
Elastic Compute Service:Use VPCs for network isolation

Last Updated: Nov 11, 2025

A virtual private cloud (VPC) is a logically isolated network in a cloud computing environment. VPCs allow you to build a completely isolated private network in the public cloud. This is useful for scenarios that require strict network domain isolation. For example, you can divide networks into different security domains based on business requirements or regions. You can also create red, yellow, and green zones, separate office, testing, and production networks, or create different network planes for services and operations and maintenance (O&M).

Security risks

Different network domains usually have different security levels and different network access control requirements. If they are not properly isolated, a compromise in one domain spreads to the others: attackers move laterally from the weaker domain into the stronger one and gain access they were never authorized for.

For example, an office network needs outbound Internet access and is therefore more exposed to malware. A production network, by contrast, must provide services to the Internet in a controlled manner, and its machines must be modified or accessed only through authorized publishing or O&M systems. Without network isolation, it is hard to maintain separate Internet access control policies for the two networks, malware on an office computer can easily spread laterally to production machines, and office computers can bypass the authorized systems and reach production machines directly.

Security groups alone are not a suitable tool for isolating network domains or security domains; separate VPCs are. VPCs are isolated from each other by default and have independent address spaces, so no complex address space planning is needed, and where limited service access between VPCs is required you can use services such as PrivateLink. Dividing a single VPC into several network domains, in contrast, requires careful address space planning: at the routing layer, every address range inside a VPC is reachable from every other, so the only thing separating the domains is the security group rules that allow or block traffic between address groups. Those rules must be written and maintained carefully, and a single misconfigured rule silently grants network access that was never intended.
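To show how easily a single-VPC layout leaks access between domains, the following added example (written for this page, not code from Alibaba Cloud) audits a constructed set of inbound security group rules. The VPC CIDR, the domain ranges, the allowed-flow matrix, the group names and the rules are all made-up sample data; the audit flags every rule whose source range reaches into a security domain that is not allowed to initiate traffic to the rule's domain, and every rule whose source lies outside the VPC altogether.

```python
"""
Added example, not from the Alibaba Cloud page: audit inbound security group
rules in a VPC that has been carved into several security domains.
All CIDRs, group names, domain names and rules are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: one VPC carved into four security domains.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
DOMAINS = {
    "office":     ipaddress.ip_network("10.0.0.0/20"),
    "test":       ipaddress.ip_network("10.0.16.0/20"),
    "production": ipaddress.ip_network("10.0.32.0/20"),
    "ops":        ipaddress.ip_network("10.0.48.0/22"),  # authorized publishing / O&M systems
}

# Which domain may initiate connections to which. Anything not listed is forbidden.
ALLOWED_FLOWS = {
    ("ops", "production"),
    ("ops", "test"),
    ("office", "test"),
}


@dataclass(frozen=True)
class Rule:
    group: str        # security group the inbound rule belongs to
    domain: str       # security domain of the instances carrying that group
    source_cidr: str  # SourceCidrIp of the rule
    protocol: str
    port_range: str


# Constructed inbound rules, written the way an operator might have typed them.
RULES = [
    Rule("sg-prod-web", "production", "10.0.48.0/22", "tcp", "22/22"),      # ops -> prod ssh: intended
    Rule("sg-prod-web", "production", "10.0.0.0/16",  "tcp", "443/443"),    # "the VPC" -> prod: leaks office and test
    Rule("sg-prod-db",  "production", "0.0.0.0/0",    "tcp", "3306/3306"),  # classic mistake
    Rule("sg-test",     "test",       "10.0.0.0/20",  "tcp", "1/65535"),    # office -> test: intended
]


def domains_covered(cidr):
    """Names of every security domain that overlaps the given source range."""
    net = ipaddress.ip_network(cidr)
    return [name for name, dnet in DOMAINS.items() if net.overlaps(dnet)]


def audit(rules):
    """
    Return one finding tuple (group, source_domain, target_domain, source_cidr, port_range)
    for each unintended flow a rule opens. 'outside_vpc' marks a source range that is
    not fully contained in the VPC CIDR, for example 0.0.0.0/0.
    """
    findings = []
    for r in rules:
        for src in domains_covered(r.source_cidr):
            if src == r.domain:
                continue  # intra-domain traffic is not what this audit is about
            if (src, r.domain) not in ALLOWED_FLOWS:
                findings.append((r.group, src, r.domain, r.source_cidr, r.port_range))
        if not ipaddress.ip_network(r.source_cidr).subnet_of(VPC_CIDR):
            findings.append((r.group, "outside_vpc", r.domain, r.source_cidr, r.port_range))
    return findings


if __name__ == "__main__":
    for f in audit(RULES):
        print("unintended access: group=%s %s -> %s via %s ports %s" % f)
```

The second and third rules each look like one line of configuration, yet between them they open production to the office network, the test network and the Internet. Separate VPCs remove this class of error because there is no route between the domains to begin with.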

Best practices

Isolate VPCs and use PrivateLink for cross-VPC service access

When you need to control communication between VPCs, you can use PrivateLink or a VPC firewall. PrivateLink exposes a service in the provider VPC to consumers in another VPC through a service virtual IP address (VIP): the consumer reaches the service at a private endpoint address in its own VPC, and no route between the two VPCs is required. The following figure shows a scenario where VPCs are used for network isolation and PrivateLink lets a service in VPC1 (the consumer) access a service in VPC2 (the provider). For more information, see Access a CLB instance in another VPC by using PrivateLink.

You can use PrivateLink endpoint policies to control which Alibaba Cloud entities, such as Resource Access Management (RAM) users or roles, can access Alibaba Cloud services through an endpoint. For more information, see Endpoint policies.

After you attach a security group to a PrivateLink endpoint, you can use the security group to allow only specific IP addresses or security groups to access the private IP address of the endpoint. For more information, see Add and manage security groups.

[Figure: PrivateLink lets a service in VPC1 access a service in VPC2 through an endpoint in VPC1]

This method is suitable for scenarios that involve untrusted parties, because the connection is one-directional: only the consumer side can initiate connections, and only to the exposed service, while the provider gains no route into the consumer VPC. For example, VPC1 and VPC2 in the preceding figure can belong to two different companies.

Isolate VPCs, connect with CEN, and use a VPC firewall for network access control

Cloud Enterprise Network (CEN) connects multiple VPCs across regions and accounts in a hub-spoke topology using route forwarding, as shown in the following figure. For configuration steps, see Scenario-based networking for VPC connections.

[Figure: CEN hub-and-spoke topology connecting VPC1, VPC2, and VPC3 through a transit router]

CEN lets you configure routing policies that decide which routes are propagated into each VPC's route table. This gives coarse-grained access control between VPCs: a pair of VPCs either can or cannot reach each other, regardless of port or protocol. In the preceding figure, you can configure rules to allow communication between VPC1 and VPC3, and between VPC1 and VPC2, but not between VPC2 and VPC3. Because connections need a route in both directions, check both VPCs' route tables; a route that exists only one way leaves the return path unroutable.
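The following added example (not from the Alibaba Cloud page, and not a real CEN API call) simulates the route-level control described above. Three VPC attachments on one transit router are associated with per-VPC route tables, and a constructed propagation policy decides which attachments' routes land in which table. The VPC names, CIDRs and policy are invented sample data. The example computes the resulting reachability matrix for the VPC1/VPC2/VPC3 scenario and also checks a second, deliberately broken policy in which only one direction of a VPC pair is routed.

```python
"""
Added example, not from the Alibaba Cloud page: simulate transit router route
propagation and derive which VPC pairs can communicate. Names, CIDRs and the
propagation policies are constructed sample data.
"""
import ipaddress

# Constructed: three VPC attachments on a single transit router.
VPCS = {
    "vpc1": ipaddress.ip_network("10.1.0.0/16"),
    "vpc2": ipaddress.ip_network("10.2.0.0/16"),
    "vpc3": ipaddress.ip_network("10.3.0.0/16"),
}

# Each VPC attachment is associated with its own custom route table.
ASSOCIATION = {"vpc1": "rt-vpc1", "vpc2": "rt-vpc2", "vpc3": "rt-vpc3"}

# Intended policy from the page's scenario: VPC1 talks to VPC2 and VPC3,
# VPC2 and VPC3 never learn each other's routes.
PROPAGATION = {
    "rt-vpc1": {"vpc2", "vpc3"},
    "rt-vpc2": {"vpc1"},
    "rt-vpc3": {"vpc1"},
}

# Broken policy: VPC2 learns a route to VPC3, but VPC3 learns nothing about VPC2.
BROKEN = {
    "rt-vpc1": {"vpc2", "vpc3"},
    "rt-vpc2": {"vpc1", "vpc3"},
    "rt-vpc3": {"vpc1"},
}


def build_route_tables(propagation):
    """Map each route table to {prefix: next-hop attachment} from the propagation policy."""
    return {table: {VPCS[src]: src for src in sources} for table, sources in propagation.items()}


def lookup(tables, src_vpc, dst_ip):
    """Longest-prefix match in the route table associated with the source VPC."""
    table = tables[ASSOCIATION[src_vpc]]
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop in table.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def has_route(tables, a, b):
    """True if a's table routes a host address in b back to attachment b."""
    return lookup(tables, a, str(VPCS[b][10])) == b


def can_talk(tables, a, b):
    """A connection needs the forward route and the return route."""
    return has_route(tables, a, b) and has_route(tables, b, a)


def reachability_matrix(propagation):
    tables = build_route_tables(propagation)
    return {(a, b): can_talk(tables, a, b) for a in VPCS for b in VPCS if a != b}


def one_way_routes(propagation):
    """Pairs where the forward route exists but the return route does not (return traffic is dropped)."""
    tables = build_route_tables(propagation)
    return [(a, b) for a in VPCS for b in VPCS
            if a != b and has_route(tables, a, b) and not has_route(tables, b, a)]


if __name__ == "__main__":
    for pair, ok in sorted(reachability_matrix(PROPAGATION).items()):
        print("%s -> %s: %s" % (pair[0], pair[1], "allowed" if ok else "blocked"))
    print("one-way routes in BROKEN policy:", one_way_routes(BROKEN))
```

Note what the routing layer does and does not give you: `reachability_matrix` is a per-VPC-pair answer, with no notion of port, protocol or application. Per-flow decisions between VPCs that are allowed to route to each other belong to the VPC firewall described next.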

For network access control at the business layer, you can configure a VPC firewall for a Basic Edition transit router, as shown in the following figure. The VPC firewall automatically diverts traffic at the VPC border and applies deep packet inspection (DPI), intrusion prevention system (IPS) rules, threat intelligence, virtual patching, and access control policies to it. Each flow between VPCs is inspected and either allowed or dropped, so unauthorized access between private network assets is blocked even where the routing layer permits the two VPCs to reach each other.

[Figure: VPC firewall on a CEN Basic Edition transit router inspecting traffic between VPCs]