After you enable Internet bandwidth for an IPv6 address, you can improve network security by setting the bandwidth to 0 Mbit/s or creating an egress-only rule for the IPv6 address.
Configure a VPC for IPv6 communication
- After you enable IPv6 for a virtual private cloud (VPC), IPv6 addresses of cloud service instances in the VPC can communicate only within the VPC by default.
- If you have enabled Internet bandwidth for an IPv6 address, you can set the bandwidth to 0 Mbit/s to restrict the address to private communication within VPCs.
The VPC can be accessed only by authorized users, which improves data security. For more information, see Enable IPv6 for a VPC and the Modify the maximum bandwidth value section of the Enable and manage IPv6 Internet bandwidth topic.
Create an egress-only rule to control traffic
An egress-only rule allows an IPv6 address to access the Internet while the IPv6 gateway drops inbound requests from external IPv6 clients. You can create an egress-only rule in the VPC console. For more information, see Create and manage an egress-only rule.
Mitigate DDoS attacks
Alibaba Cloud provides Anti-DDoS Origin Basic free of charge for public IPv6 addresses. Anti-DDoS Origin Basic can mitigate DDoS attacks at up to 5 Gbit/s.
Anti-DDoS Origin Basic is enabled by default for public IPv6 addresses. All inbound Internet traffic passes through Alibaba Cloud Security for scrubbing before it reaches the IPv6 address. For more information, see What is an Anti-DDoS Origin paid edition?
If the volume of Internet traffic to a cluster exceeds the capacity of Anti-DDoS, the traffic is routed to a blackhole to protect the cluster. In this case, all traffic is blocked. For the default thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic in each region, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. The thresholds that trigger blackhole filtering for public IPv6 addresses are determined by the region and bandwidth. The data displayed on the Assets page of the Traffic Security console prevails.