ACL
Initialization
Confirm Endpoint
Before using the SDK, confirm the endpoint your requests will be sent to. Baidu AI Cloud supports multiple regions; see the Region Selection Guide. North China - Beijing, South China - Guangzhou, East China - Suzhou, Hong Kong, Central China - Wuhan (Financial) and North China - Baoding are currently supported, with the following endpoints:
| Access region | Endpoint |
|---|---|
| North China-Beijing | bcc.bj.baidubce.com |
| South China-Guangzhou | bcc.gz.baidubce.com |
| East China-Suzhou | bcc.su.baidubce.com |
| Hong Kong | bcc.hkg.baidubce.com |
| Central China-Wuhan (Financial) | bcc.fwh.baidubce.com |
| North China-Baoding | bcc.bd.baidubce.com |
Retrieve access key
To manage ACLs on Baidu AI Cloud you need a valid AK (Access Key ID) and SK (Secret Access Key), which the SDK uses to sign every request. The AK identifies the caller; the SK is the secret from which the request signature is computed and must be kept confidential (keep it out of source control). Obtain them in two steps:
- Register a Baidu AI Cloud account
- Create an AK/SK
Create ACL client
The ACL client serves as an interface for ACL services, providing developers with an array of methods to interact with these services.
To create an AclClient, first build an AclConfigs array from the endpoint, AK and SK, then pass it to the AclClient constructor. Configuration example:
$AclConfigs = array(
    'credentials' => array(
        'ak' => '',   // Access Key ID
        'sk' => '',   // Secret Access Key; load from a secret store or environment rather than hard-coding it
    ),
    'endpoint' => 'bcc.bj.baidubce.com', // bj: North China - Beijing
);
$AclClient = new AclClient($AclConfigs);
ACL management
An access control list (ACL) is a firewall component of the VPC that enforces subnet-level access control policies, so that traffic rules can be configured for one or more subnets to meet different network security requirements. Before managing ACLs, note the following:
| Entry | ACL rules |
|---|---|
| ACL scope | An ACL belongs to a VPC and applies to the subnets within it |
| Control instance type | ACL access control policies apply to all instances under the subnet, including BCC, DCC, BBC, RDS, SCS, etc. |
| Default ACL rules | The system automatically creates a default ACL for each subnet, which includes a default rule that permits all traffic. Default rules cannot be modified. |
| Ingress or egress | Ingress and egress directions refer to the direction viewed from the perspective of an instance under the subnet |
| Maximum limit of rules | For rules under the same ACL, each direction supports up to 256 rules |
| Rule trigger | Once the traffic matches a rule in the ACL, the access control policy (allow/deny) is triggered without further matching against other rules |
| ACL status | ACLs are stateless: a rule filters traffic in its own direction only and does not automatically permit the return traffic of a flow, so the reverse direction needs its own rule. |
Create ACL
The createAclRule function creates one or more ACL rules in a single call. The function is defined as follows:
public function createAclRule($aclRules, $clientToken = null, $options = array()) {
    ......
}
aclRules includes the following parameters:
| Parameter name | Type | Required | Description |
|---|---|---|---|
| subnetId | String | Yes | Subnet ID |
| protocol | String | Yes | Protocol: all, tcp, udp or icmp |
| sourceIpAddress | String | Yes | Source IP address or CIDR block |
| destinationIpAddress | String | Yes | Destination IP address or CIDR block |
| sourcePort | String | Yes | Source port or port range, e.g., 1-65535 or 8080 |
| destinationPort | String | Yes | Destination port or port range, e.g., 1-65535 or 8080 |
| position | Integer | Yes | Priority, from 1 to 5000. Must be unique among the rules of the same direction. A lower value means a higher priority: rules are tried starting from the lowest value. |
| direction | String | Yes | Direction of the rule: ingress or egress |
| action | String | Yes | Policy: allow or deny |
| description | String | No | Remarks |
Note:
- ACL rules are evaluated starting from the lowest position value, so a rule with priority 50 is checked, and takes effect, before a rule with priority 100.
- Priorities must lie within the range given for position above. Leave significant gaps between rule priorities, such as 100, 200 and 300, so that rules can be inserted later without renumbering.
- Within the same direction (ingress or egress), no two rules can share a priority.
- For ingress rules, destinationIpAddress must fall within the subnet's CIDR range; for egress rules, sourceIpAddress must fall within the subnet's CIDR range.
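The following added example (PHP; not from the SDK or the Baidu documentation) applies the constraints listed above locally before any rule reaches createAclRule, and then evaluates sample traffic with the same first-match, stateless semantics described in the ACL management table. The subnet ID, CIDR and addresses are constructed for illustration; the position range 1-5000 is taken from the parameter table. It requires PHP 7.4 or later (arrow functions) on a 64-bit build.

```php
<?php
// Added example: local pre-flight checks for createAclRule input and a first-match
// evaluator with the stateless semantics of a VPC ACL. All IDs/addresses are sample data.

const POSITION_MIN = 1, POSITION_MAX = 5000; // range of the position parameter

// Build a rule array shaped like the createAclRule parameters (subnet ID is a placeholder).
function rule(string $direction, int $position, string $protocol, string $sourceIpAddress,
              string $sourcePort, string $destinationIpAddress, string $destinationPort, string $action): array
{
    return ['subnetId' => 'sbn-example'] + compact('direction', 'position', 'protocol',
        'sourceIpAddress', 'sourcePort', 'destinationIpAddress', 'destinationPort', 'action');
}

// True if $ip lies inside $cidr; a bare address counts as a /32 (assumes 64-bit PHP).
function cidrContains(string $cidr, string $ip): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// True if $port lies inside a port spec such as "443" or "1024-65535".
function portMatches(string $spec, int $port): bool
{
    [$lo, $hi] = array_pad(array_map('intval', explode('-', $spec, 2)), 2, null);
    return $port >= $lo && $port <= ($hi ?? $lo);
}

// Check a rule set against the documented constraints: valid direction, position in
// range and unique per direction, and the subnet-side address inside the subnet CIDR.
// Returns the list of problems; empty means the set can be submitted.
function validateAclRules(array $rules, string $subnetCidr): array
{
    $problems = [];
    $used = ['ingress' => [], 'egress' => []]; // positions already taken, per direction
    foreach ($rules as $i => $r) {
        $tag = "rule #$i";
        if (!isset($used[$r['direction']])) {
            $problems[] = "$tag: direction must be ingress or egress";
            continue;
        }
        $pos = $r['position'];
        if (!is_int($pos) || $pos < POSITION_MIN || $pos > POSITION_MAX) {
            $problems[] = "$tag: position must be an integer from " . POSITION_MIN . ' to ' . POSITION_MAX;
        } elseif (isset($used[$r['direction']][$pos])) {
            $problems[] = "$tag: position $pos is already used in {$r['direction']}";
        }
        $used[$r['direction']][$pos] = true;
        // destination for ingress, source for egress; the network part of a CIDR is checked
        $field = $r['direction'] === 'ingress' ? 'destinationIpAddress' : 'sourceIpAddress';
        $net = explode('/', $r[$field], 2)[0];
        if (!filter_var($net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || !cidrContains($subnetCidr, $net)) {
            $problems[] = "$tag: $field {$r[$field]} is outside subnet $subnetCidr";
        }
    }
    return $problems;
}

// Evaluate one packet the way the ACL does: rules of the packet's direction are tried
// from the lowest position upward, the first match decides, and with no match the
// default rule (permit all) applies.
function evaluate(array $rules, string $direction, string $proto,
                  string $src, int $sport, string $dst, int $dport): string
{
    $candidates = array_filter($rules, fn($r) => $r['direction'] === $direction);
    usort($candidates, fn($a, $b) => $a['position'] <=> $b['position']);
    foreach ($candidates as $r) {
        if ($r['protocol'] !== 'all' && $r['protocol'] !== $proto) continue;
        if (!cidrContains($r['sourceIpAddress'], $src) || !cidrContains($r['destinationIpAddress'], $dst)) continue;
        if (!portMatches($r['sourcePort'], $sport) || !portMatches($r['destinationPort'], $dport)) continue;
        return "{$r['action']} (position {$r['position']})";
    }
    return 'allow (default rule)';
}

$subnet = '192.168.0.0/20';
$rules = [
    rule('ingress', 100, 'tcp', '0.0.0.0/0', '1-65535', $subnet, '443', 'allow'),
    rule('ingress', 4000, 'all', '0.0.0.0/0', '1-65535', $subnet, '1-65535', 'deny'),
    rule('egress', 4000, 'all', $subnet, '1-65535', '0.0.0.0/0', '1-65535', 'deny'),
];
$problems = validateAclRules($rules, $subnet);
echo 'pre-flight: ', $problems ? implode('; ', $problems) : 'ok', "\n";

// A client outside the VPC opens an HTTPS connection to a server in the subnet.
[$client, $server] = ['203.0.113.5', '192.168.1.10'];
echo 'request: ', evaluate($rules, 'ingress', 'tcp', $client, 51000, $server, 443), "\n";
// The reply is egress traffic. Nothing remembers the inbound connection (the ACL is
// stateless), so the reply is judged on its own and hits the egress catch-all deny.
echo 'reply:   ', evaluate($rules, 'egress', 'tcp', $server, 443, $client, 51000), "\n";

// Return traffic needs its own rule: subnet:443 back to the client's ephemeral port.
$rules[] = rule('egress', 200, 'tcp', $subnet, '443', '0.0.0.0/0', '1024-65535', 'allow');
echo 'reply with egress allow: ', evaluate($rules, 'egress', 'tcp', $server, 443, $client, 51000), "\n";

// A second ingress rule at position 4000 is caught locally instead of by the API.
$rules[] = rule('ingress', 4000, 'udp', '0.0.0.0/0', '1-65535', $subnet, '53', 'allow');
echo 'pre-flight: ', implode('; ', validateAclRules($rules, $subnet)), "\n";
```

The evaluator deliberately treats a bare address such as 192.168.0.0 as a single host (/32), which is how the page's own createAclRule example would be interpreted if a whole subnet was intended; write the CIDR explicitly when you mean a range.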
Usage examples are as follows:
// AclRule arguments: subnetId, protocol, sourceIp, destinationIp, sourcePort, destinationPort, position, direction, action
$aclrule = new AclRule($subnetId, "tcp", "192.168.0.0", "192.168.0.0/20", "1-65535", "443", 55, "ingress", "allow");
$aclRules = array($aclrule);   // createAclRule takes a list, so several rules can be created in one call
$resp = $this->client->createAclRule($aclRules);
print_r($resp);
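Because the ACL is stateless, an ingress allow on its own only covers the request half of a connection. The added example below (not from the SDK documentation) creates the ingress/egress rule pair an HTTPS service needs, plus explicit catch-all denies, in one createAclRule call with an idempotency token. It assumes the bce-sdk-php Composer autoloader, that AclClient and AclRule live under the BaiduBce\Services\Vpc namespace and that request failures surface as BaiduBce\Exception\BceServiceException (both assumed; adjust to the SDK version you installed); the subnet ID and CIDR are placeholders.

```php
<?php
// Added example (not part of the SDK docs): create the ingress/egress rule pair a
// stateless ACL needs for an HTTPS service, plus catch-all denies, in a single call.
// Assumed: bce-sdk-php autoloader, AclClient/AclRule under BaiduBce\Services\Vpc,
// and BaiduBce\Exception\BceServiceException for service-side errors.
require_once __DIR__ . '/vendor/autoload.php';

use BaiduBce\Services\Vpc\AclClient;
use BaiduBce\Services\Vpc\AclRule;

$client = new AclClient([
    'credentials' => [
        'ak' => getenv('BCE_AK'), // keep credentials in the environment, not in code
        'sk' => getenv('BCE_SK'),
    ],
    'endpoint' => 'bcc.bj.baidubce.com',
]);

$subnetId   = 'sbn-xxxxxxxx';    // placeholder subnet ID
$subnetCidr = '192.168.0.0/20';  // the subnet's own CIDR; required on the subnet side of each rule
$anywhere   = '0.0.0.0/0';

// Argument order follows the page's AclRule example:
// subnetId, protocol, sourceIp, destinationIp, sourcePort, destinationPort, position, direction, action
$rules = [
    // 1. clients anywhere -> subnet:443
    new AclRule($subnetId, 'tcp', $anywhere, $subnetCidr, '1-65535', '443', 100, 'ingress', 'allow'),
    // 2. replies: subnet:443 -> the client's ephemeral port. Without this the ACL, being
    //    stateless, drops the server's responses as soon as an egress deny exists.
    //    Position 100 can be reused here because positions are unique per direction only.
    new AclRule($subnetId, 'tcp', $subnetCidr, $anywhere, '443', '1024-65535', 100, 'egress', 'allow'),
    // 3. explicit catch-all denies at a high position value (lowest priority), leaving
    //    room to insert further allows in front of them later
    new AclRule($subnetId, 'all', $anywhere, $subnetCidr, '1-65535', '1-65535', 4000, 'ingress', 'deny'),
    new AclRule($subnetId, 'all', $subnetCidr, $anywhere, '1-65535', '1-65535', 4000, 'egress', 'deny'),
];

// A fresh random clientToken lets a timed-out request be retried with the same token
// without creating the rules twice.
$clientToken = bin2hex(random_bytes(16));

try {
    $resp = $client->createAclRule($rules, $clientToken);
    print_r($resp);
} catch (\BaiduBce\Exception\BceServiceException $e) {
    // Service-side rejection, e.g. a duplicate position or an address outside the subnet CIDR
    fwrite(STDERR, 'createAclRule rejected: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Creating the allows and the denies in the same request avoids a window in which the deny-all is live but the allows are not; if you must add them in separate calls, create the allows first.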
List ACLs
ACL listings can be grouped into two categories: listing all ACL rules in a VPC and listing all ACL rules in a specific subnet.
List all ACLs within a VPC
The getAcl function can be used to list all ACLs within a VPC. The function is defined as follows:
public function getAcl($vpcId, $options = array()) {
    ......
}
Usage examples are as follows:
$resp = $this->client->getAcl($vpcId);   // pass the VPC ID variable, not the literal string '$vpcId'
print_r($resp);
List all ACLs in a subnet
The listAclRules function can be used to list all ACLs within a Subnet. The function is defined as follows:
public function listAclRules($subnetId, $marker = null, $maxkeys = null, $options = array()) {
    ......
}
Usage examples are as follows:
$resp = $this->client->listAclRules($subnetId);   // $marker and $maxkeys page through long rule lists
print_r($resp);
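The added example below (PHP; not from the SDK documentation) pages through listAclRules with marker and maxkeys, prints each direction's rules in evaluation order and flags a direction that has no explicit deny-all rule, since unmatched traffic then falls through to the default permit-all rule. It assumes AclClient under BaiduBce\Services\Vpc and a list response object carrying aclRules, isTruncated and nextMarker, which follows the BCE list-API convention but should be checked against your SDK version; the subnet ID is a placeholder.

```php
<?php
// Added example (not from the SDK docs): page through listAclRules and audit the
// rule order per direction. Assumed: AclClient under BaiduBce\Services\Vpc; list
// responses expose aclRules, isTruncated and nextMarker (BCE list-API convention).
require_once __DIR__ . '/vendor/autoload.php';

use BaiduBce\Services\Vpc\AclClient;

// Collect every rule of the subnet, following nextMarker until the last page,
// grouped by direction and sorted by position (lowest value is matched first).
function collectAclRules(AclClient $client, string $subnetId, int $pageSize = 100): array
{
    $byDirection = ['ingress' => [], 'egress' => []];
    $marker = null;
    do {
        $resp = $client->listAclRules($subnetId, $marker, $pageSize);
        foreach ($resp->aclRules ?? [] as $rule) {
            $byDirection[$rule->direction][] = $rule;
        }
        $marker = !empty($resp->isTruncated) ? ($resp->nextMarker ?? null) : null;
    } while ($marker !== null);
    foreach ($byDirection as &$rules) {
        usort($rules, fn($a, $b) => $a->position <=> $b->position);
    }
    unset($rules);
    return $byDirection;
}

function auditAcl(AclClient $client, string $subnetId): void
{
    foreach (collectAclRules($client, $subnetId) as $direction => $rules) {
        echo "== $direction ==\n";
        $hasCatchAllDeny = false;
        foreach ($rules as $r) {
            // Default rules show no aclRuleId and cannot be updated or deleted.
            $id = $r->aclRuleId ?? '(default rule)';
            printf("%5d %-5s %-4s %s:%s -> %s:%s  %s\n", $r->position, $r->action, $r->protocol,
                $r->sourceIpAddress, $r->sourcePort, $r->destinationIpAddress, $r->destinationPort, $id);
            if (isset($r->aclRuleId) && $r->action === 'deny' && $r->protocol === 'all') {
                $hasCatchAllDeny = true;
            }
        }
        if (!$hasCatchAllDeny) {
            echo "warning: no explicit deny-all rule in $direction; unmatched traffic is allowed by the default rule\n";
        }
    }
}

$client = new AclClient([
    'credentials' => ['ak' => getenv('BCE_AK'), 'sk' => getenv('BCE_SK')],
    'endpoint' => 'bcc.bj.baidubce.com',
]);
auditAcl($client, 'sbn-xxxxxxxx'); // placeholder subnet ID
```

The aclRuleId values printed by this audit are the ones updateAclRule and deleteAclRule expect; run it again after a change to confirm the new rule landed at the intended position relative to the catch-all.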
Update ACL
The updateAclRule function updates an existing ACL rule. The function is defined as follows:
public function updateAclRule($aclRuleId, $description = null, $protocol = null, $sourceIpAddress = null,
                              $destinationIpAddress = null, $sourcePort = null, $destinationPort = null,
                              $position = null, $action = null, $clientToken = null, $options = array()) {
    ......
}
The updateAclRule parameters are aclRuleId, which identifies the rule to modify, followed by the updatable fields; their meaning and constraints are those given in the createAclRule parameter table above. Only aclRuleId is required; the remaining parameters default to null. subnetId and direction are not parameters of updateAclRule and cannot be changed on an existing rule; create a new rule instead.
Note: Updated field values must still satisfy the requirements for each field, in particular that the new position is unused in the rule's direction.
Usage examples are as follows:
// Arguments: aclRuleId, description, protocol, sourceIp, destinationIp, sourcePort, destinationPort, position (integer), action
$resp = $this->client->updateAclRule($aclRuleId, 'aaaaaaaa', 'tcp', '192.168.0.0', '192.168.0.0/20', '1-65535', '22', 334, 'allow');
print_r($resp);
Delete ACL
The deleteAclRule function deletes an ACL rule. The function is defined as follows:
public function deleteAclRule($aclRuleId, $clientToken = null, $options = array()) {
    ......
}
The main deleteAclRule parameter is aclRuleId, which identifies the ACL rule to delete.
Note: aclRuleId can be obtained by listing ACLs. Default ACL rules do not display aclRuleId and cannot be updated or deleted.
Usage examples are as follows:
$resp = $this->client->deleteAclRule($aclRuleId);   // aclRuleId as returned by listAclRules
print_r($resp);
