Alibaba Cloud is committed to providing you with stable, reliable, secure, and compliant cloud computing services to ensure the confidentiality, integrity, and availability of your systems and data. This topic describes the security system of Virtual Private Cloud (VPC) and how the security control mechanism works.
Security system
How VPC works
A VPC is a private network in the cloud. VPCs are logically isolated from each other. VPCs are isolated from each other based on tunneling technology. Each VPC is identified by a unique tunnel ID, which corresponds to a virtual network.
Data packets are encapsulated with a unique tunnel ID and transmitted over a physical network between Elastic Compute Service (ECS) instances in a VPC.
Data packets transmitted over ECS instances in different VPCs have different tunnel IDs. Therefore, ECS instances in different VPCs cannot communicate with each other.
Security protection features
VPC supports the following features to ensure the security and reliability of cloud services.
Feature | Description |
ECS security group | Security groups act as virtual firewalls and provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can configure security group rules to control the inbound and outbound traffic of one or more ECS instances in a group. For more information, see Overview of security groups. |
Network access control list (ACL) | You can use a network ACL to regulate access control for a VPC. You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to control inbound and outbound traffic of ECS instances in the vSwitch. For more information, see Overview of network ACLs. |
Flow log | VPC provides the flow log feature. The feature records information about inbound and outbound traffic of an elastic network interface (ENI). You can check access control rules, monitor network traffic, and troubleshoot network errors based on the flow logs. For more information, see Overview of flow logs. |
Traffic mirroring | The traffic mirroring feature can mirror packets that pass through an ENI and that meet specific filter conditions. The traffic mirroring feature mirrors network traffic from an Elastic Compute Service (ECS) instance in a VPC and forwards the traffic to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. You can use this feature in scenarios such as content inspection, threat monitoring, and troubleshooting. For more information, see Overview of traffic mirroring. |
Use Resource Access Management (RAM) policies
You can use RAM policies to regulate access control for VPCs.
You can specify permissions in a RAM policy to grant the permissions to a RAM user, a user group, or a RAM role. You can use RAM policies to specify the scope of resources that RAM users and RAM roles can access or manage.
Policy configuration
You can use the following common RAM policies to regulate access control for VPCs. For more information, see RAM authorization (VPC) and RAM authorization (VPC peering connection).
Permission policies | Description |
AliyunVPCFullAccess | Grants a RAM user the permissions to manage VPCs. |
AliyunVPCReadOnlyAccess | Grants a RAM user the read-only permissions on VPCs. |
You can attach system RAM policies to a RAM user. If the system RAM policies cannot meet your requirements, you can create custom RAM policies. For more information about how to create a custom RAM policy, see Use RAM roles to manage VPC permissions.