Infrastructure security

更新时间:
复制 MD 格式

Server Load Balancer (SLB) uses network isolation and network traffic control to secure your infrastructure and improve reliability.

Network isolation

Virtual private clouds (VPCs) are logically isolated virtual networks on Alibaba Cloud. A subnet specifies a range of IP addresses in a VPC. When you create an SLB instance, you can specify one or more subnets. You can deploy Elastic Compute Service (ECS) instances in VPC subnets and add them to backend server groups. For more information, see What is VPC

  • Application Load Balancer (ALB) and Network Load Balancer (NLB) instances support the following network types:

    • Internal-facing: A private IP address is assigned to each zone of the ALB or NLB instance. The instance is accessible only over internal networks.

    • Internet-facing: A public IP address and a private IP address are assigned to each zone of the instance. Internet-facing ALB or NLB instances can access the Internet by using Elastic IP addresses (EIPs). Internet-facing instances are charged an EIP fee and a bandwidth or data transfer fee.

  • Classic Load Balancer (CLB) instances support the following network types:

    • Internal-facing: An internal-facing CLB instance is assigned only a private IP address, and is accessible only over internal networks.

    • Internet-facing: An Internet-facing CLB instance is assigned a public IP address and is accessible over the Internet.

SLB instances communicate with backend ECS instances over internal networks. If the ECS instances receive requests only from the SLB instance, they do not require public IP addresses or EIPs.

Network traffic control

ALB, CLB, and NLB provide the following measures to protect network traffic.

ALB

Measure

Description

References

SSL-encrypted transmission

Encrypts data packets with SSL to prevent interception and tampering.

Web Application Firewall (WAF)

Monitors and filters network traffic to defend against attacks.

Enable WAF protection for an ALB instance

Security groups

Security groups control the traffic that is allowed to reach instances within them.

Access control lists (ACLs)

Whitelists and blacklists block unauthorized access and malicious requests.

Network ACLs

Anti-DDoS services

Mitigates large volumes of attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported.

TLS security policies

TLS security policies improve service security.

You can select a TLS security policy when you create an HTTPS listener. Custom and default TLS security policies are supported.

TLS security policy

NLB

Measure

Description

References

SSL-encrypted transmission

Encrypts data packets with SSL to prevent interception and tampering.

Anti-DDoS services

Mitigates large volumes of attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported.

Security groups

Security groups regulate access control.

TLS security policies

TLS security policies improve service security.

You can select a TLS security policy when you create a listener that uses SSL over TCP. Custom and default TLS security policies are supported.

TLS security policies

CLB

Measure

Description

References

SSL-encrypted transmission

Encrypts data packets with SSL to prevent interception and tampering.

WAF

Monitors and filters network traffic to defend against attacks.

Enable WAF protection for CLB

ACLs

Whitelists and blacklists block unauthorized access and malicious requests.

Enable access control

Anti-DDoS services

Mitigates large volumes of attacks in real time. Anti-DDoS Origin is supported.

Anti-DDoS Origin Basic

TLS security policies

TLS security policies improve service security.

You can select a TLS security policy when you create an HTTPS listener. Custom and default TLS security policies are supported.

TLS security policies