
Well-Architected Framework: Network Security Protection

Last Updated: Jul 15, 2025

Users of cloud-based business systems may be located anywhere on the network: end customers accessing services over the internet, or business systems that call each other within a VPC. A comprehensive security system is therefore required at each network level to ensure secure access to the various business services. It is recommended to adopt the microservices concept, treating components, subsystems, and microservices as discrete and untrusted entities, and implementing authentication, protection, and monitoring for each of them. One of the key elements of network planning and design is defining the network boundary for each resource and the access control mechanisms between different network boundaries, such as VPCs. This process can be divided into three steps:

  1. Design network layers.

  2. Implement network access control at each layer.

  3. Observe, analyze and monitor network security events.

Design Network Layers

Network layers need to be classified and divided into multiple levels based on the security requirements of the various system components, so that the impact of illegal access is minimized. For example, database clusters in a VPC should not have internet access and should be deployed in vSwitches without internet access routes. Traffic flow between components should also follow the layering principle and only flow to components with the same or an adjacent security level. For example, a basic web application includes a public network load balancer entrance, web servers, and databases; the database can only be accessed by the web servers, not through the load balancer entrance. The layered network model is shown in the following diagram:

(Figure: layered network model)

The following are some common anti-patterns:

  • All resources are created in one VPC or vSwitch without isolation between different businesses, which may expand the scope of security exposure.

  • Direct access to sensitive data, such as direct access to databases via the internet, direct exposure of query services for big data on the public network, and so on.

  • Internal applications between different network locations (between VPCs, between IDC and VPC, etc.) communicate through the public network.

  • Security groups are overly permissive.

It should be noted that a layered network is the basis of a secure network architecture and is also Alibaba Cloud's recommended best practice.

Implement Network Access Control at Each Layer

Based on the layered network model in the diagram, common cross-layer traffic flows include but are not limited to:

  • Traffic between the Internet and the VPC (outbound and inbound)

  • Traffic within the VPC

  • Traffic among different VPCs

  • Traffic between external IDC and the VPC

  • VPC/external IDC accessing cloud services

For traffic between the Internet and the VPC, the following security measures can be used at each layer, with the protection range from larger to smaller:

  1. Basic DDoS protection (requires security support): the broadest protection range, with basic protection effect.

  2. Anti-DDoS Pro and Web Application Firewall (requires security support)

  3. Internet Firewall (requires security support)

  4. Separation of public and private vSwitches, VPC Ingress Routing

  5. Network ACL

  6. Security groups/IP whitelists

For traffic within the VPC, common traffic control tools include:

  1. Network ACL: to protect the entire vSwitch

  2. Security groups/IP whitelists: to protect specific instances

For traffic between different VPCs and between external IDCs and the VPC, private network channels should be used for connections, such as VPC peering, transit router, VPN Gateway, and Express Connect, to establish private and dedicated connections and avoid exposing components that do not serve the public network to public network access. In addition, different VPCs and external IDCs are distinct network boundaries. When accessing across boundaries, following the zero-trust principle, consider using east-west cloud firewalls to isolate and protect network traffic. After traffic enters the VPC through the network boundary, all security capabilities within the VPC, including route tables, network ACLs, and security groups, can further implement fine-grained access control.

Observe, Monitor, and Analyze Network Security Events

Continuous observation, monitoring, and analysis of network security events help strengthen security policies and respond rapidly to security threats. At the business network level, Anti-DDoS Pro and Web Application Firewall can record and protect against DDoS attacks and attacks at the transport layer (layer 4) and application layer (layer 7). At the basic network level, Cloud Firewall can record detailed information about north-south traffic (between the VPC and the Internet) and east-west traffic (between VPCs or hybrid cloud networks) and detect abnormal traffic. Within the VPC, detailed five-tuple logs can be recorded with VPC Flow Logs. By analyzing VPC Flow Logs, traffic that does not comply with the security layering and access policies can be identified, and security policies can be reinforced using network ACLs or security groups. If there is a further requirement to monitor and audit packet contents, traffic mirroring can be used to duplicate the traffic and import it into traffic analysis components for further monitoring and analysis.
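As an added example (not part of the original page and not Alibaba Cloud's own tooling), the script below applies the layered policy of the web-application model above (internet -> load balancer -> web servers -> database) to constructed five-tuple records and reports accepted flows that the layering forbids. The address plan, ports, and the record layout "src dst proto dport action" are assumptions; the layout is a simplified stand-in for the real VPC Flow Log fields.

```python
# Added example (not Alibaba Cloud code): check constructed five-tuple flow records
# against a layered policy. The record layout "src dst proto dport action" is a
# simplified stand-in for VPC Flow Log fields, not the exact schema.
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed address plan (constructed)
LAYERS = {  # one vSwitch per security layer
    "lb": ipaddress.ip_network("10.0.0.0/24"),   # public load balancer entrance
    "web": ipaddress.ip_network("10.0.1.0/24"),  # web servers, no internet route
    "db": ipaddress.ip_network("10.0.2.0/24"),   # databases, no internet route
}
# Layered policy: traffic only flows to the adjacent layer, on the expected port.
ALLOWED = {
    ("internet", "lb"): {("tcp", 443)},
    ("lb", "web"): {("tcp", 8080)},
    ("web", "db"): {("tcp", 3306)},
}

def layer_of(ip: str) -> str:
    """Map an address to its layer; anything outside the VPC CIDR is 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr not in VPC_CIDR:
        return "internet"
    # inside the VPC but in no planned vSwitch -> 'unknown'
    return next((name for name, net in LAYERS.items() if addr in net), "unknown")

def classify_flow(line: str) -> dict:
    """Parse one record and decide whether the layered policy permits it."""
    src, dst, proto, dport, action = line.split()
    src_layer, dst_layer = layer_of(src), layer_of(dst)
    permitted = (proto, int(dport)) in ALLOWED.get((src_layer, dst_layer), set())
    return {"src": src_layer, "dst": dst_layer, "proto": proto,
            "dport": int(dport), "action": action, "permitted": permitted}

def find_violations(log_text: str) -> list:
    """Accepted flows the policy forbids: candidates for a tighter network ACL
    (whole vSwitch) or security group rule (specific instances)."""
    flows = [classify_flow(l) for l in log_text.splitlines() if l.strip()]
    return [f for f in flows if f["action"] == "ACCEPT" and not f["permitted"]]

SAMPLE_LOG = """\
198.51.100.7 10.0.0.10 tcp 443 ACCEPT
10.0.0.10 10.0.1.20 tcp 8080 ACCEPT
10.0.1.20 10.0.2.30 tcp 3306 ACCEPT
198.51.100.7 10.0.2.30 tcp 3306 ACCEPT
10.0.0.10 10.0.2.30 tcp 3306 ACCEPT
10.0.2.30 198.51.100.9 tcp 443 ACCEPT
198.51.100.7 10.0.1.20 tcp 22 REJECT
"""  # constructed sample records
```

Running `find_violations(SAMPLE_LOG)` on the constructed records flags the internet-to-database, load-balancer-to-database, and database-to-internet flows; the rejected SSH attempt is not reported because an existing control already blocked it.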