EIP network security - Elastic IP Address - Alibaba Cloud Documentation Center

EIP supports Internet access over IPv4 connections. It is also integrated with Anti-DDoS services to enhance network security for resources.

Internet access control by using IPv4 gateways

IPv4 gateways can connect virtual private clouds (VPCs) to the Internet. An IPv4 gateway can enable a VPC to access the Internet by routing IPv4 traffic and translating private IP addresses to public IP addresses. When a VPC accesses the Internet by using an IPv4 gateway, IPv4 traffic flows through the IPv4 gateway.

Internet access control

If resources in a VPC are assigned an EIP, the sources can access the Internet regardless of route table configurations. To minimize security risks caused by direct Internet access, you can use IPv4 gateways and subnet routing to regulate access from VPCs to the Internet by granting or revoking Internet access permissions for subnets.

Routing policies for inbound traffic

You can use the subnet routing feature together with an IPv4 gateway to route inbound traffic to a virtual firewall, such as Cloud Firewall. This protects your Elastic Compute Service (ECS) instances against malicious requests.

For more information about IPv4 gateways, see IPv4 gateway overview.

DDoS mitigation

DDoS attacks are cyberattacks against targeted systems to make services unavailable to users. Alibaba Cloud Anti-DDoS Origin Basic provides up to 5 Gbit/s of bandwidth that is free of charge for DDoS mitigation. If your service requires a higher mitigation capacity, you can purchase EIPs protected by Anti-DDoS Pro/Premium.

Anti-DDoS Origin Basic

By default, Anti-DDoS Origin Basic is enabled for an EIP and can mitigate DDoS attacks at up to 5 Gbit/s. All traffic from the Internet must pass through Alibaba Cloud Security before the traffic reaches an EIP. Alibaba Cloud Security scrubs the traffic to mitigate attacks. For more information, see What is an Anti-DDoS Origin paid edition?.

Note If the amount of Internet traffic to a cluster exceeds the capacity of Anti-DDoS, the traffic is routed to a blackhole to protect the cluster. In this case, all traffic is blocked. For more information about the default thresholds at which Anti-DDoS Origin Basic automatically triggers blackhole filtering in each region, see View the thresholds that trigger blackhole filtering in Anti-DDoS Origin Basic. The thresholds to trigger blackhole filtering for EIPs are determined by the region and bandwidth. For more information, see Assets.

For more information, see Anti-DDoS Origin Basic.

Anti-DDoS Pro/Premium

Alibaba Cloud provides EIPs protected by Anti-DDoS Pro/Premium, which can mitigate DDoS attacks at the Tbit/s level.

You do not need to perform additional configurations for Anti-DDoS Pro/Premium or change your service IP addresses when you use EIPs protected by Anti-DDoS Pro/Premium. EIPs protected by Anti-DDoS Pro/Premium are ideal for scenarios that require high security and low latency, such as large-scale gaming and important livestreaming activities.

For more information, see Best practices for using EIPs protected by Anti-DDoS Pro/Premium.