A security profile is a policy that can contain ingress and egress rules. Based on the specified tag rules, it is dynamically attached to a CloudCenter deployment, which lets you configure security on the cloud. You configure security profiles at the tenant level.
- Governance Mode: Based on tags, the security profile is automatically selected and you cannot change the security profile.
- Non-Governance Mode: You can attach any security profile for which you have permission.
Add Security Profiles
The Security Profile link in the CCM UI (Admin > Security Profiles) enables you to automatically assign run time policies, deployment environment, and firewall rule sets based on System Tags.
The following screenshot shows the Add a New Security Profile page.
Associate Security Profiles
When you add a new Security Profile in the Security Profiles page, you can associate this profile with one or more.
To associate the security profile with a system tag, follow this procedure.
- Click the Associate Tag link for the corresponding security profile.
- In the Associate Tag popup for the selected security profile, specify any or all of the tags (configured using
The Security Profiles tab enables administrators to:
- Define a set of system tags to define policies.
- Create a security profile and add a list of rules. The source and destinations of these rules could be IP CIDRs or other security profiles.
- Define a security policy using a set of system tags (defined as part of tag-based Governance) and profile and apply the security policy to an application profile when modeling the application.
- Add tags during the profile creation process. When deploying a profile, end users cannot mute these tags. Instead, users can add their own tags to each tier.
During the deployment process, all security profiles are applied to the application tier based on the matching tag rules.
Updating/Deleting Security Profiles
You cannot delete a security profile if the CCO is down or not reachable.
You can add security policy tags at the application level after deployment, and the resulting rules are applied in the native cloud portal. However, when you remove such a tag at the application level, the tag is removed in the CCM UI but the corresponding rules are not removed from the native cloud portal.
When you update a job, CloudCenter only removes the association between the instance and the security profile; it does not delete the security profile. If required, you can delete the security profile manually from the Security Profile page (as long as it has no running job associated with it), which also deletes it from the cloud provider console.
For example, if Job1 is deployed with SecurityGroup1, Instance1 comes up when the job is deployed and the CloudCenter platform associates Instance1 with SecurityGroup1. From this point, a permitted user who performs one of the actions in the following table sees the corresponding consequence:
| Action performed by a permitted user | Resulting consequence |
|---|---|
| Remove the tag from Job1 | Instance1 no longer displays the attached SecurityGroup1, even though the group still exists in the cloud (and consequently still displays on the Security Profile page) |
| Update the security profile on the Security Profile page | The rules are propagated to all cloud providers |
| Delete SecurityGroup1 from the Security Profile page | It is deleted from all cloud providers that used SecurityGroup1 |
You can only delete a Security Group if it is not attached to any running job in any cloud.
When you delete a security profile, the CloudCenter platform attempts to delete the corresponding firewall rules on every configured CCO:
- If all CCOs are functional, the firewall rules are deleted on each of them.
- If a CCO is down or not reachable for any reason, the deletion fails. Either make the CCO functional again or delete the Cloud Region that belongs to that CCO, then attempt the deletion of the security profile again. Once a cloud region has been deleted, the CloudCenter platform skips the firewall rules on its CCO (this holds for a functional CCO as well).
- If a CCO has already been deleted, the CloudCenter platform does not attempt to delete the firewall rules on it.
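The behaviour described above leaves three things for an operator to check before touching a profile: a tag removed from a job drops the CCM-side association while the instance may still belong to the security group in the cloud, a profile update may not have propagated to a region whose CCO is unreachable, and deletion is refused while a running job is attached or a CCO is down. The following audit is an added example, not CloudCenter code; the `CcmState` and `Region` classes, their field names and the sample data are constructed assumptions standing in for what the CCM and the cloud provider APIs would return.

```python
"""Drift and deletion audit for tag-driven security profiles.

Added example, not CloudCenter code: the CCM-side state and the per-region
cloud state are constructed inline (the data classes and field names are
assumptions standing in for what the CCM and the cloud provider APIs return).
"""
from dataclasses import dataclass


@dataclass
class Region:
    """What one cloud region (served by one CCO) actually reports."""
    name: str
    cco_reachable: bool
    groups: dict        # security group -> rules the provider still enforces
    memberships: dict   # instance -> set of security groups it belongs to


@dataclass
class CcmState:
    """The CCM-side view of the same estate."""
    profiles: dict      # security profile -> rules as modelled in the CCM
    job_profiles: dict  # running job -> profiles currently associated via tag rules
    instances: dict     # instance -> (job, region) that deployed it


def membership_drift(ccm, regions):
    """Groups a cloud instance still belongs to although the CCM no longer
    associates them with its job (the 'tag removed from Job1' case).
    Returns {(region, instance): {group: rules still in force}}."""
    drift = {}
    for region in regions:
        for inst, groups in region.memberships.items():
            job, _ = ccm.instances.get(inst, (None, None))
            extra = set(groups) - ccm.job_profiles.get(job, set())
            if extra:
                drift[(region.name, inst)] = {g: region.groups.get(g, []) for g in extra}
    return drift


def rule_drift(ccm, regions):
    """Groups whose rules in a cloud differ from the profile in the CCM, i.e. a
    profile update that did not propagate (typically an unreachable CCO).
    Returns {(region, group): (expected rules, actual rules)}."""
    drift = {}
    for region in regions:
        for group, actual in region.groups.items():
            expected = ccm.profiles.get(group)
            if expected is not None and sorted(expected) != sorted(actual):
                drift[(region.name, group)] = (sorted(expected), sorted(actual))
    return drift


def deletion_blockers(profile, ccm, regions):
    """Why deleting `profile` from the Security Profile page would be refused
    or would leave firewall rules behind in a cloud. Empty list means safe."""
    reasons = [f"attached to running job {job}"
               for job, profs in ccm.job_profiles.items() if profile in profs]
    for region in regions:
        for inst, groups in region.memberships.items():
            job, _ = ccm.instances.get(inst, (None, None))
            if profile in groups and profile not in ccm.job_profiles.get(job, set()):
                reasons.append(f"instance {inst} in {region.name} is still a member "
                               "(association no longer tracked by the CCM)")
        if profile in region.groups and not region.cco_reachable:
            reasons.append(f"CCO for region {region.name} unreachable; "
                           "restore it or delete the region first")
    return reasons


# Constructed sample: SecurityGroup1 was tightened in the CCM from 0.0.0.0/0 to
# 10.0.0.0/8, its tag was then removed from Job1, and the azure-west CCO is down.
CCM = CcmState(
    profiles={
        "SecurityGroup1": ["ingress tcp/443 from 10.0.0.0/8"],
        "SecurityGroup2": ["ingress tcp/22 from 192.0.2.0/24"],
    },
    job_profiles={"Job1": {"SecurityGroup2"}},
    instances={"Instance1": ("Job1", "aws-us-east")},
)
REGIONS = [
    Region("aws-us-east", cco_reachable=True,
           groups={"SecurityGroup1": ["ingress tcp/443 from 10.0.0.0/8"],
                   "SecurityGroup2": ["ingress tcp/22 from 192.0.2.0/24"]},
           memberships={"Instance1": {"SecurityGroup1", "SecurityGroup2"}}),
    Region("azure-west", cco_reachable=False,
           groups={"SecurityGroup1": ["ingress tcp/443 from 0.0.0.0/0"]},
           memberships={}),
]

if __name__ == "__main__":
    print("membership drift:", membership_drift(CCM, REGIONS))
    print("rule drift:", rule_drift(CCM, REGIONS))
    for name in CCM.profiles:
        print(f"delete {name}:", deletion_blockers(name, CCM, REGIONS) or "safe")
```

Run against the sample, the audit reports Instance1 still carrying SecurityGroup1 in aws-us-east (the tag was removed in the CCM but the group still applies in the cloud), the stale 0.0.0.0/0 rule in azure-west where the update never arrived, and two reasons why SecurityGroup1 cannot yet be deleted cleanly while SecurityGroup2 is blocked only by the running Job1. In a real deployment the two views would be fetched from the CCM and from each provider's security-group listing rather than constructed.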
Azure Cloud Nuances
Because Azure limits the number of security groups, the lifecycle of an Azure security group is tied to an instance: the security group is created when you create the instance and deleted when you delete the instance.