Security group
Initialization
Confirm Endpoint
When confirming SDK usage and configuring the endpoint, understand the related concepts of an endpoint. Baidu AI Cloud currently supports multiple regions; please refer to the Region Selection Guide. North China-Beijing, South China-Guangzhou, East China-Suzhou, Hong Kong, Central China-Wuhan (Financial) and North China-Baoding are supported currently. The corresponding endpoints are as follows:
| Access region | Endpoint |
|---|---|
| North China-Beijing | bcc.bj.baidubce.com |
| South China-Guangzhou | bcc.gz.baidubce.com |
| East China-Suzhou | bcc.su.baidubce.com |
| Hong Kong | bcc.hkg.baidubce.com |
| Central China-Wuhan (Financial) | bcc.fwh.baidubce.com |
| North China-Baoding | bcc.bd.baidubce.com |
Retrieve access key
To use the security group of Baidu AI Cloud, you need a valid AK (Access Key ID) and SK (Secret Access Key) for signature authentication. AK/SK are system-assigned strings used to identify users and perform signature authentication for BOS. Your AK/SK can be obtained through the following steps:
- Register a Baidu AI Cloud account
- Create AK/SK
Create BccClient
The BccClient enables developers to interact with the security group service by providing a variety of methods.
When creating a new BccClient, first configure BccConfigs using the endpoint, AK, and SK, then use the BccConfigs instance to configure the BccClient. A configuration example is as follows (the SDK's BccClient class must already be loaded):
```php
$BccConfigs = array(
    'credentials' => array(
        'ak' => '',   // Access Key ID
        'sk' => '',   // Secret Access Key; load from a secure store rather than hard-coding
    ),
    'endpoint' => 'bcc.bj.baidubce.com', // bj: North China-Beijing
);
$BccClient = new BccClient($BccConfigs);
```
Security group management
- When creating a BCC instance, you have the option to use either the default security group or a custom security group.
- Every BCC instance must be associated with a security group.
- Each BCC instance can associate with up to 10 security groups. When associated with multiple groups, the effective rules for the instance will be the combined rules from all associated groups.
- Users can allow communication between all BCC instances associated with the same security group or between instances belonging to different security groups. By default, all BCC instances in the same security group can communicate with each other.
- Security group association for BCC instances at the group level is not supported; instances can only be added to security groups.
- Default security groups cannot be deleted, but their rules can be added, removed, or modified. Only the default security group includes a "One-click Restoration to Initial Setting" option.
Default security group rules:
- Ingress: Allows unrestricted access to all ports, permitting traffic from all external IPs to enter all ports associated with the BCC.
- Egress: Grants access to all ports, allowing all ports associated with BCC to connect to any external IP ports.
Create security group
The createSecurityGroup function can be used to create a security group. The function is defined as follows:
```php
public function createSecurityGroup($name, $rules, $vpcId=null, $desc=null, $clientToken=null, $options = array()) {
    ......
}
```
The parameters for createSecurityGroup are as follows:
| Parameter name | Types | Whether required | Description |
|---|---|---|---|
| name | String | Yes | The security group name to be created can include uppercase and lowercase letters, numbers, Chinese characters, and special characters like _, /, starting with a letter and ranging from 1 to 65 characters in length. |
| rules | [SecurityGroupRuleModel] | Yes | List of security group rules bound when creating the security group |
| vpcId | String | No | Specify the VPC when creating a security group |
| desc | String | No | Description information of the created security group |
| clientToken | String | No | Idempotence Token, which is an ASCII string with a length not exceeding 64 bits. For details, refer to ClientToken Idempotence. |
The fields of SecurityGroupRuleModel (the rule objects passed in rules) are as follows:
| Parameter name | Types | Whether required | Description |
|---|---|---|---|
| remark | String | No | Remarks |
| direction | String | No | Rule direction: either ingress or egress. |
| ethertype | String | No | Network type, either IPv4 or IPv6. Defaults to IPv4 when null. |
| portRange | String | No | Port range; a single port such as 80 can be specified. Defaults to 1-65535 if no value is provided. |
| protocol | String | No | Protocol type: TCP, UDP, or ICMP. Defaults to "all" if no value is provided. |
| sourceGroupId | String | No | Source security group ID |
| sourceIp | String | No | Source IP address; cannot be set together with sourceGroupId. |
| destGroupId | String | No | Destination security group ID |
| destIp | String | No | Destination IP address; cannot be set together with destGroupId. |
| securityGroupId | String | No | Security group ID |
Usage examples are as follows:
```php
$securityGroupName = 'test';
// Arguments follow the field order of the rule table above:
// remark, direction, ethertype, portRange, protocol, sourceGroupId, sourceIp.
// This rule admits TCP on every port from any source; narrow portRange/sourceIp in production.
$rule = new SecurityGroupRuleModel('test_rule', 'ingress', null, '1-65535', 'tcp', '', '');
$rules = array($rule);
$resp = $this->client->createSecurityGroup($securityGroupName, $rules, null);
print_r($resp);
```
List security groups
The listSecurityGroups function can be used to list security groups. The function is defined as follows:
```php
public function listSecurityGroups($instanceId=null, $vpcId=null, $marker=null, $maxKeys=null, $options = array()){
    ......
}
```
listSecurityGroups parameters are as follows:
| Parameter name | Types | Whether required | Description |
|---|---|---|---|
| instanceId | String | No | Instance ID, used to get the list of security groups linked to the instance. Leave this parameter empty to query all created security groups. |
| vpcId | String | No | VPC instance ID, used to retrieve the list of security groups associated with the instance. |
| marker | String | No | Starting position of the paginated list query; a system-generated string |
| maxKeys | int | No | The maximum number of items per page is 1,000, with a default value of 1,000. |
Usage examples are as follows:
```php
$resp = $this->client->listSecurityGroups($this->instanceId);
print_r($resp);
```
Delete a security group
The deleteSecurityGroup function can be used to delete a security group. The function is defined as follows:
```php
public function deleteSecurityGroup($securityGroupId, $options = array()) {
    ......
}
```
The deleteSecurityGroup parameter mainly includes securityGroupId, which represents the security group to be deleted.
Note: securityGroupId can be obtained by listing security groups.
Usage examples are as follows:
```php
$resp = $this->client->deleteSecurityGroup($this->securityGroupId);
print_r($resp);
```
Authorize security group rules
The authorizeSecurityGroupRule function can be used to authorize new security group rules within a security group. The function is defined as follows:
```php
public function authorizeSecurityGroupRule($securityGroupId, $rule, $clientToken=null, $options = array()) {
    ......
}
```
The parameters for authorizeSecurityGroupRule are as follows:
| Parameter name | Types | Whether required | Description |
|---|---|---|---|
| securityGroupId | String | Yes | ID of the security group for which new rules are to be authorized |
| rule | SecurityGroupRuleModel | Yes | Security group rules to be authorized |
| clientToken | String | No | Idempotence Token, which is an ASCII string with a length not exceeding 64 bits, see details in ClientToken Idempotence. |
Note: Within the same security group, rules are uniquely indexed based on the six-tuple combination of remark, protocol, direction, portRange, sourceIp | destIp, and sourceGroupId | destGroupId. If an identical rule already exists in the security group, an error will be reported.
Usage examples are as follows:
```php
$direction = 'ingress';
$portRange = '80-90';
$protocol = 'tcp';
// remark and ethertype are left null (ethertype defaults to IPv4); no source is given,
// so the rule carries the service defaults for the source fields.
$rule = new SecurityGroupRuleModel(null, $direction, null, $portRange, $protocol);
$resp = $this->client->authorizeSecurityGroupRule($this->securityGroupId, $rule);
print_r($resp);
```
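The following added example (not code from the SDK documentation) builds on the default-rule section and the six-tuple note above: it defines a least-privilege rule set in place of the default open ingress, and a local duplicate check keyed on the six-tuple before calling authorizeSecurityGroupRule. It assumes the positional constructor order of SecurityGroupRuleModel matches the field table, that `$client` is a configured BccClient, and uses a placeholder security group ID.

```php
<?php
// Added example (not from the SDK docs). Assumes the SDK autoloader is loaded, $client is a
// configured BccClient, and SecurityGroupRuleModel's positional constructor follows the field
// table order: remark, direction, ethertype, portRange, protocol, sourceGroupId, sourceIp, destGroupId, destIp.
function toModel(array $r): SecurityGroupRuleModel
{
    return new SecurityGroupRuleModel(
        $r['remark'] ?? null, $r['direction'], $r['ethertype'] ?? null,
        $r['portRange'] ?? null, $r['protocol'] ?? null,
        $r['sourceGroupId'] ?? null, $r['sourceIp'] ?? null,
        $r['destGroupId'] ?? null, $r['destIp'] ?? null
    );
}
// Six-tuple the service indexes rules by: remark, protocol, direction, portRange,
// sourceIp|destIp, sourceGroupId|destGroupId. Unset portRange/protocol are normalised to the
// documented defaults so a rule created with defaults matches one that spells them out.
function ruleKey(array $r): string
{
    $in = ($r['direction'] === 'ingress');
    return implode('|', array(
        $r['remark'] ?? '', $r['protocol'] ?? 'all', $r['direction'], $r['portRange'] ?? '1-65535',
        $in ? ($r['sourceIp'] ?? '') : ($r['destIp'] ?? ''),
        $in ? ($r['sourceGroupId'] ?? '') : ($r['destGroupId'] ?? ''),
    ));
}
// Least-privilege replacement for the default group's "all ports from all IPs" ingress:
// SSH only from the operator network, public HTTP/HTTPS, unrestricted egress.
function webTierRules(string $adminCidr): array
{
    return array(
        array('remark' => 'ssh-admin', 'direction' => 'ingress', 'portRange' => '22', 'protocol' => 'tcp', 'sourceIp' => $adminCidr),
        array('remark' => 'http', 'direction' => 'ingress', 'portRange' => '80', 'protocol' => 'tcp', 'sourceIp' => '0.0.0.0/0'),
        array('remark' => 'https', 'direction' => 'ingress', 'portRange' => '443', 'protocol' => 'tcp', 'sourceIp' => '0.0.0.0/0'),
        array('remark' => 'egress-all', 'direction' => 'egress', 'destIp' => '0.0.0.0/0'),
    );
}
// Authorize $new only when its six-tuple is absent from $existing (the rule specs the caller
// tracks locally), so a duplicate never reaches the API and triggers the error described above.
function authorizeIfNew($client, string $sgId, array $existing, array $new)
{
    $known = array_flip(array_map('ruleKey', $existing));
    return isset($known[ruleKey($new)]) ? null : $client->authorizeSecurityGroupRule($sgId, toModel($new));
}
$rules = webTierRules('203.0.113.0/24');  // constructed operator CIDR (TEST-NET-3)
print_r($client->createSecurityGroup('web-tier', array_map('toModel', $rules), null, 'least-privilege web tier'));
$sgId = 'sg-PLACEHOLDER';                 // look the new group's ID up with listSecurityGroups
authorizeIfNew($client, $sgId, $rules, $rules[2]);  // identical six-tuple: skipped locally
authorizeIfNew($client, $sgId, $rules, array('direction' => 'ingress', 'portRange' => '8443', 'protocol' => 'tcp', 'sourceIp' => '0.0.0.0/0'));  // new: sent
```

The local check only covers rules the caller tracks itself; rules added elsewhere still surface as the documented duplicate error from the API.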
Revoke security group rules
The revokeSecurityGroupRule function can be used to revoke security group rules within a security group. The function is defined as follows:
```php
public function revokeSecurityGroupRule($securityGroupId, $rule, $clientToken=null, $options = array()){
    ......
}
```
revokeSecurityGroupRule parameters are as follows:
| Parameter name | Types | Whether required | Description |
|---|---|---|---|
| securityGroupId | String | Yes | The ID of the security group for which the security group rule is to be revoked |
| rule | SecurityGroupRuleModel | Yes | The security group rule to be revoked |
| clientToken | String | No | Idempotence Token, which is an ASCII string with a length not exceeding 64 bits, see details in ClientToken Idempotence. |
Note: Within the same security group, rules are uniquely indexed based on the six-tuple combination of remark, protocol, direction, portRange, sourceIp | destIp, and sourceGroupId | destGroupId. If an identical rule already exists in the security group, an error will be reported.
Usage examples are as follows:
```php
$direction = 'ingress';
$portRange = '80-90';
$protocol = 'tcp';
// The rule to revoke must match the authorized rule's six-tuple exactly
// (remark, protocol, direction, portRange, source/dest IP, source/dest group).
$rule = new SecurityGroupRuleModel(null, $direction, null, $portRange, $protocol);
$resp = $this->client->revokeSecurityGroupRule($this->securityGroupId, $rule);
print_r($resp);
```
