Use IPv4 gateway to centrally control public network access traffic to enhance system security - Virtual Private Cloud

When a VPC is connected to the Internet, the lack of constraints on Internet access can lead to leaks of sensitive data or exposure to DDoS attacks. To mitigate these risks, you can use an IPv4 gateway to centrally manage outbound traffic to the Internet and configure unified security policies. This reduces the security risks associated with decentralized access.

Scenario

As companies embrace digital transformation, they increasingly deploy business systems and resources on the cloud, taking advantage of the convenience and flexibility offered by cloud services. However, this shift introduces new challenges in network management. One of the challenges is the autonomy given to the business departments to create and manage resources, such as configuring public IPs for ECS instances without necessary approvals. This makes it difficult for operation and maintenance teams to manage Internet access in a centralized manner.

In response to the issue, you can employ the IPv4 gateway as a unified ingress and egress between corporate VPCs and the Internet. When complemented by custom route tables and NAT gateways, it allows for centralized control over Internet-bound traffic. By enabling the enforcement of cohesive security policies and audits, the solution mitigates security risks associated with distributed access.

This topic describes a scenario where a company deploys its business in China (Hangzhou) with a network architecture that provides direct Internet access. To centralize access control, the company creates an IPv4 gateway, configures routes directed to it, and activates the gateway, thereby transitioning to an architecture with centralized control.

Usage notes

After creating an IPv4 gateway, you need to configure routes that point to it and activate the gateway. Instances in the VPC can access the Internet only after the IPv4 gateway is activated and the route table includes routes directed to it:

Gateway activation does not disrupt intra-VPC traffic. However, the transient connection may be interrupted during activation due to traffic rerouting.
A default route entry with the destination CIDR block 0.0.0.0/0 is automatically created to point to the IPv4 gateway upon activation. This allows the associated vSwitch to access the Internet and prevents access failures caused by a lack of configuration.
If a route entry with the destination CIDR block 0.0.0.0/0 already exists in the route table, you cannot add another default route to point to the gateway and the route table cannot be selected upon gateway activation. We recommend that you plan the routing configuration cautiously if vSwitches require access to the Internet.

Prerequisites

The direct Internet access demonstrated in the scenario is achieved by following these steps:

Create a VPC in China (Hangzhou) and four vSwitches in it. For more details, refer to Create and manage a VPC.
Create an Internet NAT Gateway and associate it with vSwitch3. Set the Access Mode as Configure Later. For more information, see Create and manage public NAT gateway instances.
Deploy ECS instances in four vSwitches. Enable Assign Public IPv4 Address for ECS2, while keeping it disabled for the rest. For more information, see Create and manage an ECS instance in the console.
Create two Elastic IP Addresses (EIPs) and associate them with ECS1 and the Internet NAT Gateway respectively. For more information, see Associate an EIP with an ECS instance and Associate an EIP with a NAT gateway.
To configure an SNAT entry for the Internet NAT Gateway, select Specify ECS Instance/ENI and choose ECS3 and ECS4. Then, set Select EIP to the EIP associated with the Internet NAT Gateway. For more information, see Create an SNAT entry.

In the direct Internet access architecture, you can click the Basic Information tab and see the IPv4 Internet Access Mode turned to Direct Internet Access. Each ECS instance connects to the Internet either through its public IPv4 address allocated to it or an associated EIP.

Procedure

To centralize control over the access of cloud resources to the Internet in the VPC, you can create and activate an IPv4 gateway. This transition from direct Internet access to centralized control by the IPv4 gateway enhances security by preventing unauthorized or malicious access.

Step 1: Configure route tables

Log on to the VPC console.
Create four route tables and associate each with one of the four vSwitches respectively.
Add a custom route entry in the route table of vSwitch 4, specify the destination CIDR block as 0.0.0.0/0, and set the Internet NAT gateway as the next hop.

Note

Configuring the route tables before activating the IPv4 gateway is essential to prevent the VPC from losing Internet access.

Step 2: Create and activate the IPv4 gateway

On the IPv4 Gateway page, click Create IPv4 Gateway.
In the Create IPv4 Gateway page, fill in the following information, and click Create.
- VPC: Choose the VPC to which the IPv4 Gateway belongs.
In the Activate IPv4 Gateway page, choose the route tables of vSwitch 1 and vSwitch 3, and click Activate.
As the route tables belong to vSwitches that have a NAT gateway or an instance associated with an EIP, the system automatically adds a default route entry with the destination CIDR block of 0.0.0.0/0 to point to the IPv4 gateway. This allows the associated vSwitches to have Internet access. Failure to configure them properly leads to network inaccessibility.

Step 3: Verify results

Click the Basic Information tab. IPv4 Internet Access Mode changed from Direct Internet Access to Centralized Control.
Log on to ECS instances to test the Internet access. The results should show that ECS2 cannot access the Internet.
ECS2 resides in a private vSwitch without a route pointing to the IPv4 gateway, which prevents it from accessing the Internet, even though it has a public IPv4 address.

References

For more information about the IPv4 gateway, the available regions, limits, and how to use it, see IPv4 gateways.
If there are ECS instances with direct Internet access and instances that access the Internet through the NAT gateway in a vSwitch, you can centralize traffic control through the IPv4 gateway by creating a new Internet NAT gateway while keeping the existing one. For more information, see Create and enable an IPv4 gateway in a VPC associated with an Internet NAT gateway.
To centrally manage Internet access in a dual-stack VPC with IPv4 and IPv6, you can use IPv4 and IPv6 gateways to control IPv4 and IPv6 traffic respectively. For more information, see Allow an ECS instance in a VPC to communicate with external IPv6 clients over the Internet.