Network security is essential for preventing unauthorized access to network resources, detecting and stopping ongoing network attacks, and ensuring that authorized users have safe and timely access to necessary network resources. This topic describes how Elastic Compute Service (ECS) secures networks through network isolation, network traffic control, network traffic monitoring and analysis, and cloud security protection.
Network isolation
Network isolation with VPC
ECS ensures network isolation with Virtual Private Cloud (VPC), a customizable private network in the cloud that gives you complete control over your network environment. You can create multiple VPCs according to your needs. VPC provides the following isolation capabilities:
VPCs are logically separated from one another and do not communicate by default.
ECS instances within a VPC can communicate over the internal network, thus reducing exposure to the public network.
You can create multiple vSwitches within a VPC to segment the network and divide its CIDR block, which isolates the resources in different vSwitches from one another.
For more information, see Overview of VPCs and vSwitches and Create and manage a VPC.
Service isolation with vSwitches
We recommend that you use vSwitches to assign separate CIDR blocks to different business scenarios and thereby isolate services from one another. vSwitches are basic components of a VPC: cloud resources such as ECS instances are attached to a vSwitch, which makes them easy to manage as a group. vSwitches provide the following security features:
Service isolation: Services with different security levels or of different types can be placed in separate vSwitches, each with its own CIDR block.
Traffic control: VPC provides network access control lists (ACLs) that can be associated with vSwitches to regulate the traffic that enters and leaves each vSwitch.
For more information, see Overview of VPCs and vSwitches and Create and manage a vSwitch.
PrivateLink for private network access to ECS
PrivateLink establishes private, stable, and secure connections between a VPC and services that are deployed on ECS instances, so that the service can be accessed as though it were inside the consumer's own VPC, without an Internet gateway, NAT device, or VPN connection. This simplifies the network architecture, keeps service access on the private network, and removes the security risks that come with exposing the service to the public network. For more information, see What is PrivateLink?.
Network traffic control
Use network ACLs for traffic control
ECS uses network ACLs within VPCs to manage traffic. A network ACL is a network access control mechanism that can be associated with vSwitches. By customizing network ACL rules, you control the data that flows in and out of a vSwitch, and therefore access to the ECS instances in that vSwitch. Network ACL rules are stateless: return traffic is not matched automatically, so a connection you allow in one direction also needs a rule that allows its replies in the opposite direction. For more information, see Overview of network ACLs and Create and manage a network ACL.
Use security groups to control NIC traffic
ECS uses security groups to control traffic at the network interface controller (NIC) level. A security group is a virtual firewall that controls inbound and outbound traffic for the ECS instances in it. You configure inbound rules to control traffic to the instances and outbound rules to control traffic from them. Unlike network ACLs, security groups are stateful: the reply traffic of a connection that a rule allows is permitted automatically. For more information, see Overview and Manage resources associated with security groups.
Security groups are classified into basic security groups and advanced security groups, both available free of charge. The two types suit different scenarios and differ in the following respects: the number of rules and instances a group can hold, whether rules can reference another security group as the authorization object, whether the internal interconnectivity policy is supported, and the default access control rules. For more information, see Basic security groups and advanced security groups.
Network traffic monitoring and analysis
ECS supports the monitoring and analysis of network traffic through VPC flow logs and traffic mirroring, which help you verify access control rules, monitor network traffic, and troubleshoot network problems.
Flow logs monitor network traffic
Flow logs can record information about inbound and outbound traffic of an elastic network interface (ENI). You can use the flow log feature to check ACL rules, monitor network traffic, and troubleshoot network errors. For more information, see Overview of flow logs.
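The following script shows the kind of triage the paragraph above has in mind: it parses flow log records for one ENI, lists the destination ports each source was rejected on (a wide spread from one address is scan-like), and flags inbound ACCEPT records on ports that policy says should be blocked, which points at a wrong ACL or security group rule. It is an added example, not Alibaba Cloud code. The 18-field, space-separated record layout (version, vswitch-id, vm-id, vpc-id, account-id, eni-id, packets, bytes, srcaddr, dstaddr, srcport, dstport, protocol, direction, start, end, log-status, action) is my reading of the flow log documentation and should be checked against your own records before you rely on the column positions; the sample log, including the NODATA record with "-" placeholders, is constructed.

```python
"""Triage of VPC flow log records. Added illustration, not Alibaba Cloud code;
the field layout is an assumption, see lead-in."""
from collections import defaultdict

FIELDS = ("version vswitch_id vm_id vpc_id account_id eni_id packets bytes "
          "srcaddr dstaddr srcport dstport protocol direction start end "
          "log_status action").split()
INT_FIELDS = {"packets", "bytes", "srcport", "dstport", "protocol", "start", "end"}

# Constructed sample: one web client, one port scanner, one unexpected RDP
# accept, one outbound connection and one NODATA record.
SAMPLE_LOG = """\
1 vsw-example i-example vpc-example 123456789012 eni-example 12 1500 198.51.100.7 192.168.0.10 51000 443 6 in 1700000000 1700000060 OK ACCEPT
1 vsw-example i-example vpc-example 123456789012 eni-example 1 60 198.51.100.77 192.168.0.10 40001 22 6 in 1700000000 1700000060 OK REJECT
1 vsw-example i-example vpc-example 123456789012 eni-example 1 60 198.51.100.77 192.168.0.10 40002 23 6 in 1700000000 1700000060 OK REJECT
1 vsw-example i-example vpc-example 123456789012 eni-example 1 60 198.51.100.77 192.168.0.10 40003 3389 6 in 1700000000 1700000060 OK REJECT
1 vsw-example i-example vpc-example 123456789012 eni-example 1 60 198.51.100.77 192.168.0.10 40004 445 6 in 1700000000 1700000060 OK REJECT
1 vsw-example i-example vpc-example 123456789012 eni-example 1 60 198.51.100.77 192.168.0.10 40005 1433 6 in 1700000000 1700000060 OK REJECT
1 vsw-example i-example vpc-example 123456789012 eni-example 8 900 198.51.100.200 192.168.0.10 50222 3389 6 in 1700000000 1700000060 OK ACCEPT
1 vsw-example i-example vpc-example 123456789012 eni-example 5 400 192.168.0.10 203.0.113.50 55000 443 6 out 1700000000 1700000060 OK ACCEPT
1 vsw-example i-example vpc-example 123456789012 eni-example - - - - - - - - 1700000000 1700000060 NODATA -
"""


def parse_record(line):
    """One space-separated record into a dict; numeric fields become int, "-" becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _usable(rec):
    # Only complete inbound records carry a meaningful action.
    return rec["log_status"] == "OK" and rec["direction"] == "in"


def rejected_ports_by_source(records):
    """Distinct destination ports each source was rejected on."""
    ports = defaultdict(set)
    for rec in records:
        if _usable(rec) and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def scan_suspects(records, min_ports=5):
    """Sources rejected on at least min_ports distinct ports."""
    return sorted(src for src, p in rejected_ports_by_source(records).items() if len(p) >= min_ports)


def accepted_on_blocked_ports(records, blocked_ports):
    """Inbound ACCEPT on a port policy says is closed: the ACL or security group rule is wrong."""
    hits = {(rec["srcaddr"], rec["dstport"]) for rec in records
            if _usable(rec) and rec["action"] == "ACCEPT" and rec["dstport"] in blocked_ports}
    return sorted(hits)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("records:", len(records))
    print("rejected ports by source:", rejected_ports_by_source(records))
    print("scan suspects:", scan_suspects(records))
    print("accepted on blocked ports:", accepted_on_blocked_ports(records, {22, 23, 3389}))
```

In practice you would feed the script the records exported from the flow log's Log Service Logstore instead of `SAMPLE_LOG`, and `accepted_on_blocked_ports` is the check to run right after changing a network ACL or security group rule: an ACCEPT on a port you intended to close means the rule did not take effect as you expected.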
Traffic mirroring detects network exceptions
The traffic mirroring feature copies the network traffic that flows through an ENI, filtered by rules you specify. You can mirror the traffic of an ECS instance in a VPC and forward the copy to a specified ENI or to an internal-facing Classic Load Balancer (CLB) instance that fronts your analysis tools. This is useful for content inspection, threat monitoring, and troubleshooting. For more information, see Overview of traffic mirroring.
Cloud security protection
Alibaba Cloud offers a suite of security products to protect ECS instances from potential network attacks and reduce security risks. The following products can be integrated with ECS to improve system security:
Anti-DDoS
Anti-DDoS Basic is enabled for ECS instances by default. This feature helps scrub the DDoS traffic before it reaches the ECS host, effectively protecting ECS instances from DDoS attacks. For more information, see Anti-DDoS Basic.
Cloud Firewall
Cloud Firewall provides unified security management with Internet firewall, VPC firewall, and internal firewall. The internal firewall can protect inbound and outbound traffic between ECS instances, and prevent unauthorized access. For more information, see Create an access control policy for an internal firewall.
Web Application Firewall
Web Application Firewall (WAF) filters out malicious web traffic, protecting websites and applications from intrusions and from the availability problems they cause. You can add an ECS instance to WAF for protection. After you add the instance, all of its web traffic is routed through a dedicated gateway to WAF for inspection; WAF drops malicious requests and forwards legitimate traffic to the ECS instance. For more information, see Add an ECS instance to WAF.