: ingress or egress No
          ethertype String Network type: IPv4 or IPv6. When the value is null, IPv4 is taken by default. No
          portRange String Port range; a single port such as 80 can also be specified. When the value is null, the default value 1-65535 is taken. No
          protocol String Protocol type: tcp, udp or icmp. When the value is null, the default value all is taken. No
          sourceGroupId String Source security group ID No
          sourceIp String Source IP address; cannot be set together with sourceGroupId No
          destGroupId String Destination security group ID No
          destIp String Destination IP address; cannot be set together with destGroupId No
          securityGroupId String Security group ID No

          List of Security Group

          The following code can be used to list the security groups bound to an instance, together with their rules:

          sg_client = BccClient(sg_sample_conf.config)
          response = sg_client.list_security_groups(instance_id='$instance_id')
          print(response)

          The parameters of list_security_groups are as follows:

          Parameter name Type Required or not Description
          instanceId String No The instance id, used to query the list of security groups associated with that instance. To query all created security groups, leave this parameter out.
          vpcId String No The VPC id, used to query the list of security groups associated with that VPC.
          marker String No The starting position for paginated retrieval of the list; a string generated by the system.
          maxKeys int No Maximum number of entries per page, generally not exceeding 1000. The default value is 1000.

          Note: The returned information includes security_groups, a list of the security groups bound to the instance together with the rules in each security group.

          Delete Security Group

          The following code can be used to delete a security group:

          sg_client = BccClient(sg_sample_conf.config)
          response = sg_client.delete_security_group(security_group_id='$security_group_id')
          print(response)

          The main parameter of delete_security_group is security_group_id, which identifies the security group to be deleted.

          Note: The security_group_id can be obtained by listing security groups.

          Authorize Security Group Rule

          The following code can be used to authorize a security group rule:

          sg_client = BccClient(sg_sample_conf.config)
          sg_rule_list = SecurityGroupRuleModel(
              remark='Remark',
              direction='egress',
              portRange='1-65535',
              protocol='udp',
              sourceIp='172.16.0.0/12')
          response = sg_client.authorize_security_group_rule(
              security_group_id='$security_group_id',
              rule=sg_rule_list)
          print(response)

          authorize_security_group_rule is used to add a new rule to a security group; its parameters are as follows:

          Parameter name Type Required or not Description
          securityGroupId String Yes Id of the security group to which the new rule is added
          rule SecurityGroupRuleModel Yes The security group rule to be authorized
          clientToken String No The idempotence token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          Note: Within one security group, the sextuple (remark, protocol, direction, portRange, sourceIp or destIp, sourceGroupId or destGroupId) is used as a unique index. An error is reported if an identical rule already exists in the security group.
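As an added example (not code from the Baidu docs or the bce-sdk-python SDK), the following checks a rule against the constraints in the rule-parameter table and against the sextuple uniqueness note before it is handed to authorize_security_group_rule, so a bad or duplicate rule is caught locally. Rules are plain dicts keyed like SecurityGroupRuleModel; the sample rules are constructed, and applying the table's null-value defaults when comparing sextuples is an assumption.

```python
# Added example, not from the Baidu docs or the bce-sdk-python SDK: check a rule
# against the rule-parameter table and the sextuple uniqueness note before
# sending it to authorize_security_group_rule.
import re

PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def validate_rule(rule):
    """Return the list of constraint violations; an empty list means the rule is acceptable."""
    problems = []
    if rule.get("direction") not in ("ingress", "egress"):
        problems.append("direction must be ingress or egress")
    if (rule.get("protocol") or "all") not in ("tcp", "udp", "icmp", "all"):
        problems.append("protocol must be tcp, udp or icmp")
    m = PORT_RANGE.match(rule.get("portRange") or "1-65535")
    if m is None:
        problems.append("portRange must be a single port or low-high")
    else:
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= 65535:
            problems.append("portRange must lie within 1-65535 with low <= high")
    if rule.get("sourceIp") and rule.get("sourceGroupId"):
        problems.append("sourceIp and sourceGroupId cannot both be set")
    if rule.get("destIp") and rule.get("destGroupId"):
        problems.append("destIp and destGroupId cannot both be set")
    return problems

def rule_key(rule):
    """The (remark, protocol, direction, portRange, sourceIp|destIp, sourceGroupId|destGroupId)
    sextuple the note above calls unique; applying the table defaults here is an assumption."""
    return (rule.get("remark"), rule.get("protocol") or "all", rule.get("direction"),
            rule.get("portRange") or "1-65535",
            rule.get("sourceIp") or rule.get("destIp"),
            rule.get("sourceGroupId") or rule.get("destGroupId"))

def is_duplicate(new_rule, existing_rules):
    """True if the group already holds a rule with the same sextuple."""
    return rule_key(new_rule) in {rule_key(r) for r in existing_rules}

# Constructed sample: rules already in a group, and two candidate rules.
EXISTING = [{"remark": "Remark", "direction": "egress", "portRange": "1-65535",
             "protocol": "udp", "sourceIp": "172.16.0.0/12"}]
DUPLICATE = {"remark": "Remark", "direction": "egress", "protocol": "udp", "sourceIp": "172.16.0.0/12"}
BAD = {"direction": "in", "portRange": "80-70", "sourceIp": "10.0.0.0/8", "sourceGroupId": "g-x"}

if __name__ == "__main__":
    print(is_duplicate(DUPLICATE, EXISTING))  # same sextuple once the defaults apply
    print(validate_rule(BAD))
```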

          Delete Security Group Rule

          The following code can be used to revoke a security group rule:

          sg_client = BccClient(sg_sample_conf.config)
          sg_rule_list = SecurityGroupRuleModel(
              remark='Remark',
              direction='egress',
              portRange='1-65535',
              protocol='udp',
              sourceIp='172.16.0.0/12')
          response = sg_client.revoke_security_group_rule(
              security_group_id='$security_group_id',
              rule=sg_rule_list)
          print(response)

          revoke_security_group_rule is used to revoke a rule from a security group; its parameters are as follows:

          Parameter name Type Required or not Description
          securityGroupId String Yes Id of the security group whose rule is to be revoked
          rule SecurityGroupRuleModel Yes The security group rule to be revoked
          clientToken String No The idempotence token is an ASCII string with a length not exceeding 64 bits. Refer to ClientToken Idempotence for details.

          Note: Within one security group, the sextuple (remark, protocol, direction, portRange, sourceIp or destIp, sourceGroupId or destGroupId) is used as a unique index. An error is reported if an identical rule already exists in the security group.
