Network security prevents unauthorized access to network resources. It also detects and stops network attacks and addresses security vulnerabilities. Network security helps ensure that authorized users can safely and quickly access the network resources they need. This topic describes how Elastic Compute Service (ECS) provides network security through network isolation, traffic control, traffic monitoring and analysis, and cloud security protection.
Network isolation to avoid unnecessary network exposure
Network isolation with a virtual private cloud (VPC)
ECS uses a virtual private cloud (VPC) for network isolation. A VPC is a private network in the cloud that gives you complete control over your network. You can create multiple VPCs as needed. A VPC provides the following isolation capabilities:
VPCs are logically isolated from each other and cannot communicate by default.
ECS instances within the same VPC can communicate with each other over the internal network. This reduces their exposure to the Internet.
You can create multiple vSwitches within a VPC to segment networks and CIDR blocks. You can also configure isolation between different vSwitches.
For more information, see VPCs and vSwitches and Create and manage a VPC.
Service isolation with vSwitches
You can use vSwitches to segment CIDR blocks for different business scenarios and isolate services from each other. vSwitches are basic network devices in a VPC that connect different cloud resource instances. In each VPC, you can create, delete, and configure multiple vSwitches as needed. A vSwitch provides the following security capabilities:
Service isolation: You can segment networks based on service security levels and types.
Traffic control: VPCs provide the network ACL feature. You can attach a network ACL to a vSwitch to control the traffic that flows through it.
For more information, see VPCs and vSwitches and Create and manage vSwitches.
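The following script is an added example, not part of the Alibaba Cloud documentation or the ECS service, that applies the segmentation idea above as a pre-deployment check: it confirms that every proposed vSwitch CIDR block sits inside the VPC CIDR block, that no two vSwitch blocks overlap, and it lists the address space still free for future vSwitches. The VPC and vSwitch plan (names and CIDR blocks) is constructed sample data.

```python
"""Pre-deployment check for a VPC/vSwitch segmentation plan.

The VPC and vSwitch plan below is constructed sample data. The check
enforces two properties that keep segmentation meaningful: every vSwitch
CIDR lies inside the VPC CIDR, and no two vSwitch CIDRs overlap. It also
lists the address space still free for future vSwitches.
"""
from ipaddress import ip_network

# Constructed plan: one VPC and the vSwitches proposed for it.
VPC_CIDR = "10.0.0.0/16"
PLAN = [
    {"name": "vsw-web", "cidr": "10.0.1.0/24"},
    {"name": "vsw-app", "cidr": "10.0.2.0/24"},
    {"name": "vsw-db", "cidr": "10.0.3.0/24"},
]
# Two deliberately wrong entries used to exercise the validator.
BAD_PLAN = PLAN + [
    {"name": "vsw-overlap", "cidr": "10.0.1.128/25"},   # overlaps vsw-web
    {"name": "vsw-outside", "cidr": "10.1.0.0/24"},     # not inside the VPC
]


def validate_plan(vpc_cidr: str, vswitches: list) -> list:
    """Return a list of human-readable problems; an empty list means OK."""
    vpc = ip_network(vpc_cidr)
    problems = []
    nets = []
    for vs in vswitches:
        net = ip_network(vs["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f'{vs["name"]}: {net} is not inside VPC {vpc}')
        nets.append((vs["name"], net))
    # Pairwise overlap check; vSwitches in a VPC must not share addresses.
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


def free_blocks(vpc_cidr: str, vswitches: list) -> list:
    """Address blocks of the VPC not yet assigned to any vSwitch,
    as CIDR strings in address order. Assumes validate_plan() passed."""
    remaining = [ip_network(vpc_cidr)]
    for vs in vswitches:
        net = ip_network(vs["cidr"])
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the vSwitch out of this block, keeping the rest.
                updated.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                # Block is entirely consumed by the vSwitch.
                continue
            else:
                updated.append(block)
        remaining = updated
    return [str(b) for b in sorted(remaining)]


if __name__ == "__main__":
    for problem in validate_plan(VPC_CIDR, BAD_PLAN):
        print("problem:", problem)
    print("free for new vSwitches:", free_blocks(VPC_CIDR, PLAN))
```

Run the plan through validate_plan() before creating the vSwitches; free_blocks() is useful when deciding where a new tier (for example a separate block for a higher security level) can be placed without touching existing ones.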
Private access to ECS with PrivateLink to avoid Internet access
PrivateLink lets you establish secure and stable private connections between a VPC and ECS. You can access ECS instances as if they were in your VPC without using an Internet gateway, a NAT device, or a VPN. This simplifies your network architecture, enables private access to services, improves VPC security, and helps avoid potential security risks from unnecessary Internet access. For more information, see What is PrivateLink?
Control network traffic and allow only necessary network access
Use a network ACL for traffic control
ECS uses network ACLs within a VPC to control traffic. A network ACL is a network access control feature that you can attach to a vSwitch. You can customize network ACL rules to control the data that flows into and out of the vSwitch. This lets you control traffic to and from the ECS instances within that vSwitch. For more information, see Network ACLs and Create and manage a network ACL.
Use a security group to control NIC traffic
ECS uses security groups to control traffic at the network interface controller (NIC) level. A security group is a virtual firewall that controls the inbound and outbound traffic of an ECS instance. The inbound rules of a security group control traffic to the instance, and the outbound rules control traffic from the instance. For more information, see Security group overview and Manage resources associated with a security group.
Security groups are classified as basic and enterprise security groups. Both types are free of charge. They differ in capacity, the ability to add rules that authorize other security groups, and default access control rules. This makes them suitable for different scenarios. For more information, see Basic and enterprise security groups.
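The following script is an added example, written for this page and not code from Alibaba Cloud or the ECS service, that models the two traffic-control layers described above (a network ACL on the vSwitch and a security group on the instance's NIC) so that a proposed rule set can be checked offline before it is applied. Both rule sets are constructed. The evaluation semantics are assumptions used for illustration, not a description of the ECS API: rules are checked in priority order with the lowest number first, a drop beats an accept at equal priority, the network ACL is stateless (request and reply are judged separately), and the security group is stateful with inbound traffic denied unless a rule accepts it.

```python
"""Offline model of two traffic-control layers: a network ACL attached to
a vSwitch and a security group attached to an instance's NIC. Both rule
sets below are constructed examples.

Assumptions used for illustration (not a statement of the ECS API):
rules are checked in priority order with the lowest number first, a drop
beats an accept at equal priority, the network ACL is stateless so request
and reply are judged separately, and the security group is stateful with
inbound traffic denied unless a rule accepts it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out", relative to the instance/vSwitch
    protocol: str        # "tcp", "udp", "icmp" or "all"
    ports: tuple         # (low, high) destination port range
    cidr: str            # remote address range the rule applies to
    policy: str          # "accept" or "drop"
    priority: int = 100  # lower number is checked first


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    remote_ip: str
    port: int            # destination port of the packet


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when direction, protocol, port range and CIDR all cover the flow."""
    return (rule.direction == flow.direction
            and rule.protocol in ("all", flow.protocol)
            and rule.ports[0] <= flow.port <= rule.ports[1]
            and ip_address(flow.remote_ip) in ip_network(rule.cidr, strict=False))


def evaluate(rules, flow: Flow, default: str) -> str:
    """Policy of the highest-priority matching rule, or `default` if none matches."""
    matching = [r for r in rules if rule_matches(r, flow)]
    if not matching:
        return default
    # Lowest priority number first; at a tie, drop sorts before accept.
    winner = min(matching, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return winner.policy


def session_permitted_by_acl(acl_rules, request: Flow, reply_port: int) -> bool:
    """Stateless: the request and the reply (to the client's ephemeral port)
    are each evaluated against the ACL, so both need an accept rule."""
    reply = Flow("out" if request.direction == "in" else "in",
                 request.protocol, request.remote_ip, reply_port)
    return (evaluate(acl_rules, request, "drop") == "accept"
            and evaluate(acl_rules, reply, "drop") == "accept")


def session_permitted_by_sg(sg_rules, request: Flow) -> bool:
    """Stateful: only the initiating packet is checked; replies follow automatically."""
    default = "drop" if request.direction == "in" else "accept"
    return evaluate(sg_rules, request, default) == "accept"


def session_permitted(acl_rules, sg_rules, request: Flow, reply_port: int) -> bool:
    """Traffic must pass both the vSwitch ACL and the instance's security group."""
    return (session_permitted_by_acl(acl_rules, request, reply_port)
            and session_permitted_by_sg(sg_rules, request))


def overly_broad_rules(rules, admin_ports=(22, 3389)) -> list:
    """Accept rules that open an administrative port to every address."""
    return [r for r in rules
            if r.direction == "in" and r.policy == "accept"
            and ip_network(r.cidr, strict=False).prefixlen == 0
            and any(r.ports[0] <= p <= r.ports[1] for p in admin_ports)]


# Constructed network ACL for the vSwitch: SSH from the admin range,
# HTTPS from anywhere, replies to ephemeral ports, everything else dropped.
ACL_RULES = [
    Rule("in", "tcp", (22, 22), "203.0.113.0/24", "accept", 1),
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", "accept", 2),
    Rule("out", "tcp", (1024, 65535), "0.0.0.0/0", "accept", 1),
    Rule("in", "all", ALL_PORTS, "0.0.0.0/0", "drop", 100),
]

# Constructed security group: one host is explicitly blocked, and a
# too-permissive SSH rule was left in at a lower priority.
SG_RULES = [
    Rule("in", "tcp", (22, 22), "203.0.113.66/32", "drop", 1),
    Rule("in", "tcp", (22, 22), "203.0.113.0/24", "accept", 1),
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", "accept", 1),
    Rule("in", "tcp", (22, 22), "0.0.0.0/0", "accept", 50),
]

if __name__ == "__main__":
    ssh_from_unknown = Flow("in", "tcp", "198.51.100.7", 22)
    print("SG alone permits stray SSH:", session_permitted_by_sg(SG_RULES, ssh_from_unknown))
    print("ACL + SG permit stray SSH:", session_permitted(ACL_RULES, SG_RULES, ssh_from_unknown, 51515))
    for r in overly_broad_rules(SG_RULES):
        print("review this rule:", r)
```

The constructed security group shows why the two layers are worth combining: its leftover priority-50 rule accepts SSH from any address, but the vSwitch network ACL still drops that session because only the admin range is accepted there. overly_broad_rules() is the kind of check to run over an exported rule set before it is attached to production instances.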
Monitor and analyze network traffic
You can monitor and analyze network traffic in ECS using VPC flow logs and traffic mirroring. This helps you check access control rules, monitor network traffic, and troubleshoot network failures.
Monitor network traffic with flow logs
Flow logs record information about inbound and outbound traffic for an Elastic Network Interface (ENI) in a VPC. This helps you check access control rules, monitor network traffic, and troubleshoot network failures. For more information, see Flow logs.
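The following script is an added example, not part of the Alibaba Cloud documentation, that puts flow log records to the two uses named above: verifying that access control rules behave as intended, and spotting unwanted traffic on an ENI. The records are constructed sample data, and the field layout in FIELDS is an assumption made for this example; consult the Flow logs documentation for the actual field set before adapting the parser.

```python
"""Analysis of VPC flow log records: checking that access control rules
behave as intended and spotting unwanted traffic. The records are
constructed sample data. The field layout in FIELDS is an assumption for
this example, not the documented format of the service.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ["version", "account-id", "eni-id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action",
          "log-status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records for one ENI (10.0.1.5). One source probes several
# ports and is rejected each time; one accepted SSH session comes from
# outside the intended admin range (203.0.113.0/24).
SAMPLE_LOG = """\
1 123456789012 eni-example 198.51.100.7 10.0.1.5 40001 22 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 198.51.100.7 10.0.1.5 40002 23 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 198.51.100.7 10.0.1.5 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 198.51.100.7 10.0.1.5 40004 8080 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 198.51.100.7 10.0.1.5 40005 8443 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 203.0.113.10 10.0.1.5 51515 22 6 20 2400 1700000000 1700000060 ACCEPT OK
1 123456789012 eni-example 192.0.2.44 10.0.1.5 44444 443 6 15 9000 1700000000 1700000060 ACCEPT OK
1 123456789012 eni-example 192.0.2.44 10.0.1.5 44445 443 6 3 180 1700000000 1700000060 ACCEPT OK
1 123456789012 eni-example 192.0.2.99 10.0.1.5 33333 3389 6 1 60 1700000000 1700000060 REJECT OK
1 123456789012 eni-example 192.0.2.50 10.0.1.5 39999 22 6 8 960 1700000000 1700000060 ACCEPT OK
"""


def parse_flow_log(text: str) -> list:
    """Turn whitespace-separated records into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records) -> dict:
    """Distinct destination ports each source was rejected on."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)


def suspected_port_scans(records, min_ports: int = 5) -> list:
    """Sources rejected on at least `min_ports` distinct ports, sorted."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def accepted_bytes_by_port(records) -> dict:
    """Bytes accepted per destination port: a quick view of what is actually in use."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[rec["dstport"]] += rec["bytes"]
    return dict(totals)


def unexpected_accepts(records, allowed_sources: dict) -> list:
    """Accepted records on a restricted port whose source lies outside the
    CIDR the access control rules were meant to permit. Any hit means a
    security group or network ACL rule is broader than intended."""
    hits = []
    for rec in records:
        cidr = allowed_sources.get(rec["dstport"])
        if (rec["action"] == "ACCEPT" and cidr is not None
                and ip_address(rec["srcaddr"]) not in ip_network(cidr, strict=False)):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("suspected port scans:", suspected_port_scans(recs))
    print("accepted bytes per port:", accepted_bytes_by_port(recs))
    for rec in unexpected_accepts(recs, {22: "203.0.113.0/24"}):
        print("SSH accepted from outside the admin range:", rec["srcaddr"])
```

unexpected_accepts() is the access-control check: feed it the source ranges each restricted port is supposed to accept, and any ACCEPT record from elsewhere points at a rule that needs tightening. suspected_port_scans() is the monitoring side, and the threshold should be tuned against normal reject volume on the ENI.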
Detect network anomalies with traffic mirroring
The traffic mirroring feature copies packets that pass through an ENI and meet specified filter conditions. For example, you can copy the network traffic of an ECS instance in a VPC and forward the copied traffic to a specified ENI or Server Load Balancer (SLB) instance. You can use this feature for content inspection, threat monitoring, and troubleshooting. For more information, see Traffic mirroring.
Cloud security protection
To ensure the security of ECS instances, Alibaba Cloud provides multiple security products to protect against network attacks and reduce security risks. You can use the following security products with ECS to improve system security.
Anti-DDoS protection
Anti-DDoS Basic is enabled by default for ECS instances. Anti-DDoS protection scrubs DDoS traffic before it reaches the ECS host. This effectively protects ECS instances from DDoS attacks. For more information, see Anti-DDoS Basic.
Cloud Firewall
Cloud Firewall provides unified security isolation and control for your cloud network assets at the Internet border, VPC border, and internal border. The internal firewall can control inbound and outbound traffic for ECS instances and restrict unauthorized access to the instances. For more information, see Configure access control policies for the internal firewall.
Web Application Firewall
Web Application Firewall (WAF) identifies and blocks malicious traffic to your websites and applications. This prevents issues, such as performance degradation, that are caused by malicious intrusions into web servers. WAF can provide security protection for ECS instances. After you add an ECS instance to WAF, all web service traffic from the instance is directed to WAF for inspection. WAF filters out web application attacks and forwards normal service traffic to the ECS server. For more information, see Enable WAF protection for an ECS instance.