Use proxy access


If your servers, such as hosts and containers, are in environments that cannot directly connect to Security Center—like on-premises data centers, hybrid clouds, or restricted VPCs—you can use a proxy server to establish a connection. This article describes how to use proxy access to connect your servers to Security Center for protection.

Use cases

Restricted Alibaba Cloud VPCs

If your Alibaba Cloud VPC has extensive access restrictions that prevent a direct connection to Security Center, you can use proxy access to connect your ECS instances to Security Center for protection.


On-premises data centers


Hybrid clouds


Limitations

Prerequisites

  • Prepare one or more servers with internet access to use as proxy servers. Ensure the proxy servers meet the following requirements:

    • Sufficient network bandwidth is reserved. 10 Kbit/s of bandwidth must be reserved on the proxy server for each connected server. For example, if you plan to connect 50 servers, the proxy server must have at least 500 Kbit/s of reserved bandwidth.

    • Ports 80, 443, and 8080 are open on the proxy server to allow inbound connections from the hosts and containers you want to protect.

    • If you use multiple proxy servers, we recommend you use a domain name as the access address. Ensure that you have a registered domain name that can resolve to the IP addresses of the proxy servers, a load balancing IP address, or a virtual IP address (VIP).

    Important
    • A single 8-core, 16 GB proxy server can support up to 6,000 hosts or containers. Plan your proxy server specifications and quantity based on your business requirements.

    • If you do not use a domain name as the access address, for example, if you use a public IP address to connect to Security Center, we recommend you set up a proxy cluster with multiple servers to ensure connection stability.

  • For hybrid cloud scenarios, ensure that you have established network connectivity between your third-party cloud servers and your Alibaba Cloud VPC.
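The following is an added example, not part of this documentation: a small check you can run from a host that will be connected, to confirm that the proxy address resolves and that TCP ports 80, 443 and 8080 on the proxy accept connections as the prerequisites require. The `demo_with_local_listener` function is a constructed offline self-check against loopback ports, not a real proxy.

```python
# Added example (not Security Center code): verify the proxy-access prerequisites from a host.
import socket
from typing import Dict, List

PROXY_PORTS = (80, 443, 8080)  # ports the prerequisites require to be open on the proxy


def resolve_proxy(address: str) -> List[str]:
    """Return the IP addresses the proxy address resolves to (a plain IP resolves to itself)."""
    infos = socket.getaddrinfo(address, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_proxy_ports(address: str, ports=PROXY_PORTS, timeout: float = 3.0) -> Dict[int, bool]:
    """TCP-connect to each port; True means the proxy accepted the connection."""
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((address, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, or unresolvable
            results[port] = False
    return results


def missing_ports(address: str, ports=PROXY_PORTS, timeout: float = 3.0) -> List[int]:
    """Ports from the prerequisite list that are not reachable; an empty list means the proxy passes."""
    return [p for p, ok in check_proxy_ports(address, ports, timeout).items() if not ok]


def demo_with_local_listener() -> Dict[str, object]:
    """Constructed offline self-check: one listening loopback port and one closed one."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()            # grab a second ephemeral port, then release it
    probe.bind(("127.0.0.1", 0))       # so that nothing listens there
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return {"resolved": resolve_proxy("127.0.0.1"),
                "missing": missing_ports("127.0.0.1", (open_port, closed_port), timeout=1.0),
                "closed_port": closed_port}
    finally:
        listener.close()


if __name__ == "__main__":
    print(missing_ports("proxy.example.internal"))  # placeholder address; replace with your cluster Address
```

Run `missing_ports` against the cluster Address from each network segment you plan to connect; any port it returns must be opened before the agents can reach the proxy.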

Step 1: Create a proxy cluster

  1. Log on to the Security Center console.

  2. In the left navigation bar, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the asset you want to protect is located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Agent > Proxy Access tab, click Create Cluster.

  4. In the Create Cluster dialog box, configure the cluster name, communication address, and remarks, and click OK.

    Address: Enter the IP address or domain name of the proxy server. After you create a cluster, hosts or containers in the cluster use the Address to connect to the proxy server.

    Important
    • When Address is set to the IP address of a proxy server, you can configure only one proxy server. This method is recommended when you need to connect a small number of hosts or containers, for example, five.

    • If you need to set up multiple proxy servers, we recommend that you use a domain name as the Address. Ensure that the domain name can be resolved to the IP addresses of the proxy servers, a load balancing IP address, or a virtual IP address (VIP).

    • After a cluster is created, you cannot modify its name and address. Provide a descriptive name and a reachable address.

Step 2: Deploy the proxy server

  1. On the Agent > Proxy Access tab, in the Actions column of the target cluster, click Deploy Proxy.

  2. In the Deploy Proxy Server panel, select the deployment mode and configure it accordingly.

    If the Security Center agent is already installed and online on your proxy server, you can select Quick Deployment. If the Security Center agent is not installed, deploy the proxy manually.

    • Quick Deployment

      When you select the Quick Deployment mode, you need to select a Linux server from the asset list to use as the proxy server, and then click OK.

    • Manual Deployment

      When you select the Manual Deployment method, you must copy the manual deployment command from the page. Then, log on to the proxy server by using an administrator account and run the manual deployment command in the command line.

    Approximately five minutes after the deployment is complete, you can view the online status of the proxy server on the Agent > Proxy Access tab.


Note

After you deploy the proxy server, if the Security Center agent is not installed on it, the server can only function as a proxy. It will not be protected by features such as vulnerability detection or baseline checks. To protect the proxy server itself, install the Security Center agent on it. For more information, see Install the agent.

Step 3: Connect agents to the proxy cluster

After you create the cluster and deploy the proxy server, you can connect servers to the cluster as agents. This enables the servers to connect to Security Center through the proxy.

Important
  • A single 8-core, 16 GB proxy server can support up to 6,000 hosts or containers.

  • Whether you are directly selecting servers or using an installation command, you can connect a maximum of 500 hosts per batch. Wait at least one minute between batches.

  1. On the Agent > Proxy Access tab, in the Actions column of the target cluster, click Install Agent.

  2. In the Install Agent panel, select an installation mode and configure the settings accordingly.

    If the Security Center agent is already installed and online on the server you want to connect, you can directly select the server. If the Security Center agent is not installed, connect it manually by using an installation command.

    • Directly select servers

      In the asset list, select the servers to add, and click OK.

    • Use an installation command

      1. Click Generate Installation Command.

      2. On the Agent > Installation Command tab, click Create Installation Command.

      3. In the Create Installation Command dialog box, configure the parameters, and click OK.

        Parameter

        Description

        Expiration Time

        The expiration time of the installation command.

        Service Provider

        The service provider of the server.

        Default Group

        The group for the server in the host assets list of Security Center.

        OS

        The operating system of the server.

        Create Image System

        For Create an image for the server, keep the default option No.

        Select Proxy

        Select Self-managed Proxy Cluster, and select the proxy cluster to connect.

      4. In the command list, view and copy the installation command.

      5. Log on to the server with administrator privileges and run the installation command for the server's operating system.

        Five minutes after the installation is complete, you can click the number in the Client Connected column of the proxy cluster to view the list of servers connected through the proxy.

(Optional) Step 4: Configure a proxy cluster policy

By default, the proxy server sends the data it collects back to Security Center, with no limits on bandwidth or transmission frequency. If you need to change the data transmission mode or set limits, follow these steps.

  1. On the Agent > Proxy Access tab, in the Actions column of the target cluster, click Proxy Settings.

  2. In the Proxy Settings dialog box, configure the settings, and click OK.

    For the data transmission method, you can select Send Data Back to Management Center or Directly Cache to Specified Directory.

    Transmission mode

    Description

    Send Data Back to Management Center

    Data is sent to Security Center for risk and threat detection.

    If you select this mode, you can manually set the bandwidth and frequency for communication between the proxy server and Security Center. Options include:

    • Unlimited: Indicates that there is no limit on the bandwidth or frequency used for communication between the proxy server and the Security Center server.

    • Custom: Set the bandwidth or frequency for communication between the proxy server and the Security Center server based on your actual usage.

    Important

    Set the bandwidth and frequency control parameters so that the proxy's bandwidth usage and communication-related processes do not exceed 60% of its total resources.

    Directly Cache to Specified Directory

    Caches data to a specified directory so you can perform risk and threat detection within your own network, such as on-premises data centers or VPCs.

    If you select this mode, logs are stored by default in the /usr/local/aegis/proxy/log/export.log file on the proxy server. You can change the cache directory.

    Note

    The cache directory can store a maximum of 10 GB of data. When this limit is exceeded, the system cyclically overwrites the oldest logs.

More operations

View proxy cluster information

  1. Log on to the Security Center console.

  2. In the left navigation bar, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the asset you want to protect is located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Agent > Proxy Access tab, you can perform the following operations.

    • View basic cluster information

      You can view information such as the proxy cluster name, address, number of connected agents, and cluster status. A cluster can have one of the following statuses:

      • Online: At least one proxy server in the cluster is online.

      • Offline: The cluster has no proxy servers, or all proxy servers in the cluster are offline.

    • View the proxy server list

      In the Server Information column of the target cluster, click the server icon to view the list of proxy servers. Hover over the asset information of a target proxy server to view its basic information. The Agent Status field shows the online status of the Security Center agent.

    • View the connected agent list

      Click the corresponding number in the Client Connected column for the target cluster to view a list of connected servers. You can view the asset information, group, OS type, service provider, region, tags, and agent status of the servers.


Delete a cluster

If you no longer need Security Center to protect servers connected through a proxy, you must delete the connected servers, proxy servers, and the proxy cluster in that order.

  1. Remove the connected servers from the proxy cluster.

    1. On the Agent > Proxy Access tab, in the Actions column of the target cluster, click Install Agent.

    2. In the Install Agent panel, deselect all servers with the agent installed, and click OK.

    This operation unbinds all servers from the proxy cluster but does not uninstall the Security Center agent from the servers. If you need to uninstall the Security Center agent, run the uninstallation command on the server. For more information, see Uninstall agent.

  2. Uninstall the proxy server.

    You can delete a proxy server only when it is offline. Therefore, you must first stop the aegis proxy process to bring the server offline.

    1. Log on to the proxy server with an administrator account and run the following commands to stop the aegis proxy process.

      ps -ef | grep aegis
      kill PID	# The PID of the /usr/local/aegis/proxy/SasClientProxy process
      Note

      If you receive a permission denied error, you must first disable client protection. For more information, see Configure agent capabilities.

    2. On the Agent > Proxy Access tab, click the server icon in the Server Information column for the target cluster.

    3. In the Server Information panel, click Delete in the Actions column for each proxy server.


  3. After you delete all proxy servers from the proxy cluster, in the Actions column for the proxy cluster, click Delete to delete the cluster.

Upgrade the proxy version

Security Center continuously releases new proxy server versions. You can upgrade your proxy servers as needed.

  1. Log on to the Security Center console.

  2. In the left navigation bar, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets you want to protect are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Agent > Proxy Access tab, in the Server Information column of the target cluster, click the server icon.

  4. In the Server Information panel, in the Actions column of the target proxy server, click Upgrade.

    If the Upgrade button is grayed out, this means that the agent on the proxy server is up to date or the Security Center agent is offline. If the Security Center agent is offline, you must troubleshoot the issue to bring the agent online before you perform the upgrade. For more information about how to troubleshoot an offline agent, see Troubleshoot offline agents.

FAQ

Can a proxy cluster be used across Alibaba Cloud accounts?

No. An ECS instance in Alibaba Cloud account B cannot use a proxy cluster created under account A to connect to Security Center.

Security Center provides the multi-account security management feature to centrally manage security configurations, including asset connection, and handle security risks across multiple Alibaba Cloud accounts. We recommend using this feature. For more information, see multi-account security management.