
Security Profiles


A security profile is a policy that can contain ingress and egress rules. It can be dynamically attached to a CloudCenter deployment based on the specified tag rules, which lets you configure security on the cloud.

Security profiles can be associated with System Tags so that, in Governance mode, the security profile is automatically selected and attached.

You need to configure security profiles at the tenant level.

Add Security Profiles

The Security Profile link in the CCM UI (Admin > Security Profiles) enables you to automatically assign run time policies, deployment environment, and firewall rule sets based on System Tags.

Associate Security Profiles

When you add a new Security Profile in the Security Profiles page, you can associate this profile with one or more System Tags.

To associate the security profile with a system tag, follow this procedure.

  1. Click the Associate Profiles link for the corresponding system profile.
  2. In the tag associate popup for the selected security profile, specify any or all of the tags (configured using System Tags) that you need to associate (match). In the following image, the JavaApp profile is associated with the Doc system tag.

Administrative Tasks

The Security Profiles tab enables administrators to:

  • Define a set of system tags to define policies.
  • Create a security profile and add a list of rules. The sources and destinations of these rules can be IP CIDRs or other security profiles.
  • Define a security policy using a set of system tags (defined as part of tag-based Governance) and a profile, and apply the security policy to an application profile when modeling the application.
  • Add tags during the profile creation process. When deploying a profile, end users cannot mute these tags. Instead, users can add their own tags to each tier.

During the deployment process, all security profiles are applied to the application tier based on the matching tag rules.

Updating/Deleting Security Profiles


You cannot delete a security profile if the CCO is down or not reachable.

You can successfully add security policy tags at the application level after the deployment and apply them to the native cloud portal. However, when you remove the security tag at the application level, the tag is removed from the CCM UI but not from the native cloud portal.

When updating a job, CloudCenter merely removes the association of the instance to the security profile; CloudCenter does not delete the security profile. If required, you can manually delete the security profile (as long as it does not have any running job associated) from the Security Profile page so that it is also deleted in the cloud provider console.

For example, if Job1 is deployed with SecurityGroup1, then when the job is deployed, Instance1 comes up and the CloudCenter platform associates Instance1 with SecurityGroup1. At this point, users performing the following actions see the corresponding consequence identified in the following table:

| Action Performed by a Permitted User | Resulting Consequence |
|---|---|
| Remove the tag from Job1 | Instance1 cannot display the attached SecurityGroup1 even if it still exists in the cloud (and consequently still displays in the Security Profile page) |
| Update the security profile on the Security Profile page | The rules are propagated to all cloud providers |
| Delete SecurityGroup1 from the Security Profile page | It is deleted from all the cloud providers that used SecurityGroup1 |


You can only delete a Security Group if it is not attached to any running job in any cloud.
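
One way to audit for the mismatch described above, where a tag removed in the CCM UI can remain in the native cloud portal and a profile outlives its job association. This is an added example, not CloudCenter code: the structures and names (CCM_VIEW, CLOUD_VIEW, PROFILE_PAGE, find_drift) are assumptions, and the inventories are constructed sample data standing in for exports from the CCM and the cloud console.

```python
# Constructed sample data. Field names are assumptions for this example,
# not a CloudCenter or cloud-provider schema.
CCM_VIEW = {
    # Tag removed from Job1 in the CCM UI, so CCM shows no profile for it.
    "Job1": {"instance": "Instance1", "profiles": set()},
    "Job2": {"instance": "Instance2", "profiles": {"SecurityGroup2"}},
}
CLOUD_VIEW = {
    # What the native cloud portal reports as attached to each instance.
    "Instance1": {"SecurityGroup1"},
    "Instance2": {"SecurityGroup2"},
}
# Profiles listed on the Security Profile page.
PROFILE_PAGE = {"SecurityGroup1", "SecurityGroup2", "SecurityGroup3"}


def find_drift(ccm_view, cloud_view, profile_page):
    """Compare the CCM view with the cloud view.

    Returns (stale, unused):
      stale  - (job, instance, group) for groups the cloud still shows on an
               instance although CCM no longer lists them for the job.
      unused - profiles that neither view shows attached to a running job,
               i.e. candidates for manual deletion.
    """
    stale, in_use = [], set()
    for job, info in sorted(ccm_view.items()):
        expected = set(info["profiles"])
        actual = set(cloud_view.get(info["instance"], set()))
        # Treat a group as in use if either side still shows it attached.
        in_use |= expected | actual
        for group in sorted(actual - expected):
            stale.append((job, info["instance"], group))
    return stale, sorted(profile_page - in_use)


if __name__ == "__main__":
    stale, unused = find_drift(CCM_VIEW, CLOUD_VIEW, PROFILE_PAGE)
    for job, instance, group in stale:
        print(f"STALE: {group} still on {instance} (job {job}) in the cloud")
    for profile in unused:
        print(f"UNUSED: {profile} has no running job in either view")
```

A stale entry means firewall rules are still in effect on the instance even though the CCM UI no longer shows them, so it should be reviewed in the cloud provider console.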

When you try to delete a security profile, the CloudCenter platform also deletes the firewall rules on all the configured CCOs. If, for any reason, one of the configured CCOs is down or not reachable, the CloudCenter platform deletes the firewall rules on the other CCOs and alerts the user that the firewall rules were not deleted on that CCO.

Azure Cloud Nuances


Due to the Azure limitation on the number of Security Groups, the Azure security group lifecycle is tied to an instance: the security group is created when you create an instance and is deleted when you delete the instance.


