Security Center launches a security solution that allows you to deploy Security Center on a hybrid cloud. When you deploy the security solution, you must create a virtual private cloud (VPC), configure a hybrid cloud network, and install the Security Center agent. This topic describes how to prepare a network environment and install the Security Center agent.

Step 1: Create a VPC

If you have created a VPC on Alibaba Cloud, skip this step.

  1. Log on to the VPC console.
  2. In the top navigation bar, select the region in which your data center is located as the region of the VPC that you want to create.
  3. On the VPCs page, click Create VPC.
  4. On the Create VPC page, configure the required parameters of the VPC and vSwitch based on the following table.
    Section | Parameter | Description
    VPC | Region | The region where you want to create the VPC. This value is automatically displayed.
    VPC | Name | The name of the VPC. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.
    VPC | IPv4 CIDR Block | The IPv4 Classless Inter-Domain Routing (CIDR) block of the VPC. We recommend that you set this parameter to 10.0.0.0/8.
    VPC | Description | The description of the VPC.
    VPC | Resource Group | The resource group to which the VPC belongs. We recommend that you use the default resource group.
    vSwitch | Name | The name of the vSwitch.
    vSwitch | Zone | The zone of the vSwitch. In the same VPC, vSwitches in different zones can communicate with each other.
    vSwitch | Zone Resources | The cloud resources that can be created in the specified zone.
    vSwitch | IPv4 CIDR Block | The IPv4 CIDR block of the vSwitch. We recommend that you set this parameter to 10.0.0.0/24.
    vSwitch | Number of Available Private IPs | The number of available IP addresses.
    vSwitch | Description | The description of the vSwitch.
  5. Click OK.
    After the VPC is created, you can view the created VPC in the VPC list.

Step 2: Configure a network

The servers in your data center can connect to Security Center by using one of the following methods:
  • Virtual private network (VPN) gateways

    The VPN proxy method is used to establish site-to-site VPN connections based on public IP addresses. This way, networks on the hybrid cloud are connected. If you use this method, network quality is not optimal because this method depends on the Internet. However, the method is easy to configure and has a moderate price. Therefore, it is accepted by a large number of enterprises.

  • Leased lines

    In the leased line method, an enterprise rents a dedicated network line to connect its data center to Alibaba Cloud, which achieves hybrid cloud networking for the enterprise. The leased line method provides better network quality and ensures channel security. Therefore, it is preferred by enterprises.

Enterprises can choose an appropriate method based on their business requirements. The following table compares the two methods.
Connection method | Network channel | Network quality | Pricing structure | Scenario
VPN gateways | Internet channel, encrypted | Moderate | Bandwidth and traffic | Small- and medium-sized development tests
Leased lines | Independent line | Stable | Leased line | Enterprise production networking

Configure a VPN proxy

VPN tunnels can be used to establish point-to-point VPN connections between an Alibaba Cloud VPC and a data center or a third-party cloud over the Internet. This way, networks on the hybrid cloud are connected. The following figure shows the network architecture of a VPN proxy.

IPsec-VPN encrypts data transmission to ensure data security. The VPN gateway method is easy to configure and has a moderate price. We recommend that small- and medium-sized enterprises or users who perform Proof of Concept (POC) tests use this method.

The following figure shows the process to create an IPsec-VPN connection.
Notice A third-party cloud does not allow you to manually add a route to forward traffic from the CIDR block 100.64.0.0/10 to a VPN gateway. Therefore, VPN proxies are not suitable for a third-party cloud.
  1. Create a VPN gateway.
    1. Log on to the VPC console.
    2. On the VPN Gateways page, click Create VPN Gateway.
    3. On the buy page, configure the required parameters based on the following table.
      Parameter | Description
      Name | The name of the VPN gateway.
      Region | The region where you want to create the VPN gateway. Make sure that the VPN gateway and VPC reside in the same region.
      VPC | The VPC of the VPN gateway. You can select the VPC created in Step 1: Create a VPC or another existing VPC.
      Specify VSwitch | Specifies whether to select a vSwitch for the VPN gateway. Valid values:
      Peak Bandwidth | The maximum bandwidth of the VPN gateway.
      Traffic | Only Pay By Traffic is supported.
      IPsec-VPN | Specifies whether to enable IPsec-VPN. You must set this parameter to Enable.
      SSL-VPN | Specifies whether to enable SSL-VPN. You must set this parameter to Disable.
      Duration | Only By Hour is supported.
    4. Click Buy Now. On the page that appears, read and select I have read and agree to VPN Gateway Agreement of Service. Then, complete the payment.
    5. On the Pay page, click Console.
      You can view the created VPN gateway on the VPN Gateways page.
  2. Create a customer gateway.
    1. In the left-side navigation pane, choose VPN > Customer Gateways.
    2. Click Create Customer Gateway.
    3. In the Create Customer Gateway panel, configure the required parameters based on the following table.
      Parameter | Description
      Name | The name of the customer gateway.
      IP Address | The IP address of the VPN gateway used to connect to a third-party cloud.
      ASN | The Autonomous System Number (ASN) of the gateway in the data center to which the VPC is connected. Note You must set this parameter when Border Gateway Protocol (BGP) is enabled for the VPN gateway.
      Description | The description of the customer gateway.
    4. Click OK.
      You can view the created customer gateway on the Customer Gateways page.
  3. Create an IPsec-VPN connection.
    1. In the left-side navigation pane, choose VPN > IPsec Connections.
    2. Click Create IPsec Connection.
    3. On the Create IPsec Connection page, configure the required parameters based on the following table.
      Category | Parameter | Description
      Basic information | Name | The name of the IPsec-VPN connection.
      Basic information | VPN Gateway | The VPN gateway of the IPsec-VPN connection. Select the created VPN gateway.
      Basic information | Customer Gateway | The customer gateway of the IPsec-VPN connection. Select the created customer gateway.
      Basic information | Routing Mode | The routing mode of the IPsec-VPN connection. Select Destination Route Mode.
      Basic information | Effective Immediately | Specifies whether to immediately start connection negotiations. Valid values:
      Basic information | Pre-Shared Key |
      Advanced configurations: IKE configurations | Version | The version of the IKE protocol. We recommend that you set this parameter to ikev2.
      Advanced configurations: IKE configurations | Negotiation Mode | The mode of the negotiation. We recommend that you set this parameter to main. The main mode is highly secure.
      Advanced configurations: IKE configurations | Encryption Algorithm | The encryption algorithm that is used in Phase 1 negotiations. We recommend that you set this parameter to aes256.
      Advanced configurations: IKE configurations | Authentication Algorithm | The authentication algorithm that is used in Phase 1 negotiations. We recommend that you set this parameter to sha1.
      Advanced configurations: IKE configurations | DH Group | The Diffie-Hellman key exchange algorithm that is used in Phase 1 negotiations. We recommend that you set this parameter to group1.
      Advanced configurations: IKE configurations | SA Life Cycle (seconds) |
      Advanced configurations: IKE configurations | LocalId | The ID of the VPN gateway that is used in Phase 1 negotiations. By default, the public IP address of the selected VPN gateway is used.
      Advanced configurations: IKE configurations | RemoteId | The ID of the customer gateway that is used in Phase 1 negotiations. By default, the public IP address of the selected customer gateway is used.
      Advanced configurations: IPsec configurations | Encryption Algorithm | The encryption algorithm that is used in Phase 2 negotiations. We recommend that you set this parameter to aes256.
      Advanced configurations: IPsec configurations | Authentication Algorithm | The authentication algorithm that is used in Phase 2 negotiations. We recommend that you set this parameter to sha1.
      Advanced configurations: IPsec configurations | DH Group | The Diffie-Hellman key exchange algorithm that is used in Phase 2 negotiations. We recommend that you set this parameter to group1.
      Advanced configurations: IPsec configurations | SA Life Cycle (seconds) |
      Advanced configurations: IPsec configurations | DPD | Specifies whether to enable the dead peer detection (DPD) feature. This feature is enabled by default. We recommend that you retain the default settings.
      Advanced configurations: IPsec configurations | NAT Traversal | Specifies whether to enable the NAT traversal feature. This feature is enabled by default. We recommend that you retain the default settings.
      Note BGP Configuration and Health Check are disabled by default. We recommend that you retain the default settings.
    4. Click OK.
    5. In the Established message, click OK to advertise the VPN route.
    6. On the IPsec Connections page, click the name of the created IPsec-VPN connection.
    7. Click the Policy-based Routing tab.
    8. Click Publish in the Actions column.
  4. Create a peer gateway.
    On the private network of a third-party cloud, create a peer gateway. Set the IP address of the peer gateway to the public IP address of the Alibaba Cloud VPN gateway, which is 47.111.79.211 in this example, as shown in the following figure. Tencent Cloud is used in this example.

    The following figure shows the created peer gateway.

  5. Create a VPN tunnel.
    Create a VPN tunnel on a third-party cloud. In this example, Tencent Cloud is used to describe how to create a VPN tunnel.
    1. Log on to the VPC console.
    2. In the left-side navigation pane, choose VPN Connection > VPN Tunnel.
    3. On the VPN Tunnel page, click Create.
    4. In the Create VPN Tunnel wizard, configure the basic information of the VPN tunnel.
      You can configure the required parameters based on the following figure.
    5. Click Next.
    6. Configure a Security Policy Database (SPD) policy.
    7. Click Next.
    8. Configure IKE settings.
    9. Configure IPsec settings and click Save.
  6. Advertise the route for the peer CIDR block.
    On the private network of the third-party cloud, use policy-based routing to point the peer CIDR block to the VPN gateway. In this example, the peer CIDR block is 100.100.0.0/16 of Alibaba Cloud.
  7. Verify the IPsec-VPN connection.
    1. Log on to the VPC console.
    2. In the left-side navigation pane, choose VPN > IPsec Connections.
    3. On the IPsec Connections page, view Connection Status of the created IPsec-VPN connection.
      You can check whether the IPsec-VPN connection is normal based on Connection Status.
      • Normal: Phase 2 of IKE Tunnel Negotiation Succeeded is displayed in the Connection Status column.
      • Failed: Phase 1 of IKE Tunnel Negotiation Failed or Phase 2 of IKE Tunnel Negotiation Failed is displayed in the Connection Status column. For information about how to handle negotiation failures, see FAQ about IPsec-VPN connections.
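The IKE and IPsec values configured in step 3 must be identical on the Alibaba Cloud side and on the third-party cloud side; otherwise the connection ends in the Phase 1 or Phase 2 negotiation failure described in step 7. The following shell script is an added example, not part of this documentation or of any Alibaba Cloud tool. It compares the two proposals field by field and also flags values that current guidance treats as weak, including two of the values the table above recommends (sha1 for authentication and group1, a 768-bit MODP group, for DH). The proposal string format and the sample values are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the Security Center documentation. It checks the
# IKE (Phase 1) and IPsec (Phase 2) proposals that you enter on the Alibaba
# Cloud side and on the third-party cloud side before you click OK.
# Proposal strings use a constructed format for this script:
#   Phase 1: "<version> <mode> <encryption> <authentication> <dh-group>"
#   Phase 2: "<encryption> <authentication> <dh-group>"

# Print one WARN line (to stderr) per value that current guidance treats as
# weak, and print the number of warnings to stdout.
proposal_warnings() {
    count=0
    for value in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$value" in
            ikev1)         echo "WARN: ikev1 selected; ikev2 is recommended" >&2 ;;
            aggressive)    echo "WARN: aggressive mode sends identities unprotected; use main" >&2 ;;
            des|3des)      echo "WARN: $value is a legacy cipher; use aes256" >&2 ;;
            md5|sha1)      echo "WARN: $value is deprecated for integrity; prefer sha256" >&2 ;;
            group1|group2) echo "WARN: $value is a short MODP group; prefer group14 or higher" >&2 ;;
            *)             continue ;;
        esac
        count=$((count + 1))
    done
    echo "$count"
}

# Both peers must agree on every value, or negotiation fails with
# "Phase 1 of IKE Tunnel Negotiation Failed" or its Phase 2 equivalent.
# Return 0 when the proposals match; otherwise print each differing field and return 1.
proposals_match() {
    local_p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    remote_p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$local_p" = "$remote_p" ] && return 0
    i=1
    for r in $remote_p; do
        l=$(printf '%s\n' $local_p | sed -n "${i}p")
        [ "$l" = "$r" ] || echo "MISMATCH field $i: Alibaba Cloud=$l third-party cloud=$r"
        i=$((i + 1))
    done
    return 1
}

# Constructed usage: Phase 1 as recommended in the table on the Alibaba Cloud
# side, while the third-party cloud side was left on sha256 by mistake.
ALI_PHASE1="ikev2 main aes256 sha1 group1"
PEER_PHASE1="ikev2 main aes256 sha256 group1"
proposals_match "$ALI_PHASE1" "$PEER_PHASE1" || echo "fix the mismatch before negotiating"
n=$(proposal_warnings "$ALI_PHASE1")
echo "$n weak value(s) in the Alibaba Cloud Phase 1 proposal"
```

Run the script before you click OK on the Create IPsec Connection page. A MISMATCH line means negotiation will fail regardless of the pre-shared key, and the WARN lines list the recommended defaults that you can raise when both peers support stronger settings.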

Configure a leased line

You can use a leased line to connect to internal networks. This method provides high quality and security. The following figure shows the network architecture of a leased line.

The leased line connects the following network elements in sequence: data center > VPN gateway > virtual border router (VBR) > Cloud Enterprise Network (CEN) instance > VPC. The data center connects to an Alibaba Cloud VPC by using a BGP route. For more information about how to connect a data center to a VPN gateway, see the description of how to configure a VPN proxy.

You can run the telnet jsrv2.aegis.aliyun.com 443/80 and telnet update2.aegis.aliyun.com 443/80 commands (port 443 or port 80) on a server in your data center. If the telnet connections are established, the connection is normal. The following figure shows how to verify the connectivity between a data center and Security Center.

If the connection fails, perform the following operations to handle the issue.

Use tracert to trace the route. Then, advertise routes on the internal network of the customer to make 100.100.0.0/16 reachable, and add the route for 100.100.0.0/16 to the boundary VBR. The following procedure describes the steps in detail.

  1. Log on to the CEN console.
  2. Click the name of the CEN instance.
  3. On the instance details page, click the AnyTunnel tab.
  4. Click Configure AnyTunnel.
  5. In the Configure AnyTunnel panel, configure the required parameters based on the following table.
    Parameter | Description
    Service IP Address | The IP address or CIDR block of the cloud service. Set this parameter to 100.100.0.0/16, which is the CIDR block of Security Center.
    Service Region | The region of Security Center. Set this parameter to China (Beijing).
    Host VPC | The VPC of your data center.
    Access Region | The region of the VBR or Cloud Connect Network (CCN) instance that needs to access the cloud service.
    Description | The description of the cloud service.
  6. Click OK.

Step 3: Verify the connectivity

You must verify the connectivity between your server and the Internet and the connectivity between your server and Security Center.

Verify the connectivity between your server and the Internet

Check whether your server can connect to the Internet. In most cases, your server cannot connect to the Internet.

  1. Log on to your server.
    If your server is deployed in a data center, use a terminal to log on to the server. If your server is deployed on a third-party cloud, use the VNC connection feature in the console to log on to the server.
  2. Run the ping www.aliyun.com command.
    Check whether your server can connect to the Internet. VPN gateways and leased lines connect your server to Security Center only. They do not connect your server to the Internet, so it is normal if your server fails to connect to the Internet. The following figure shows the connectivity between a server on a third-party cloud and the Internet: the server has no public IP address and cannot connect to the Internet.

Verify the connectivity between your server on a third-party cloud and Security Center

In most cases, a server that is deployed on a third-party cloud connects to Security Center over an internal network, which is the purpose of the IPsec-VPN connection that you created. Perform the following steps to check whether your server can connect to Security Center.

  1. Log on to your server.
    If your server is deployed in a data center, use a terminal to log on to the server. If your server is deployed on a third-party cloud, use the VNC connection feature in the console to log on to the server.
  2. Run the yum install -y telnet command to install telnet.
  3. Run the following telnet commands to check whether your server can connect to Security Center over an internal network:
    telnet jsrv2.aegis.aliyun.com 443/80
    telnet update2.aegis.aliyun.com 443/80
    The following figure shows the check of whether your server can connect to Security Center.

    jsrv2.aegis.aliyun.com and update2.aegis.aliyun.com are the internal endpoints of Security Center. If the telnet connections are established, your server can connect to Security Center.

  4. Run the telnet jsrv.aegis.aliyun.com 443/80 command to check whether your server can connect to Security Center over the Internet. The following figure shows this check.
    jsrv.aegis.aliyun.com is the public endpoint of Security Center. If the command fails, your server cannot connect to Security Center over the Internet. This is expected.

Description of Security Center endpoints

The A record of jsrv2.aegis.aliyun.com maps the domain name to an internal IP address and is published on the external DNS. This allows the Security Center agent to reach the features provided by Security Center over the internal network. You can run the nslookup command to query the A record. You can perform the following steps to view the A and Name Server (NS) records of jsrv2.aegis.aliyun.com.

  1. Run the yum install -y bind-utils command to install nslookup.
  2. Run the nslookup jsrv2.aegis.aliyun.com command to query A and NS records.
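To make the nslookup check scriptable, the following shell script, an added example that is not part of this documentation, parses nslookup output and reports whether every A record of an endpoint falls inside 100.100.0.0/16, the Security Center CIDR block named in the leased line section. On the hybrid cloud network you expect jsrv2.aegis.aliyun.com to classify as internal. The sample nslookup output and the 100.100.1.x addresses in it are constructed placeholders, not the real records.

```shell
#!/bin/sh
# Added example, not part of the Security Center documentation. It parses the
# output of "nslookup jsrv2.aegis.aliyun.com" and checks whether every A
# record falls inside 100.100.0.0/16, the Security Center CIDR block.

SC_CIDR="100.100.0.0/16"

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <network/prefix>: return 0 when the address is inside the block.
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read nslookup output on stdin and print only the answer-section A records.
# The "Address:" line before "Name:" is the DNS server itself and is skipped.
parse_nslookup_a() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address:/ { sub(/#.*/, "", $2); print $2 }'
}

# classify_a_records <nslookup output>: print "internal" when every A record is
# inside SC_CIDR, "none" when no A record was found, otherwise "public".
classify_a_records() {
    found=0
    for addr in $(printf '%s\n' "$1" | parse_nslookup_a); do
        found=1
        ip_in_cidr "$addr" "$SC_CIDR" || { echo "public"; return 0; }
    done
    [ "$found" -eq 1 ] && echo "internal" || echo "none"
}

# Constructed nslookup output; the addresses are placeholders, not the real records.
SAMPLE_OUTPUT='Server:   10.0.0.2
Address:  10.0.0.2#53

Non-authoritative answer:
Name:     jsrv2.aegis.aliyun.com
Address:  100.100.1.2
Name:     jsrv2.aegis.aliyun.com
Address:  100.100.1.3'

echo "sample jsrv2 records classify as: $(classify_a_records "$SAMPLE_OUTPUT")"

# Live check on the server after "yum install -y bind-utils":
#   classify_a_records "$(nslookup jsrv2.aegis.aliyun.com)"
```

A result of public for jsrv2.aegis.aliyun.com on a server that is meant to reach Security Center over the VPN or leased line points at a DNS problem (for example a resolver that is not returning the published internal A record) rather than at the route, so check the resolver before you revisit the AnyTunnel or VPN configuration.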

Step 4: Install the Security Center agent

You can perform the following steps to install the Security Center agent on your server in a data center.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Agent tab.
  4. Click the Client Installation Guide tab.
    Security Center provides four default installation commands on the Client Installation Guide tab. If you do not want Security Center to create an image based on an installation command, or you do not want the server on which the installation command is run to be automatically added to a specified server group, you can select an installation command based on the type of your server and the operating system that your server runs. Then, you can run a default command to install the Security Center agent on your server.
  5. Optional: On the Client Installation Guide tab, click Add Installation Command to create an installation command.
    Notice If you use a default installation command, skip this step.
    You can create an installation command to achieve the following purposes:
    • Enable Security Center to create an image based on the installation command, and use the image to preinstall the Security Center agent on multiple servers.
    • Bind a server group to the installation command. After you run the command to install the Security Center agent on a server, the server is automatically added to the server group.
    1. In the Add Installation Command dialog box, configure the parameters.

      The following table describes the parameters.

      Parameter | Description
      Expiration time | The time when the installation command expires.
      Service Provider | The provider of your server.
      Default grouping | The server group that you want to bind to the installation command.
      Operating system | The operating system in which the installation command can be run. Valid values: Windows, Linux, and windows-2003.
      Making Image System | Specifies whether to enable Security Center to create an image. Valid values: Yes and No.
      • If you select Yes, Security Center automatically creates an image based on the installation command. You can use the image to preinstall the Security Center agent on multiple servers at a time without the need to run the installation command on each server.
        Note After you run the installation command on your server, only the installation package of the Security Center agent is downloaded to the server. The process of the Security Center agent is not started. If you want Security Center to protect your server, you must restart the server to start the process of the Security Center agent.
      • If you select No, Security Center generates an installation command but does not create an image based on the installation command.
    2. Click OK. An installation command is generated. Then, copy the command.

      You can view the generated installation command on the Client Installation Guide tab.

  6. Log on to the server on which you want to install the agent by using an account that has administrative rights.
    The tool that you can use to run the installation command varies based on the operating system of the server.
    • Windows: Open the Command Prompt and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    • Linux: Open the CLI and run the installation command that you copied. Then, the installation package of the Security Center agent is downloaded to and installed on the server.
    Notice After you run the installation command, the latest version of the Security Center agent is downloaded from Alibaba Cloud. If you use a server that is not deployed on Alibaba Cloud, make sure that the server is connected to the Internet before you run the installation command.
    You can view the status of the agent on the Assets page approximately 5 minutes after the agent is installed.
    • If you use an ECS instance, the status in the Agent column of the instance changes from Close to Enable.
    • If you use a server that is not deployed on Alibaba Cloud, the server is added to the server list on the Assets page.
      Notice Due to network latency, a server that is not deployed on Alibaba Cloud and has the Security Center agent installed may not be immediately displayed on the Assets page. In this case, you must click Synchronize Asset on the Server(s) tab of the Assets page to update the information about the server.

We recommend that you perform the following steps to check whether the Security Center agent is installed.

  1. Check whether the AliYunDun and AliYunDunUpdate processes of the Security Center agent are running as expected on your server. For more information about the processes of the Security Center agent, see Security Center agent.
  2. Run the following telnet commands to check whether your server can connect to the Security Center server:
    Note Make sure that your server can connect to at least one of the following JSRV domain names and one of the following update domain names. JSRV domain names are used to issue instructions such as vulnerability detection and virus detection. Update domain names are used to download and update the Security Center agent.
    • telnet jsrv.aegis.aliyun.com 443/80
    • telnet jsrv2.aegis.aliyun.com 443/80
    • telnet jsrv3.aegis.aliyun.com 443/80
    • telnet update.aegis.aliyun.com 443/80
    • telnet update2.aegis.aliyun.com 443/80
    • telnet update3.aegis.aliyun.com 443/80
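The check in step 2 carries a policy: at least one JSRV domain name and at least one update domain name must answer on port 443 or port 80. The following shell script, an added example that is not part of this documentation or of the Security Center agent, encodes that policy so that it can run unattended on each server after installation. The probe uses bash's /dev/tcp instead of the interactive telnet commands, and the --check flag and the overridable PROBE variable are my own conventions.

```shell
#!/bin/sh
# Added example, not part of the Security Center documentation. It checks that
# at least one JSRV endpoint and at least one update endpoint are reachable on
# port 443 or port 80, which is the requirement stated for the agent.

JSRV_HOSTS="jsrv.aegis.aliyun.com jsrv2.aegis.aliyun.com jsrv3.aegis.aliyun.com"
UPDATE_HOSTS="update.aegis.aliyun.com update2.aegis.aliyun.com update3.aegis.aliyun.com"
PORTS="443 80"

# tcp_probe <host> <port>: return 0 when a TCP connection opens within 3 seconds.
# Uses bash's /dev/tcp so that no extra package (telnet, nc) is required.
tcp_probe() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
# The probe function is overridable (PROBE=name) so the policy can be tested offline.
PROBE=${PROBE:-tcp_probe}

# any_reachable <host list>: return 0 and print the first reachable host:port.
any_reachable() {
    for host in $1; do
        for port in $PORTS; do
            if "$PROBE" "$host" "$port"; then
                echo "reachable: $host:$port"
                return 0
            fi
        done
    done
    return 1
}

# agent_endpoints_ok: return 0 only when both endpoint groups are reachable.
# JSRV endpoints issue instructions (vulnerability and virus detection);
# update endpoints download and update the agent.
agent_endpoints_ok() {
    status=0
    any_reachable "$JSRV_HOSTS"   || { echo "no JSRV endpoint reachable: instructions cannot be issued"; status=1; }
    any_reachable "$UPDATE_HOSTS" || { echo "no update endpoint reachable: agent cannot update"; status=1; }
    return "$status"
}

# Live check, with the script saved under a name of your choice:
#   sh check_endpoints.sh --check
if [ "${1:-}" = "--check" ]; then
    agent_endpoints_ok
fi
```

On a server that reaches Security Center only through the VPN or leased line, jsrv.aegis.aliyun.com (the public endpoint) is expected to fail while jsrv2.aegis.aliyun.com succeeds; the policy passes as long as one host in each group answers, so a non-zero exit status points at a routing or DNS problem with the 100.100.0.0/16 block rather than at the agent.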

If a server no longer requires protection from Security Center, you can uninstall the Security Center agent from the server in the Security Center console. For more information, see Uninstall the Security Center agent.