This topic describes the risks of outbound connections from private network assets, outlines a corresponding solution with protection methods for typical business scenarios, and details deployment and maintenance procedures.
Security challenges of outbound traffic
As network attacks become more sophisticated, enterprise security faces greater challenges. An organization's cloud workloads typically handle both inbound traffic from the internet and outbound traffic initiated by business assets. However, when considering network protection, most security teams focus on inbound traffic and deploy comprehensive security measures for it. The security of outbound traffic is often overlooked, creating a weak point in the security posture of many organizations. If an attack bypasses inbound defenses and penetrates the internal network, it can lead to data theft, malware downloads, or connections to malicious command and control (C&C) servers. In addition, due to lapses in security management, internal personnel might make unauthorized external connections or visit malicious websites, leading to risks such as sensitive data leakage.
Enterprises need to be aware of the following potential security risks associated with outbound traffic:
Malware compromise risk
When attackers bypass inbound security measures and compromise internal workloads, they often establish outbound callback connections to malicious command and control (C&C) servers to perform actions such as downloading ransomware. In an attack chain, malware infection is often one of the initial stages of a larger-scale attack. Many types of malware need to communicate with a C&C server to establish a connection, receive updates, request commands, and exfiltrate stolen data. Certain types of ransomware, botnets, and crypto-mining activities all require outbound callback connections. It is crucial to promptly alert and block these malicious outbound connections to prevent further damage to an enterprise's IT infrastructure, digital assets, and development systems.
Data exfiltration risk
Stealing high-value enterprise data is often the primary goal of attackers. Once an attack is successful, an attacker can obtain valuable enterprise data, such as financial data, credentials, emails, and personally identifiable information (PII). This data is then exfiltrated over the network for malicious activities such as illicit sales, financial fraud, and identity theft. Attackers can also use the stolen information to escalate privileges or access more sensitive systems, posing even greater destructive risks to the enterprise.
Insider risk
Due to a lack of security awareness or lapses in corporate security management, internal personnel might access insecure web services, geographic locations, or IP addresses during system development or maintenance. They might also intentionally upload sensitive corporate data to public or open-source platforms like GitHub, creating risks of intrusion and data leakage. It is essential to effectively monitor these risky behaviors, issue timely alerts, block them, and conduct further audits for traceability.
Supply chain risk
Even if an enterprise has a robust security system, its business may involve third-party development systems or require interconnection with suppliers and subsidiaries. If a supplier or subsidiary is compromised due to inadequate security, the attack can spread to the enterprise and initiate malicious outbound connections. This requires the enterprise to monitor and audit traffic from its supply chain to enable rapid incident response and damage control when an attack is discovered.
Outbound traffic compliance risk
Some industry regulators and internal audit teams have imposed clear and stringent requirements for outbound traffic to enhance system security. For example, Requirement 1.3.2 of the Payment Card Industry Data Security Standard (PCI DSS) v4.0 mandates restricting outbound traffic that originates from the cardholder data environment (CDE). According to the requirement, only traffic deemed necessary is allowed, and all other outbound traffic must be blocked. This requirement aims to prevent malicious individuals and compromised system components within the entity's network from communicating with untrusted external hosts. Therefore, enterprises must also implement strict security management and auditing for outbound traffic.
Solution
To manage outbound traffic security, enterprises can adopt a solution that combines a NAT gateway and a NAT firewall to effectively monitor and protect outbound traffic.
A NAT gateway allows cloud servers to provide public-facing services and access the internet by using custom SNAT entries. With the SNAT capability of a NAT gateway, when an ECS instance initiates an outbound connection, it accesses the internet through an EIP from the SNAT address pool. This prevents the private network from being directly exposed to the public internet, enhancing asset security.
The NAT firewall is a security feature of Cloud Firewall. It provides Layer 4 to Layer 7 traffic protection for resources within a VPC, such as ECS and Elastic Container Instance (ECI) instances, that access the internet through a NAT gateway. The NAT firewall audits and intercepts unauthorized access to reduce security risks such as unauthorized access, data exfiltration, and malicious traffic attacks. Compared to the SNAT entries of a NAT gateway, the access control policies of Cloud Firewall provide fine-grained control over destination IP addresses, destination domain names, destination regions, protocols, ports, and applications.
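As an added illustration (not Cloud Firewall's own policy engine or any code from this page), the following Python models the default-deny, allowlist-based access control that the scenarios below configure on a NAT firewall: an outbound connection is allowed only if some rule matches its destination (an IPv4 CIDR block or a domain), protocol, and port, and everything else is denied. The rule values, domains, and IP ranges are constructed examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class AllowRule:
    destination: str        # IPv4 CIDR such as "203.0.113.0/24", or a domain; a "*." prefix allows subdomains
    protocol: str           # "TCP" or "UDP"
    ports: Tuple[int, int]  # inclusive destination port range

def _destination_matches(rule_dest: str, dst_ip: str, dst_domain: Optional[str]) -> bool:
    """True if the connection's destination falls under the rule's CIDR block or domain."""
    try:
        network = ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        # Not a CIDR block, so treat the rule as a domain rule matched on the requested hostname
        if dst_domain is None:
            return False
        if rule_dest.startswith("*."):
            # "*.example.com" matches "cdn.example.com" but not "example.com" or "notexample.com"
            return dst_domain.endswith(rule_dest[1:])
        return dst_domain == rule_dest
    return ipaddress.ip_address(dst_ip) in network

def evaluate(rules: Sequence[AllowRule], dst_ip: str, dst_port: int,
             protocol: str, dst_domain: Optional[str] = None) -> str:
    """Return "allow" if any allowlist rule matches the connection, otherwise "deny" (default deny)."""
    for rule in rules:
        if (rule.protocol.upper() == protocol.upper()
                and rule.ports[0] <= dst_port <= rule.ports[1]
                and _destination_matches(rule.destination, dst_ip, dst_domain)):
            return "allow"
    return "deny"

# Constructed allowlist for the "update JAR packages" use case: HTTPS to a package mirror's
# subdomains and one documentation-range IP block, DNS to a single resolver; all else is denied.
RULES = (
    AllowRule("*.mirror.example.com", "TCP", (443, 443)),
    AllowRule("203.0.113.0/24", "TCP", (443, 443)),
    AllowRule("192.0.2.53/32", "UDP", (53, 53)),
)

if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.10", 443, "tcp"))                                  # allow
    print(evaluate(RULES, "198.51.100.5", 443, "tcp", "repo.mirror.example.com"))       # allow
    print(evaluate(RULES, "198.51.100.5", 443, "tcp", "mirror.example.com.evil.test"))  # deny
    print(evaluate(RULES, "203.0.113.10", 22, "tcp"))                                   # deny
```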
Solution architectures
Scenario 1: Secure outbound traffic for multiple VPCs
An enterprise primarily develops data center systems in the cloud and has two VPCs: a production VPC and a test VPC. Both VPCs require outbound access for development activities, such as updating JAR packages. The enterprise needs to ensure that developers are authorized to access only legitimate business services and that all unauthorized outbound connections are blocked to prevent security risks.
Deployment
Deploy a NAT gateway in each VPC. Configure SNAT entries on each NAT gateway to allow ECS instances in the private network to access the internet by using the EIP of the NAT gateway.
Deploy a NAT firewall for each NAT gateway. Configure an allowlist-based access control policy on each NAT firewall to block access to unauthorized IP addresses and domain names.
Scenario 2: Secure outbound traffic for a DMZ VPC
A financial institution runs securities and insurance businesses in the cloud. It has multiple business VPCs, including a mid-tier VPC, a third-party system VPC, and a market data VPC. All VPCs access the internet through a demilitarized zone (DMZ). The environment requires access to external payment services, market data services, and regulatory services. Access must be restricted to legitimate business services, and all outbound traffic must be monitored and audited in real time to prevent security risks and detect anomalies.
Deployment
Deploy a NAT gateway only in the DMZ VPC. Configure SNAT entries on the NAT gateway to allow ECS instances in the private network to access the internet by using the EIP of the NAT gateway. Other VPCs connect to the DMZ VPC by using CEN to access the internet.
Deploy a NAT firewall in front of the NAT gateway in the DMZ VPC. Configure an allowlist-based access control policy on the NAT firewall to block access to unauthorized IP addresses and domain names.
Scenario 3: Secure outbound traffic for multiple vSwitches
A large multinational organization has a single VPC in the cloud with complex business access patterns and numerous systems that access external services. It needs to apply granular security policies and protection for different assets.
Deployment
Deploy NAT gateways in the business VPC based on different vSwitches. One of the NAT gateways has multiple EIPs associated with it. Configure SNAT entries on each NAT gateway to allow ECS instances in the private network to access the internet by using the EIP of the NAT gateway.
Deploy a separate NAT firewall for each NAT gateway. Configure an allowlist-based access control policy on each NAT firewall to block access to unauthorized IP addresses and domain names.
Deployment
Step 1: Deploy NAT Gateway
Log on to the NAT Gateway console. Based on your business scenario, create an Internet NAT gateway for the corresponding VPC. For more information, see Create an Internet NAT gateway.
Associate an EIP with the Internet NAT gateway. For more information, see Internet NAT gateway.
Important: An Internet NAT gateway requires an associated EIP to function properly.
Create an SNAT entry for the Internet NAT gateway to allow ECS instances without public IP addresses to access the internet. For more information, see Create an SNAT entry.
The NAT firewall feature of Cloud Firewall supports only NAT gateways that have SNAT entries and no DNAT entries. Otherwise, you cannot enable the NAT firewall.
Step 2: Enable NAT Firewall
Prerequisites
You have activated Cloud Firewall and purchased a sufficient number of NAT Firewall licenses. For more information, see Purchase Cloud Firewall.
You have created an Internet NAT Gateway. For more information, see Internet NAT gateway.
Important: Currently, the NAT Firewall protects only Internet NAT Gateways.
The Internet NAT Gateway must meet the following conditions:
The region where the Internet NAT Gateway is deployed supports NAT Firewalls. For a list of supported regions, see Supported regions.
The Internet NAT Gateway is associated with 1 to 10 EIPs. For more information, see Internet NAT gateway.
The Internet NAT Gateway has SNAT entries configured and does not have any DNAT entries. For more information, see Create and manage SNAT entries.
To enable the NAT Firewall for an Internet NAT Gateway, first delete its existing DNAT entries. For more information, see Create and manage DNAT entries.
The VPC where the Internet NAT Gateway resides has a route entry that points 0.0.0.0/0 to the NAT gateway. For more information, see Create and manage a route table.
The VPC must have an available subnet with at least a /28 mask. Secondary CIDR Blocks are supported.
Procedure
If the NAT gateway is not synchronized to the NAT Firewall asset list, you can click Synchronize Assets in the upper-right corner to manually synchronize the assets. Manual synchronization takes 5 to 10 minutes.
Log on to the Cloud Firewall console. In the left-side navigation pane, select Firewall.
Click the NAT Firewall tab. In the Actions column for the target Internet NAT Gateway, click Create.
In the Create NAT Firewall panel, create and enable the NAT firewall. For more information, see NAT Firewall.
After creation, locate the target NAT gateway and turn on the switch in the Firewall column to enable the NAT firewall.

Step 3: Configure policy
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
On the NAT Border page, select the NAT Gateway that you want to configure and click Create Policy.
Cloud Firewall automatically syncs the NAT gateways that are associated with your Alibaba Cloud account. You can click the drop-down list to select the NAT Gateway that you want to configure.

In the Create Policy - NAT Border panel, configure the access control policy and click OK. For more information, see Configure an access control policy for a NAT firewall.

Step 4: Verify solution
Log on to an ECS instance in the VPC and run a curl command, such as curl www.example.com, to simulate business access to the internet. For information about how to log on to an ECS instance, see Connection methods.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, set the source IP address to the private IP address of the ECS instance and search for traffic logs. If the log entries show that the policy is in effect, the NAT firewall is protecting outbound traffic from the NAT gateway.

Maintenance
Analyze unusual traffic
Step 1: Check NAT Border traffic
Log on to the Cloud Firewall console. In the left-side navigation pane, click Overview.
On the Overview page, check the traffic trend for any unusual traffic spikes.
Note: If the traffic exceeds your purchased protection bandwidth, the trend chart displays the purchased NAT Border processing capacity to help you see how much the traffic exceeds the bandwidth.

If you find an unusual traffic spike, check the details of outbound private assets to locate the anomalous IP address. For more information, see Step 2.
Step 2: Identify anomalous IPs
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, sort the assets by traffic volume and check for IP addresses with unusually high traffic to determine whether anomalous access is occurring.

If you identify an anomalous IP address, use log audit data for further analysis. For more information, see Step 3.
Step 3: Analyze traffic logs
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, set the source IP address to the private IP address of the ECS instance, search for traffic logs, and check the Source IP Address, Source Port, and Destination Port to determine whether the anomalous traffic is required for your business.
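The three maintenance steps above (check volume, rank assets by traffic, inspect the flagged asset's flows) can be reproduced offline against exported traffic logs. The following Python is an added example, not Cloud Firewall's own tooling or log format: it parses constructed log lines (the field layout and all addresses and byte counts are invented for illustration), ranks private assets by outbound bytes, flags assets whose volume exceeds a multiple of the median, and summarizes what each flagged asset connected to.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample traffic-log lines (illustrative only, not real console output). Fields:
# timestamp, source private IP, source port, destination IP, destination port, protocol, bytes, action
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.1.10 51234 203.0.113.10 443 TCP 18200 allow
2024-05-01T10:00:03Z 10.0.1.11 51240 203.0.113.10 443 TCP 20100 allow
2024-05-01T10:00:05Z 10.0.1.12 51250 203.0.113.12 443 TCP 15500 allow
2024-05-01T10:00:07Z 10.0.1.13 51260 203.0.113.10 443 TCP 17800 allow
2024-05-01T10:00:09Z 10.0.1.42 40001 198.51.100.7 8443 TCP 950000000 allow
2024-05-01T10:00:11Z 10.0.1.42 40002 198.51.100.7 8443 TCP 880000000 allow
2024-05-01T10:00:13Z 10.0.1.42 40003 198.51.100.9 22 TCP 400 deny
"""

def parse_logs(text: str) -> List[dict]:
    """Split each log line into a flow record; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes, action = line.split()
        rows.append({"ts": ts, "src_ip": src, "src_port": int(sport), "dst_ip": dst,
                     "dst_port": int(dport), "proto": proto, "bytes": int(nbytes), "action": action})
    return rows

def rank_assets(rows: List[dict]) -> List[Tuple[str, int]]:
    """Step 2: total outbound bytes per private asset, highest first."""
    totals: Dict[str, int] = defaultdict(int)
    for r in rows:
        totals[r["src_ip"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def flag_outliers(rows: List[dict], factor: float = 5.0) -> List[str]:
    """Assets whose total volume exceeds `factor` times the median per-asset volume."""
    ranked = rank_assets(rows)
    baseline = median(total for _, total in ranked)
    return [ip for ip, total in ranked if total > factor * baseline]

def summarize(rows: List[dict], src_ip: str) -> dict:
    """Step 3: destinations, source ports and denied flows of one asset, for the owner to confirm."""
    flows = [r for r in rows if r["src_ip"] == src_ip]
    return {
        "total_bytes": sum(r["bytes"] for r in flows),
        "destinations": sorted({(r["dst_ip"], r["dst_port"], r["proto"]) for r in flows}),
        "source_ports": sorted({r["src_port"] for r in flows}),
        "denied_flows": sum(1 for r in flows if r["action"] == "deny"),
    }

if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for ip in flag_outliers(records):
        print(ip, summarize(records, ip))
```

In the sample, 10.0.1.42 is the only asset flagged; its summary shows two large flows to one host on port 8443 plus a denied SSH attempt, which is the kind of detail the owner needs to decide whether the traffic is required or should stay blocked.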

Maintenance recommendations
If you identify an unusual traffic spike and determine that the traffic is legitimate and required for your business, consider the following recommendations:
Increase the Cloud Firewall protection bandwidth
For more information, see Renewal.
Optimize workload deployment
For example, if your business needs to access Alibaba Cloud services such as OSS or SLS, use an internal endpoint to save public network bandwidth.
Disable Cloud Firewall for IP addresses that do not require protection
For more information, see Disable a NAT firewall.