Security Center can protect and manage the servers that are not deployed on Alibaba Cloud. The servers include third-party cloud servers and servers in data centers. Before you use Security Center to protect these servers, you must add these servers to Security Center and synchronize the server information to Security Center. This topic describes how to use multi-cloud configuration management.

Add multi-cloud assets to Security Center

After third-party servers are added to Security Center, the server information is synchronized to the Assets module of the Security Center console. This allows Security Center to protect and manage the servers in a centralized manner.
Note: You can add only the servers of third-party cloud service providers, such as Tencent Cloud and Amazon Web Services (AWS) Cloud, to Security Center.
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Multi-cloud configuration management tab, click the Multi-cloud assets tab. On the Multi-cloud assets tab, click Add authorization and select the cloud service provider whose server you want to add to Security Center from the drop-down list.
  3. In the Access to assets outside the cloud panel, create a sub-account for the cloud service provider as prompted.
    You can select Quick configuration scheme or Manual configuration scheme.
    • Quick configuration scheme: You must obtain the AccessKey pair of the master account that owns the third-party cloud server. Then, Security Center automatically creates the AccessKey pair for the sub-account that is authorized to manage the third-party cloud server. This way, you can add the third-party cloud server to Security Center. If you select this option, perform the following steps:
      1. Log on to the management console of the third-party cloud server.
      2. Obtain the AccessKey ID and AccessKey secret of the master account.

        You can view the guidelines on how to obtain the AccessKey ID and AccessKey secret in the Access to assets outside the cloud panel.

        Note: The AccessKey pairs of master accounts are not automatically provided. You must manually create the AccessKey pairs.
      3. Go to the Security Center console, open the Access to assets outside the cloud panel, select Quick configuration scheme, and then click Next.
      4. In the Submit AccessKey Pair step, enter the obtained information about the AccessKey pair of the master account and click Next.
      5. In the Policy Configuration step, configure the Select Region and Region Management parameters.
        The following list describes the parameters:
        • Select Region: Select the region in which your server resides. After you select a region, your server is added to the current management center. Security Center supports only two management centers: International and Singapore. You can switch between International and Singapore in the upper-left corner of the Security Center console.
        • Region Management: Specify whether to add newly purchased servers in the specified region to Security Center. After you select this option, newly purchased servers in the specified region are automatically added to the current management center. You can switch between International and Singapore in the upper-left corner of the Security Center console. If you do not select this option, newly purchased servers in the specified region are not automatically added to the current management center.

      6. Click Determine.

        After you complete this step, the third-party cloud server is added to Security Center. If more servers are created within the sub-account that belongs to the master account, information about the servers is automatically synchronized to Security Center.

      7. In the left-side navigation pane, choose Assets > Host. On the Server tab of the Host page, click Synchronize Asset to synchronize the information about all your assets to Security Center.

        If you do not click Synchronize Asset, the server information is automatically synchronized to Security Center 1 hour later.

        Note: The synchronization requires a specific period of time. Wait until the synchronization is complete. Do not click Synchronize Asset again.
    • Manual configuration scheme: You must manually create the AccessKey pair for the sub-account that is authorized to manage the third-party cloud server. This way, you can add the third-party cloud server to Security Center. If you select this option, perform the following steps:
      1. Log on to the management console of the third-party cloud server.
      2. Obtain the AccessKey ID and AccessKey secret of the sub-account.

        You can view the guidelines on how to obtain the AccessKey ID and AccessKey secret in the Access to assets outside the cloud panel.

        Note: The AccessKey pairs of sub-accounts are not automatically provided. You must manually create the AccessKey pairs.
      3. Go to the Security Center console, open the Access to assets outside the cloud panel, select Manual configuration scheme, and then click Next.
      4. In the Submit AccessKey Pair step, enter the obtained information about the AccessKey pair of the sub-account and click Next.
      5. In the Policy Configuration step, configure the Select Region and Region Management parameters.
        The following list describes the parameters:
        • Select Region: Select the region in which your server resides. After you select a region, your server is added to the current management center. Security Center supports only two management centers: International and Singapore. You can switch between International and Singapore in the upper-left corner of the Security Center console.
        • Region Management: Specify whether to add newly purchased servers in the specified region to Security Center. After you select this option, newly purchased servers in the specified region are automatically added to the current management center. You can switch between International and Singapore in the upper-left corner of the Security Center console. If you do not select this option, newly purchased servers in the specified region are not automatically added to the current management center.

      6. Click Determine.

        After you complete this step, the third-party cloud server is added to Security Center.

      7. In the left-side navigation pane, choose Assets > Host. On the Server tab of the Host page, click Synchronize Asset.
        Note: If you have a large number of servers, the synchronization may require a long time to complete. Wait until the synchronization is complete. Do not click Synchronize Asset again.

Create an IDC probe

You can create IDC probes to scan servers and identify the servers that have the Security Center agent installed in a data center. Then, you can synchronize the information about the identified servers to the Assets module of the Security Center console. This way, Security Center can manage the servers in a centralized manner.

Note: You can use only the servers that have the Security Center agent installed in data centers as IDC probes. For more information, see Overview of the Security Center agent.
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Multi-cloud configuration management tab, click IDC probe. Then, click Added probe.
  3. In the Access to assets outside the cloud panel, configure the parameters and click Next.
    The following list describes the parameters:
    • IDC room: the name of the data center. The data center houses the servers that you want the IDC probe to scan.
    • Network segment settings: the CIDR block that the IDC probe supports for scanning. Only class C addresses are supported. Therefore, you must enter a CIDR block that ranges from 192.168.0.0 to 192.168.255.255.
    • Cycle setting: the interval at which the IDC probe scans servers.
    • linux port: the SSH port of the Linux servers that the IDC probe scans. You can specify a non-standard port.
    • windows port: the Remote Desktop Protocol (RDP) port of the Windows servers that the IDC probe scans. You can specify a non-standard port.
    • Region: the region of the IDC probe. You need to enter only the city name. The value of this parameter is displayed on the Host page of the Assets module.
  4. In the Select assets step, select the server that you want to use as the IDC probe and click Determine.
    After you specify the IDC probe, you can use the probe to scan servers in the data center and identify the servers that have the Security Center agent installed. You can select multiple servers.
    After you complete this step, the IDC probe is created. The IDC probe scans the servers that use the specified CIDR block in the data center at the specified interval. If the IDC probe identifies a server that has the Security Center agent installed, the probe automatically adds the server to the server list in the Assets module of the Security Center console.
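
Before you enter the Network segment settings value, you can check the planned CIDR blocks against the supported range and see which data center servers no accepted block would cover. The following script is an added example, not part of Security Center or of the original topic. The function names, the sample segments, and the sample inventory are constructed, and rejecting a block whose host bits are set is an assumption of this example rather than documented console behavior.

```python
import ipaddress

# Range that this topic states for "Network segment settings".
SUPPORTED = ipaddress.ip_network("192.168.0.0/16")


def check_segment(cidr):
    """Return (network, None) if the block is usable, else (None, reason)."""
    try:
        # strict=True rejects blocks with host bits set (assumption of this example).
        net = ipaddress.ip_network(cidr.strip(), strict=True)
    except ValueError as exc:
        return None, f"not a valid CIDR block: {exc}"
    if net.version != 4:
        return None, "not an IPv4 block"
    if not net.subnet_of(SUPPORTED):
        return None, f"outside {SUPPORTED[0]} to {SUPPORTED[-1]}"
    return net, None


def plan_coverage(segments, inventory):
    """Sort segments into accepted and rejected, then list the inventory
    hosts that no accepted segment contains (servers the probe would miss)."""
    accepted, rejected = [], {}
    for cidr in segments:
        net, reason = check_segment(cidr)
        if net is None:
            rejected[cidr] = reason
        else:
            accepted.append(net)
    uncovered = [
        host for host in inventory
        if not any(ipaddress.ip_address(host) in net for net in accepted)
    ]
    return accepted, rejected, uncovered


# Constructed sample data: planned probe segments and a data center host list.
SEGMENTS = ["192.168.10.0/24", "192.168.20.5/24", "10.0.4.0/24", "192.168.0.0/15"]
INVENTORY = ["192.168.10.15", "192.168.20.7", "10.0.4.21", "192.168.30.2"]

if __name__ == "__main__":
    accepted, rejected, uncovered = plan_coverage(SEGMENTS, INVENTORY)
    print("accepted:", [str(n) for n in accepted])
    for cidr, reason in rejected.items():
        print(f"rejected {cidr}: {reason}")
    print("servers outside every accepted segment:", uncovered)
```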

Disable an IDC probe

If you no longer require an IDC probe, find the probe on the IDC probe tab and click Deactivation in the Operation column. After the IDC probe is disabled, the probe no longer scans the servers in the data center.
Note: If a server is added to the data center after the IDC probe is disabled, the information about the server is not automatically synchronized to Security Center.

What to do next

Go to the Host page. On the Server tab, view the details of the servers that are not deployed on Alibaba Cloud and whose information is synchronized to Security Center. On the IDC probe findings tab, check whether the Security Center agent installed on the servers is online.