Use multi-cloud configuration management - Security Center

Security Center can protect and manage the servers that are not deployed on Alibaba Cloud. The servers include third-party cloud servers and servers in data centers. Before you use Security Center to protect these servers, you must add these servers to Security Center and synchronize the server information to Security Center. This topic describes how to use multi-cloud configuration management.

Add multi-cloud assets to Security Center

After the servers of a third-party cloud service provider are added to Security Center, the server information is synchronized to the Assets module of the Security Center console. This allows Security Center to protect and manage the servers in a centralized manner.

Log on to the Security Center console.
In the left-side navigation pane, choose System Configuration > Feature Settings.
On the Multi-cloud configuration management tab, click the Multi-cloud assets tab. On the Multi-cloud assets tab, click Add authorization and select the cloud service provider whose server you want to add to Security Center from the drop-down list.

In the Access to assets outside the cloud panel, create a sub-account for the cloud service provider as prompted.

The steps to add a server to Security Center vary based on different cloud service providers.

Tencent Cloud, HUAWEI CLOUD, and Amazon Cloud (AWS)

You can select Quick configuration scheme or Manual configuration scheme.

Quick configuration scheme: You must obtain the AccessKey pair of the master account that owns the third-party cloud server. Then, Security Center automatically creates the AccessKey pair for the sub-account that is authorized to manage the third-party cloud server. This way, you can add the third-party cloud server to Security Center. If you select this option, perform the following steps:

Log on to the management console of the third-party cloud server.
Obtain the AccessKey ID and AccessKey secret of the master account.
You can view the guidelines on how to obtain the AccessKey ID and AccessKey secret in the Access to assets outside the cloud panel.
Note The AccessKey pairs of master accounts are not automatically provided. You must manually create the AccessKey pairs.
Go to the Security Center console, open the Access to assets outside the cloud panel, select Quick configuration scheme, and then click Next.
In the Submit AccessKey Pair step, enter the obtained information about the AccessKey pair of the master account and click Next.

In the Policy Configuration step, configure the Select Region and Region Management parameters.


Parameter	Description
Select Region	Select the region in which the third-party cloud server resides. After you select a region, the third-party cloud server is added to the current management center.
Region Management	Specify whether to add newly purchased servers in the specified region to Security Center. After you select this option, newly purchased servers in the specified region are automatically added to the current management center. If you do not select this option, newly purchased servers in the specified region are not automatically added to the current management center.

Click Determine.
After you complete this step, the third-party cloud server is added to Security Center. If more servers are created within the sub-account that belongs to the master account, information about the servers is automatically synchronized to Security Center.

Manual configuration scheme: You must manually create the AccessKey pair for the sub-account that is authorized to manage the third-party cloud server. This way, you can add the third-party cloud server to Security Center. If you select this option, perform the following steps:

Log on to the management console of the third-party cloud server.
Obtain the AccessKey ID and AccessKey secret of the sub-account.
You can view the guidelines on how to obtain the AccessKey ID and AccessKey secret in the Access to assets outside the cloud panel.
Note The AccessKey pairs of sub-accounts are not automatically provided. You must manually create the AccessKey pairs.
Go to the Security Center console, open the Access to assets outside the cloud panel, select Manual configuration scheme, and then click Next.
In the Submit AccessKey Pair step, enter the obtained information about the AccessKey pair of the sub-account and click Next.

In the Policy Configuration step, configure the Select Region and Region Management parameters.


Parameter	Description
Select Region	Select the region in which the third-party cloud server resides. After you select a region, the third-party cloud server is added to the current management center.
Region Management	Specify whether to add newly purchased servers in the specified region to Security Center. After you select this option, newly purchased servers in the specified region are automatically added to the current management center. If you do not select this option, newly purchased servers in the specified region are not automatically added to the current management center.

Click Determine.
After you complete this step, the third-party cloud server is added to Security Center.

Microsoft Azure

Log on to a Microsoft Azure virtual machine and install Azure CLI. For more information, visit How to install Azure CLI.
After Azure CLI is installed, run one of the following commands in the Microsoft Azure virtual machine.
- If you use Microsoft Azure that is managed by 21Vianet, run the following command:
```
az cloud set -n AzureChinaCloud
az login
```
- If do not use Microsoft Azure that is managed by 21Vianet, run the following command:
```
 az login
```
Log on to Microsoft Azure Portal by using the endpoint and code that you obtained in the previous step.

After you log on to Microsoft Azure Portal, obtain the values of the your-account-ID and your-subscription-ID parameters and run the following command:

az ad sp create-for-rbac \
    --name <your-account-ID> \
    --role Contributor \
    --scopes /subscriptions/<your-subscription-ID>

To obtain the value of the parameters, refer to the following table.


Parameter	Description	Method to obtain the parameter value
your-account-ID	The ID of the current logon account.	On the Users page, click the username of the user. In the Identity panel, obtain the account ID based on the type of Microsoft Azure account that you use. User of Microsoft Azure that is managed by 21Vianet: The account ID is the value in the Issuer assigned ID column. Not a user of Microsoft Azure that is managed by 21Vianet: The account ID is the value in the Issuer column.
your-subscription-ID	The ID of the subscription.	On the Subscriptions page, obtain a value in the Subscription ID column.

Record the values of the appId, displayName, name, password, and tenant parameters in the command execution result.

Go to the Security Center console, open the Access to assets outside the cloud panel and click Next.

In the Submit AccessKey Pair step, configure the parameters and click Next.


Parameter	Description
Enter an AppID	Enter the value of the `appId` parameter that you obtained in Step 4.
Enter a password	Enter the value of the `password` parameter that you obtained in Step 4.
tenant	Enter the value of the `tenant` parameter that you obtained in Step 4.
SubscriptionId	Enter the value of the `your-subscription-ID` parameter that you obtained from Microsoft Azure Portal in Step 4.
Domain (Select Chinese Edition for VNET and International Edition for others)	Select the edition of the Microsoft Azure virtual machine. Valid values: China: If you use Microsoft Azure that is managed by 21Vianet, select this option. International: If you do not use Microsoft Azure that is managed by 21Vianet, select this option.

In the Policy Configuration step, configure the Select Region and Region Management parameters.


Parameter	Description
Select Region	Select the region in which the third-party cloud server resides. After you select a region, the third-party cloud server is added to the current management center.
Region Management	Specify whether to add newly purchased servers in the specified region to Security Center. After you select this option, newly purchased servers in the specified region are automatically added to the current management center. If you do not select this option, newly purchased servers in the specified region are not automatically added to the current management center.

Click Determine.
After you complete this step, the third-party cloud server is added to Security Center.

In the left-side navigation pane, choose Assets > Host. On the Server tab of the Host page, click Synchronize Asset to synchronize the third-party cloud server to Security Center.
Note The synchronization requires a long period to complete. Wait for a moment. You do not need to click Synchronize Asset again.

Manage an IDC probe

You can create IDC probes to scan servers and identify the servers that have the Security Center agent installed in a data center. Then, you can synchronize the information about the identified servers to the Assets module of the Security Center console. This way, Security Center can manage the servers in a centralized manner.

Note You can use only the servers that have the Security Center agent installed in data centers as IDC probes. For more information about the Security Center agent, see Overview of the Security Center agent.

Create an IDC probe

Log on to the Security Center console.
In the left-side navigation pane, choose System Configuration > Feature Settings.
On the Multi-cloud configuration management tab, click IDC probe and then click Added probe.
In the Access to assets outside the cloud panel, configure the parameters and click Next.
The following list describes the parameters:
- IDC room: the name of the data center. The data center houses the servers that you want the IDC probe to scan.
- Network segment settings: the CIDR block that the IDC probe supports for scanning. Only class C addresses are supported. Therefore, you must enter a CIDR block that ranges from 192.168.0.0 to 192.168.255.255.
- Cycle setting: the interval at which the IDC probe scans servers.
- linux port: the SSH port of the Linux servers that the IDC probe scans. You can specify a non-standard port.
- windows port: the Remote Desktop Protocol (RDP) port of the Windows servers that the IDC probe scans. You can specify a non-standard port.
- Region: the region of the IDC probe. Enter the name of the city. The value of this parameter is displayed on the Host page of the Assets module.
In the Select assets step, select the server that you want to use as the IDC probe and click Determine.
After you specify the IDC probe, you can use the IDC probe to scan servers in the data center and identify the servers that have the Security Center agent installed. You can select multiple servers.
After you complete this step, the IDC probe is created. The IDC probe scans the servers that use the specified CIDR block in the data center at the specified interval. If the IDC probe identifies a server that has the Security Center agent installed, the probe automatically adds the server to the server list in the Assets module of the Security Center console.

Disable an IDC probe

If you no longer require an IDC probe, find the IDC probe on the IDC probe tab and click Deactivation in the Operation column. After the IDC probe is disabled, Security Center no longer scans the servers in the data center.

Note If a server is added to the data center after the IDC probe is disabled, the information about the server is not automatically synchronized to Security Center.

View scan results

Go to the Host page. On the Server and IDC probe findings tabs, view the details of the servers that are not deployed on Alibaba Cloud and whose information is synchronized to Security Center and check whether the Security Center agent that is installed on the servers is online.