Server Load Balancer: Infrastructure security

Last Updated: Aug 02, 2023

Network isolation is a core security measure of Server Load Balancer (SLB). It separates traffic among networks so that an SLB instance and its backend servers are reachable only from the networks you intend, which improves both security and reliability. The infrastructure security of SLB consists of two parts: network isolation and network traffic control.

Network isolation

Virtual private clouds (VPCs) are logically isolated virtual networks on Alibaba Cloud. A subnet (a vSwitch in Alibaba Cloud terminology) defines a range of IP addresses within a VPC. When you create an SLB instance, you specify one or more subnets for it. You deploy Elastic Compute Service (ECS) instances in subnets of the same VPC and add them to backend server groups, so traffic between the SLB instance and its backends stays inside the VPC. For more information, see What is a VPC?

  • Application Load Balancer (ALB) and Network Load Balancer (NLB) instances support the following network types:

    • Internal-facing: A private IP address is assigned to each zone of the ALB or NLB instance. The instance is accessible only from within the VPC and networks connected to it over internal links.

    • Internet-facing: Each zone of the instance is assigned both a public IP address and a private IP address. The public addresses of Internet-facing ALB and NLB instances are provided by Elastic IP addresses (EIPs), so the instance is reachable from the Internet. Internet-facing instances are charged an EIP fee plus a bandwidth or data transfer fee.

  • Classic Load Balancer (CLB) instances support the following network types:

    • Internal-facing: An internal-facing CLB instance is assigned only a private IP address and is accessible only over internal networks.

    • Internet-facing: An Internet-facing CLB instance is assigned a public IP address in addition to its private address and is accessible from the Internet.

SLB instances always communicate with backend ECS instances over the internal network. If the backend ECS instances receive requests only through the SLB instance, they do not need public IP addresses and should not be associated with EIPs: a backend with its own public address offers a direct path from the Internet that bypasses the access controls configured on the load balancer. For the same reason, configure the security groups of the backend ECS instances to accept traffic on the service ports only from the SLB instance rather than from all sources.

Network traffic control

ALB, CLB, and NLB support different measures to protect the traffic that passes through them, as described in the following tables.

ALB

  • SSL-encrypted transmission: Data is encrypted in transit with SSL/TLS on HTTPS listeners, which prevents interception and tampering between clients and the ALB instance.

  • Web Application Firewall (WAF): WAF inspects HTTP and HTTPS traffic and filters malicious requests such as web application attacks before they reach the backend servers. See Activate and manage WAF-enabled ALB instances.

  • Access control lists (ACLs): Whitelists (allowlists) and blacklists (blocklists) of source IP addresses attached to a listener block unauthorized access and malicious requests. See Network ACLs.

  • Anti-DDoS services: Anti-DDoS services mitigate volumetric attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported.

  • TLS security policies: A TLS security policy defines which TLS protocol versions and cipher suites a listener accepts. You select a TLS security policy when you create an HTTPS listener; both the default policies and custom policies are supported. See TLS security policies.

NLB

  • SSL-encrypted transmission: Data is encrypted in transit with SSL/TLS on listeners that use SSL over TCP, which prevents interception and tampering between clients and the NLB instance.

  • Anti-DDoS services: Anti-DDoS services mitigate volumetric attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported.

  • Security groups: Security groups restrict, by source address and port, which traffic is allowed to reach the NLB instance and its backend servers.

  • TLS security policies: A TLS security policy defines which TLS protocol versions and cipher suites a listener accepts. You select a TLS security policy when you create a listener that uses SSL over TCP; both the default policies and custom policies are supported. See TLS security policies.

CLB

  • SSL-encrypted transmission: Data is encrypted in transit with SSL/TLS on HTTPS listeners, which prevents interception and tampering between clients and the CLB instance.

  • WAF: WAF inspects HTTP and HTTPS traffic and filters malicious requests such as web application attacks before they reach the backend servers. See How do I enable WAF protection for CLB?

  • ACLs: Whitelists (allowlists) and blacklists (blocklists) of source IP addresses attached to a listener block unauthorized access and malicious requests. See Enable access control.

  • Anti-DDoS services: Anti-DDoS services mitigate volumetric attacks in real time. Only Anti-DDoS Origin is supported. See Anti-DDoS Origin Basic.

  • TLS security policies: A TLS security policy defines which TLS protocol versions and cipher suites a listener accepts. You select a TLS security policy when you create an HTTPS listener; both the default policies and custom policies are supported. See TLS security policies.
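The network-isolation rules above (backends reachable only through the SLB instance, no public addresses on backends) and the traffic-control measures in the three tables (TLS security policies, ACLs on exposed listeners, encrypted listeners) can be checked offline against an inventory of your instances. The following is an added example, not Alibaba Cloud's code or API: the record layout, field names, instance IDs and the mapping from default TLS policy names to the lowest TLS version they accept are this example's own assumptions (verify the policy names and versions in your console), and the inventory is constructed sample data.

```python
"""Offline hardening audit for an SLB deployment (added example, not Alibaba Cloud code).

The records below are constructed sample data in the shape you would assemble
from the SLB and ECS consoles or APIs. Field names, instance IDs and the
policy-name-to-version table are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lowest TLS version accepted by each default TLS security policy.
# Policy names follow the SLB console naming (assumed); the version mapping
# is this example's own summary, not an official table.
DEFAULT_POLICY_MIN_TLS: Dict[str, Tuple[int, int]] = {
    "tls_cipher_policy_1_0": (1, 0),
    "tls_cipher_policy_1_1": (1, 1),
    "tls_cipher_policy_1_2": (1, 2),
    "tls_cipher_policy_1_2_strict": (1, 2),
    "tls_cipher_policy_1_2_strict_with_1_3": (1, 2),
}
MIN_ACCEPTABLE_TLS = (1, 2)                 # TLS 1.0 and 1.1 are deprecated
ENCRYPTED_LISTENERS = {"HTTPS", "TCPSSL"}   # HTTPS on ALB/CLB, SSL over TCP on NLB


@dataclass
class Listener:
    protocol: str                        # HTTP, HTTPS, TCP, UDP or TCPSSL
    port: int
    tls_policy: Optional[str] = None     # only meaningful for encrypted listeners
    acl_ids: List[str] = field(default_factory=list)


@dataclass
class Backend:
    instance_id: str
    has_public_ip: bool                  # public IP or EIP bound to the ECS instance
    sg_ingress: List[Tuple[str, int]]    # (source CIDR, port) rules of its security group


@dataclass
class LoadBalancer:
    lb_id: str
    address_type: str                    # "internet" (Internet-facing) or "intranet"
    listeners: List[Listener]
    backends: List[Backend]


def check_listener(lb: LoadBalancer, lsn: Listener,
                   policies: Optional[Dict[str, Tuple[int, int]]] = None) -> List[str]:
    """Traffic-control checks: TLS policy strength, plaintext exposure, ACL presence."""
    known = dict(DEFAULT_POLICY_MIN_TLS)
    known.update(policies or {})         # custom policies are supplied by the caller
    where = f"{lb.lb_id}:{lsn.port}/{lsn.protocol}"
    findings = []
    if lsn.protocol in ENCRYPTED_LISTENERS:
        min_ver = known.get(lsn.tls_policy or "")
        if min_ver is None:
            # A custom policy can allow anything; never pass it silently.
            findings.append(f"{where}: unknown TLS policy {lsn.tls_policy!r}, review manually")
        elif min_ver < MIN_ACCEPTABLE_TLS:
            findings.append(f"{where}: policy {lsn.tls_policy} allows TLS {min_ver[0]}.{min_ver[1]}")
    elif lb.address_type == "internet" and lsn.protocol == "HTTP":
        findings.append(f"{where}: plaintext HTTP on an Internet-facing instance")
    if lb.address_type == "internet" and not lsn.acl_ids:
        findings.append(f"{where}: no ACL attached to an Internet-facing listener")
    return findings


def check_backend(lb: LoadBalancer, be: Backend) -> List[str]:
    """Network-isolation checks: a backend must be reachable only through the SLB instance."""
    findings = []
    if be.has_public_ip:
        findings.append(f"{be.instance_id} behind {lb.lb_id} has a public IP; it bypasses the SLB")
    for cidr, port in be.sg_ingress:
        if cidr in ("0.0.0.0/0", "::/0"):
            findings.append(f"{be.instance_id} security group allows {cidr} on port {port}")
    return findings


def audit(lbs: List[LoadBalancer],
          policies: Optional[Dict[str, Tuple[int, int]]] = None) -> List[str]:
    """Run every check over the inventory and return one finding per violation."""
    findings = []
    for lb in lbs:
        for lsn in lb.listeners:
            findings += check_listener(lb, lsn, policies)
        for be in lb.backends:
            findings += check_backend(lb, be)
    return findings


# Constructed sample inventory: one exposed ALB with several weaknesses, one clean internal NLB.
SAMPLE = [
    LoadBalancer("alb-example-public", "internet",
                 listeners=[Listener("HTTPS", 443, "tls_cipher_policy_1_0", ["acl-example"]),
                            Listener("HTTP", 80)],
                 backends=[Backend("i-example-web1", True, [("0.0.0.0/0", 80)]),
                           Backend("i-example-web2", False, [("10.0.0.0/8", 80)])]),
    LoadBalancer("nlb-example-internal", "intranet",
                 listeners=[Listener("TCPSSL", 8443, "tls_cipher_policy_1_2_strict")],
                 backends=[Backend("i-example-app1", False, [("10.0.1.0/24", 8443)])]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On the sample inventory the audit reports five findings for the Internet-facing ALB (a listener still accepting TLS 1.0, a plaintext HTTP listener without an ACL, and a backend that both carries a public IP and opens its port to 0.0.0.0/0) and none for the internal NLB. Custom TLS policies are deliberately reported as "review manually" unless you pass their minimum version in `policies`, because a custom policy may re-enable protocol versions or cipher suites that the default policies exclude.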