This topic describes the infrastructure security of Virtual Private Cloud (VPC).
Network isolation
A virtual private cloud (VPC) is a private, logically isolated network on Alibaba Cloud. VPCs are isolated from each other by default: resources in one VPC cannot reach another VPC unless you explicitly connect the two, for example with a VPC peering connection or Cloud Enterprise Network (CEN).
vSwitches are the basic building blocks of a VPC and are used to connect cloud resources. You can create multiple vSwitches to divide a VPC into subnets and deploy Elastic Compute Service (ECS) instances in different vSwitches, then restrict traffic between vSwitches with network ACLs and security groups. Each vSwitch has its own CIDR block and is associated with a route table, which determines where traffic leaving the vSwitch is forwarded.
Control network traffic
You can control the network traffic of a VPC by using one or more of the following methods:
When you create an ECS instance in a VPC, you can keep the instance in the default security group or add it to a custom security group to control inbound and outbound traffic. A security group serves as a virtual firewall that enables fine-grained access control for individual ECS instances. In addition, you can create a custom network access control list (ACL) and associate it with a vSwitch to control traffic for every ECS instance in that vSwitch; this is useful when you need to enforce one policy across a large number of instances. Security groups and network ACLs are complementary, and using both improves the security and stability of resources in a VPC. For more information, see Security group overview and Network ACL overview.
An IPv4 gateway is a network component that connects a VPC to the Internet. It enables a VPC to access the Internet by routing IPv4 traffic and translating private IP addresses to public IP addresses. When a VPC accesses the Internet through an IPv4 gateway, all IPv4 Internet traffic flows through the gateway, which gives you a single point at which to control it. For more information, see IPv4 gateway overview.
An IPv6 gateway controls the IPv6 traffic of a VPC. You can configure IPv6 Internet bandwidth and egress-only rules so that instances can initiate outbound IPv6 connections without being reachable from the Internet. For more information, see What is an IPv6 gateway?
You can create a custom route table in a VPC, add custom routes to the route table, and then associate the route table with a vSwitch to control the traffic of the vSwitch. For more information, see Subnet routing.
You can use a VPN gateway to connect a VPC to a data center over the Internet through an encrypted tunnel. VPN gateways support site-to-site connections over IPsec-VPN and connections from individual clients to the VPC over SSL-VPN. For more information, see What is a VPN gateway?
You can establish high-speed, low-latency, and reliable connections between data centers and VPCs by using Express Connect circuits. You can use an Express Connect circuit to connect multiple VPCs to a data center. For more information, see What is Express Connect?
You can establish VPC peering connections to enable private communication and resource sharing between two VPCs without routing traffic over the Internet. For more information, see VPC peering connections.
You can use Cloud Enterprise Network (CEN) to enable communication among multiple VPCs. You can use CEN to create a flexible, reliable, and large-scale cloud network where you can connect all VPCs in your enterprise. For more information, see What is CEN?
A gateway endpoint serves as a virtual gateway device. You can create a gateway endpoint in your VPC for an endpoint service and associate the endpoint with a route table. Then, the system automatically adds a route that points to the gateway endpoint to the VPC route table. This way, your VPC can access the endpoint service. For more information, see Gateway endpoints.
You can use the flow log feature to capture inbound and outbound traffic of the elastic network interfaces (ENIs) of ECS instances in a VPC. Each record shows whether the traffic was accepted or rejected, so you can verify that security group and network ACL rules behave as intended, monitor network traffic, and troubleshoot connectivity problems. For more information, see Flow log overview.
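The following is an added example, not code from the Alibaba Cloud documentation, that shows how a practitioner would use flow log records to check access control rules. It parses a few constructed records, counts rejected flows per local port (which tells you what your rules are dropping), and flags inbound traffic that was accepted on a port you did not intend to expose. The space-separated field order is an assumption modelled on the flow log format and must be confirmed against the Flow log overview; the sample records, the instance addresses and the allowed-port list are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Field order is an assumption about the flow log format (constructed here);
# confirm it against the Flow log overview before using this on real records.
FIELDS = ("version vpc_id vswitch_id instance_id interface_id account_id type "
          "srcaddr srcport dstaddr dstport protocol direction packets bytes "
          "start end log_status action").split()

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample: an ECS instance at 192.168.1.10 behind a security group
# that allows SSH and HTTPS. The NODATA record carries no flow fields.
SAMPLE_LOG = """
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 198.51.100.7 51234 192.168.1.10 22 6 in 4 240 1700000000 1700000060 OK ACCEPT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 198.51.100.7 51235 192.168.1.10 3389 6 in 1 60 1700000000 1700000060 OK REJECT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 198.51.100.9 40001 192.168.1.10 3389 6 in 1 60 1700000000 1700000060 OK REJECT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 192.168.1.10 50123 203.0.113.5 443 6 out 10 2000 1700000000 1700000060 OK ACCEPT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 203.0.113.5 443 192.168.1.10 50123 6 in 9 9000 1700000000 1700000060 OK ACCEPT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 198.51.100.20 33333 192.168.1.10 8080 6 in 3 180 1700000000 1700000060 OK ACCEPT
1 vpc-a vsw-a i-a eni-a 123456789012 IPv4 - - - - - - 0 0 1700000000 1700000060 NODATA -
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    srcport: int
    dstaddr: str
    dstport: int
    proto: str
    direction: str   # "in" or "out" relative to the ENI
    packets: int
    bytes: int
    action: str      # "ACCEPT" or "REJECT"


def parse_flow_log(text):
    """Parse space-separated flow log records, skipping records without flow data."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have no addresses, ports or action
        records.append(FlowRecord(
            srcaddr=rec["srcaddr"], srcport=int(rec["srcport"]),
            dstaddr=rec["dstaddr"], dstport=int(rec["dstport"]),
            proto=PROTO_NAMES.get(rec["protocol"], rec["protocol"]),
            direction=rec["direction"], packets=int(rec["packets"]),
            bytes=int(rec["bytes"]), action=rec["action"]))
    return records


def rejected_by_local_port(records):
    """Count rejected flows per (direction, protocol, port on the ENI side).

    Repeated inbound rejects on one port are either a rule that is too tight
    or a scan that the rules are correctly stopping; either way this is the
    first thing to look at when checking access control rules."""
    counts = Counter()
    for r in records:
        if r.action != "REJECT":
            continue
        local_port = r.dstport if r.direction == "in" else r.srcport
        counts[(r.direction, r.proto, local_port)] += 1
    return counts


def unexpected_inbound_accepts(records, allowed_ports):
    """Return inbound ACCEPTed flows that are neither on an intended (proto, port)
    nor replies to an outbound flow seen in the same log. Anything returned
    here is reachable in a way the security policy did not intend."""
    outbound = {(r.srcaddr, r.srcport, r.dstaddr, r.dstport, r.proto)
                for r in records if r.direction == "out" and r.action == "ACCEPT"}
    flagged = []
    for r in records:
        if r.direction != "in" or r.action != "ACCEPT":
            continue
        is_reply = (r.dstaddr, r.dstport, r.srcaddr, r.srcport, r.proto) in outbound
        if not is_reply and (r.proto, r.dstport) not in allowed_ports:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(rejected_by_local_port(recs))
    for r in unexpected_inbound_accepts(recs, {("tcp", 22), ("tcp", 443)}):
        print("unexpected:", r)
```

Reply detection is deliberately based on the outbound flows present in the same batch of records; when you process logs in small windows, a reply whose outbound half fell into an earlier window will be flagged, so widen the window or feed the outbound flow set across batches before treating a flagged record as a policy gap.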
Comparison between network ACLs and security groups
Network ACLs control traffic that passes through the associated vSwitch, whereas security groups control traffic to and from the associated ECS instances. The following table describes the differences between network ACLs and security groups.
| Item | Network ACL | Security group |
| --- | --- | --- |
| Feature | You configure network ACL rules and associate the network ACL with a vSwitch to control the traffic of all ECS instances in that vSwitch. | A security group serves as a virtual firewall that applies to ENIs and the ECS instances to which they belong. |
| Application scope | vSwitches. | ECS instances. |
| Handling of return traffic | Stateless: return traffic must be explicitly allowed by a rule in the opposite direction. For example, replies to connections that an instance initiates require an inbound rule that covers the ephemeral port range. | Stateful: return traffic of an allowed connection is automatically allowed and is not affected by the rules. |
| Rule evaluation | Rules are evaluated in descending order of priority. The first rule that matches is applied, and the remaining rules are not evaluated. | All rules are evaluated before a decision is made. |
| Association | A vSwitch can be associated with only one network ACL, so an ECS instance is subject to the network ACL of the vSwitch it belongs to. | An ECS instance can be added to more than one security group. |
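The following added example (not code from the Alibaba Cloud documentation) models the two behaviours in the table that most often surprise people: a stateless network ACL that silently drops the replies to connections an instance opens, and first-match evaluation versus evaluate-everything. The rule representation, the "lower number wins" priority convention, the deny-over-allow tie-break for security groups and the ephemeral port range are assumptions made for the model; the addresses and rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The response to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    priority: int        # assumed convention: lower number = higher priority
    action: str          # "accept" or "drop"
    remote_cidr: str     # peer address range, "0.0.0.0/0" for any
    local_ports: tuple   # inclusive (low, high) range of the port on the ECS side
    proto: str = "tcp"

    def matches(self, peer_ip, local_port, proto):
        lo, hi = self.local_ports
        return (self.proto == proto and lo <= local_port <= hi
                and ip_address(peer_ip) in ip_network(self.remote_cidr, strict=False))


def _peer_and_local_port(pkt, direction):
    """Inbound: the ECS is the destination. Outbound: the ECS is the source."""
    return (pkt.src, pkt.dport) if direction == "in" else (pkt.dst, pkt.sport)


class NetworkAcl:
    """Stateless filter on a vSwitch. Every packet, replies included, is matched
    against the rules in priority order; the first match decides and no match
    means drop."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.priority),
                      "out": sorted(outbound, key=lambda r: r.priority)}

    def allows(self, pkt, direction):
        peer, local_port = _peer_and_local_port(pkt, direction)
        for rule in self.rules[direction]:
            if rule.matches(peer, local_port, pkt.proto):
                return rule.action == "accept"   # first match wins, rest not evaluated
        return False


class SecurityGroup:
    """Stateful filter on an ECS instance. A packet that opens an allowed flow
    is recorded, and its reply is admitted from the flow table without
    consulting the rules at all."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()

    def allows(self, pkt, direction):
        opposite = "in" if direction == "out" else "out"
        if (pkt.reply(), opposite) in self.flows:
            return True                                   # return traffic of an allowed flow
        peer, local_port = _peer_and_local_port(pkt, direction)
        matched = [r for r in self.rules[direction] if r.matches(peer, local_port, pkt.proto)]
        if not matched:
            return False
        # All rules are evaluated; the highest-priority match applies, and at
        # equal priority a drop rule wins (assumed tie-break for the model).
        best = min(r.priority for r in matched)
        allowed = all(r.action == "accept" for r in matched if r.priority == best)
        if allowed:
            self.flows.add((pkt, direction))
        return allowed


def demo_return_traffic():
    """Constructed scenario: an ECS instance at 192.168.1.10 opens a TCP connection
    to 203.0.113.5:443 from ephemeral port 50123, behind an 'allow SSH in, allow
    everything out' policy expressed once as a network ACL and once as a security group."""
    allow_ssh_in = Rule(1, "accept", "0.0.0.0/0", (22, 22))
    allow_all_out = Rule(1, "accept", "0.0.0.0/0", (1, 65535))
    allow_ephemeral_in = Rule(2, "accept", "0.0.0.0/0", (32768, 65535))  # assumed range
    acl = NetworkAcl(inbound=[allow_ssh_in], outbound=[allow_all_out])
    acl_fixed = NetworkAcl(inbound=[allow_ssh_in, allow_ephemeral_in], outbound=[allow_all_out])
    sg = SecurityGroup(inbound=[allow_ssh_in], outbound=[allow_all_out])
    request = Packet("192.168.1.10", 50123, "203.0.113.5", 443)
    reply = request.reply()
    return {
        "acl_request": acl.allows(request, "out"),
        "acl_reply": acl.allows(reply, "in"),          # dropped: no inbound rule for port 50123
        "acl_fixed_reply": acl_fixed.allows(reply, "in"),
        "sg_request": sg.allows(request, "out"),
        "sg_reply": sg.allows(reply, "in"),            # allowed from the tracked flow
    }


def demo_rule_order():
    """Same two rules, opposite outcomes: the ACL stops at the first match, the
    security group considers both and lets the drop win at equal priority."""
    block_net = Rule(1, "drop", "198.51.100.0/24", (22, 22))
    allow_ssh = Rule(2, "accept", "0.0.0.0/0", (22, 22))
    ssh_from_blocked = Packet("198.51.100.7", 41000, "192.168.1.10", 22)
    ssh_from_other = Packet("203.0.113.9", 41000, "192.168.1.10", 22)
    acl = NetworkAcl(inbound=[allow_ssh, block_net], outbound=[])   # order given != priority order
    sg = SecurityGroup(inbound=[Rule(1, "accept", "0.0.0.0/0", (22, 22)), block_net], outbound=[])
    return {
        "acl_blocked": acl.allows(ssh_from_blocked, "in"),
        "acl_other": acl.allows(ssh_from_other, "in"),
        "sg_blocked": sg.allows(ssh_from_blocked, "in"),
        "sg_other": sg.allows(ssh_from_other, "in"),
    }
```

The practical lesson is the `acl_reply` result: when you put a network ACL on a vSwitch whose instances initiate outbound connections, the ACL needs an inbound rule for the port range those replies arrive on, and the security group's statefulness does not help because the packet is dropped at the vSwitch before the instance sees it.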