
Cloud Network Well-architected Design Guidelines: Security design for east-west traffic in the cloud

Last Updated: Jan 23, 2025

Overview

Background information

As businesses grow and networks are upgraded, only about 20% of the network traffic of a large enterprise is exchanged between the internal network and the Internet (north-south traffic). The remaining 80% is exchanged inside the internal network (east-west traffic). An attacker who gets past the Internet border, for example through a compromised host or a leaked credential, can then move laterally with little resistance, and the resulting losses can be severe. Controlling east-west traffic is therefore a major challenge.

Network security in traditional data centers usually relies on a large number of security devices that together form a security domain, which provides protection and access control for enterprise systems. Depending on the business logic and the required protection level, network traffic must pass through different devices in the security domain in a defined order. This ordered path is called a service chain. In recent years, the concept of service chains has been extended to cloud environments. A service chain ensures that instances, containers, and microservices deployed on a public cloud are subject to the same security policy when they communicate with each other. For example, data exchanged between virtual private clouds (VPCs) in the same region, or between VPCs and data centers, is filtered and protected by security services according to explicit rules. Such measures improve the security of the internal network and reduce the risk of lateral movement.

Terms

VPC: A VPC is a custom private network that you can create on Alibaba Cloud. VPCs are logically isolated from each other. You can create and manage cloud service instances in your VPC, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB RDS.

Cloud Enterprise Network (CEN): CEN can establish private network communication between VPCs in different regions and between VPCs and data centers. In addition, CEN supports custom communication, isolation, and routing policies within a region. CEN helps you build an enterprise-class global network that supports flexible adjustment and high reliability.

Transit routers: Transit routers provide multiple network communication and route management features. For example, you can use transit routers to connect network instances, create custom route tables, add routes, and add routing policies.

Cloud Firewall: Cloud Firewall is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, VPC, and host boundaries. Cloud Firewall is the first line of defense to protect your workloads on Alibaba Cloud.

Design principles

Scalability: In cases of east-west traffic spikes, such as data synchronization and migration, the architecture automatically scales out to cope with traffic fluctuations without the need to perform manual operations. This prevents business loss.

Sustainable architecture: As customers deploy more and more businesses in the cloud, the architecture must accommodate additional VPC connections, route entries, and security policies without being redesigned.

Managed services: More cloud-native services are used to increase resource utilization. This simplifies O&M and reduces resource waste caused by self-managed components.

Key design

Stability

  • To improve the stability of the overall architecture and implement zone disaster recovery, you must select at least two zones when you create a transit router. To improve architecture reliability, we recommend that you deploy backend servers in different vSwitches in different zones to implement zone disaster recovery.

  • If you use Express Connect to connect your data center to Alibaba Cloud points of presence (PoPs), we recommend that you use different physical routers and deploy two Express Connect circuits that are provided by different Internet service providers (ISPs) to ensure service stability.

  • On the Express Connect circuits and their virtual border routers (VBRs), we recommend that you enable BGP together with Bidirectional Forwarding Detection (BFD) so that traffic fails over to the remaining circuit and routes converge quickly if one of the Express Connect circuits fails.

Security

  • Deploy a dedicated security VPC for Cloud Firewall. Treat the security VPC as an independent security component: do not deploy business resources in it, so that a compromised workload cannot share a network segment with the inspection point.

  • On the transit router, create one route table for trusted traffic (already inspected) and another route table for untrusted traffic (not yet inspected). The two route tables split the network into two planes, and Cloud Firewall applies access control to all east-west traffic at one central point.

Performance

  • Select zones for cloud resources and services based on the network latency, security, and disaster recovery requirements of your business. We recommend that you deploy ECS, ApsaraDB RDS, transit routers, and Cloud Firewall in the same primary and secondary zones, so that traffic is not detoured across zones and latency does not increase. For Express Connect circuits, select access points that are close to the zones of the cloud resources.

Scalability

  • VPCs, transit routers, and Cloud Firewall support automatic scaling to a certain range. If you require larger bandwidth, such as more than 100 Gbit/s per transit router, contact Alibaba Cloud for technical support.

  • Connections over Express Connect do not support elastic scaling. You need to estimate the bandwidth capacity required by your business in advance.

Observability

  • Network Intelligence Service (NIS) is a cloud service that monitors the health status and performance of Internet traffic and load balancing services, performs diagnostics and troubleshooting, and analyzes and measures network traffic. NIS is integrated with Artificial Intelligence for IT Operations (AIOps) methods such as machine learning and knowledge graphs to simplify network management and implement automated O&M. NIS allows network architects and O&M engineers to design and use networks with higher efficiency.

  • Transit routers and VPCs support flow logs, which record business traffic as log entries. You can analyze flow logs for traffic details. Cloud Firewall automatically records all traffic in logs and provides the Log Audit page to display event logs, traffic logs, and operation logs. This allows you to trace the sources of attacks and audit traffic in a convenient manner.

Best practice

Enterprises can combine transit routers with Cloud Firewall to implement monitoring, access control, and real-time attack mitigation for east-west traffic in the cloud. Before the VPC firewall can protect traffic between VPCs that are connected by a transit router, you must configure routing between the transit router and the VPC firewall as described below.

  • A transit router supports multiple route tables. You can use them to separate trusted network traffic (already filtered by the firewall) from untrusted network traffic (not yet filtered by the firewall).

  • Associate Business VPC1 and Business VPC2 with the transit router route table for untrusted traffic. Internal network traffic that reaches the transit router from these VPCs is forwarded to the security VPC according to the route table for untrusted traffic.

  • Deploy a security VPC and deploy Cloud Firewall in it to filter internal network traffic. Associate the security VPC with the transit router route table for trusted traffic.

  • Network traffic from Business VPC1 to Business VPC2, or to a data center through a VBR, is forwarded to the security VPC according to the route table for untrusted traffic. Cloud Firewall filters the traffic and sends the permitted traffic back to the transit router, which forwards it to the destination according to the route table for trusted traffic. Return traffic follows the same path in the opposite direction, so every east-west flow is inspected in both directions. Check that no business VPC or VBR is associated with the trusted route table: any attachment associated with it can reach other attachments without passing through Cloud Firewall.
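The following Python model illustrates the two-plane routing above and the check at the end of the list. It is an added example written for this page, not Alibaba Cloud code or API usage; the attachment IDs, CIDRs, and table names are made up, and the transit router is reduced to route tables with longest-prefix match and an association from each ingress attachment to the table used for its lookups.

```python
"""
Two-plane transit router model: business attachments use an 'untrusted' table
whose only route points at the security VPC (Cloud Firewall); the security VPC
uses a 'trusted' table that carries inspected traffic to its real destination.
"""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical transit router attachment IDs, named after the diagram.
VPC1 = "tr-attach-business-vpc1"
VPC2 = "tr-attach-business-vpc2"
VBR = "tr-attach-vbr-datacenter"
SEC = "tr-attach-security-vpc"

# Constructed address plan: attachment -> CIDR it serves.
CIDR = {VPC1: "10.1.0.0/16", VPC2: "10.2.0.0/16", VBR: "192.168.0.0/16"}


def lpm(routes, dst):
    """Longest-prefix match over {ip_network: next hop}; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


@dataclass
class TransitRouter:
    tables: dict = field(default_factory=dict)  # table name -> {ip_network: next hop attachment}
    assoc: dict = field(default_factory=dict)   # ingress attachment -> table used for its lookups

    def add_route(self, table, cidr, next_hop):
        self.tables.setdefault(table, {})[ipaddress.ip_network(cidr)] = next_hop

    def trace(self, ingress, dst):
        """Attachments a packet entering the transit router at `ingress` traverses, in order."""
        path = [ingress]
        while True:
            nh = lpm(self.tables.get(self.assoc[path[-1]], {}), dst)
            if nh is None:
                return path + ["DROP"]
            if nh == SEC and SEC in path:   # firewall handed the packet back and got it again
                return path + ["LOOP"]
            path.append(nh)
            if nh != SEC:                   # only Cloud Firewall returns traffic to the router
                return path


def two_plane_design():
    """Route tables and associations as described under 'Best practice'."""
    tr = TransitRouter()
    for att in CIDR:                            # business VPCs and the VBR: not yet inspected
        tr.assoc[att] = "untrusted"
    tr.assoc[SEC] = "trusted"                   # security VPC: already inspected
    tr.add_route("untrusted", "0.0.0.0/0", SEC)  # everything is steered to the firewall first
    for att, cidr in CIDR.items():
        tr.add_route("trusted", cidr, att)      # inspected traffic goes to its destination
    return tr


def uninspected_pairs(tr):
    """(src, dst) attachment pairs whose traffic is delivered without crossing the security VPC."""
    bad = []
    for src in CIDR:
        for dst, cidr in CIDR.items():
            if src == dst:
                continue
            path = tr.trace(src, str(ipaddress.ip_network(cidr)[10]))
            if path[-1] == dst and SEC not in path:
                bad.append((src, dst))
    return bad


if __name__ == "__main__":
    tr = two_plane_design()
    print(tr.trace(VPC1, "10.2.0.10"))   # VPC1 -> security VPC -> VPC2
    print(uninspected_pairs(tr))         # [] : every east-west flow is inspected
    tr.assoc[VPC2] = "trusted"           # misconfiguration: business VPC on the trusted table
    print(uninspected_pairs(tr))         # VPC2's traffic now bypasses Cloud Firewall
```

The same check can be run against real route tables exported from the CEN console or API: the untrusted table should contain nothing but a route to the security VPC attachment, the trusted table should list only business and VBR prefixes, and the set of attachments associated with the trusted table should be exactly the security VPC. If the security VPC is mistakenly associated with the untrusted table, the model reports a routing loop instead of a bypass, which is the other misconfiguration worth testing for.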


Scenarios

Enterprise Multi-Level Protection Scheme (MLPS) requirements: Help enterprises meet laws and regulations by keeping business-critical network regions away from the network boundary and isolating them from other network regions. Deploy transit routers and Cloud Firewall to analyze east-west traffic, visualize network-wide traffic, analyze and block outbound connections, and create or modify whitelists.

Protection for hybrid-cloud networks: Help you build a secure network architecture in the cloud and develop a protection system for hybrid-cloud networks. You can detect and analyze inbound and outbound traffic in the cloud that is transmitted over Express Connect circuits to reduce security risks for VPCs and data centers.

Protection for cloud businesses: Help you manage fine-grained microsegmentation policies for east-west traffic between cloud businesses based on protocols, ports, regions, and applications. Such policies prevent security events from spreading in the internal network. This reduces the impact of security events.