Network security protection


This topic explains how to design network layers, apply access controls at each boundary, and monitor network security events to protect your cloud workloads.

Your cloud services are accessed from multiple directions: users on the Internet, internal services communicating within a Virtual Private Cloud (VPC), and connections from external data centers. Securing each of these paths requires a layered approach — define clear network boundaries for every resource, control what crosses each boundary, and continuously monitor activity inside.

Treat each component, subsystem, and microservice as a separate, untrusted party, and authenticate, protect, and monitor each one individually rather than trusting anything because it sits on the same network.

This topic covers three interconnected practices:

  1. Design network layers.

  2. Implement network access control at each layer.

  3. Observe, analyze, and monitor network security events.

Design network layers

Group system components by security sensitivity and isolate them into separate network layers. This limits the blast radius when a layer is compromised: an attacker who breaches one layer cannot automatically reach the others.

A database cluster in a VPC, for example, should never be reachable from the Internet. Deploy it to a vSwitch with no route to the Internet (no public IP address or EIP on its instances, and no NAT gateway route for its vSwitch). Allow traffic only between components at the same or an adjacent security level: a web application's database should be reachable only from the web or application tier, not from the Internet-facing Server Load Balancer (SLB) instance in front of it.

The figure below shows a recommended network layering model.


Common anti-patterns

The following designs undermine network layering and create significant security risk:

  • Placing all resources in a single VPC or vSwitch. This eliminates isolation between services and widens the impact of any security breach.

  • Exposing sensitive data directly to the Internet — for example, making databases publicly accessible or routing big-data query services through a public endpoint.

  • Routing internal traffic between VPCs or between a data center and a VPC over the Internet, instead of using dedicated private connections.

  • Configuring overly broad security group rules, such as allowing all inbound traffic on wide port ranges.
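The last anti-pattern is easy to detect mechanically. The following Python audit, added here as an example and not code from the Alibaba Cloud documentation, flags inbound accept rules whose source is the whole Internet and which either span a wide port range or expose a management or database port. The rule records are constructed to resemble the Permission entries returned by the ECS DescribeSecurityGroupAttribute API (IpProtocol, PortRange, SourceCidrIp, Policy, Direction); the exact field set of a live response, the "-1/-1" all-ports convention, the sensitive-port list, the width threshold, and the 10.0.0.0/24 ops CIDR in the hardened rule set are all assumptions.

```python
"""Audit ECS security group rules for overly broad inbound exposure.

Added example, not from the Alibaba Cloud documentation. Rule records
are constructed to resemble Permission entries from the ECS
DescribeSecurityGroupAttribute API; the field set is an assumption.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 without a
# bastion, VPN, or allowlist in front of them (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch"}

# An inbound accept rule spanning more ports than this from a public
# source is reported as "wide" (assumed threshold).
WIDE_RANGE_THRESHOLD = 100


def parse_port_range(port_range):
    """Return (low, high); '-1/-1' is taken to mean all ports (assumption)."""
    low, high = (int(p) for p in port_range.split("/"))
    if low == -1 and high == -1:
        return 1, 65535
    return low, high


def is_public_source(cidr):
    """True when the source CIDR is the whole IPv4 or IPv6 Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rule(rule):
    """Return a list of findings (strings) for one rule; empty if it is fine."""
    findings = []
    if rule.get("Direction", "ingress") != "ingress":
        return findings
    if rule.get("Policy", "Accept").lower() != "accept":
        return findings
    src = rule.get("SourceCidrIp")
    if not src or not is_public_source(src):
        return findings  # restricted source: not an Internet exposure
    proto = rule["IpProtocol"].lower()
    if proto == "all":
        return ["all protocols and ports open to the Internet"]
    low, high = parse_port_range(rule["PortRange"])
    if high - low + 1 > WIDE_RANGE_THRESHOLD:
        findings.append(f"{proto} ports {low}-{high} open to the Internet")
    if proto == "tcp":
        for port, name in SENSITIVE_PORTS.items():
            if low <= port <= high:
                findings.append(f"{name} (tcp/{port}) open to the Internet")
    return findings


def audit_group(rules):
    """Map the index of each offending rule to its findings."""
    return {i: f for i, r in enumerate(rules) if (f := audit_rule(r))}


# Constructed "before" rule set: the anti-pattern described in the text.
BROAD_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},
]

# Constructed "after" rule set for a web tier: only HTTPS from the
# Internet, SSH only from an assumed operations vSwitch (10.0.0.0/24).
TIGHT_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/24"},
]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("tight", TIGHT_RULES)):
        print(name, audit_group(rules))
```

Run it against the Permission list of each security group you export; every non-empty entry in the report is a rule to replace with a narrower source CIDR or port range, or to move behind an allowlist, as the following section describes.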

Warning

Network layering is the foundation of a strong network security architecture. Skipping or bypassing this practice significantly increases your exposure to attacks.

Implement network access control at each layer

After your network layers are defined, apply access controls at each boundary. The traffic flows to protect include:

  • Between the Internet and resources in a VPC (inbound and outbound)

  • Within the same VPC:

    • Between resources in the same vSwitch

    • Between different vSwitches in the same VPC

  • Between different VPCs

  • Between an external data center and resources in a VPC

  • From a VPC or an external data center to Alibaba Cloud services

North-south traffic (Internet to VPC)

For traffic between the Internet and your VPC, apply security controls in layers from the broadest protection scope to the narrowest:

  1. Anti-DDoS Origin

  2. Anti-DDoS Pro/Premium and WAF

  3. Internet firewall

  4. Segmented public and private vSwitches with VPC Ingress Routing

  5. Network ACLs

  6. Security groups or IP address allowlists

East-west traffic (within and between VPCs)

For traffic within a single VPC, use:

  1. Network ACLs to protect an entire vSwitch.

  2. Security groups or IP address allowlists to protect specific instances.

For traffic between VPCs or between an external data center and a VPC, always use private dedicated channels. VPC peering connections, the Cloud Enterprise Network Transit Router, VPN Gateway, and Express Connect establish private links that keep internal traffic off the Internet.

Apply the zero trust principle at every cross-boundary point: treat different VPCs and external data centers as network borders. Use the east-west traffic protection feature of Cloud Firewall to inspect and isolate traffic crossing these borders. Once traffic enters a VPC, apply fine-grained access control using route tables, network ACLs, and security groups.

Observe, monitor, and analyze network security events

Continuous monitoring lets you detect threats early, validate that your layering is working as intended, and refine your policies over time.

At the service network layer, Anti-DDoS Pro/Premium logs and blocks volumetric and Layer 4 DDoS attacks, and WAF logs and blocks Layer 7 attacks against web applications.

At the network infrastructure layer, Cloud Firewall records detailed access behavior and anomalous traffic patterns — including north-south traffic between a VPC and the Internet, and east-west traffic between VPCs or across a hybrid cloud network.

Within a VPC, enable flow logs to capture 5-tuple traffic records. Analyze these logs to identify traffic that violates your layered security policies, then tighten the relevant network ACLs or security group rules. To inspect packet content, use the traffic mirroring feature of VPC: it copies traffic and forwards it to an analysis component for deep inspection and audit.
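The adjacency rule from the layering section (traffic may flow only between the same or an adjacent security level) can be checked directly against flow log records. The following Python script is an added example, not code from the Alibaba Cloud documentation: it assigns each address to a tier by CIDR, flags every flow that crosses more than one tier boundary, and separates flows that were accepted (a control is missing) from flows that were rejected (the control held but someone tried). The tier layout (10.0.0.0/24 public, 10.0.1.0/24 app, 10.0.2.0/24 data) and the simplified six-field record format are assumptions; real VPC flow log records carry more fields, so adapt parse_record to the actual layout.

```python
"""Check VPC flow log 5-tuple records against a layered network policy.

Added example, not from the Alibaba Cloud documentation. Records are
constructed in a simplified "srcaddr dstaddr srcport dstport protocol
action" layout (assumption); real flow logs carry additional fields.
"""
import ipaddress

# Assumed tier layout. Tier 0 is the Internet; higher numbers are more
# sensitive. Traffic may only flow between the same or adjacent tiers.
TIERS = {
    "internet": (0, ipaddress.ip_network("0.0.0.0/0")),
    "public":   (1, ipaddress.ip_network("10.0.0.0/24")),  # SLB / ingress vSwitch
    "app":      (2, ipaddress.ip_network("10.0.1.0/24")),  # web / app vSwitch
    "data":     (3, ipaddress.ip_network("10.0.2.0/24")),  # database vSwitch
}


def tier_of(addr):
    """Return the name of the most specific tier network containing addr."""
    ip = ipaddress.ip_address(addr)
    best_name, best_len = None, -1
    for name, (_, net) in TIERS.items():
        if ip in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def parse_record(line):
    """Parse one constructed record into a dict (assumed field order)."""
    src, dst, sport, dport, proto, action = line.split()
    return {"src": src, "dst": dst, "sport": int(sport),
            "dport": int(dport), "proto": proto, "action": action}


def violates_layering(rec):
    """True when the flow skips a tier, e.g. public -> data or Internet -> data."""
    s_level = TIERS[tier_of(rec["src"])][0]
    d_level = TIERS[tier_of(rec["dst"])][0]
    return abs(s_level - d_level) > 1


def find_violations(lines):
    """Return (src_tier, dst_tier, dst_port, action) for every flow that skips a tier."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if violates_layering(rec):
            out.append((tier_of(rec["src"]), tier_of(rec["dst"]),
                        rec["dport"], rec["action"]))
    return out


def accepted_violations(lines):
    """Only the accepted tier-skipping flows: these are holes to close in
    network ACLs or security groups. Rejected ones show the control held."""
    return [v for v in find_violations(lines) if v[3] == "ACCEPT"]


# Constructed sample records (TCP is protocol 6).
SAMPLE_LOG = [
    "203.0.113.7 10.0.0.10 51234 443 6 ACCEPT",    # Internet -> SLB: fine
    "10.0.0.10 10.0.1.20 40001 8080 6 ACCEPT",     # SLB -> app: fine
    "10.0.1.20 10.0.2.30 40002 3306 6 ACCEPT",     # app -> database: fine
    "10.0.0.10 10.0.2.30 40003 3306 6 ACCEPT",     # SLB -> database: hole
    "198.51.100.9 10.0.2.30 55555 3306 6 REJECT",  # Internet -> database: blocked
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("tier skip: %s -> %s port %d (%s)" % v)
```

Feed it the flow log export for a vSwitch and fix every ACCEPT violation first: for the SLB-to-database case, that means a network ACL on the data vSwitch denying the public vSwitch CIDR, or a database security group that only lists the app tier as a source. REJECT violations are worth watching as evidence of probing, but they indicate the layering is holding.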