"App port from web tier",
rule_action: "allow",
status: "active",
created_at: datetime(),
updated_at: datetime()
});
// Database Security Group Rules
// Inbound MySQL (tcp/3306) into the DB tier. The source is the app tier's
// security group, not a CIDR, so the model scopes DB access to members of
// sg-app67890 only (least privilege between tiers).
CREATE (rule5:SecurityRule {
    id:          "rule-db-from-app",
    description: "MySQL from app tier",
    rule_action: "allow",
    status:      "active",
    direction:   "inbound",
    protocol:    "tcp",
    port_range:  "3306",
    source_type: "security_group",
    source:      "sg-app67890",
    created_at:  datetime(),
    updated_at:  datetime()
});
// 8.6 VPC Endpoints
// NOTE(review): `tag` is a nested map. Neo4j rejects map-valued properties
// (only primitives and arrays of them are allowed), so this CREATE would fail
// there; engines that allow map properties accept it. Confirm the target
// engine, or flatten to tag_service_type / tag_environment. The same applies
// to endpoint_ec2 below.
CREATE (endpoint_s3:VPCEndpoint {
    id:               "vpce-s3-12345",
    name:             "s3-gateway-endpoint",
    type:             "Gateway",
    service:          "com.amazonaws.cn-north-1.s3",
    status:           "available",
    associations_vpc: "vpc-12345678",
    // A null value in CREATE is not stored, so this key will not exist on the
    // node at all; readers must test for absence (IS NULL), not for a "null" value.
    associations_subnet: null, // Gateway endpoints are bound to route tables, not to a subnet
    route_table_ids:  ["rtb-private-456"],
    tag: {
        service_type: "storage",
        environment:  "production"
    },
    created_at:       datetime(),
    updated_at:       datetime()
});
// Interface endpoint: an ENI placed in a subnet and guarded by its own security groups.
// NOTE(review): security_group_ids is a plain string list; in the visible part of
// this script no relationship links the endpoint to a SecurityGroup node for
// "sg-endpoint-456", so exposure queries that walk HAS_RULE / BELONGS_TO_VPC
// edges cannot see which rules guard this endpoint. Consider linking it the same
// way the tier security groups are linked — confirm whether that is done elsewhere.
CREATE (endpoint_ec2:VPCEndpoint {
    id:                    "vpce-ec2-67890",
    name:                  "ec2-interface-endpoint",
    type:                  "Interface",
    service:               "com.amazonaws.cn-north-1.ec2",
    status:                "available",
    associations_vpc:      "vpc-12345678",
    associations_subnet:   ["subnet-def67890"], // Interface endpoints live in a subnet
    network_interface_ids: ["eni-endpoint-123"],
    security_group_ids:    ["sg-endpoint-456"],
    tag: {
        service_type: "compute",
        environment:  "production"
    },
    created_at:            datetime(),
    updated_at:            datetime()
});
// ==========================================
// 9. Relationships between advanced network components
// ==========================================
// EIP polymorphic association with several resource types (a generic
// ASSOCIATED_WITH edge carrying resource_type).
// Each MATCH + CREATE here is its own statement: if either node is missing
// (e.g. an id typo), MATCH yields no rows and the CREATE silently does nothing.
// In a security model a missing edge reads as "not associated", so verify
// relationship counts after loading rather than trusting a clean run.
MATCH (eip:EIP {allocation_id: "eipalloc-12345abc"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (nat)-[:USES_EIP]->(eip),
       (eip)-[:ASSOCIATED_WITH {resource_type: "nat_gateway"}]->(nat);
MATCH (eip:EIP {allocation_id: "eipalloc-12345abc"})
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
CREATE (eni)-[:HAS_EIP]->(eip),
       (eip)-[:ATTACHED_TO_ENI]->(eni);
// 预留EC2与EIP关联(EC2建模完成后)
// MATCH (eip2:EIP {allocation_id: "eipalloc-67890xyz"}), (ec2:EC2Instance {id: "i-1234567890abcdef0"})
// CREATE (eip2)-[:ASSOCIATED_WITH {resource_type: "ec2_instance"}]->(ec2);
// NAT Gateway relationships
// Both directions are written explicitly (e.g. BELONGS_TO_VPC and
// CONTAINS_NAT_GATEWAY). A traversal only needs one of them, so queries should
// pick a canonical direction instead of following both and double-counting.
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (vpc)-[:CONTAINS_NAT_GATEWAY]->(nat),
       (nat)-[:BELONGS_TO_VPC]->(vpc);
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (subnet)-[:HOSTS_NAT_GATEWAY]->(nat),
       (nat)-[:DEPLOYED_IN_SUBNET]->(subnet);
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (eni)-[:ATTACHED_TO_NAT_GATEWAY]->(nat),
       (nat)-[:USES_NETWORK_INTERFACE]->(eni);
// Network Interface relationships
// Both ENIs are placed in the same subnet; the subnet is the unit that later
// route-table and NACL reasoning hangs off, so this edge must exist for every ENI.
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
CREATE (subnet)-[:HOSTS_NETWORK_INTERFACE]->(eni),
       (eni)-[:DEPLOYED_IN_SUBNET]->(subnet);
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (eni:NetworkInterface {id: "eni-67890def"})
CREATE (subnet)-[:HOSTS_NETWORK_INTERFACE]->(eni),
       (eni)-[:DEPLOYED_IN_SUBNET]->(subnet);
// Security Group relationships
// Web, app and DB tier groups all belong to the same VPC. Only groups that are
// linked here are reachable from the VPC node, so a group left out of this list
// would be invisible to any per-VPC exposure query.
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-web12345"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-app67890"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-db11111"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
// Security Group Rules relationships
// HAS_RULE / APPLIES_TO_SG is the edge any "which ports and sources reach this
// group" query has to walk; a SecurityRule node without it is simply not seen.
MATCH (rule:SecurityRule {id: "rule-web-http-in"})
MATCH (sg:SecurityGroup {id: "sg-web12345"})
CREATE (rule)-[:APPLIES_TO_SG]->(sg),
       (sg)-[:HAS_RULE]->(rule);
MATCH (sg_web:SecurityGroup {id: "sg-web12345"}), (rule2:SecurityRule {id: "rule-web-https-in"})
CREATE (sg
rule_action: "allow",
status: "active",
created_at: datetime(),
updated_at: datetime()
});
// Database Security Group Rules
// Inbound MySQL (tcp/3306) into the DB tier. The source is the app tier's
// security group, not a CIDR, so the model scopes DB access to members of
// sg-app67890 only (least privilege between tiers).
CREATE (rule5:SecurityRule {
    id:          "rule-db-from-app",
    description: "MySQL from app tier",
    rule_action: "allow",
    status:      "active",
    direction:   "inbound",
    protocol:    "tcp",
    port_range:  "3306",
    source_type: "security_group",
    source:      "sg-app67890",
    created_at:  datetime(),
    updated_at:  datetime()
});
// 8.6 VPC Endpoints
// NOTE(review): `tag` is a nested map. Neo4j rejects map-valued properties
// (only primitives and arrays of them are allowed), so this CREATE would fail
// there; engines that allow map properties accept it. Confirm the target
// engine, or flatten to tag_service_type / tag_environment. The same applies
// to endpoint_ec2 below.
CREATE (endpoint_s3:VPCEndpoint {
    id:               "vpce-s3-12345",
    name:             "s3-gateway-endpoint",
    type:             "Gateway",
    service:          "com.amazonaws.cn-north-1.s3",
    status:           "available",
    associations_vpc: "vpc-12345678",
    // A null value in CREATE is not stored, so this key will not exist on the
    // node at all; readers must test for absence (IS NULL), not for a "null" value.
    associations_subnet: null, // Gateway endpoints are bound to route tables, not to a subnet
    route_table_ids:  ["rtb-private-456"],
    tag: {
        service_type: "storage",
        environment:  "production"
    },
    created_at:       datetime(),
    updated_at:       datetime()
});
// Interface endpoint: an ENI placed in a subnet and guarded by its own security groups.
// NOTE(review): security_group_ids is a plain string list; in the visible part of
// this script no relationship links the endpoint to a SecurityGroup node for
// "sg-endpoint-456", so exposure queries that walk HAS_RULE / BELONGS_TO_VPC
// edges cannot see which rules guard this endpoint. Consider linking it the same
// way the tier security groups are linked — confirm whether that is done elsewhere.
CREATE (endpoint_ec2:VPCEndpoint {
    id:                    "vpce-ec2-67890",
    name:                  "ec2-interface-endpoint",
    type:                  "Interface",
    service:               "com.amazonaws.cn-north-1.ec2",
    status:                "available",
    associations_vpc:      "vpc-12345678",
    associations_subnet:   ["subnet-def67890"], // Interface endpoints live in a subnet
    network_interface_ids: ["eni-endpoint-123"],
    security_group_ids:    ["sg-endpoint-456"],
    tag: {
        service_type: "compute",
        environment:  "production"
    },
    created_at:            datetime(),
    updated_at:            datetime()
});
// ==========================================
// 9. Relationships between advanced network components
// ==========================================
// EIP polymorphic association with several resource types (a generic
// ASSOCIATED_WITH edge carrying resource_type).
// Each MATCH + CREATE here is its own statement: if either node is missing
// (e.g. an id typo), MATCH yields no rows and the CREATE silently does nothing.
// In a security model a missing edge reads as "not associated", so verify
// relationship counts after loading rather than trusting a clean run.
MATCH (eip:EIP {allocation_id: "eipalloc-12345abc"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (nat)-[:USES_EIP]->(eip),
       (eip)-[:ASSOCIATED_WITH {resource_type: "nat_gateway"}]->(nat);
MATCH (eip:EIP {allocation_id: "eipalloc-12345abc"})
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
CREATE (eni)-[:HAS_EIP]->(eip),
       (eip)-[:ATTACHED_TO_ENI]->(eni);
// 预留EC2与EIP关联(EC2建模完成后)
// MATCH (eip2:EIP {allocation_id: "eipalloc-67890xyz"}), (ec2:EC2Instance {id: "i-1234567890abcdef0"})
// CREATE (eip2)-[:ASSOCIATED_WITH {resource_type: "ec2_instance"}]->(ec2);
// NAT Gateway relationships
// Both directions are written explicitly (e.g. BELONGS_TO_VPC and
// CONTAINS_NAT_GATEWAY). A traversal only needs one of them, so queries should
// pick a canonical direction instead of following both and double-counting.
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (vpc)-[:CONTAINS_NAT_GATEWAY]->(nat),
       (nat)-[:BELONGS_TO_VPC]->(vpc);
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (subnet)-[:HOSTS_NAT_GATEWAY]->(nat),
       (nat)-[:DEPLOYED_IN_SUBNET]->(subnet);
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
MATCH (nat:NatGateway {id: "nat-12345abc"})
CREATE (eni)-[:ATTACHED_TO_NAT_GATEWAY]->(nat),
       (nat)-[:USES_NETWORK_INTERFACE]->(eni);
// Network Interface relationships
// Both ENIs are placed in the same subnet; the subnet is the unit that later
// route-table and NACL reasoning hangs off, so this edge must exist for every ENI.
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (eni:NetworkInterface {id: "eni-12345abc"})
CREATE (subnet)-[:HOSTS_NETWORK_INTERFACE]->(eni),
       (eni)-[:DEPLOYED_IN_SUBNET]->(subnet);
MATCH (subnet:Subnet {id: "subnet-abc12345"})
MATCH (eni:NetworkInterface {id: "eni-67890def"})
CREATE (subnet)-[:HOSTS_NETWORK_INTERFACE]->(eni),
       (eni)-[:DEPLOYED_IN_SUBNET]->(subnet);
// Security Group relationships
// Web, app and DB tier groups all belong to the same VPC. Only groups that are
// linked here are reachable from the VPC node, so a group left out of this list
// would be invisible to any per-VPC exposure query.
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-web12345"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-app67890"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
MATCH (vpc:VPC {id: "vpc-12345678"})
MATCH (sg:SecurityGroup {id: "sg-db11111"})
CREATE (vpc)-[:CONTAINS_SECURITY_GROUP]->(sg),
       (sg)-[:BELONGS_TO_VPC]->(vpc);
// Security Group Rules relationships
// HAS_RULE / APPLIES_TO_SG is the edge any "which ports and sources reach this
// group" query has to walk; a SecurityRule node without it is simply not seen.
MATCH (rule:SecurityRule {id: "rule-web-http-in"})
MATCH (sg:SecurityGroup {id: "sg-web12345"})
CREATE (rule)-[:APPLIES_TO_SG]->(sg),
       (sg)-[:HAS_RULE]->(rule);
MATCH (sg_web:SecurityGroup {id: "sg-web12345"}), (rule2:SecurityRule {id: "rule-web-https-in"})
CREATE (sg