Elastic Compute Service: Reduce the Internet exposure of ECS instances

Last Updated: Mar 14, 2026

Avoid directly assigning an Elastic IP Address (EIP) or a static public IP address to an Elastic Compute Service (ECS) instance to access the Internet or provide network services.

Security risks

When you assign a public IP address, such as an EIP or a static public IP address, directly to an ECS instance, the instance can access the Internet and be accessible from the Internet. This expands the attack surface and introduces the following security risks:

  • Passive scanning and discovery: After an ECS instance exposes a service port to the Internet, it can be discovered by scanners. This can lead to DDoS attacks or allow attackers to exploit remote vulnerabilities in the service associated with the port, which can result in a compromised host.

  • Attacks on vulnerable ports: Exposing sensitive ports significantly increases security risks. If a security group is misconfigured, management ports for logon and operations and maintenance (O&M), such as Secure Shell Protocol (SSH) (port 22), Remote Desktop Protocol (RDP) (port 3389), and Server Message Block (SMB) (port 445), might be accidentally exposed to the Internet. After these ports are exposed, they are highly susceptible to brute-force attacks, password guessing, and credential theft. This can lead to severe consequences, such as compromised hosts and data breaches.

  • Increased management complexity: Attaching a public IP address directly to an instance means you must manage the public IP address and access control policy for each instance independently. This increases the complexity of network O&M. When you have many instances, the risk of configuration errors and policy omissions increases. This can also create single points of failure, which affects the availability and security of the entire system.

  • Non-compliance with classified protection standards: Network security is a critical part of a corporate compliance system. For example, standards such as the "Basic Requirements for Classified Protection of Cybersecurity" (MLPS 2.0) require all public network access to be secure, controllable, and auditable. Enterprises should avoid exposing cloud hosts directly to the Internet. Instead, you can use secure architectures such as Server Load Balancer (SLB), NAT Gateway, and Bastionhost to centralize control and protection of public network access.

Best practices

Use security groups correctly

Before discussing advanced network solutions, you must master the most basic security defense for ECS: the security group. A security group is a virtual firewall that controls inbound and outbound traffic for one or more ECS instances.

Core principle: least privilege

When you configure inbound or outbound rules, strictly follow the principle of least privilege. This means:

  • Specify authorization objects: When you grant access to IP addresses, use specific IP addresses or CIDR blocks whenever possible, such as your company's egress IP address or the private IP addresses of other cloud resources. Do not use 0.0.0.0/0 unless your service must be accessible from the entire Internet, such as for web services on ports 80/443.

  • Specify authorized ports: Open only the ports required for your business. Never expose ports for remote management or databases to the Internet.

A bad example:

A user attached a public IP address to an ECS instance for convenience. In the security group, the user set the source address for both the SSH (22) and Redis (6379) ports to 0.0.0.0/0. The user also set a weak password for the root user and did not set a password for Redis. As a result, less than 5 minutes after the public IP address was attached, an automated tool scanned and compromised the server, which led to data theft.

If the user had restricted the source IP address for port 22 to only the company's IP address and restricted access to port 6379 to only the VPC's internal network, attackers would not have been able to exploit these vulnerabilities directly from the Internet, even with a weak password.

List of common vulnerable ports

When you configure security groups, be highly cautious with the ports listed in the following table. Always restrict their source IP address range.

| Port Category | Port/Protocol | Service Name | Core Risk |
|---|---|---|---|
| Remote management | 22/TCP, 3389/TCP | SSH, RDP | Brute-force attacks, gaining full control of the server |
| Database | 3306/TCP, 6379/TCP, 1433/TCP | MySQL, Redis, SQL Server | Unauthorized access, data breach, arbitrary code execution (RCE) |
| File sharing | 445/TCP, 139/TCP | SMB, NetBIOS | Worm propagation (such as EternalBlue), file theft |
| Web application management | 7001/TCP, 8080/TCP | WebLogic, Tomcat | Weak backend passwords, deserialization vulnerabilities, leading to RCE |
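As an added example (not code from this page or from the ECS API), the following Python audit applies the least-privilege rule and the port table above to a set of inbound security group rules, flagging every rule that opens one of the listed ports to 0.0.0.0/0 or ::/0. The rule shape (policy, protocol, port range "from/to", source CIDR) is a constructed simplification, and the sample rules reproduce the bad example above.

```python
import ipaddress

# Sensitive ports from the table above, keyed by port number.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP",                              # remote management
    3306: "MySQL", 6379: "Redis", 1433: "SQL Server",    # database
    445: "SMB", 139: "NetBIOS",                          # file sharing
    7001: "WebLogic", 8080: "Tomcat",                    # web application management
}

# Constructed inbound rules in a simplified shape (policy, protocol, port range "from/to",
# source CIDR). The first two rules reproduce the bad example: SSH and Redis open to everyone.
SAMPLE_RULES = [
    {"policy": "accept", "protocol": "tcp", "port_range": "22/22",     "source": "0.0.0.0/0"},
    {"policy": "accept", "protocol": "tcp", "port_range": "6379/6379", "source": "0.0.0.0/0"},
    {"policy": "accept", "protocol": "tcp", "port_range": "80/80",     "source": "0.0.0.0/0"},
    {"policy": "accept", "protocol": "tcp", "port_range": "3306/3306", "source": "192.168.0.0/16"},
    {"policy": "accept", "protocol": "all", "port_range": "-1/-1",     "source": "::/0"},
    {"policy": "accept", "protocol": "tcp", "port_range": "22/22",     "source": "203.0.113.8/32"},
]

def is_unrestricted(cidr):
    """True for a source that covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_range(spec):
    """Parse 'from/to'; '-1/-1' is taken here as every port (the ECS notation for 'all')."""
    lo, hi = (int(p) for p in spec.split("/"))
    if (lo, hi) == (-1, -1):
        lo, hi = 1, 65535
    return range(lo, hi + 1)

def exposed_sensitive_ports(rules):
    """Return (port, service, source) for every accept rule that opens a sensitive port to everyone."""
    findings = []
    for r in rules:
        if r["policy"] != "accept" or not is_unrestricted(r["source"]):
            continue
        covered = port_range(r["port_range"])
        for port, service in sorted(SENSITIVE_PORTS.items()):
            if port in covered:
                findings.append((port, service, r["source"]))
    return findings

if __name__ == "__main__":
    for port, service, source in exposed_sensitive_ports(SAMPLE_RULES):
        print(f"{service} ({port}/tcp) is reachable from {source}; restrict the source CIDR")
```

The restricted rules (the /16 and /32 sources) produce no findings; the "all ports from ::/0" rule is flagged once per sensitive port, which is how such a rule usually surfaces in an audit.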

Connect to ECS instances securely

Scenario: Remotely log on to and manage Linux or Windows ECS instances using a command line or a graphical user interface.

Exposing SSH (port 22) or RDP (port 3389) to the Internet makes your host vulnerable to attacks. Alibaba Cloud provides several secure and convenient O&M tools that eliminate the need to expose these vulnerable ports.

The following table compares three main solutions to help you choose the best one:

| Solution | Scenarios |
|---|---|
| Workbench terminal connection | Quick, temporary daily management, suitable for beginners |
| Session Manager | Daily use by developers and O&M engineers, with zero port exposure |
| Bastionhost | Enterprise-level use with strict compliance and audit requirements |

Solution 1 (Convenient and easy to use): Connect using Workbench

Connecting to an instance using Workbench is the recommended method for daily management. This method lets you open an SSH or RDP session directly in your browser to manage the instance.

  • How it works: Access requests are first authenticated and relayed through Alibaba Cloud's official, security-hardened Workbench service cluster before reaching the ECS instance. The ECS instance only needs to grant access to the Workbench service's IP address range in its security group for the management port. This significantly minimizes the attack surface.

  • How to use: 

Solution 2 (Flexible and powerful): Use Session Manager

Connecting to an instance using Session Manager in the console is a more flexible management method with zero port exposure.

Solution 3 (Enterprise-grade compliance): Use Bastionhost

For enterprises with strict security compliance requirements, such as those that must meet the "4A" audit requirements (Authentication, Authorization, Accounting, and Auditing) of MLPS 2.0, you can use Bastionhost.

Core value: Bastionhost provides centralized account management, access control, operation auditing, and session recording. It is the standard solution for enterprise-grade security O&M administration.

Let ECS instances securely access the Internet (outbound traffic)

Scenario: A program running on an ECS instance needs to access the Internet to download software packages, update the system, or call third-party API operations.

Recommended solution: Use a NAT Gateway

  • How it works:

    • Multiple ECS instances within a VPC are not attached to any public IP addresses.

    • All outbound traffic is directed to the NAT Gateway through VPC routes.

    • The NAT Gateway translates the source private IP addresses into its own public IP address and then sends the requests to the Internet.

  • Core advantages:

    • Hide backend instances: Only the public IP address of the NAT Gateway is visible from the Internet. The backend ECS instances cannot be discovered or directly accessed. This greatly reduces the risk of attacks.

    • Centralized management: Centrally manage the outbound traffic egress for the VPC to simplify network configuration.

    • Save public IP addresses: Multiple ECS instances can share one or more public IP addresses to access the Internet.

For more information, see Use the SNAT feature of an Internet NAT gateway to access the Internet.

Security hardening: Configure outbound security group rules

Even if an instance has outbound-only Internet access, security risks still exist. If an instance is infected with a Trojan horse, the malicious program actively connects to an external command and control (C&C) server. By configuring outbound security group rules, you can effectively block such malicious connections.

Configuration steps:

  1. Set a default deny policy: In the outbound rules of the security group, add a rule with the lowest priority (largest value, such as 100). Set the policy to "Deny", the destination to 0.0.0.0/0, and the port range to all.

  2. Allow necessary Alibaba Cloud services: Add high-priority allow rules to permit access to basic Alibaba Cloud service addresses required for the normal operation of ECS. For example:

    • Security Center Agent: 100.100.0.0/16, 106.11.0.0/16, and others on ports 80/443.

    • Cloud Assistant Agent: 100.100.100.200:80 and the Cloud Assistant service domain names for each region.

    • Alibaba Cloud mirror source/OSS/SLS: Based on your region, you can resolve the domain names of the corresponding services and add their IP addresses.

  3. Allow required destination addresses for your business: If your business needs to access a specific domain name, such as github.com, you can use the `dig` or `nslookup` command on the ECS instance to resolve its IP addresses. Then, you can add these IP addresses to the outbound allow rules.
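The three steps above depend on ECS priority ordering: the catch-all deny must carry the largest number (lowest priority) so that the allow rules win. As an added example (not code from this page or the ECS API), the following Python model evaluates a constructed rule set built from those steps and also detects the opposite mistake, a deny rule whose priority number is small enough to shadow every allow rule. 203.0.113.0/24 (TEST-NET-3) is a placeholder standing in for the addresses you would resolve for your own business destination in step 3.

```python
import ipaddress

def rule(priority, policy, dest, lo, hi=None):
    """One outbound rule: ECS priority (1 = highest, 100 = lowest), accept/drop, destination CIDR, port range."""
    return {"priority": priority, "policy": policy,
            "dest": ipaddress.ip_network(dest), "lo": lo, "hi": lo if hi is None else hi}

# Constructed rule set following the three steps above. 203.0.113.0/24 is a placeholder
# for the addresses resolved for a real business destination (step 3).
OUTBOUND_RULES = [
    rule(100, "drop",   "0.0.0.0/0",          1, 65535),  # step 1: default deny at lowest priority
    rule(1,   "accept", "100.100.0.0/16",     80),        # step 2: Security Center agent
    rule(1,   "accept", "100.100.0.0/16",     443),
    rule(1,   "accept", "106.11.0.0/16",      80),
    rule(1,   "accept", "106.11.0.0/16",      443),
    rule(1,   "accept", "100.100.100.200/32", 80),        # step 2: Cloud Assistant agent
    rule(10,  "accept", "203.0.113.0/24",     443),       # step 3: business destination placeholder
]

def evaluate(rules, dst_ip, dst_port):
    """Policy of the winning rule for a connection ('accept' or 'drop'), or None when no rule matches."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in rules if addr in r["dest"] and r["lo"] <= dst_port <= r["hi"]]
    if not matches:
        return None
    # Lower priority number wins; on a tie a drop rule beats an accept rule.
    return min(matches, key=lambda r: (r["priority"], r["policy"] != "drop"))["policy"]

def shadowed_allows(rules):
    """Accept rules that can never win because a drop rule of equal or higher priority covers
    their whole destination and port range (the catch-all deny given a small number instead of 100)."""
    drops = [r for r in rules if r["policy"] == "drop"]
    return [a for a in rules if a["policy"] == "accept" and any(
        d["priority"] <= a["priority"] and a["dest"].subnet_of(d["dest"])
        and d["lo"] <= a["lo"] and a["hi"] <= d["hi"] for d in drops)]

if __name__ == "__main__":
    # 198.51.100.7 is a constructed C&C address: no allow rule covers it, so the default deny applies.
    for ip, port in [("100.100.100.200", 80), ("203.0.113.10", 443), ("198.51.100.7", 443)]:
        print(ip, port, evaluate(OUTBOUND_RULES, ip, port))
```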

Securely provide services to the Internet (inbound traffic)

Scenario: You have deployed a website, app backend, or API operation on an ECS instance and need to provide stable and reliable services to Internet users.

Recommended solution: Use SLB

Providing services by attaching a public IP address directly to an ECS instance exposes the real server to the Internet and does not provide high availability. The best practice for a production environment is to use an SLB product, such as an Application Load Balancer (ALB) or a Network Load Balancer (NLB).

  • How it works:

    1. User requests first reach the public endpoint of the SLB instance.

    2. The SLB instance distributes the requests to a group of healthy backend ECS instances based on the configured forwarding rules and health check results.

    3. The ECS instances are not directly exposed to the Internet. They only communicate with the SLB instance over the internal network.

  • Core advantages:

    • Hide backend servers: The user's access endpoint is the SLB instance. This hides the originating IP addresses of the backend ECS instances, which effectively protects the backend servers.

    • High availability: Automatically removes unhealthy ECS instances and performs failover to ensure business continuity.

    • Load distribution: Distributes traffic across multiple ECS instances to easily achieve horizontal scaling and handle high concurrency.

    • Integrated security protection: Can be integrated with security products such as Web Application Firewall (WAF) to protect against application-layer attacks.

For more information, see Quickly implement load balancing for IPv4 services.

Integrated security group configuration

For optimal security, configure the security groups of the backend ECS instances as follows:

  • In the inbound rules, allow only traffic from the SLB service IP address range to access the service ports, such as 80/443.

  • Deny all other source IP addresses from accessing the service ports.

Use Cloud Assistant remote port forwarding to access cloud services locally

If you have a small number of ECS instances that are used only for internal private network access or temporary trials, have low requirements for network communication quality, and want to avoid public bandwidth costs, you can use the port forwarding feature of Cloud Assistant. This solution is suitable for scenarios where a complete security defense system has not yet been established but small-scale testing or remote service calls are needed.

Example: Access a PostgreSQL service on an ECS instance from a local machine

Assume you have deployed a PostgreSQL service on an ECS instance that listens on the default port 5432. You can securely access this service locally without attaching a public IP address to the ECS instance or opening port 5432 to any external IP addresses in the security group.

Port forwarding in the Session Manager CLI lets you map a remote port on an ECS instance that has no public IP address, such as 5432, to a port on your local computer, such as 8080. When you access 127.0.0.1:8080 on your local machine, the traffic is securely forwarded end-to-end through an encrypted channel established by the Cloud Assistant service and the Cloud Assistant Agent on the ECS instance.

  1. On your local computer, run the following command to map port 5432 of the target ECS instance to port 8080 on your local machine.

    ali-instance-cli.exe portforward -i <instance_id> -r <target_port> -l <local_port>

    instance_id: The ID of the instance.

    target_port: The port of the target instance.

    local_port: The local port.

  2. As shown in the following figure, start pgAdmin on the same local machine and connect to 127.0.0.1:8080. All requests are then securely forwarded to port 5432 on the ECS instance through the Cloud Assistant channel, which enables secure remote access to the database.

    [Figure: pgAdmin on the local machine connected to 127.0.0.1:8080]

Compliance capabilities

Check

Query ECS instances that are attached to public IP addresses

  1. Go to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > CSPM. On the Cloud Service Configuration Risk tab, find the check item named Logons Using SSH Key Pairs and click Scan in the Actions column.

    If the status is Failed, it indicates that there are Linux instances that do not use key pair authentication for logon. You can click Details to view them.

Check security groups that have exposed sensitive ports

  1. Go to ECS Insight.

  2. On the Security tab, click the Unrestricted Access to Specific Security Group Ports check item to view instances with unrestricted access to sensitive ports.

Block

Prohibit attaching public IP addresses to ECS instances

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance",
                      "ecs:ModifyInstanceSpec",
                      "ecs:ModifyInstanceNetworkSpec"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "ecs:AssociatePublicIpAddress": [
                              "true"
                          ]
                      }
                  }
              },
              {
                  "Effect": "Deny",
                  "Action": [
                      "vpc:AllocateEipAddress",
                      "vpc:AllocateEipAddressPro",
                      "vpc:AllocateEipSegmentAddress",
                      "eipanycast:AllocateAnycastEipAddress"
                  ],
                  "Resource": "*"
              }
          ]
      }

      What the statements do (the policy is JSON, which does not allow inline comments):

        • The first statement denies creating an instance (ecs:RunInstances, ecs:CreateInstance), modifying an instance (ecs:ModifyInstanceSpec), and modifying a network interface card (ecs:ModifyInstanceNetworkSpec) on all resources whenever the request attaches a public IP address (ecs:AssociatePublicIpAddress is true).

        • The second statement denies requesting an EIP (vpc:AllocateEipAddress, vpc:AllocateEipAddressPro), requesting contiguous EIPs (vpc:AllocateEipSegmentAddress), and requesting an Anycast EIP (eipanycast:AllocateAnycastEipAddress) on all resources.

    2. In the resource directory, attach the policy to the appropriate node. The policy will block the specified operations for all accounts under that node.

  • For non-enterprise users:

    1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account. In the navigation pane on the left, click Policies and create a custom policy with the same content as above.

    2. You can use authorization management for access policies to grant the policy to a RAM user, RAM user group, or RAM role.

Restrict access to sensitive ports from any address

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "ecs:AuthorizeSecurityGroup",
                      "ecs:ConfigureSecurityGroupPermissions",
                      "ecs:ModifySecurityGroupRule"
                  ],
                  "Resource": "acs:ecs:*:*:securitygroup/*",
                  "Condition": {
                      "StringEquals": {
                          "ecs:SecurityGroupSourceCidrIps": [
                              "0.0.0.0/0",
                              "::/0"
                          ]
                      },
                      "ForAllValue:StringEquals": {
                          "ecs:SecurityGroupPort": [
                              "22",
                              "3389",
                              "445"
                          ]
                      }
                  }
              }
          ]
      }

      What the statement does (the policy is JSON, which does not allow inline comments): it denies adding an inbound security group rule (ecs:AuthorizeSecurityGroup), adding or modifying security group rules (ecs:ConfigureSecurityGroupPermissions), and modifying a security group rule (ecs:ModifySecurityGroupRule) on all security groups (acs:ecs:*:*:securitygroup/*) when the source IP address for access (ecs:SecurityGroupSourceCidrIps) is 0.0.0.0/0 or ::/0 and the destination port numbers (ecs:SecurityGroupPort) are among 22, 3389, and 445.

    2. In the resource directory, attach the policy to the appropriate node. The policy will block the specified operations for all accounts under that node.

  • For non-enterprise users:

    1. Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies and create a custom policy with the same content as above.

    2. You can use authorization management for access policies to grant the policy to a RAM user, RAM user group, or RAM role.

Remediate: Detach public IP addresses from ECS instances