In Security Center, host and container security quotas refer to the number of servers and compute cores that are protected by your subscription instance. For pay-as-you-go instances, quotas refer to the number of servers that are bound to a paid protection level. You can bind a protection edition or level to a server to enable the corresponding security features. This topic describes how to manage protection editions and levels for subscription and pay-as-you-go instances of Security Center.
Subscription instances
Edition guide
To protect hosts and containers in different scenarios, Security Center provides the following editions:
Edition | Description | Fee |
Basic | Provides only basic security detection, such as identifying unusual server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It lacks active protection features. | Free |
Anti-virus | Detects and removes common viruses on your hosts. | USD 1 per core per month |
Advanced | Provides host virus detection and removal, vulnerability detection and fixing, and security reports. | USD 9.5 per server per month |
Enterprise | Meets host security requirements for intrusion prevention, identity authentication, and security audit. | USD 23.5 per server per month |
Ultimate | Provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. Capabilities include K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. | USD 23.5 per server per month + USD 1 per core per month |
For more information about the features and billing rules of different editions, see Features and Billing overview.
Prerequisites
You have purchased a subscription to the Anti-virus, Advanced, Enterprise, or Ultimate edition of Security Center. For more information, see Purchase Security Center.
You have onboarded a server to Security Center. For more information, see Install the Security Center agent.
Usage notes
Edition limits
For a subscription instance, you can purchase only one edition at a time. After you purchase a subscription, you can bind only that edition to your servers.
Default binding rules
Automatic binding: If you subscribe to the Anti-virus, Advanced, Enterprise, or Ultimate Edition of Security Center but do not perform a custom on-demand binding, the system automatically and randomly binds an edition to available servers to prevent your subscribed resources from remaining idle. You can remove these bindings in batches at any time.
LINGJUN, Container Service for Kubernetes (ACK), and added self-managed clusters:
If your Security Center edition is Ultimate Edition, the Ultimate Edition is bound by default and cannot be changed.
If your Security Center edition is Anti-virus, Advanced, or Enterprise, the Basic Edition is bound by default and cannot be changed.
Security Center trial edition: The trial edition provides full protection and is bound to all servers by default. This setting cannot be changed.
Container binding limits
Assets that run container services can be bound only to the Ultimate Edition quota. You cannot bind quotas from the Anti-virus, Advanced, or Enterprise Edition. The following asset types can be bound only to the Ultimate Edition:
Intelligent Computing LINGJUN assets
On the page, on the Servers tab, set the Server Type filter to LINGJUN GPU-accelerated Bare Metal Instance to view the list of LINGJUN assets for your account.
ACK assets
Self-managed Kubernetes cluster assets connected to Security Center
If your container asset is not in the preceding list but is added to Security Center and bound to the Enterprise Edition, the asset can use only the security features of the Enterprise Edition. This means that container runtime security detection and protection are not supported.
Edition change limits
In the following two cases, you must use the paid edition for at least 30 days before downgrading to the Basic Edition.
Quotas that are automatically bound based on the default binding rules are not subject to this time limit when you downgrade to the Basic Edition for the first time.
Servers that are manually bound to a paid edition.
Servers to which a paid edition is automatically bound when they are added.
Automatic quota revocation
Security Center automatically revokes quotas in the following scenarios:
An Elastic Compute Service (ECS) instance is released.
A server on a third-party cloud is unbound from the Security Center console.
A server that is not deployed on Alibaba Cloud is automatically removed by a scheduled cleanup rule.
If you manually uninstall the Security Center agent from a server, the asset status on the Host page changes to Agent Offline. In this case, Security Center does not automatically revoke the quota.
Description of the entry point for managing quotas
If Manage is displayed next to Protected Servers in the Subscription section of the Overview page in the Security Center console, your Alibaba Cloud account is in on-demand protection mode and you can manage quotas.
If the quota management entry point is not displayed in the Security Center console, your account is in full protection mode.
NoteIn full protection mode, quotas are attached to all servers in Security Center by default.
Security Center no longer supports full protection mode. We recommend that you manually switch to on-demand protection mode. For more information, see Switch from Full Protection Mode to On-demand Protection Mode.
Manage protection editions for servers
You can bind a protection edition to a server in Security Center to enable security protection for that server. You can view information about the server on the Host page. If you have available quotas, you can bind a paid edition to a server that is using the Basic Edition. You can downgrade to the Basic Edition only after the server has been bound to a paid edition for at least 30 days.
Log on to the Security Center console.
In the navigation pane on the left, click Overview.
In the Subscription section, click Quota Management next to Protected Servers.
You can also go to the page and click Manage in the Remaining Quota section.
In the Quota Management dialog box, select the region where the server is located, select an edition for the server, and then click View Change Details. After you confirm that the edition is correct, click OK.
To automatically bind a protection edition to new servers, select Automatically Add New Servers to Security Center.
NoteAfter you select Automatically Add New Servers to Security Center, new Intelligent Computing LINGJUN, ACK, or self-managed cluster assets are automatically bound to the Ultimate Edition if you purchased it. If you purchased any other edition, these new assets are automatically bound to the Basic Edition.
Pay-as-you-go instances
Protection levels
Protection level | Description | Monthly fee (30-day reference price) |
Unprotected | Provides only basic security detection, such as identifying unusual server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It does not include active protection features. | Free |
Antivirus | Detects and removes common viruses on your hosts. | 1.5 USD/core/month |
Advanced | New purchases and changes are no longer supported. | USD 14.25/instance/month |
Host Protection | Meets host security requirements for intrusion prevention, identity authentication, and security audit. | USD 35.25/host/month |
Hosts and Container Protection | Provides full-stack security for hosts, containers, and Intelligent Computing LINGJUN servers. Capabilities include K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. | USD 35.25/instance/month+USD 1.5/core/month |
Prerequisites
You have enabled the pay-as-you-go feature for host and container security. For more information, see Purchase Security Center.
You have added a server to Security Center. For more information, see Install the Security Center agent.
Usage notes
After you enable pay-as-you-go for host and container security, you can bind any protection level to your servers at any time. Security Center calculates fees based on the number of servers that are bound to each level and the actual protection duration. The duration is measured in seconds and is calculated only when the agent status is Online. Bills are settled daily. For more information, see Billing overview.
If you do not configure Custom Quota Binding when you enable pay-as-you-go, Security Center automatically binds a protection level to all servers in your Alibaba Cloud account: Host Protection or Host and Container Protection.
ImportantServer assets that run container environments, such as Alibaba Cloud ACK cluster nodes, Intelligent Computing LINGJUN, and servers added to self-managed Kubernetes (K8s) clusters, are automatically bound to Host and Container Protection. All other assets are automatically bound to Host Protection.
To ensure that risks on assets that are added to Security Center are comprehensively monitored, you can bind only the Host and Container Protection level to assets that run container services. You cannot bind other protection levels. This applies to the following container assets:
Intelligent Computing LINGJUN assets
NoteOn the page, on the Servers tab, set the Server Type filter to LINGJUN GPU-accelerated Bare Metal Instance to view the list of LINGJUN assets for your account.
ACK assets
Self-managed Kubernetes cluster assets connected to Security Center
If your container asset is not on the preceding list but is added to Security Center and bound to a protection level, it can only use the security capabilities provided by Host Protection. Container runtime security detection and protection are not supported.
Manage protection levels for servers
You can bind a protection level to a server in Security Center to enable security protection for that server. You can view information about the server on the Host page.
Log on to the Security Center console.
In the navigation pane on the left, click Overview.
In the Pay-as-you-go section, click Quota Management next to Host and Container Security.
You can also go to the page and click Quota Management.
In the Quota Management dialog box, select the region where the server is located, and select a protection level for the server.
In the Automatically Add New Servers to Security Center section, select the protection level that you want to automatically bind to new servers.
NoteFor LINGJUN, ACK, and self-managed cluster assets connected to Security Center, the Host and Container Protection level is attached to these assets only if you select Host and Container Protection from the Automatically Add New Servers to Security Center section. If you select a protection level other than Host and Container Protection, the Unprotected level is attached to the assets.
Click View Change Details, verify that the updated protection level is correct, and then click OK.
View the protection editions of servers
Log on to the Security Center console.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets are deployed: Chinese Mainland or Outside Chinese Mainland.
On the Host page, on the Server tab, view the edition in the Binding Status or Protection Level column for the target server.
Subscription instances:
Anti-virus, Advanced, Enterprise, or Ultimate Edition: The server is bound to a paid protection edition and is protected by the features of that edition.
Basic Edition: The server is not bound to a paid protection edition. It uses the security detection features of the Basic Edition and is in an unprotected state. For more information, see Security Center Basic Edition Overview.
Pay-as-you-go instances:
Anti-virus, Host Protection, Host and Container Protection, or Advanced Edition: The server is bound to a paid protection level and is protected by the security features of that level.
Unprotected: The server is not bound to a paid protection level. It uses the free detection features provided by Security Center and is in an unprotected state. For more information, see Security Center Basic Edition Overview.
What to do next
After you bind a protection edition or level, you can configure host and container protection settings. For more information, see Host protection settings.
References
If you have too few or too many quotas, you can upgrade or downgrade your Security Center instance to adjust the number of quotas. For more information, see Upgrade and downgrade.
If you want to reduce or increase quotas for the next billing cycle, you can change the specifications when you renew. For more information, see Renewal policy.
To view the bills for pay-as-you-go services, see View bill details.