Network isolation is an important security measure in the system of Server Load Balancer (SLB). This measure isolates traffic among networks to improve system security and reliability. The infrastructure of SLB includes network isolation and network traffic control.
Network isolation
Virtual private clouds (VPCs) are virtual networks that are isolated on Alibaba Cloud. A subnet specifies a range of IP addresses in a VPC. When you create an SLB instance, you can specify one or more subnets. You can deploy Elastic Compute Service (ECS) instances in the subnets of your VPC and add the ECS instances to backend server groups. For more information, see What is a VPC?
Application Load Balancer (ALB) and Network Load Balancer (NLB) instances support the following network types:
Internal-facing: A private IP address is assigned to each zone of the ALB or NLB instance. The instance is accessible only over internal networks.
Internet-facing: A public IP address and a private IP address are assigned to each zone of the instance. Internet-facing ALB or NLB instances can access the Internet by using Elastic IP addresses (EIPs). Internet-facing instances are charged an EIP fee and a bandwidth or data transfer fee.
Classic Load Balancer (CLB) instances support the following network types:
Internal-facing: An internal-facing CLB instance is assigned only a private IP address, and is accessible only over internal networks.
Internet-facing: An Internet-facing CLB instance is assigned a public IP address and is accessible over the Internet.
SLB instances communicate with backend ECS instances over internal networks. If backend ECS instances only receive requests from the SLB instance, no public IP address is required. The ECS instances do not need to be associated with EIPs.
Network traffic control
ALB, CLB, and NLB use different measures to protect network traffic, as described in the following tables.
ALB
Measure | Description | References |
SSL-encrypted transmission | Data packets can be encrypted based on SSL to prevent interception and tampering. | |
Web Application Firewall (WAF) | WAF can be used to monitor and filter network traffic in case of attacks. | |
Access control lists (ACLs) | Whitelists and blacklists can be used to block unauthorized access and malicious requests. | |
Anti-DDoS services | Anti-DDoS services can be used to mitigate large volumes of attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported. | |
TLS security policies | TLS security policies can be used to improve service security. You can select a TLS security policy when you create an HTTPS listener. Custom and default TLS security policies are supported. |
NLB
Measure | Description | References |
SSL-encrypted transmission | Data packets can be encrypted based on SSL to prevent interception and tampering. | |
Anti-DDoS services | Anti-DDoS services can be used to mitigate large volumes of attacks in real time. Anti-DDoS Origin, Anti-DDoS Pro, and Anti-DDoS Premium are supported. | |
Security groups | Security groups can be used to regulate access control. | |
TLS security policies | TLS security policies can be used to improve service security. You can select a TLS security policy when you create a listener that uses SSL over TCP. Custom and default TLS security policies are supported. |
CLB
Measure | Description | References |
SSL-encrypted transmission | Data packets can be encrypted based on SSL to prevent interception and tampering. | |
WAF | WAF can be used to monitor and filter network traffic in case of attacks. | |
ACLs | Whitelists and blacklists can be used to block unauthorized access and malicious requests. | |
Anti-DDoS services | Anti-DDoS services can be used to mitigate large volumes of attacks in real time. Anti-DDoS Origin is supported. | |
TLS security policies | TLS security policies can be used to improve service security. You can select a TLS security policy when you create an HTTPS listener. Custom and default TLS security policies are supported. |