RECOMMEND_NETWORK_POLICY
Generates a recommended allow list for an ingress network policy based on successful access within a specified lookback window.
This stored procedure is intended as a starting point if you do not currently have a network policy or want to redesign an existing one.
The procedure analyzes successful ingress requests, consolidates individual IP addresses into CIDR blocks, and returns readable SQL that an administrator can review, refine, and execute.
Syntax
Arguments
Required:
LOOKBACK_DAYS => 'integer'
The number of days of successful ingress access to analyze.
Optional:
USER_NAME => 'string'
Filters the recommendation to include only traffic from the specified user.
Default: None (includes all users in the account).
Returns
Returns readable text containing sample SQL statements. The output includes the following information:
- A summary of the number of distinct IP addresses analyzed and the number of CIDR blocks generated.
- A sample CREATE OR REPLACE NETWORK RULE statement for the ingress network rule.
- A sample CREATE OR REPLACE NETWORK POLICY statement for a network policy that references that rule.
Access control requirements
A user must have at least the SECURITYADMIN role to run this stored procedure.
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Usage notes
- The procedure is read-only with respect to account configuration. It does not create or modify any network rules or policies.
- Recommendations are based only on historical successful ingress. Blocked or failed access is not recommended for allow-listing.
- This procedure can’t determine which IP addresses are correct or safe for your organization. You must validate results with your IT and security teams before executing the generated SQL.
- The SQL is provided as text to support a copy-and-paste workflow.
- The output can vary depending on traffic volume and the lookback window.
- The USER_NAME filter is optional. When omitted, the recommendation covers all users in the account.
- The procedure enforces a hard limit of 1,000 CIDR blocks. If the recommendation exceeds this limit, the procedure returns an error. To stay within the limit, try a shorter lookback window or filter by user.
- The generated recommendation uses TYPE = IPV4 network rules. If your account receives IPv6 ingress traffic, you may need to create additional network rules with TYPE = IPV6 to cover IPv6 addresses. For more information, see Network rules.
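To make the documented behaviour concrete, the following added Python model (not Snowflake's implementation and not code from this page) reproduces the steps described above over a constructed set of ingress events: keep only successful access inside the lookback window, optionally filter by user, drop IPv6 addresses (which need a separate TYPE = IPV6 rule), collapse the remaining IPv4 addresses into CIDR blocks, enforce the 1,000-block hard limit, and render the NETWORK RULE / NETWORK POLICY text an administrator would then review. The rule and policy names are placeholders.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class IngressEvent(NamedTuple):
    user_name: str
    client_ip: str
    is_success: bool
    event_time: datetime


# Constructed sample ingress history (not real login data).
NOW = datetime(2024, 6, 30, 12, 0, 0)
SAMPLE_EVENTS = [
    IngressEvent("ALICE", "192.0.2.0", True, NOW - timedelta(days=1)),
    IngressEvent("ALICE", "192.0.2.1", True, NOW - timedelta(days=2)),
    IngressEvent("ALICE", "192.0.2.1", True, NOW - timedelta(days=3)),     # duplicate IP
    IngressEvent("BOB", "198.51.100.7", True, NOW - timedelta(hours=5)),
    IngressEvent("BOB", "203.0.113.9", False, NOW - timedelta(hours=1)),   # failed: never allow-listed
    IngressEvent("CAROL", "203.0.113.200", True, NOW - timedelta(days=45)),  # outside a 30-day window
    IngressEvent("CAROL", "2001:db8::1", True, NOW - timedelta(days=1)),     # IPv6: needs a TYPE = IPV6 rule
]


def recommend_network_policy(events, lookback_days, user_name: Optional[str] = None,
                             now: datetime = NOW, max_blocks: int = 1000):
    """Model of the documented steps: successful ingress in the window -> IPv4 CIDRs -> SQL text."""
    cutoff = now - timedelta(days=lookback_days)
    ips = {e.client_ip for e in events
           if e.is_success and e.event_time >= cutoff
           and (user_name is None or e.user_name == user_name)}
    nets = [ipaddress.ip_network(ip) for ip in ips]          # each single IP becomes a /32 or /128
    ipv4 = [n for n in nets if n.version == 4]                # the recommendation is IPv4-only
    blocks = list(ipaddress.collapse_addresses(ipv4))        # merge adjacent addresses into CIDR blocks
    if len(blocks) > max_blocks:                              # hard limit described in the usage notes
        raise ValueError(f"{len(blocks)} CIDR blocks exceeds the limit of {max_blocks}; "
                         "use a shorter lookback window or filter by user")
    values = ", ".join(f"'{b.with_prefixlen if b.prefixlen < 32 else b.network_address}'" for b in blocks)
    sql = (f"-- {len(ipv4)} distinct IPv4 addresses analyzed, {len(blocks)} CIDR blocks generated\n"
           "CREATE OR REPLACE NETWORK RULE recommended_ingress_rule\n"   # placeholder name
           "  TYPE = IPV4 MODE = INGRESS\n"
           f"  VALUE_LIST = ({values});\n"
           "CREATE OR REPLACE NETWORK POLICY recommended_policy\n"       # placeholder name
           "  ALLOWED_NETWORK_RULE_LIST = ('recommended_ingress_rule');")
    return {"distinct_ipv4": len(ipv4), "blocks": [str(b) for b in blocks],
            "skipped_ipv6": len(nets) - len(ipv4), "sql": sql}
```

Running `recommend_network_policy(SAMPLE_EVENTS, 30)` shows the failed attempt, the out-of-window address and the IPv6 address all left out, and the two adjacent addresses 192.0.2.0 and 192.0.2.1 merged into 192.0.2.0/31.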
Examples
Generate a recommended network policy based on the past 1 day of traffic for a specific user:
Generate a recommended network policy based on the past 30 days of traffic for all users: