ECS secures networks through network isolation, traffic control, traffic monitoring, and cloud security protection.
Network isolation
Network isolation with VPC
Virtual Private Cloud (VPC) is a customizable private network that gives you full control over your network environment. VPC provides the following isolation capabilities:
-
VPCs are logically separated from one another and do not communicate by default.
-
ECS instances within a VPC communicate over the internal network, reducing public network exposure.
-
You can create multiple vSwitches within a VPC for network segmentation and CIDR block division, enhancing isolation between switches.
Service isolation with vSwitches
Use vSwitches to divide CIDR blocks for different business scenarios. vSwitches are fundamental VPC components that connect instances and provide the following security features:
-
Service isolation: Segregate resources by security level and service type.
-
Traffic control: Associate network access control lists (ACLs) with vSwitches to regulate traffic.
PrivateLink for private network access to ECS
PrivateLink establishes private, secure connections between VPCs and ECS without requiring an Internet gateway, NAT device, or VPN Gateway (VPN). This simplifies network architecture and mitigates security risks of public network access. See What is PrivateLink?.
Network traffic control
Use network ACLs for traffic control
Network ACLs can be associated with vSwitches to control inbound and outbound data flow, restricting access to ECS instances. See Network ACLs and Create and manage a network ACL.
Use security groups to control NIC traffic
A security group is a virtual firewall that controls inbound and outbound network interface controller (NIC) traffic for ECS instances. Configure inbound rules to control traffic to instances and outbound rules to control traffic from instances. See Overview and Manage resources associated with security groups.
Security groups are classified into basic and advanced types, both free. They differ in capacity, rule referencing, internal interconnectivity policy, and default access control rules. See Basic and advanced security groups.
Network traffic monitoring and analysis
ECS supports network traffic monitoring and analysis through VPC flow logs and traffic mirroring for access control verification, traffic monitoring, and troubleshooting.
Flow logs
Flow logs record inbound and outbound traffic of an Elastic Network Interface (ENI). Use flow logs to verify ACL rules, monitor traffic, and troubleshoot network errors. See Flow log.
Traffic mirroring
Traffic mirroring mirrors ENI traffic based on specified filters and forwards it to a designated ENI or an internal-facing Classic Load Balancer (CLB). Use this feature for content inspection, threat monitoring, and troubleshooting. See Traffic mirror.
Cloud security protection
Alibaba Cloud offers security products that protect ECS instances from network attacks. The following products integrate with ECS:
Anti-DDoS
Anti-DDoS Basic is enabled by default. It scrubs DDoS traffic before it reaches the ECS host, protecting instances from DDoS attacks. See Anti-DDoS Basic.
Cloud Firewall
Cloud Firewall provides unified security management with Internet, VPC, and internal firewalls. The internal firewall protects traffic between ECS instances and prevents unauthorized access. See Security group configuration.
Web Application Firewall
Web Application Firewall (WAF) routes web traffic through a gateway for inspection, filters out malicious traffic, and forwards normal traffic to ECS instances. See Enable WAF protection for ECS instances.