cloud-network-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cloud Network Security

云网络安全

Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs, and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.

Prerequisite: This skill assumes the cloud-setup skill has already run —
EC_API_KEY
is set in the environment and the organization context is established. If
EC_API_KEY
is missing, instruct the agent to invoke cloud-setup first. Do NOT prompt the user for an API key directly.

For project creation and day-2 operations (including associating filters with projects), see cloud-create-project and cloud-manage-project. For identity and access management (users, roles, API keys), see cloud-access-management.

For detailed API endpoints and request schemas, see references/api-reference.md.

管理Elastic Cloud Serverless项目的网络安全策略：包括用于允许特定IP或CIDR的IP过滤器，以及用于将流量限制到特定VPC终端节点的VPC过滤器（AWS PrivateLink）。

前置条件： 本技能假设已运行cloud-setup技能——环境中已设置
EC_API_KEY
且已建立组织上下文。如果缺少
EC_API_KEY
，请指示代理先调用cloud-setup，不要直接向用户索要API密钥。

有关项目创建和日常运维操作（包括将过滤器与项目关联），请查看cloud-create-project和cloud-manage-project。有关身份与访问管理（用户、角色、API密钥），请查看cloud-access-management。

有关详细的API端点和请求模式，请参阅references/api-reference.md。

Terminology

术语说明

This skill uses network security as the umbrella term, aligned with the Elastic Cloud UI direction. The underlying API uses traffic filters — you will see

traffic-filters

in endpoint paths and

traffic_filters

in JSON fields. When a user or agent says "traffic filter," they mean the same thing as "network security policy." The two filter types are IP filters (type

ip

) and VPC filters (type

vpce

本技能使用网络安全作为统称，与Elastic Cloud UI的术语保持一致。底层API使用流量过滤器——你会在端点路径中看到

traffic-filters

，在JSON字段中看到

traffic_filters

。当用户或代理提到“流量过滤器”时，其含义与“网络安全策略”相同。两种过滤器类型分别是IP过滤器（类型

ip

）和VPC过滤器（类型

vpce

）。

Jobs to Be Done

可完成的任务

Create an IP filter to restrict ingress to specific IPs or CIDR blocks
Create a VPC filter (AWS PrivateLink) to restrict traffic to specific VPC endpoint IDs
List, inspect, update, and delete network security policies
Look up PrivateLink region metadata (service names, domain names, availability zones)
Associate or disassociate filters with Serverless projects (delegates to cloud-manage-project)
Audit the current network security posture for an organization

创建IP过滤器以限制入口流量仅来自特定IP或CIDR块
创建VPC过滤器（AWS PrivateLink）以将流量限制到特定AWS VPC终端节点ID
列出、查看、更新和删除网络安全策略
查询PrivateLink区域元数据（服务名称、域名、可用区）
将过滤器与Serverless项目关联或解除关联（委托给cloud-manage-project）
审计组织当前的网络安全状况

Prerequisites

前置条件

Item	Description
EC_API_KEY	Cloud API key (set by cloud-setup). Required for all operations.
Region	Filters are region-scoped. The user must specify the target region when creating filters.
Project IDs	Required only when associating filters with projects (handled by cloud-manage-project).

Run

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters

to verify that

EC_API_KEY

is valid before proceeding with any operation.

项	描述
EC_API_KEY	云API密钥（由cloud-setup设置）。所有操作都需要此密钥。
Region	过滤器是区域级别的。创建过滤器时用户必须指定目标区域。
Project IDs	仅在将过滤器与项目关联时需要（由cloud-manage-project处理）。

在进行任何操作之前，运行

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters

以验证

EC_API_KEY

是否有效。

Decomposing Network Security Requests

拆解网络安全请求

When the user describes a network security need in natural language (for example, "restrict my search project to our office IP"), break the request into discrete tasks before executing.

当用户用自然语言描述网络安全需求时（例如：“将我的搜索项目限制为仅允许我们办公室的IP访问”），请在执行前将请求拆分为多个独立任务。

Step 1 — Identify the components

步骤1 — 确定组件

Component	Question to answer
Filter type	IP filter (public IPs/CIDRs) or VPC filter (AWS PrivateLink endpoint)?
Region	Which AWS region are the target projects in?
Rules	What source IPs, CIDRs, or VPC endpoint IDs should be allowed?
Scope	Apply to all new projects by default, or specific projects only?
Projects	Which existing projects should this filter be associated with?

组件	需要回答的问题
过滤器类型	是IP过滤器（公网IP/CIDR）还是VPC过滤器（AWS PrivateLink终端节点）？
区域	目标项目位于哪个AWS区域？
规则	应允许哪些源IP、CIDR或VPC终端节点ID？
范围	默认应用于所有新项目，还是仅应用于特定项目？
项目	此过滤器应与哪些现有项目关联？

Step 2 — Check existing state

步骤2 — 检查现有状态

Before creating a new filter, check what already exists:

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

Filter hygiene: If an existing filter already covers the same source rules for the same purpose, reuse it instead of creating a duplicate. Filters are region-scoped and can be associated with multiple projects, so a single filter with the right rules serves many projects. Two filters with identical source rules are fine when they serve different purposes (for example, different teams managing their own policies), but creating a second filter for the same purpose is unnecessary.

创建新过滤器之前，请检查已有的过滤器：

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

过滤器规范： 如果已有过滤器针对相同用途包含了相同的源规则，请复用该过滤器，不要创建重复项。过滤器是区域级别的，可与多个项目关联，因此一个包含正确规则的过滤器可服务多个项目。当用于不同用途时（例如不同团队管理各自的策略），两个具有相同源规则的过滤器是合理的，但为相同用途创建第二个过滤器则没有必要。

Step 3 — Create the filter

步骤3 — 创建过滤器

Run the appropriate command from

skills/cloud/network-security/scripts/cloud_network_security.py

运行

skills/cloud/network-security/scripts/cloud_network_security.py

中的相应命令。

Step 4 — Associate with projects

步骤4 — 与项目关联

Filter association is managed using the project PATCH endpoint. Use cloud-manage-project to associate or disassociate filters:

text

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

When updating associations, provide the complete list of filter IDs. Any filter not included in the list is disassociated from the project.

过滤器关联通过项目PATCH端点管理。使用cloud-manage-project来关联或解除关联过滤器：

text

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

更新关联时，请提供过滤器ID的完整列表。列表中未包含的任何过滤器都将与项目解除关联。

Step 5 — Verify

步骤5 — 验证

After execution, list filters again or GET the project to confirm the change took effect.

执行完成后，再次列出过滤器或获取项目信息以确认变更已生效。

IP Filters versus VPC Filters

IP过滤器与VPC过滤器对比

Aspect	IP Filter ( `ip` )	VPC Filter ( `vpce` )
Purpose	Allowlist public IP addresses or CIDR blocks	Restrict traffic to specific AWS VPC endpoint IDs
Use case	Office IPs, CI/CD runners, partner access	Private connectivity without public internet exposure
Source format	IP address or CIDR (for example, `203.0.113.0/24` )	AWS VPC endpoint ID (for example, `vpce-0abc123def456` )
Network path	Public internet	AWS PrivateLink (private, never leaves AWS network)
Prerequisite	None	VPC endpoint and DNS record created in AWS console first

Key concept: Private connectivity in AWS is accepted by default in Elastic Cloud. Creating a VPC filter is only needed to restrict traffic to specific VPC endpoint IDs. If you only need private connectivity (without filtering), create the VPC endpoint and DNS record in AWS — no filter is needed on the Elastic Cloud side.

方面	IP过滤器 ( `ip` )	VPC过滤器 ( `vpce` )
用途	允许公网IP地址或CIDR块访问	将流量限制到特定AWS VPC终端节点ID
使用场景	办公室IP、CI/CD运行器、合作伙伴访问	无需公网暴露的私有连接
源格式	IP地址或CIDR（例如 `203.0.113.0/24` ）	AWS VPC终端节点ID（例如 `vpce-0abc123def456` ）
网络路径	公网	AWS PrivateLink（私有网络，不会离开AWS网络）
前置条件	无	需先在AWS控制台创建VPC终端节点和DNS记录

核心概念： Elastic Cloud默认支持AWS中的私有连接。仅当需要将流量限制到特定VPC终端节点ID时，才需要创建VPC过滤器。如果仅需要私有连接（无需过滤），只需在AWS中创建VPC终端节点和DNS记录——Elastic Cloud端无需创建过滤器。

Examples

示例

Allowlist an office IP range

允许办公室IP段访问

Prompt: "Only allow traffic from our office network 203.0.113.0/24 to projects in us-east-1."

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

Then associate the filter with specific projects using cloud-manage-project.

提示： "仅允许来自我们办公室网络203.0.113.0/24的流量访问us-east-1区域的项目。"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

然后使用cloud-manage-project将过滤器与特定项目关联。

Restrict traffic to a VPC endpoint

将流量限制到VPC终端节点

Prompt: "Lock down my observability project to only accept traffic from our VPC endpoint."

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

提示： "将我的可观测性项目锁定为仅接受来自我们VPC终端节点的流量。"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

List all filters in a region

列出区域内所有过滤器

Prompt: "Show me all network security policies in eu-west-1."

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

提示： "显示eu-west-1区域的所有网络安全策略。"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

Update a filter to add a new IP

更新过滤器以添加新IP

Prompt: "Add the VPN IP 198.51.100.5 to our existing office filter."

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345

提示： "将VPN IP 198.51.100.5添加到我们现有的办公室过滤器中。"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345

Review current rules, then update with the complete rule set:

查看当前规则，然后使用完整规则集进行更新：

python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter
--filter-id tf-12345
--body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'

undefined

undefined

Look up PrivateLink metadata for a region

查询区域的PrivateLink元数据

Prompt: "What PrivateLink service name do I need for us-east-1?"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

提示： "us-east-1区域需要使用什么PrivateLink服务名称？"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

Delete an unused filter

删除未使用的过滤器

Prompt: "Remove the old staging IP filter."

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run

提示： "移除旧的预发布环境IP过滤器。"

bash

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run

Review what would be deleted, then confirm:

查看将被删除的内容，然后确认：

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

undefined

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

undefined

Guidelines

指南

If
```
EC_API_KEY
```
is not set, do not prompt the user — instruct the agent to invoke cloud-setup first.
Always confirm destructive actions (delete filter) with the user before executing.
Filters are region-scoped: a filter created in
```
us-east-1
```
can only be associated with projects in that region.
Filter hygiene — reuse, scope, and clean up:
- Before creating a filter, always run
```
list-filters
```
  and check whether an existing filter for the same purpose already has the required source rules. Filters can be associated with multiple projects, so one filter with the right rules is better than duplicates.
- Duplicate filters means filters for the same purpose with identical source rules — not merely overlapping IPs. Two filters covering different project groups with the same CIDR are legitimate.
- Review unused filters periodically. If a filter is no longer associated with any project, prompt the user to delete it to reduce clutter.
Updating rules replaces the entire rule set. When adding a rule using PATCH, include all existing rules plus the new one. Omitting an existing rule removes it.
Deleting a filter fails if it is still associated with a project. Disassociate first using cloud-manage-project (PATCH the project with the filter removed from the
```
traffic_filters
```
list), then delete.
```
include_by_default
```
automatically associates the filter with all new projects in the region. Use with caution — it affects every future project.
For project association and disassociation, delegate to the cloud-manage-project skill. This skill manages filter definitions only.
For identity and access management (users, roles, API keys), see cloud-access-management.
For Elasticsearch-level security (native users, role mappings, DLS/FLS), see elasticsearch-authz.

如果未设置
```
EC_API_KEY
```
，不要提示用户——请指示代理先调用cloud-setup。
执行破坏性操作（删除过滤器）前，务必与用户确认。
过滤器是区域级别的：在
```
us-east-1
```
创建的过滤器只能与该区域的项目关联。
过滤器规范——复用、范围和清理：
- 创建过滤器前，务必运行
```
list-filters
```
  并检查是否已有针对相同用途的过滤器包含所需的源规则。过滤器可与多个项目关联，因此一个包含正确规则的过滤器优于重复项。
- 重复过滤器指的是针对相同用途且源规则完全相同的过滤器——并非只是IP重叠。为不同项目组配置相同CIDR的两个过滤器是合理的。
- 定期检查未使用的过滤器。如果某个过滤器不再与任何项目关联，请提示用户删除它以减少混乱。
更新规则会替换整个规则集。使用PATCH添加规则时，需包含所有现有规则和新规则。省略现有规则会将其移除。
如果过滤器仍与项目关联，删除操作会失败。请先使用cloud-manage-project解除关联（通过PATCH项目，从
```
traffic_filters
```
列表中移除该过滤器），然后再删除。
```
include_by_default
```
会自动将过滤器与该区域的所有新项目关联。请谨慎使用——它会影响所有未来创建的项目。
项目关联和解除关联操作，请委托给cloud-manage-project技能。本技能仅管理过滤器定义。
有关身份与访问管理（用户、角色、API密钥），请查看cloud-access-management。
有关Elasticsearch级别的安全（原生用户、角色映射、DLS/FLS），请查看elasticsearch-authz。