_web)-[:HAS_RULE]->(rule2),
(rule2)-[:APPLIES_TO_SG]->(sg_web);

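// Attach the remaining SecurityRule nodes to the SecurityGroup they belong to.
// MERGE instead of CREATE: each MATCH here binds two independent patterns by id, and a
// plain CREATE would add another HAS_RULE / APPLIES_TO_SG pair every time the seed is
// re-run. MERGE keeps the script idempotent.
// NOTE(review): this relies on SecurityGroup.id / SecurityRule.id being unique; a
// uniqueness constraint backing that is not visible in this chunk - confirm it exists.

// Web tier egress rule. The id suggests an allow-all outbound rule; if so, that is the
// usual exfiltration path from an internet-facing tier - verify against the rule's
// actual protocol/port/destination fields.
MATCH (sg_web:SecurityGroup {id: "sg-web12345"}), (rule3:SecurityRule {id: "rule-web-all-out"})
MERGE (sg_web)-[:HAS_RULE]->(rule3)
MERGE (rule3)-[:APPLIES_TO_SG]->(sg_web);

// App tier ingress rule (its source SG reference is wired up in a later statement).
MATCH (sg_app:SecurityGroup {id: "sg-app67890"}), (rule4:SecurityRule {id: "rule-app-from-web"})
MERGE (sg_app)-[:HAS_RULE]->(rule4)
MERGE (rule4)-[:APPLIES_TO_SG]->(sg_app);

// DB tier ingress rule (its source SG reference is wired up in a later statement).
MATCH (sg_db:SecurityGroup {id: "sg-db11111"}), (rule5:SecurityRule {id: "rule-db-from-app"})
MERGE (sg_db)-[:HAS_RULE]->(rule5)
MERGE (rule5)-[:APPLIES_TO_SG]->(sg_db);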

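// Cross-security-group references: a rule whose source is another SG rather than a CIDR.
// These edges are what the "SG dependency" verification query below walks, so they must
// not be duplicated on re-run - hence MERGE rather than CREATE.

// app tier accepts traffic only from members of the web SG
MATCH (rule4:SecurityRule {id: "rule-app-from-web"}), (sg_web:SecurityGroup {id: "sg-web12345"})
MERGE (rule4)-[:REFERENCES_SG]->(sg_web);

// db tier accepts traffic only from members of the app SG
MATCH (rule5:SecurityRule {id: "rule-db-from-app"}), (sg_app:SecurityGroup {id: "sg-app67890"})
MERGE (rule5)-[:REFERENCES_SG]->(sg_app);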

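// VPC endpoint placement. MERGE keeps these edges idempotent on re-run (CREATE would stack
// duplicate BELONGS_TO_VPC / CONTAINS_VPC_ENDPOINT edges, which would then show up as
// repeated entries in the "network egress" verification query below).

// S3 endpoint: only attached to the VPC, no subnet. NOTE(review): that is consistent with
// a gateway-type endpoint (routed via the route table), but the endpoint type is not
// recorded here - confirm and consider adding a `type` property.
MATCH (endpoint_s3:VPCEndpoint {id: "vpce-s3-12345"}), (vpc1:VPC {id: "vpc-12345678"})
MERGE (endpoint_s3)-[:BELONGS_TO_VPC]->(vpc1)
MERGE (vpc1)-[:CONTAINS_VPC_ENDPOINT]->(endpoint_s3);

// EC2 endpoint: attached to the VPC and deployed into a subnet (an ENI-backed endpoint,
// so it also needs a security group - not modelled in this chunk).
MATCH (endpoint_ec2:VPCEndpoint {id: "vpce-ec2-67890"}), (vpc1:VPC {id: "vpc-12345678"})
MERGE (endpoint_ec2)-[:BELONGS_TO_VPC]->(vpc1)
MERGE (vpc1)-[:CONTAINS_VPC_ENDPOINT]->(endpoint_ec2);

MATCH (endpoint_ec2:VPCEndpoint {id: "vpce-ec2-67890"}), (subnet2:Subnet {id: "subnet-def67890"})
MERGE (endpoint_ec2)-[:DEPLOYED_IN_SUBNET]->(subnet2)
MERGE (subnet2)-[:HOSTS_VPC_ENDPOINT]->(endpoint_ec2);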

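// Routes of the private route table.
// The original `SET rt_private.routes = [{...}, {...}]` cannot be stored: Neo4j property
// values must be primitives or homogeneous lists of primitives, and a list of maps is
// rejected ("Property values can only be of primitive types or arrays thereof"). Routes
// are therefore modelled as Route nodes attached to the RouteTable, which also makes
// destination/target queryable without parsing a blob.
// NOTE(review): if an earlier part of this file stores routes on other RouteTable nodes in
// some other shape, align that with this model.
// MERGE keeps the statements idempotent on re-run.

// Intra-VPC route.
MATCH (rt_private:RouteTable {id: "rtb-private-456"})
MERGE (rt_private)-[:HAS_ROUTE]->(local_route:Route {destination: "10.0.0.0/16", target: "local"})
SET local_route.status = "active";

// Default route via the NAT gateway. This is the private subnet's only path to the
// internet, so any egress filtering (SG egress rules, NACL, proxy) has to apply at this hop.
MATCH (rt_private:RouteTable {id: "rtb-private-456"})
MERGE (rt_private)-[:HAS_ROUTE]->(nat_route:Route {destination: "0.0.0.0/0", target: "nat-12345abc"})
SET nat_route.status = "active";

// Link the default route to the NatGateway node it names, so egress paths can be walked
// as a graph. A no-op if that node has not been created yet.
MATCH (rt_private:RouteTable {id: "rtb-private-456"})-[:HAS_ROUTE]->(nat_route:Route {target: "nat-12345abc"}),
      (nat:NatGateway {id: "nat-12345abc"})
MERGE (nat_route)-[:TARGETS]->(nat);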

// ==========================================
// 10. VPC Flow Logs与S3关联关系预留
// ==========================================
// 注意:这里预留了与S3资源的关联关系,当S3建模完成后建立
// (vpc1)-[:LOGS_TO_S3]->(s3_bucket)

// ==========================================
// 11. 网络资源验证查询示例
// ==========================================

// 查询完整的网络安全架构
// MATCH (vpc:VPC {id: "vpc-12345678"})-[:CONTAINS_SECURITY_GROUP]->(sg:SecurityGroup)-[:HAS_RULE]->(rule:SecurityRule)
// RETURN vpc.name as vpc, sg.name as security_group,
// collect({direction: rule.direction, protocol: rule.protocol, port: rule.port_range, source: rule.source}) as rules;

// 查询NAT Gateway的完整配置
// MATCH (nat:NatGateway {id: "nat-12345abc"})
// OPTIONAL MATCH (nat)-[:USES_EIP]->(eip:EIP)
// OPTIONAL MATCH (nat)-[:USES_NETWORK_INTERFACE]->(eni:NetworkInterface)
// OPTIONAL MATCH (nat)-[:DEPLOYED_IN_SUBNET]->(subnet:Subnet)
// RETURN nat.name as nat_gateway, eip.address as public_ip, eni.private_ip as private_ip, subnet.name as subnet;

// 查询Security Group间的依赖关系
// MATCH (sg1:SecurityGroup)-[:HAS_RULE]->(rule:SecurityRule)-[:REFERENCES_SG]->(sg2:SecurityGroup)
// RETURN sg1.name as source_sg, rule.description as rule_desc, sg2.name as referenced_sg;

// 查询VPC的所有网络流量出口
// MATCH (vpc:VPC {id: "vpc-12345678"})
// OPTIONAL MATCH (vpc)-[:ATTACHED_IGW]->(igw:InternetGateway)
// OPTIONAL MATCH (vpc)-[:CONTAINS_NAT_GATEWAY]->(nat:NatGateway)
// OPTIONAL MATCH (vpc)-[:CONTAINS_VPC_ENDPOINT]->(endpoint:VPCEndpoint)
// RETURN vpc.name as vpc_name,
// collect(DISTINCT igw.name) as internet_gateways,
// collect(DISTINCT nat.name) as nat_gateways,
// collect(DISTINCT endpoint.name) as vpc_endpoints;
 
 