• UID157

The Application Security Solution in VPC

Posted time: Dec 16, 2015 11:30 AM
Implementing a firewall policy is just basic survival when it comes to internet-facing servers. AliCloud provides Security Groups as a mandatory whitelisting firewall to limit inbound open ports on ECS. You can allow specific ports/protocols for an IP or CIDR. This allows you to create tiers of protection mapping to your application tiers. Creating these layered firewall policies makes your applications significantly more secure.

1. A security group acts as a virtual firewall for your instance to control traffic. Here it allows the web servers to receive incoming 80/443 traffic.
2. For the app server, the SG allows it to receive requests from the web server and also SSH traffic from your network. The app servers can also initiate read and write requests to the DB servers in the private subnet.
3. The DB server is placed in the private subnet, which means all internet traffic will be denied. It only accepts certain requests from the app server.
4. The public subnet and private subnet are logical concepts for placing ECS instances. They help the Ops team manage the instances. Generally only the instances in the public subnet have an EIP.
[Cloudy edited the post at Dec 16, 2015 18:13 PM]
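The three-tier whitelist described in the post above, as an added example (not code from the post or from AliCloud): a small Python model of default-deny security groups, where an inbound rule names either a source CIDR or another security group (the way a source-group rule does), evaluated against constructed flows. The group names, instance addresses, the 10.0.0.0/16 VPC range, the office CIDR 203.0.113.0/24 and the app port 8080 are assumptions chosen for illustration.

```python
"""Tiered security groups for a web / app / DB deployment in a VPC.

Added example, not code from the original post. Security groups are modelled
as default-deny inbound whitelists, as the post describes, and candidate flows
are evaluated against them. All names, CIDRs and ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

ANY = "0.0.0.0/0"
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC address space
OFFICE_CIDR = "203.0.113.0/24"                    # assumed "your network"


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    src_cidr: Optional[str] = None    # allow from an IP range ...
    src_group: Optional[str] = None   # ... or from members of another group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # whitelist; anything else is denied


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: tuple
    eip: Optional[str] = None   # only public-subnet instances get one


sg_web = SecurityGroup("sg-web", [
    Rule("tcp", 80, 80, src_cidr=ANY),
    Rule("tcp", 443, 443, src_cidr=ANY),
])
sg_app = SecurityGroup("sg-app", [
    Rule("tcp", 8080, 8080, src_group="sg-web"),   # only the web tier
    Rule("tcp", 22, 22, src_cidr=OFFICE_CIDR),      # SSH only from the office
])
sg_db = SecurityGroup("sg-db", [
    Rule("tcp", 3306, 3306, src_group="sg-app"),   # only the app tier
])
GROUPS = {g.name: g for g in (sg_web, sg_app, sg_db)}

INSTANCES = {
    "web-1": Instance("web-1", "10.0.1.10", ("sg-web",), eip="198.51.100.10"),
    "app-1": Instance("app-1", "10.0.1.20", ("sg-app",), eip="198.51.100.20"),
    "db-1":  Instance("db-1",  "10.0.2.10", ("sg-db",)),   # private subnet, no EIP
}


def instance_by_ip(ip: str) -> Optional[Instance]:
    return next((i for i in INSTANCES.values() if ip in (i.private_ip, i.eip)), None)


def rule_matches(rule: Rule, proto: str, port: int, src_ip: str) -> bool:
    if rule.proto != proto or not rule.port_from <= port <= rule.port_to:
        return False
    if rule.src_cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_cidr)
    src = instance_by_ip(src_ip)          # group rule: the sender must be a member
    return src is not None and rule.src_group in src.groups


def check_flow(src_ip: str, dst_name: str, proto: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a packet from src_ip to the named instance."""
    dst = INSTANCES[dst_name]
    if ipaddress.ip_address(src_ip) not in VPC_CIDR and dst.eip is None:
        return False, "destination has no EIP; unreachable from outside the VPC"
    for gname in dst.groups:
        for rule in GROUPS[gname].inbound:
            if rule_matches(rule, proto, port, src_ip):
                return True, f"allowed by {gname}: {rule}"
    return False, "no matching inbound rule (default deny)"


if __name__ == "__main__":
    # constructed flows: 192.0.2.7 stands in for an arbitrary internet host
    for flow in [("192.0.2.7", "web-1", "tcp", 443), ("192.0.2.7", "app-1", "tcp", 22),
                 ("203.0.113.5", "app-1", "tcp", 22), ("10.0.1.10", "app-1", "tcp", 8080),
                 ("10.0.1.20", "db-1", "tcp", 3306), ("10.0.1.10", "db-1", "tcp", 3306),
                 ("192.0.2.7", "db-1", "tcp", 3306)]:
        print(flow, "->", check_flow(*flow))
```

The two denies at the bottom of the tier layout are the ones worth checking before trusting it: the web tier cannot reach the DB port even though both sit inside the VPC, and nothing outside the VPC reaches the DB at all because it has no EIP. The app-tier and DB-tier rules key on security-group membership rather than on IP address, so a new app instance joins the whitelist by being attached to sg-app instead of by editing CIDRs.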

  • UID4565
1st Reply#
Posted time: Dec 12, 2017 10:06 AM
You need to have a NAT GW for accessing the internet from a private subnet.

You may want to read more on the following:
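The first reply's point, as an added example rather than code from this thread: a Python model of a VPC route table with longest-prefix matching that traces where a packet from a private subnet ends up. A table whose default route points at a NAT gateway egresses; a table whose custom 0.0.0.0/0 entry points at an ECS instance with no EIP hands that instance's own forwarded traffic back to the same entry, which the trace reports as a loop. The route entries, instance IDs and addresses are constructed for illustration; the thread does not give the second poster's custom entries, so this shows one way such a loop can arise, not a diagnosis of their setup.

```python
"""Route-table resolution for private and public subnets in a VPC.

Added example, not code from this thread. Next-hop types are a simplified
subset: "local" (inside the VPC), "natgw" (a NAT gateway holding an EIP) and
"instance" (a custom entry pointing at an ECS instance). Everything here is
constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

VPC_CIDR = "10.0.0.0/16"   # assumed VPC address space


class Route:
    def __init__(self, prefix: str, hop_type: str, hop_id: Optional[str] = None):
        self.prefix = ipaddress.ip_network(prefix)
        self.hop_type = hop_type      # "local" | "natgw" | "instance"
        self.hop_id = hop_id

    def __repr__(self) -> str:
        target = self.hop_type if self.hop_id is None else f"{self.hop_type} {self.hop_id}"
        return f"{self.prefix} -> {target}"


# Instances a custom route entry may point at; only an EIP lets one egress.
INSTANCES: Dict[str, dict] = {
    "i-nat-no-eip": {"eip": None},
    "i-nat-eip":    {"eip": "198.51.100.30"},
}

# Correct: the private subnet's default route goes to a NAT gateway.
TABLE_NATGW: List[Route] = [
    Route(VPC_CIDR, "local"),
    Route("0.0.0.0/0", "natgw", "ngw-1"),
]
# Custom entry pointing at an instance that cannot itself reach the internet.
TABLE_LOOP: List[Route] = [
    Route(VPC_CIDR, "local"),
    Route("0.0.0.0/0", "instance", "i-nat-no-eip"),
]
# Custom entry pointing at an instance that does hold an EIP (self-built NAT).
TABLE_INSTANCE_NAT: List[Route] = [
    Route(VPC_CIDR, "local"),
    Route("0.0.0.0/0", "instance", "i-nat-eip"),
]
# No default route at all.
TABLE_NO_DEFAULT: List[Route] = [Route(VPC_CIDR, "local")]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; returns None when nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def trace(table: List[Route], dst: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow next hops for a packet to dst; returns (outcome, hops taken).

    Outcomes: "delivered" (stays inside the VPC), "egress" (reaches the
    internet), "blackhole" (no route) or "loop" (a forwarding instance hits
    its own default route again, which is what a circular traceroute shows).
    """
    hops: List[str] = []
    visited = set()
    for _ in range(max_hops):
        route = lookup(table, dst)
        if route is None:
            return "blackhole", hops
        hops.append(repr(route))
        if route.hop_type == "local":
            return "delivered", hops
        if route.hop_type == "natgw":
            return "egress", hops
        # "instance": the packet is handed to an ECS instance in this VPC
        if route.hop_id in visited:
            return "loop", hops
        visited.add(route.hop_id)
        if INSTANCES[route.hop_id]["eip"]:
            return "egress", hops      # the instance SNATs out via its own EIP
        # without an EIP the instance's forwarded packet is routed by the
        # same table again, so the next iteration repeats the lookup
    return "loop", hops


if __name__ == "__main__":
    for name, table in [("natgw", TABLE_NATGW), ("loop", TABLE_LOOP),
                        ("instance-nat", TABLE_INSTANCE_NAT), ("no-default", TABLE_NO_DEFAULT)]:
        print(name, trace(table, "192.0.2.1"))   # 192.0.2.1: arbitrary internet host
```

The check this encodes is the one to run by hand on a real table: take the default route of the private subnet, ask what its next hop does with a packet it cannot deliver locally, and make sure that answer is "leaves via an EIP" (a NAT gateway, or an instance that actually owns one) rather than "consults this table again".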

  • UID3460
2nd Reply#
Posted time: Sep 11, 2017 23:09 PM
This is a fairly good way to protect critical instances.
But there is one confusion regarding building it.
The reference document at the link below talks about creating custom entries.

Our VPC is and it's split into multiple smaller subnets.
Only one subnet will have a public IP and the rest will not.
As explained in the link, it's added accordingly, but when we try to access the internet from instances in the private subnet, the traceroute shows that it goes in circular references and hence access to the public network is not available from the private subnet.

Are we missing anything obvious?