When you deploy applications on Edge Node Service (ENS) to achieve ultra-low latency, you are placing workloads outside the traditional security perimeter of Alibaba Cloud's central regions. This distributed architecture creates a fundamental security challenge: how to apply robust, centralized security controls to these geographically scattered instances. This topic describes how to use Security Center, the network security capabilities of the edge cloud, Bastionhost, and Anti-DDoS Proxy to protect your edge assets.
Host-level security with Security Center
Alibaba Cloud Security Center uses cloud-native technologies and extensive security expertise to provide comprehensive host protection. It covers key areas such as cloud asset management, security configuration assessment, proactive defense, security hardening, and security visualization. It detects real-time risks, including configuration flaws, compliance issues, vulnerabilities, and leaked AccessKey pairs. It also defends against threats like ransomware, crypto-mining malware, trojans, webshells, and web page tampering. For a detailed introduction, see Security Center.
Security Center capabilities supported on ENS
Category | Path in the navigation pane on the left | Feature |
Assets | Assets > Overview | Asset overview |
Assets | Assets > Host | Synchronize the latest assets; Add multicloud assets; Security check; Troubleshoot client issues; Asset collection; Perform batch O&M and monitoring (requires Cloud Assistant); Enable or pause protection; Remove binding; Investigate asset fingerprints |
Risk Governance | Risk Governance > Vulnerabilities | Linux software vulnerabilities (detect/fix); Windows system vulnerabilities (detect/fix); Web-CMS vulnerabilities (detect/fix); Emergency vulnerabilities (detect); Application vulnerabilities (SCA detection) |
Risk Governance | Risk Governance > CSPM | Baseline check (check/fix) |
Risk Governance | Risk Governance > Cloud Honeypot | Host honeypot |
Risk Governance | Risk Governance > SDK for Malicious File Detection | Malicious File Detection SDK |
Risk Governance | Risk Governance > Log Analysis | Host logs; Security logs |
Detection and Response | Detection and Response > Alerts | Web directory definition; Alert handling rules; Data archiving; View and restore quarantined files |
Detection and Response | Detection and Response > Log Management | Attack analysis |
Protection Settings | Protection Settings > Host Protection > Anti-ransomware | Anti-ransomware |
Protection Settings | Protection Settings > Host Protection > Virus Detection and Removal | Virus scan |
Protection Settings | Protection Settings > Host Protection > Web Tamper Proofing | Web tamper proofing |
Protection Settings | Protection Settings > Host Protection > Host-specific Rule Management | Malicious behavior defense; Common logon management |
Protection Settings | Protection Settings > Container Protection > Container Image Scan | Scan images for system vulnerabilities; Scan images for application vulnerabilities; Image Baseline Check; Scan images for malicious samples; Fix system vulnerabilities in images; Fix application vulnerabilities in images; Remediate malicious samples in images |
Protection Settings | Protection Settings > Container Protection > Proactive Defense for Containers | Proactive defense for containers |
Protection Settings | Protection Settings > Container Protection > Container File Protection | Container firewall |
Protection Settings | Protection Settings > Application Protection | Application protection |
System Settings | System Settings > Security Reports | Security reports |
System Settings | System Settings > Feature Settings | Feature settings |
System Settings | System Settings > Notification Settings | Notification settings |
Activate and deploy Security Center
Purchase Security Center:
You can purchase Security Center directly from the product page on the Alibaba Cloud official website. Security Center offers multiple editions and value-added services for different security needs. You can purchase the edition and services that best suit your needs. For more information, see Purchase Security Center.
Install the Security Center agent on an ENS instance:
To protect an ENS instance with Security Center, install the Security Center agent on it. This lightweight agent collects host data to monitor and detect potential security threats.
Before you install the Security Center agent, make sure that your Edge Node Service instance can access the internet.
Log on to the ENS instance and run the installation command with administrator or root permissions.
Installation command for Linux
wget "https://aegis.alicdn.com/download/install/2.0/linux/AliAqsInstall.sh" && chmod +x AliAqsInstall.sh && ./AliAqsInstall.sh -k=v342lk
Installation command for CMD on Windows
powershell -executionpolicy bypass -c "(New-Object Net.WebClient).DownloadFile('http://aegis.alicdn.com/download/install/2.0/windows/AliAqsInstall.exe',$ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath('.\AliAqsInstall.exe'))"; .\AliAqsInstall.exe -k=Az481e
Everything after -c is executed by the same PowerShell process, so the installer is launched as a command immediately after the download completes; it must not be written as a quoted string, because PowerShell would only print the string instead of running the executable.
Verify the installation:
After installation, the Security Center agent downloads its components and starts the corresponding processes on your server. You can verify the installation by checking the agent's process status or by viewing its status in the Security Center console.
The figure shows an ENS instance successfully added to the Hosts asset list in Security Center.
Note: An edge instance is displayed as a Server Outside Cloud in the Security Center console because its computing power is distributed across nodes outside the central Alibaba Cloud.
Network-level security: Security groups and network ACLs
1. Security groups
A security group acts as a virtual firewall for ENS, controlling inbound and outbound traffic for your ENS instances at the edge nodes. Inbound rules control incoming traffic, while outbound rules control outgoing traffic.
The workflow for using security groups consists of four steps:
Create a security group:
The process of creating a security group for the edge cloud is different from creating one for the central cloud. When you create a security group for the edge cloud, you only need to specify a name for the security group. Security groups for the edge cloud do not belong to a specific node or VPC. The security group and its rules can take effect on any node and VPC globally.

Add security group rules:
Security group rules control the inbound and outbound traffic of ENS instances. You can use them for scenarios such as allowing or denying specific network traffic, blocking unnecessary ports, restricting traffic of specific protocols, and configuring application access permissions.
You can add security group rules when you create a security group or add them after the security group is created.
Add an ENS instance to a security group:
When you create an ENS instance, you can add it to one security group. Later, you can add the instance to multiple security groups from the ENS instance list page as needed. To determine whether traffic can pass through an ENS instance, the rules of all associated security groups are aggregated, sorted by a fixed policy, and applied to the ENS instance along with the default access control rules. This process determines whether to allow or deny the traffic.
Manage security group rules:
Improperly configured security group rules can lead to serious security risks. You must manage security group rules as needed to ensure the network security of your ENS instances.
You can modify the inbound and outbound rules of a security group on its details page. After a rule is modified, it applies to all ENS instances in that security group across all edge cloud nodes.
2. Network ACLs
A network ACL is a network access control feature in a virtual private cloud (VPC). You can customize network ACL rules and bind the network ACL to a VPC to control traffic from ENS instances in the edge cloud VPC.
Both network ACLs and security groups are network features that control inbound and outbound traffic. However, a network ACL applies to an entire VPC. Its rules control the data streams that enter and leave the VPC for all ENS instances within that VPC. A security group applies to specific ENS instances and controls only the inbound and outbound data streams for the ENS instances added to that security group.
If your services deployed in an edge cloud VPC have consistent rules for internet access, you can configure a network ACL to control traffic for all ENS instances. If your services deployed in the edge cloud VPC are diverse, you can use more granular security groups to control traffic for specific ENS instances.
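The following Python model is an added illustration, not code from the ENS documentation. It evaluates a connection against the network ACL bound to the VPC and the aggregated rules of every security group an instance belongs to, as the two sections above describe, and lists which TCP ports a given remote address could reach. The page does not spell out ENS's fixed ordering policy, so the ACL-before-security-group order, the priority ordering, the drop-over-accept tie-break and the default actions are assumptions; the sample rules and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound, destination CIDR for outbound
    action: str        # "accept" or "drop"
    priority: int = 1  # assumption: a lower value is evaluated first

def matches(rule, direction, protocol, port, remote_ip):
    """True if the rule covers this direction, protocol, port and remote address."""
    return (rule.direction == direction
            and rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ip_address(remote_ip) in ip_network(rule.cidr, strict=False))

def evaluate(rules, direction, protocol, port, remote_ip, default):
    """First matching rule wins after sorting by priority; at equal priority a
    drop rule is placed before an accept rule (assumed tie-break). The default
    action applies when no rule matches."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "drop"))
    for rule in ordered:
        if matches(rule, direction, protocol, port, remote_ip):
            return rule.action
    return default

def decide(acl_rules, security_groups, direction, protocol, port, remote_ip):
    """Assumed order: the VPC-wide network ACL is consulted first; if it does not
    drop the traffic, the union of all security group rules is evaluated with an
    assumed default of drop for inbound and accept for outbound traffic."""
    if evaluate(acl_rules, direction, protocol, port, remote_ip, "accept") == "drop":
        return ("drop", "network ACL")
    aggregated = [rule for group in security_groups for rule in group]
    default = "drop" if direction == "inbound" else "accept"
    return (evaluate(aggregated, direction, protocol, port, remote_ip, default),
            "security group")

def exposed_tcp_ports(acl_rules, security_groups, remote_ip, ports):
    """Ports on which an inbound TCP connection from remote_ip would be accepted."""
    return [p for p in ports
            if decide(acl_rules, security_groups, "inbound", "tcp", p, remote_ip)[0]
            == "accept"]

# Constructed sample configuration; addresses come from documentation ranges.
VPC_ACL = [Rule("inbound", "tcp", 3389, 3389, "0.0.0.0/0", "drop")]  # no RDP into the VPC
SG_WEB = [Rule("inbound", "tcp", 80, 80, "0.0.0.0/0", "accept"),
          Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", "accept"),
          Rule("inbound", "tcp", 8080, 8080, "0.0.0.0/0", "accept")]
SG_OPS = [Rule("inbound", "tcp", 22, 22, "203.0.113.0/24", "accept"),  # SSH only from O&M range
          Rule("inbound", "tcp", 3389, 3389, "0.0.0.0/0", "accept"),   # overridden by the ACL
          Rule("inbound", "tcp", 8080, 8080, "0.0.0.0/0", "drop")]     # conflicts with SG_WEB

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9"):
        print(ip, exposed_tcp_ports(VPC_ACL, [SG_WEB, SG_OPS], ip, range(1, 10000)))
```

Running it shows why the page recommends the ACL for VPC-wide rules: the RDP allow rule in SG_OPS never takes effect because the ACL drops port 3389 for every instance in the VPC, while the conflicting 8080 rules resolve to drop under the assumed tie-break.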
Secure operations and auditing with Bastionhost
Bastionhost is an operations and maintenance (O&M) security and audit platform that provides centralized, secure access to your resources. It lets you manage permissions, control operations, and audit all activity through session recordings, ensuring that all actions are identifiable, controllable, and auditable. It helps enterprises manage numerous assets, clarify O&M responsibilities, trace incidents, and meet compliance requirements. For more information about Bastionhost, see Product Overview.
O&M Security Center for ENS:
To manage ENS resources, use the Enterprise Dual-Engine edition of Bastionhost, which supports the network domain proxy mode to achieve unified O&M control over edge assets.
Feature | Description |
User management | Supports multiple user roles, such as administrator, O&M engineer, and auditor. |
| Supports creating individual users and importing users in batches from a file. |
| Supports automatic synchronization of RAM, AD, and LDAP users. |
| Supports connecting to IDaaS to synchronize users from various identity sources, such as DingTalk and Azure AD, as Bastionhost users. |
| Supports user status tags, including expired, locked, and inactive. |
| Supports policies such as user lockout and password expiration. |
Asset management | Supports O&M control and auditing for RDS and self-managed databases, such as MySQL, SQL Server, PostgreSQL, and Oracle. |
| Supports manual creation and one-click import of Alibaba Cloud and third-party cloud assets. |
| Supports credential hosting (passwords or keys) for assets. O&M engineers can access assets for O&M without knowing the asset passwords. |
| Supports asset status detection. You can periodically or manually check the status of ECS and RDS instances and their network connectivity. |
| Interacts with Security Center's asset risk monitoring. It provides timely reminders of the status and number of risks, such as alerts, vulnerabilities, and baseline risks. It also supports quick navigation to Security Center to handle risks. |
| Supports unified O&M for hybrid scenarios, including multicloud, on-premises, and offline IDC servers. |
| Supports network domain proxy mode. A bastion host can connect to assets in other internal network environments through a proxy server. |
| Supports manual or scheduled password change tasks for Linux servers. |
O&M control | Supports two-factor authentication using text messages, email, mobile TOTP tokens, and DingTalk. |
| Supports using client tools, such as Mstsc, XShell, SecureCRT, and PuTTY, to log on to the bastion host and access hosts. |
| Supports using local SFTP client tools, such as WinSCP, Xftp, and SecureFX, to log on to the bastion host for file transfers. |
| Supports an independent O&M portal. |
| Supports web-based access to hosts. |
| Supports real-time monitoring of ongoing sessions and lets you block sessions at any time. |
| Supports control over operations during RDP-based O&M, such as clipboard uploads or downloads and disk mapping. |
| During SSH-based O&M, supports setting command blacklists, whitelists, and approval policies to control the execution of high-risk and sensitive commands. |
| During O&M, supports control over file operations, such as upload, download, delete, and rename, and folder operations, such as create and delete. |
| Supports enabling secondary approval for O&M. An O&M engineer can access an asset only after an administrator approves the access request. |
| Supports restricting the source IP addresses and logon times for users and assets that log on to the bastion host. |
| Supports setting limits on idle time and total duration for O&M sessions. |
Log auditing | Supports full logging and video recording for O&M operations. You can clearly restore and trace the O&M process through video playback. |
| Supports auditing of file transfers. |
| Supports generating O&M reports. Reports can be exported in PDF, HTML, and Word formats. |
| Supports storing session audit logs in SLS and downloading them locally using the log backup feature. |
API | Supports OpenAPI calls. |
Activate and deploy Bastionhost
Purchase Bastionhost:
You can purchase Bastionhost from its product page on the Alibaba Cloud website. Bastionhost provides multiple editions to meet O&M security needs in different scenarios. For more information, see Activate a free trial.
Manage ENS instances:
After you purchase a Bastionhost instance, you can manage it on the Bastionhost management page.
Create a network domain:
Bastionhost runs on the Alibaba Cloud central cloud. Edge cloud computing power is distributed across nodes outside the central cloud. Therefore, edge cloud computing resources cannot connect to the internal network of the VPC where Bastionhost resides. We recommend using the network domain feature of Bastionhost to manage ENS instances.
You can configure a proxy server for your ENS assets. Then, in Bastionhost, you can create a network domain, add the proxy server, and add the assets to the network domain. This lets you perform O&M on the assets using Bastionhost.
On the Network Domain list page, you can create a network domain. Set the connection method to Proxy and configure the primary proxy server.

For the primary proxy server, configure the Proxy Type, Server Address, Server Port, Host Account, and Password. The Proxy Type can be SSH Proxy, HTTP Proxy, or SOCKS5 Proxy.

Asset management - Import an ENS instance:
On the host list page, select Import Other Source Hosts, and then use the Create Host method to manage the ENS instance.

In the Create Host panel, you must configure parameters such as Operating System, Host IP, Hostname, and Network Domain.
If you set Network Domain to Proxy, set the host IP to an internal IP address. If you set Network Domain to Direct Connection, set the host IP to a public IP address.

Asset management - Create a host account:
After you import an ENS instance as a host asset, go to the Host list page. In the Actions column, click Create Host Account. Configure the Protocol, Logon Name, Authentication Type, and the corresponding Password or Key for daily O&M access.

User management - Authorize a host:
After importing a host, navigate to the User Management > Users page to grant a RAM user Operations and Maintenance (O&M) permissions on the host resource.

Asset O&M:
After logging in, an authorized RAM user can navigate to the Asset O&M > Host O&M page to view their authorized host resources. From there, they can perform O&M on the hosts using the Remote Connection method.

DDoS attack protection
Anti-DDoS is a proxy-based protection service from Alibaba Cloud. It mitigates volumetric DDoS attacks and resource exhaustion DDoS attacks. It supports the protection of servers on Alibaba Cloud, outside Alibaba Cloud, or in other clouds. After you connect your service to Anti-DDoS, if a large-volume DDoS attack occurs, Anti-DDoS uses DNS resolution to reroute the traffic to anti-DDoS scrubbing centers for traffic scrubbing. It then forwards only the clean traffic to your server.
For more information about Anti-DDoS Pro and Anti-DDoS Premium, see What is Anti-DDoS Pro and Anti-DDoS Premium?.
Anti-DDoS capabilities supported on ENS
Anti-DDoS Proxy is available in two versions based on the deployment region of your business servers: Anti-DDoS Proxy (Chinese Mainland) and Anti-DDoS Proxy (Outside Chinese Mainland).
Anti-DDoS Pro: Suitable for services with servers deployed in the Chinese mainland. It uses unique T-level, eight-line Border Gateway Protocol (BGP) bandwidth resources in the Chinese mainland to defend against large-volume DDoS attacks for connected services. It provides Professional and Premium instance types.
Anti-DDoS Premium: Suitable for services with servers deployed outside the Chinese mainland. It uses advanced, distributed, near-origin traffic scrubbing capabilities to provide unlimited, best-effort protection against DDoS attacks for connected services.
Category | Feature | Anti-DDoS Pro (IPv4 Protection) | Anti-DDoS Pro (IPv6 Protection) | Anti-DDoS Premium |
Connection type | Website Config | Supported | Supported | Supported |
Connection type | Port Config | Supported | Supported | Supported |
Sec-Traffic Manager | Sec-Traffic Manager | Supported | Supported | Supported |
Protection for Infrastructure | Configure global mitigation policy | Supported | Supported | Supported |
Protection for Infrastructure | Configure blacklists and whitelists (for Anti-DDoS instance IPs) | Supported | Supported | Supported |
Protection for Infrastructure | Configure Location Blacklist | Supported only by the Enhanced function plan | × | Supported only by the Enhanced function plan |
Protection for Infrastructure | Deactivation of blackhole filtering | Supported | × | × |
Protection for Infrastructure | Configure near-origin traffic diversion | Supported | × | × |
Protection for Infrastructure | Configure UDP reflection attack mitigation feature | Supported only by the Enhanced function plan | × | Supported only by the Enhanced function plan |
Protection for Website Services | Configure intelligent protection | Supported | Supported | Supported |
Protection for Website Services | Configure Anti-DDoS Global Mitigation Policy | Supported | Supported | Supported |
Protection for Website Services | Configure blacklists and whitelists (for domain names) | Supported | Supported | Supported |
Protection for Website Services | Configure Location Blacklist (for domain names) | Supported only by the Enhanced function plan | Supported only by the Enhanced function plan | Supported only by the Enhanced function plan |
Protection for Website Services | Configure CC attack protection | Supported | Supported | Supported |
Protection for non-website services | Configure Layer 4 intelligent protection | Supported | × | Supported |
Protection for non-website services | False Source | Supported | Supported | Supported |
Protection for non-website services | Advanced Attack Mitigation (only TCP port services are supported) | Supported | Supported | Supported |
Protection for non-website services | Speed Limit for Destination | Supported | Supported | Supported |
Protection for non-website services | Packet Length Limit | Supported | Supported | Supported |
Protection for non-website services | Source Rate Limiting | Supported | × | Supported |
Protection for non-website services | Scenario-specific policies | Supported | Supported | Supported |
Mitigation Analysis | Attack analysis | Supported | × | Supported |
Mitigation Analysis | Full log analysis | Supported | Supported | Supported |
Mitigation Analysis | System logs | Supported | Supported | Supported |
Mitigation Analysis | Operation logs | Supported | Supported | Supported |
Mitigation Analysis | Advanced mitigation logs | Supported | Supported | Supported |
Mitigation Analysis | CloudMonitor alerts | Supported | Supported | Supported |
× indicates that the feature is not supported.
Activate and deploy Anti-DDoS
Purchase an Anti-DDoS instance:
You can purchase an Anti-DDoS instance on the Anti-DDoS page. For more information, see Anti-DDoS Proxy.
Access management:
Website Config
To protect a website, add its domain to Anti-DDoS. The service provides you with a CNAME record. You then update your domain's DNS settings to point to this CNAME record, which directs traffic through Anti-DDoS for protection.

Port Config
For non-website services (such as client applications), configure port forwarding rules. This ensures that traffic is first routed through Anti-DDoS for scrubbing before being forwarded to your origin server.

Verify the configuration:
After successfully adding a website or port configuration, Anti-DDoS forwards requests sent to the protection IP to the corresponding port on your origin server. Before directing production traffic to Anti-DDoS, verify the forwarding configuration to ensure that legitimate traffic can reach your origin server correctly and to prevent service disruptions.