Network isolation is a key security measure for SLB: it separates network traffic to improve system security and reliability. SLB infrastructure security consists of two parts, network isolation and network traffic control.
Network isolation
A Virtual Private Cloud (VPC) is a virtual network that is logically isolated within Alibaba Cloud. A subnet is a range of IP addresses within a VPC. When you create an SLB instance, you can specify one or more subnets for the instance. You can create Elastic Compute Service (ECS) instances in the subnets of your VPC and add these instances to a backend server group of the SLB instance. For more information, see What is a VPC?.
- Application Load Balancer (ALB) and Network Load Balancer (NLB) instances support the following network types:
  - Private network: The instance is assigned a private IP address in each availability zone. The ALB or NLB instance can be accessed only over the Alibaba Cloud private network and not from the internet.
  - Public network: The instance is assigned a public IP address and a private IP address in each availability zone. Public ALB or NLB instances use Elastic IP Addresses (EIPs) to provide public-facing capabilities. If you select Public network, charges apply for the EIP instance, bandwidth, and data transfer.
- Classic Load Balancer (CLB) instances support the following network types:
  - Private network: The instance is assigned only a private IP address and can be accessed only over the Alibaba Cloud private network, not from the internet.
  - Public network: The instance is assigned a public IP address and can be accessed from the internet.
SLB instances communicate with backend ECS instances over the private network. If your backend ECS instances only need to receive requests from an SLB instance, they do not require public IP addresses. This means you do not need to associate EIPs with the ECS instances.
Network traffic control
Each SLB product provides different methods for securing network traffic.
ALB
| Method | Description | References |
| --- | --- | --- |
| SSL-encrypted transmission | SSL certificates encrypt data in transit to prevent it from being intercepted or tampered with. | |
| WAF | Enable Web Application Firewall (WAF) to monitor and filter network traffic in real time, protecting your services from malicious attacks. | |
| Security groups | Configure security group rules to control inbound traffic. | |
| ACL | Use an Access Control List (ACL) to create a blacklist/whitelist that blocks unauthorized and malicious traffic. | |
| DDoS protection | Use DDoS protection services to defend against large-scale attacks in real time. ALB supports both Anti-DDoS Origin and Anti-DDoS Pro/Premium. | |
| TLS security policies | A TLS security policy enhances service security. When you configure an HTTPS listener, you can apply a custom or system default policy. | |
NLB
| Method | Description | References |
| --- | --- | --- |
| SSL-encrypted transmission | SSL certificates encrypt data in transit to prevent it from being intercepted or tampered with. | |
| DDoS protection | Use DDoS protection services to defend against large-scale attacks in real time. NLB supports both Anti-DDoS Origin and Anti-DDoS Pro/Premium. | |
| Security groups | Configure security group rules to control inbound traffic. | |
| TLS security policies | A TLS security policy enhances service security. When you configure a TCP/SSL listener, you can apply a custom or system default policy. | |
CLB
| Method | Description | References |
| --- | --- | --- |
| SSL-encrypted transmission | SSL certificates encrypt data in transit to prevent it from being intercepted or tampered with. | |
| WAF | Enable Web Application Firewall (WAF) to monitor and filter network traffic in real time, protecting your services from malicious attacks. | |
| ACL | Use an Access Control List (ACL) to create a blacklist/whitelist that blocks unauthorized and malicious traffic. | |
| DDoS protection | Use DDoS protection services to defend against large-scale attacks in real time. CLB supports only Anti-DDoS Origin. | |
| TLS security policies | A TLS security policy enhances service security. When you configure an HTTPS listener, you can apply a custom or system default policy. | |
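The following added example (not code from the Alibaba Cloud documentation or the SLB service) models two of the controls above as a defender would check them: the listener ACL decision in whitelist and blacklist mode, and an audit of a backend ECS instance against the network isolation guidance that SLB-only backends need neither a public address nor inbound rules open beyond the VPC. The sample backend record and its field names are constructed assumptions, not SLB API fields.

```python
import ipaddress


def acl_allows(mode, entries, client_ip):
    """Listener ACL decision. mode is 'white' or 'black'; entries are CIDRs.
    A whitelist admits only listed sources; a blacklist rejects listed sources.
    Assumption: an empty whitelist admits nothing, i.e. the ACL fails closed."""
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return matched if mode == "white" else not matched


def audit_backend(backend):
    """Return findings for one backend ECS instance reached only through SLB.
    Such a backend needs no EIP or public IP, and its security group should
    admit inbound traffic only from addresses inside the VPC (the SLB side)."""
    findings = []
    vpc = ipaddress.ip_network(backend["vpc_cidr"])
    if backend.get("public_ip") or backend.get("eip"):
        findings.append("public address attached to SLB-only backend")
    for rule in backend["sg_rules"]:  # constructed rule shape: direction, port, cidr
        if rule["direction"] != "ingress":
            continue
        src = ipaddress.ip_network(rule["cidr"], strict=False)
        if src.prefixlen == 0:  # 0.0.0.0/0 or ::/0: open to the whole internet
            findings.append(f"port {rule['port']} open to {rule['cidr']}")
        elif src.version != vpc.version or not src.subnet_of(vpc):
            findings.append(f"port {rule['port']} allows non-VPC source {rule['cidr']}")
    return findings


# Constructed sample: backend in a 10.0.0.0/16 VPC, SLB subnet is 10.0.1.0/24.
SAMPLE_BACKEND = {
    "vpc_cidr": "10.0.0.0/16",
    "eip": None,
    "public_ip": None,
    "sg_rules": [
        {"direction": "ingress", "port": 80, "cidr": "10.0.1.0/24"},  # from SLB subnet
        {"direction": "ingress", "port": 22, "cidr": "0.0.0.0/0"},    # wide-open SSH
        {"direction": "egress", "port": 443, "cidr": "0.0.0.0/0"},    # egress, not audited
    ],
}

if __name__ == "__main__":
    print(acl_allows("white", ["203.0.113.0/24"], "203.0.113.7"))
    print(audit_backend(SAMPLE_BACKEND))
```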