Alibaba Cloud Tech Share – Build safe web services using Alibaba Cloud VPC+ECS+SLB
Posted time: Feb 27, 2017 14:42
Abstract: Which public cloud products let a small or medium-sized enterprise build highly secure, available and scalable web services quickly, conveniently and at low cost? Below I share a practice from my own experience for the reference of colleagues who may need it.
With the cloud computing age approaching, the various public cloud platforms offer a wide variety of products. Alibaba Cloud, for example, provides 50 to 60 products in a dozen categories. So which of them let a small or medium-sized enterprise build highly secure, available and scalable web services quickly, conveniently and at low cost? Below I share a practice from my own experience for the reference of colleagues who may need it.
Go to the Alibaba Cloud homepage, and move your cursor over the “Products” menu. The first item in the pop-up sub-menu is “Elastic Computing”. Given the default position of “Elastic Computing”, we can surmise that products listed in this category should be the most basic and frequently used by consumers. As a matter of fact, the practical experience I will introduce next was accumulated through using the three products under this category, namely “ECS”, “VPC” and “SLB”.
Next let me introduce the functions and composition of the web service we will implement. It is a keyword search service over professional articles for the 1,000-plus employees of the enterprise. It is composed of two search engines and two service receivers. A service receiver accepts a user's request, calls a search engine to fetch the data, packages the data into the format the user wants and returns it. Since Alibaba Cloud serves many small and medium-sized enterprises, it was natural to deploy this service on Alibaba Cloud as the production environment.
I strongly recommend VPC to medium-sized and small enterprises, and a classic network should be avoided.
As the business grows, small and medium-sized enterprises will inevitably lease more cloud resources. In a classic network you have to purchase internet bandwidth per ECS instance, and the instances sit on a shared network rather than in an isolated one. With VPC, all ECS instances in the VPC can share one internet bandwidth allocation. Moreover, ECS instances in a VPC have no public address by default and are unreachable from the internet, which greatly reduces the attack surface. Don't worry about configuring the VSwitches (the subnets of the VPC): following Alibaba Cloud's tutorial, the configuration is quite simple, and it takes far less effort than hardening ECS firewalls one by one in a classic network.
Virtual Private Cloud (VPC) helps you establish an isolated network environment based on Alibaba Cloud. You can customize the IP address range, segments, route tables and gateways. In addition, you can connect the VPC with traditional data centers through leased lines, VPN or GRE to build hybrid cloud businesses.
Server Load Balancer (SLB)
The SLB service provided by Alibaba Cloud is very useful. SLB not only has an easy-to-use configuration management interface, but also provides Layer-4 anti-DDoS protection of up to 5 Gbps for free. It lets you add and remove backend cloud servers to scale seamlessly. Billing is also elastic: you can pay by traffic or by bandwidth. The project I mentioned has a large user base but a small data transmission volume, so it is billed by traffic. (Another perk: the intranet (private) SLB is free of charge.)
Structure of project production environment
We purchase four ECS instances, all in the VPC, one billed-by-traffic public SLB, and one free private SLB. Together they form the following topology. Deploy your applications on the ECS instances and the service is ready to be served.
How to visit an ECS instance in the VPC remotely?
You surely know the answer: through the public SLB. Point a listener on the public SLB at the remote access port of one ECS instance (by default 3389 for Windows Remote Desktop, 22 for SSH), log in to that instance, and hop from it to the other ECS instances over the VPC. Bear in mind that this listener re-exposes an administrative port to the internet, undoing part of the isolation you bought the VPC for. Restrict it: whitelist your office's source addresses in the listener's SLB access control, open 22/3389 in the jump host's security group only to the SLB (and to the VPC address range for the hops), and use key-based SSH rather than passwords.
What should I do if an ECS instance in the VPC needs to access other services on the internet?
There are two solutions: 1. Bind an EIP (elastic public IP address) to the ECS instance. 2. Purchase the Alibaba Cloud NAT Gateway service and send the instance's outbound traffic through it (an SNAT entry for the instance or its VSwitch; a DNAT port mapping is only needed when something outside must reach the instance).
Comparatively speaking, the NAT gateway is the safer choice. An EIP gives the instance a public address of its own, so any external party can scan and attack the ECS in your VPC through that address, and the only thing left in the way is the instance's security group; a single permissive rule (port 22 open to 0.0.0.0/0, for example) becomes a "crack" in your VPC. With SNAT the instance can reach the internet while remaining unreachable from it. A DNAT port mapping, on the other hand, exposes exactly the mapped port and carries the same risk as an EIP for that port.
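To make the exposure argument of the last two sections concrete, here is a small reachability model, written for this article and not code from the original post or from Alibaba Cloud. It asks one question offline: which (instance, port) pairs can a host on the internet reach? It covers the four-ECS topology above (the assignment of two service receivers to the public SLB and two search engines to the private SLB is assumed, as are all names, addresses and CIDRs), then the three ways of adding remote access: an EIP, a NAT gateway (SNAT only versus a DNAT port mapping), and SSH through a public SLB listener with and without an access-control whitelist. SLB and security-group semantics are simplified: a listener forwards to its backends inside the VPC, and a security group is a set of inbound (port, source CIDR) allows.

```python
"""Toy internet-reachability model for a VPC + ECS + SLB layout.

Added example, not code from the original post or Alibaba Cloud. All names,
addresses and CIDRs are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
VPC = "172.16.0.0/16"          # assumed VPC address range
OFFICE = "198.51.100.10/32"    # assumed egress address of the office


@dataclass
class Instance:
    name: str
    eip: str | None = None                   # EIP bound directly to the ECS
    sg: set = field(default_factory=set)     # inbound allows: {(port, cidr)}


@dataclass
class Listener:
    port: int                                # frontend port on the SLB
    backend_port: int
    backends: tuple
    public: bool                             # public SLB vs. private (intranet) SLB
    whitelist: tuple = ()                    # SLB access control; () = any source


@dataclass
class Dnat:                                  # NAT Gateway port mapping (DNAT)
    external_port: int
    instance: str
    internal_port: int


def allowed(cidr: str, source: str) -> bool:
    return ip_address(source) in ip_network(cidr)


def sg_permits(inst: Instance, port: int, source: str) -> bool:
    return any(p == port and allowed(cidr, source) for p, cidr in inst.sg)


def internet_exposure(instances, listeners, dnat=(), source="203.0.113.7"):
    """Return the set of (instance, port) an internet host at `source` can hit."""
    by_name = {i.name: i for i in instances}
    reached = set()
    # Public SLB listeners: only the backend port is reachable, and only when
    # the listener's access-control whitelist (if any) admits the source.
    for ln in listeners:
        if ln.public and (not ln.whitelist or any(allowed(c, source) for c in ln.whitelist)):
            reached.update((b, ln.backend_port) for b in ln.backends)
    # EIP-bound instances: whatever the security group opens to that source.
    for inst in instances:
        if inst.eip:
            reached.update((inst.name, p) for p, _ in inst.sg if sg_permits(inst, p, source))
    # NAT Gateway: SNAT entries give outbound access and expose nothing; each
    # DNAT entry exposes exactly the mapped port (subject to the security group).
    for d in dnat:
        if sg_permits(by_name[d.instance], d.internal_port, source):
            reached.add((d.instance, d.internal_port))
    return reached


def baseline():
    """Four ECS in the VPC: two service receivers behind the public SLB, two
    search engines behind the free private SLB (assumed roles)."""
    instances = [
        Instance("recv-1", sg={(8080, ANY)}),
        Instance("recv-2", sg={(8080, ANY)}),
        Instance("search-1", sg={(9200, VPC)}),
        Instance("search-2", sg={(9200, VPC)}),
    ]
    listeners = [
        Listener(80, 8080, ("recv-1", "recv-2"), public=True),
        Listener(9200, 9200, ("search-1", "search-2"), public=False),
    ]
    return instances, listeners


def scenarios():
    """Exposure of the baseline and of each remote-access option, by name."""
    out = {}
    inst, lst = baseline()
    out["baseline"] = internet_exposure(inst, lst)

    # EIP on search-1 whose security group still has a "22 from anywhere" rule.
    inst, lst = baseline()
    inst[2].eip = "203.0.113.200"
    inst[2].sg.add((22, ANY))
    out["eip"] = internet_exposure(inst, lst)

    # NAT Gateway: SNAT only exposes nothing even with that rule; a DNAT port
    # mapping for SSH exposes the port just as the EIP did.
    inst, lst = baseline()
    inst[2].sg.add((22, ANY))
    out["nat_snat_only"] = internet_exposure(inst, lst)
    out["nat_dnat_ssh"] = internet_exposure(inst, lst, dnat=[Dnat(2222, "search-1", 22)])

    # SSH through the public SLB: open to everyone without a whitelist,
    # reachable only from the office once its address is whitelisted.
    inst, lst = baseline()
    inst[0].sg.add((22, ANY))
    lst.append(Listener(2222, 22, ("recv-1",), public=True))
    out["slb_ssh_open"] = internet_exposure(inst, lst)
    lst[-1].whitelist = (OFFICE,)
    out["slb_ssh_whitelisted"] = internet_exposure(inst, lst)
    out["slb_ssh_from_office"] = internet_exposure(inst, lst, source="198.51.100.10")
    return out


if __name__ == "__main__":
    for name, exposed in scenarios().items():
        print(f"{name:22s} {sorted(exposed)}")
```

Running it shows the baseline exposing only the receivers' port 8080 behind the public listener; the EIP and the DNAT mapping each add search-1:22, SNAT alone adds nothing, and the SSH listener on the public SLB adds recv-1:22 for every source until the office address is whitelisted. The model deliberately treats the security group as the last line of defence, which is why the "22 from anywhere" rule is harmless until a public path (EIP, DNAT, or a listener) appears.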
The security of application services must never be ignored, even in a small enterprise; otherwise trouble will find its way to you, hurting both productivity and employees' morale. There are convenient and cheap ways to deploy services securely. There is no harm in trying them.