Elastic Cloud 云网络安全策略管理：IP过滤器与VPC过滤器配置指南

cloud-network-security by elastic/agent-skills

187 周安装量

293 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/elastic/agent-skills --skill cloud-network-security

云服务开发运维安全

🇨🇳中文介绍

云网络安全

管理 Elastic Cloud Serverless 项目的网络安全策略：IP 过滤器用于将特定 IP 或 CIDR 加入允许列表，VPC 过滤器（AWS PrivateLink）用于将流量限制在特定的 VPC 端点。

前提条件： 此技能假设 cloud-setup 技能已运行 —— EC_API_KEY 已在环境中设置且组织上下文已建立。如果缺少 EC_API_KEY，请指示代理先调用 cloud-setup。请勿直接向用户索要 API 密钥。

关于项目创建和日常运维（包括将过滤器与项目关联），请参阅 cloud-create-project 和 cloud-manage-project。关于身份和访问管理（用户、角色、API 密钥），请参阅 cloud-access-management。

有关详细的 API 端点和请求模式，请参阅 references/api-reference.md。

术语

此技能使用 网络安全 作为总称，与 Elastic Cloud UI 的方向保持一致。底层 API 使用 流量过滤器 —— 您将在端点路径中看到 traffic-filters，在 JSON 字段中看到 traffic_filters。当用户或代理说“流量过滤器”时，其含义与“网络安全策略”相同。两种过滤器类型是 IP 过滤器（类型）和（类型）。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

项目	描述
EC_API_KEY	云 API 密钥（由 cloud-setup 设置）。所有操作都需要。
区域	过滤器是按区域划分的。用户创建过滤器时必须指定目标区域。
项目 ID	仅在将过滤器与项目关联时需要（由 cloud-manage-project 处理）。

分解网络安全请求

当用户用自然语言描述网络安全需求时（例如，“将我的搜索项目限制为仅允许办公室 IP 访问”），在执行之前将请求分解为离散的任务。

步骤 1 — 识别组件

组件	需要回答的问题
过滤器类型	IP 过滤器（公共 IP/CIDR）还是 VPC 过滤器（AWS PrivateLink 端点）？
区域	目标项目位于哪个 AWS 区域？
规则	应允许哪些源 IP、CIDR 或 VPC 端点 ID？
作用范围	默认应用于所有新项目，还是仅应用于特定项目？
项目	此过滤器应关联到哪些现有项目？

步骤 2 — 检查现有状态

在创建新过滤器之前，检查已存在的内容：

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

过滤器管理： 如果现有过滤器已经覆盖了相同目的的相同源规则，请重用该过滤器，而不是创建重复项。过滤器是按区域划分的，可以与多个项目关联，因此一个具有正确规则的过滤器可以为许多项目服务。当两个具有相同源规则的过滤器服务于不同目的时（例如，不同团队管理自己的策略），这是可以的，但为相同目的创建第二个过滤器是不必要的。

步骤 3 — 创建过滤器

从 skills/cloud/network-security/scripts/cloud_network_security.py 运行相应的命令。

步骤 4 — 与项目关联

过滤器关联使用项目 PATCH 端点进行管理。使用 cloud-manage-project 来关联或取消关联过滤器：

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

更新关联时，提供过滤器 ID 的完整列表。列表中未包含的任何过滤器都将从项目中取消关联。

执行后，再次列出过滤器或 GET 项目以确认更改生效。

IP 过滤器与 VPC 过滤器

方面	IP 过滤器 (`ip`)	VPC 过滤器 (`vpce`)
目的	将公共 IP 地址或 CIDR 块加入允许列表	将流量限制在特定的 AWS VPC 端点 ID
用例	办公室 IP、CI/CD 运行器、合作伙伴访问	无需暴露于公共互联网的私有连接
源格式	IP 地址或 CIDR（例如，`203.0.113.0/24`）	AWS VPC 端点 ID（例如，`vpce-0abc123def456`）
网络路径	公共互联网	AWS PrivateLink（私有，不离开 AWS 网络）
前提条件	无	首先需要在 AWS 控制台中创建 VPC 端点和 DNS 记录

关键概念： AWS 中的私有连接在 Elastic Cloud 中默认被接受。创建 VPC 过滤器仅用于限制流量到特定的 VPC 端点 ID。如果只需要私有连接（无需过滤），请在 AWS 中创建 VPC 端点和 DNS 记录 —— Elastic Cloud 端不需要过滤器。

将办公室 IP 范围加入允许列表

提示： “仅允许来自我们办公室网络 203.0.113.0/24 的流量访问 us-east-1 中的项目。”

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

然后使用 cloud-manage-project 将过滤器与特定项目关联。

将流量限制到 VPC 端点

提示： “将我的可观测性项目锁定为仅接受来自我们 VPC 端点的流量。”

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

列出区域中的所有过滤器

提示： “显示 eu-west-1 中的所有网络安全策略。”

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

更新过滤器以添加新 IP

提示： “将 VPN IP 198.51.100.5 添加到我们现有的办公室过滤器。”

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345
# 查看当前规则，然后使用完整的规则集进行更新：
python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter \
  --filter-id tf-12345 \
  --body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'

查找区域的 PrivateLink 元数据

提示： “我需要 us-east-1 的什么 PrivateLink 服务名称？”

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

删除未使用的过滤器

提示： “移除旧的暂存 IP 过滤器。”

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run
# 查看将要删除的内容，然后确认：
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

如果未设置 EC_API_KEY，不要提示用户 —— 指示代理先调用 cloud-setup。
在执行破坏性操作（删除过滤器）之前，始终与用户确认。
过滤器是按区域划分的：在 us-east-1 创建的过滤器只能与该区域中的项目关联。
过滤器管理 —— 重用、划分范围和清理：
- 在创建过滤器之前，始终运行 list-filters 并检查是否已存在用于相同目的且具有所需源规则的过滤器。过滤器可以与多个项目关联，因此一个具有正确规则的过滤器优于重复项。
- 重复过滤器指的是用于相同目的且具有相同源规则的过滤器 —— 不仅仅是 IP 重叠。两个覆盖不同项目组但使用相同 CIDR 的过滤器是合理的。
- 定期审查未使用的过滤器。如果某个过滤器不再与任何项目关联，提示用户删除它以减少混乱。
更新规则会替换整个规则集。 使用 PATCH 添加规则时，请包含所有现有规则加上新规则。省略现有规则会将其移除。
如果过滤器仍与项目关联，删除操作将失败。 首先使用 cloud-manage-project 取消关联（通过 PATCH 项目，从 traffic_filters 列表中移除该过滤器），然后再删除。
include_by_default 会自动将该过滤器与该区域中所有新项目关联。请谨慎使用 —— 它会影响未来的每个项目。
对于项目的关联和取消关联，请委托给 cloud-manage-project 技能。此技能仅管理过滤器定义。
关于身份和访问管理（用户、角色、API 密钥），请参阅 cloud-access-management。
关于 Elasticsearch 级别的安全性（原生用户、角色映射、DLS/FLS），请参阅 elasticsearch-authz。

🇺🇸English

Cloud Network Security

Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs, and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.

Prerequisite: This skill assumes the cloud-setup skill has already run — EC_API_KEY is set in the environment and the organization context is established. If EC_API_KEY is missing, instruct the agent to invoke cloud-setup first. Do NOT prompt the user for an API key directly.

For project creation and day-2 operations (including associating filters with projects), see cloud-create-project and cloud-manage-project. For identity and access management (users, roles, API keys), see cloud-access-management.

For detailed API endpoints and request schemas, see references/api-reference.md.

Terminology

This skill uses network security as the umbrella term, aligned with the Elastic Cloud UI direction. The underlying API uses traffic filters — you will see traffic-filters in endpoint paths and traffic_filters in JSON fields. When a user or agent says "traffic filter," they mean the same thing as "network security policy." The two filter types are IP filters (type ip) and VPC filters (type vpce).

Jobs to Be Done

Create an IP filter to restrict ingress to specific IPs or CIDR blocks
Create a VPC filter (AWS PrivateLink) to restrict traffic to specific VPC endpoint IDs
List, inspect, update, and delete network security policies
Look up PrivateLink region metadata (service names, domain names, availability zones)
Associate or disassociate filters with Serverless projects (delegates to cloud-manage-project)
Audit the current network security posture for an organization

Prerequisites

Item	Description
EC_API_KEY	Cloud API key (set by cloud-setup). Required for all operations.
Region	Filters are region-scoped. The user must specify the target region when creating filters.
Project IDs	Required only when associating filters with projects (handled by cloud-manage-project).

Run python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters to verify that EC_API_KEY is valid before proceeding with any operation.

Decomposing Network Security Requests

When the user describes a network security need in natural language (for example, "restrict my search project to our office IP"), break the request into discrete tasks before executing.

Step 1 — Identify the components

Component	Question to answer
Filter type	IP filter (public IPs/CIDRs) or VPC filter (AWS PrivateLink endpoint)?
Region	Which AWS region are the target projects in?
Rules	What source IPs, CIDRs, or VPC endpoint IDs should be allowed?
Scope	Apply to all new projects by default, or specific projects only?
Projects	Which existing projects should this filter be associated with?

Step 2 — Check existing state

Before creating a new filter, check what already exists:

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

Filter hygiene: If an existing filter already covers the same source rules for the same purpose , reuse it instead of creating a duplicate. Filters are region-scoped and can be associated with multiple projects, so a single filter with the right rules serves many projects. Two filters with identical source rules are fine when they serve different purposes (for example, different teams managing their own policies), but creating a second filter for the same purpose is unnecessary.

Step 3 — Create the filter

Run the appropriate command from skills/cloud/network-security/scripts/cloud_network_security.py.

Step 4 — Associate with projects

Filter association is managed using the project PATCH endpoint. Use cloud-manage-project to associate or disassociate filters:

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

When updating associations, provide the complete list of filter IDs. Any filter not included in the list is disassociated from the project.

Step 5 — Verify

After execution, list filters again or GET the project to confirm the change took effect.

IP Filters versus VPC Filters

Aspect	IP Filter (`ip`)	VPC Filter (`vpce`)
Purpose	Allowlist public IP addresses or CIDR blocks	Restrict traffic to specific AWS VPC endpoint IDs
Use case	Office IPs, CI/CD runners, partner access	Private connectivity without public internet exposure
Source format	IP address or CIDR (for example, `203.0.113.0/24`)	AWS VPC endpoint ID (for example, `vpce-0abc123def456`)
Network path	Public internet	AWS PrivateLink (private, never leaves AWS network)

Key concept: Private connectivity in AWS is accepted by default in Elastic Cloud. Creating a VPC filter is only needed to restrict traffic to specific VPC endpoint IDs. If you only need private connectivity (without filtering), create the VPC endpoint and DNS record in AWS — no filter is needed on the Elastic Cloud side.

Examples

Allowlist an office IP range

Prompt: "Only allow traffic from our office network 203.0.113.0/24 to projects in us-east-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

Then associate the filter with specific projects using cloud-manage-project.

Restrict traffic to a VPC endpoint

Prompt: "Lock down my observability project to only accept traffic from our VPC endpoint."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

List all filters in a region

Prompt: "Show me all network security policies in eu-west-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

Update a filter to add a new IP

Prompt: "Add the VPN IP 198.51.100.5 to our existing office filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345
# Review current rules, then update with the complete rule set:
python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter \
  --filter-id tf-12345 \
  --body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'

Look up PrivateLink metadata for a region

Prompt: "What PrivateLink service name do I need for us-east-1?"

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

Delete an unused filter

Prompt: "Remove the old staging IP filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run
# Review what would be deleted, then confirm:
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

Guidelines

If EC_API_KEY is not set, do not prompt the user — instruct the agent to invoke cloud-setup first.
Always confirm destructive actions (delete filter) with the user before executing.
Filters are region-scoped : a filter created in us-east-1 can only be associated with projects in that region.
Filter hygiene — reuse, scope, and clean up:
- Before creating a filter, always run list-filters and check whether an existing filter for the same purpose already has the required source rules. Filters can be associated with multiple projects, so one filter with the right rules is better than duplicates.
- Duplicate filters means filters for the same purpose with identical source rules — not merely overlapping IPs. Two filters covering different project groups with the same CIDR are legitimate.
- Review unused filters periodically. If a filter is no longer associated with any project, prompt the user to delete it to reduce clutter.
Updating rules replaces the entire rule set. When adding a rule using PATCH, include all existing rules plus the new one. Omitting an existing rule removes it.
Deleting a filter fails if it is still associated with a project. Disassociate first using cloud-manage-project (PATCH the project with the filter removed from the traffic_filters list), then delete.

Weekly Installs

113

Repository

elastic/agent-skills

GitHub Stars

First Seen

11 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

cursor102

github-copilot96

opencode95

gemini-cli95

codex95

amp95

include_by_default automatically associates the filter with all new projects in the region. Use with caution — it affects every future project.

For project association and disassociation, delegate to the cloud-manage-project skill. This skill manages filter definitions only.

For identity and access management (users, roles, API keys), see cloud-access-management.

For Elasticsearch-level security (native users, role mappings, DLS/FLS), see elasticsearch-authz.