VPC uses a layered security model to protect your cloud resources. This page covers network isolation, traffic control at the instance and subnet level, and access management with RAM policies.
How network isolation works
Each VPC is a logically isolated private network. VPCs are separated from each other by tunneling: every VPC gets a unique tunnel ID, and data packets are encapsulated with that ID before they are transmitted over the physical network between Elastic Compute Service (ECS) instances within the VPC. Because packets from different VPCs carry different tunnel IDs, ECS instances in separate VPCs cannot communicate with each other by default; cross-VPC connectivity exists only if you configure it explicitly, for example with a VPC peering connection.
Use separate VPCs to isolate workloads with different security requirements, such as production vs. development environments, or different business units.
Traffic control features
VPC provides four features to control traffic at different layers of your network.
ECS security group
Security groups act as virtual firewalls at the instance level. They provide Stateful Packet Inspection (SPI) and packet filtering, letting you define security domains in the cloud. Because they are stateful, return traffic for a connection that an inbound rule has already allowed is permitted without a matching outbound rule. Configure inbound and outbound rules to control traffic to one or more ECS instances in a group. For more information, see Overview of security groups.
Network ACL
Network access control lists (ACLs) operate at the subnet level. Create network ACL rules and associate the ACL with a vSwitch to control inbound and outbound traffic for all ECS instances in that vSwitch. For more information, see Overview of network ACLs.
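The practical difference between the two layers is state. The following Python model, added here as an illustration and not code from the VPC product or its documentation, shows the common pitfall: an SSH session that an instance-level security group passes because it tracks the connection, but that a subnet-level ACL drops on the reply leg until an outbound rule for the ephemeral port range is added. The ACL is modeled as stateless (each packet judged on its own in rule order), the addresses and rules are constructed, and the classes, `matches` and `demo` are names chosen for this example; confirm the rule semantics of your own product against Overview of security groups and Overview of network ACLs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "in": toward the ECS instance, "out": leaving it

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    cidr: str        # remote side: the source for "in" rules, the destination for "out" rules
    port_lo: int     # destination-port range the rule covers
    port_hi: int
    action: str = "accept"   # "accept" or "drop"

def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet? Direction, remote CIDR and dst port must all fit."""
    if rule.direction != pkt.direction:
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    in_cidr = ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
    return in_cidr and rule.port_lo <= pkt.dport <= rule.port_hi

class StatefulSecurityGroup:
    """Toy model of an instance-level security group (SPI): first matching rule wins,
    and replies to an accepted inbound flow pass without any outbound rule."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (local_ip, local_port, remote_ip, remote_port) of accepted flows

    def filter(self, pkt: Packet) -> bool:
        # Reply to an established flow: allowed by connection state, not by a rule.
        if pkt.direction == "out" and (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return True
        for rule in self.rules:
            if matches(rule, pkt):
                accepted = rule.action == "accept"
                if accepted and pkt.direction == "in":
                    self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return accepted
        return False   # no rule matched: drop (restrictive default chosen for this demo)

class StatelessNetworkAcl:
    """Toy model of a subnet-level ACL: every packet is judged on its own, in rule order."""
    def __init__(self, rules):
        self.rules = list(rules)

    def filter(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action == "accept"
        return False

# Constructed sample: an admin host opens SSH to an ECS instance, and the instance replies.
ADMIN_NET = "203.0.113.0/24"
SSH_REQUEST = Packet("203.0.113.5", "10.0.1.10", 51000, 22, "in")
SSH_REPLY = Packet("10.0.1.10", "203.0.113.5", 22, 51000, "out")

def ssh_session(fw) -> tuple:
    """(request_allowed, reply_allowed) for the SSH handshake through one filter."""
    return (fw.filter(SSH_REQUEST), fw.filter(SSH_REPLY))

def demo() -> dict:
    sg = StatefulSecurityGroup([Rule("in", ADMIN_NET, 22, 22)])
    acl_missing_return = StatelessNetworkAcl([
        Rule("in", ADMIN_NET, 22, 22),
        Rule("out", "0.0.0.0/0", 443, 443),   # the instance may call HTTPS out, nothing else
    ])
    # The fix for a stateless ACL: allow the reply traffic (ephemeral ports) back to the admin net.
    acl_with_return = StatelessNetworkAcl(acl_missing_return.rules + [Rule("out", ADMIN_NET, 1024, 65535)])
    return {
        "security_group": ssh_session(sg),
        "acl_missing_return_rule": ssh_session(acl_missing_return),
        "acl_with_return_rule": ssh_session(acl_with_return),
    }

if __name__ == "__main__":
    for name, (req, reply) in demo().items():
        print(f"{name:26s} request={'pass' if req else 'drop'} reply={'pass' if reply else 'drop'}")
```

The same asymmetry is why a network ACL that only mirrors your security group's inbound rules can break traffic that the security group alone allowed: audit the outbound side of every ACL you attach to a vSwitch.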
Flow log
Flow logs capture inbound and outbound traffic metadata for an elastic network interface (ENI). Use flow logs to audit access control rules, monitor network activity, and troubleshoot connectivity issues. For more information, see Overview of flow logs.
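To make "audit access control rules" concrete, here is a small Python script, added as an example and not part of the VPC documentation, that parses flow log records and reports three things a practitioner looks for: which sources are being rejected, which accepted inbound flows violate the intended policy (a rule that is broader than it should be), and which sources probed several ports and got rejected each time. The records are constructed, the field order in `FIELDS` and the `ACCEPT`/`REJECT`/`NODATA` values are assumptions to be checked against Overview of flow logs, and `EXPECTED_INBOUND`, `parse`, `audit` and `run` are names chosen for this example.

```python
import ipaddress
from collections import Counter, defaultdict

# Field layout assumed for this example; check it against the record format in
# Overview of flow logs and adjust FIELDS if your records differ.
FIELDS = ["version", "vswitch_id", "vm_id", "vpc_id", "account_id", "eni_id",
          "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "direction",
          "packets", "bytes", "start", "end", "log_status", "action"]

# Constructed sample records (not real captures): one ENI on an ECS instance at 10.0.1.10.
SAMPLE_LOG = """\
1 vsw-a vm-1 vpc-x 1234 eni-a 203.0.113.5 10.0.1.10 51000 22 6 in 12 1800 1700000000 1700000060 OK ACCEPT
1 vsw-a vm-1 vpc-x 1234 eni-a 198.51.100.7 10.0.1.10 40001 22 6 in 1 60 1700000000 1700000060 OK REJECT
1 vsw-a vm-1 vpc-x 1234 eni-a 198.51.100.7 10.0.1.10 40002 23 6 in 1 60 1700000000 1700000060 OK REJECT
1 vsw-a vm-1 vpc-x 1234 eni-a 198.51.100.7 10.0.1.10 40003 3389 6 in 1 60 1700000000 1700000060 OK REJECT
1 vsw-a vm-1 vpc-x 1234 eni-a 10.0.2.20 10.0.1.10 33000 3306 6 in 5 400 1700000000 1700000060 OK ACCEPT
1 vsw-a vm-1 vpc-x 1234 eni-a 10.0.1.10 10.0.2.20 3306 33000 6 out 5 600 1700000000 1700000060 OK ACCEPT
1 vsw-a vm-1 vpc-x 1234 eni-a 192.0.2.9 10.0.1.10 45000 3306 6 in 3 200 1700000000 1700000060 OK ACCEPT
1 vsw-a vm-1 vpc-x 1234 eni-a - - - - - - 0 0 1700000000 1700000060 NODATA -
"""

# What the security group / network ACL is supposed to permit inbound: dst port -> source networks.
EXPECTED_INBOUND = {22: ["203.0.113.0/24"], 3306: ["10.0.0.0/8"]}

def parse(text: str) -> list:
    """Split whitespace-delimited records into dicts, dropping records that carry no flow."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":      # NODATA / SKIPDATA records have no addresses or ports
            continue
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def audit(records: list, allowed_inbound: dict, scan_threshold: int = 3) -> dict:
    """Compare inbound flows against the intended policy and summarize rejects."""
    rejected = Counter()
    ports_probed = defaultdict(set)
    unexpected = []
    for r in records:
        if r["direction"] != "in":
            continue
        src = ipaddress.ip_address(r["srcaddr"])
        if r["action"] == "REJECT":
            rejected[r["srcaddr"]] += 1
            ports_probed[r["srcaddr"]].add(r["dstport"])
        elif r["action"] == "ACCEPT":
            nets = allowed_inbound.get(r["dstport"], [])
            # An accepted flow from outside the intended source networks means a rule is too wide.
            if not any(src in ipaddress.ip_network(n) for n in nets):
                unexpected.append((r["srcaddr"], r["dstport"]))
    scanners = sorted(s for s, ports in ports_probed.items() if len(ports) >= scan_threshold)
    return {"rejected_by_source": dict(rejected),
            "unexpected_accepts": unexpected,
            "scanners": scanners}

def run() -> dict:
    return audit(parse(SAMPLE_LOG), EXPECTED_INBOUND)

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

In the sample, the accepted flow from 192.0.2.9 to port 3306 is the finding that matters: the database port is reachable from outside the 10.0.0.0/8 range the policy intended, which points at an over-broad security group or ACL rule rather than at the rejected scanner, which the rules handled correctly.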
Traffic mirroring
Traffic mirroring copies packets that pass through an ENI and meet specific filter conditions, then forwards them to a specified ENI or an internal-facing Classic Load Balancer (CLB) instance. Use traffic mirroring for content inspection, threat monitoring, and network troubleshooting. For more information, see Overview of traffic mirroring.
Manage access with RAM policies
Use Resource Access Management (RAM) policies to control who can create, view, and modify VPC resources. Grant permissions to a RAM user, a user group, or a RAM role.
Built-in policies
Attach the following system policies to grant standard VPC permissions quickly.
| Policy | Description |
|---|---|
| AliyunVPCFullAccess | Grants full permissions to manage VPC resources to the RAM user, user group, or RAM role it is attached to |
| AliyunVPCReadOnlyAccess | Grants read-only permissions on VPC resources (view, but not create or modify) |
For a full list of VPC permissions, see RAM authorization (VPC). For VPC peering connection permissions, see RAM authorization (VPC peering connection).
Custom policies
If the built-in policies don't meet your requirements, create a custom RAM policy to define a more granular permission set. For guidance, see Use RAM roles to manage VPC permissions.
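As an added example, not taken from the VPC documentation or from any RAM reference, the Python below builds a least-privilege custom policy in RAM's JSON policy format (a `Version` of `"1"` and a list of `Statement` objects with `Effect`, `Action` and `Resource`) and checks it with a toy evaluator that applies RAM's decision order: an explicit `Deny` wins over any `Allow`, and a request no statement allows is denied. The region, account ID and VPC ID are placeholders, the resource ARN shape is the one listed in RAM authorization (VPC) and should be verified there, and `evaluate` and `overly_broad_statements` are helpers written for this example; they ignore `Condition` elements and other policies attached to the same principal, which the real service does consider.

```python
import json
from fnmatch import fnmatchcase

# Placeholders for the example; substitute your own region, account ID and VPC ID.
ACCOUNT = "1234567890123456"
VPC_ARN = f"acs:vpc:cn-hangzhou:{ACCOUNT}:vpc/vpc-bp1example"

# Custom policy: read anything, manage vSwitches in exactly one VPC, never delete a VPC.
CUSTOM_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["vpc:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["vpc:CreateVSwitch", "vpc:DeleteVSwitch"], "Resource": VPC_ARN},
        {"Effect": "Deny", "Action": ["vpc:DeleteVpc"], "Resource": "*"},
    ],
}

def _any_match(patterns, value: str) -> bool:
    """RAM-style wildcard match: '*' and '?' in a pattern; a bare string counts as one pattern."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Toy evaluator: explicit Deny beats Allow; nothing matching means implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if _any_match(st["Action"], action) and _any_match(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"      # an explicit deny ends the evaluation
            decision = "Allow"
    return decision

def overly_broad_statements(policy: dict) -> list:
    """Lint: indexes of Allow statements that pair a wildcard action with a wildcard resource."""
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if st["Resource"] == "*" and any(a in ("*", "vpc:*") for a in actions):
            flagged.append(i)
    return flagged

def policy_document(policy: dict) -> str:
    """The JSON text you would paste into the RAM console when creating the custom policy."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    print(policy_document(CUSTOM_POLICY))
    for action, resource in [("vpc:DescribeVpcs", VPC_ARN),
                             ("vpc:CreateVSwitch", VPC_ARN),
                             ("vpc:CreateVSwitch", VPC_ARN.replace("vpc-bp1example", "vpc-bp1other")),
                             ("vpc:DeleteVpc", VPC_ARN),
                             ("vpc:CreateVpc", "*")]:
        print(f"{action:20s} {resource:55s} -> {evaluate(CUSTOM_POLICY, action, resource)}")
```

The explicit `Deny` on `vpc:DeleteVpc` is deliberate: if the same user later receives AliyunVPCFullAccess through a group, the deny in this custom policy still blocks VPC deletion, because deny overrides allow across all policies attached to a principal.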