How to lock-down a private VPC in Alibaba Cloud

Posted on 15 June 2020 by Alberto Roura.
Tags: alibaba cloud, vpc, security, network security, private network

Securing a private Virtual Private Cloud (VPC) in Alibaba Cloud is essential for protecting your cloud resources. This guide covers best practices and step-by-step instructions for locking down a VPC to ensure maximum security and isolation.

Understanding VPC Security

Security Layers

  • Network Isolation: Isolate VPC from public internet
  • Security Groups: Control instance-level access
  • Network ACLs: Control subnet-level access
  • Route Tables: Control traffic routing

Security Principles

  • Least Privilege: Grant minimum necessary access
  • Defense in Depth: Multiple security layers
  • Network Segmentation: Segment network resources
  • Monitoring: Comprehensive monitoring and logging

Step 1: Create Private VPC

Create VPC Without Internet Gateway

# Create VPC without internet gateway
aliyun vpc CreateVpc \
  --RegionId cn-hangzhou \
  --CidrBlock "172.16.0.0/16" \
  --VpcName "private-vpc" \
  --Description "Private VPC without internet access"

Create Private VSwitches

# Create private VSwitch (no internet gateway)
aliyun vpc CreateVSwitch \
  --VpcId vpc-xxxxx \
  --CidrBlock "172.16.1.0/24" \
  --ZoneId cn-hangzhou-a \
  --VSwitchName "private-subnet-1"

Step 2: Configure Security Groups

Create Restrictive Security Group

# Create security group
aliyun ecs CreateSecurityGroup \
  --RegionId cn-hangzhou \
  --VpcId vpc-xxxxx \
  --SecurityGroupName "private-sg" \
  --Description "Restrictive security group for private VPC"

Deny All Inbound Traffic by Default

# Security groups deny all by default
# Only add specific allow rules as needed

Allow Only Necessary Traffic

# Allow SSH from specific IP (if needed for management)
aliyun ecs AuthorizeSecurityGroup \
  --SecurityGroupId sg-xxxxx \
  --IpProtocol tcp \
  --PortRange "22/22" \
  --SourceCidrIp "10.0.0.0/8" \
  --Description "Allow SSH from internal network only"

# Allow internal VPC communication (IpProtocol takes tcp/udp/icmp/gre/all, not -1;
# "all" must be paired with PortRange -1/-1)
aliyun ecs AuthorizeSecurityGroup \
  --SecurityGroupId sg-xxxxx \
  --IpProtocol all \
  --PortRange "-1/-1" \
  --SourceCidrIp "172.16.0.0/16" \
  --Description "Allow all traffic within VPC"
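The two rules above only make sense together with the default-deny semantics of the group. The following script is an added example (not part of the original post and not Alibaba Cloud tooling) that evaluates a security group the way the cloud does: no matching Accept rule means denied, the lowest Priority number is considered first, and a Drop rule beats an Accept rule at the same priority. It also audits the ingress rules for any Accept rule whose source is not inside a trusted range. The JSON is a constructed sample shaped like the Permissions section of DescribeSecurityGroupAttribute output; the function names and the extra 443 and Drop rules are assumptions made for the illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like the "Permissions" section returned by
# `aliyun ecs DescribeSecurityGroupAttribute`. Not real API output.
SAMPLE_SG = json.loads("""
{
  "SecurityGroupId": "sg-xxxxx",
  "VpcId": "vpc-xxxxx",
  "Permissions": {
    "Permission": [
      {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
       "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8", "Priority": "1"},
      {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
       "PortRange": "22/22", "SourceCidrIp": "10.99.0.0/16", "Priority": "1"},
      {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
       "PortRange": "-1/-1", "SourceCidrIp": "172.16.0.0/16", "Priority": "1"},
      {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
       "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Priority": "1"}
    ]
  }
}
""")


def _port_in_range(port, port_range):
    """PortRange is "lo/hi"; "-1/-1" means every port (used with all/icmp/gre)."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo, hi) == (-1, -1) or lo <= port <= hi


def _rule_matches(rule, proto, port, src_ip):
    """Does this ingress rule cover the given protocol, port and source address?"""
    if rule.get("Direction") != "ingress":
        return False
    rule_proto = rule["IpProtocol"].lower()
    if rule_proto != "all" and rule_proto != proto.lower():
        return False
    if not _port_in_range(port, rule["PortRange"]):
        return False
    src_net = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
    return ipaddress.ip_address(src_ip) in src_net


def is_allowed(sg, proto, port, src_ip):
    """Default deny. Among matching rules only the best (lowest) priority counts,
    and a Drop at that priority wins over an Accept."""
    matches = [r for r in sg["Permissions"]["Permission"]
               if _rule_matches(r, proto, port, src_ip)]
    if not matches:
        return False
    best = min(int(r["Priority"]) for r in matches)
    top = [r for r in matches if int(r["Priority"]) == best]
    return not any(r["Policy"] == "Drop" for r in top)


def audit_ingress(sg, trusted_cidrs):
    """Flag Accept ingress rules whose source range is not inside a trusted CIDR."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in sg["Permissions"]["Permission"]:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
        if not any(src.subnet_of(t) for t in trusted):
            findings.append(f"{sg['SecurityGroupId']}: {rule['IpProtocol']} "
                            f"{rule['PortRange']} open to {src}")
    return findings


if __name__ == "__main__":
    print("ssh from 10.1.2.3:", is_allowed(SAMPLE_SG, "tcp", 22, "10.1.2.3"))
    print("ssh from 10.99.1.1:", is_allowed(SAMPLE_SG, "tcp", 22, "10.99.1.1"))
    for finding in audit_ingress(SAMPLE_SG, ["10.0.0.0/8", "172.16.0.0/16"]):
        print("FINDING:", finding)
```

Run it against the real output of DescribeSecurityGroupAttribute by loading that JSON instead of SAMPLE_SG; the audit will list exactly the rules that punch a hole in a "private" group, which is the review called for in Step 10.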

Step 3: Configure Network ACLs

Create Network ACL

# Network ACLs provide subnet-level filtering
# Create restrictive ACL rules

Deny Internet Traffic

  • Default Deny: Deny all traffic by default
  • Allow Internal: Allow only internal VPC traffic
  • Specific Rules: Add specific allow rules as needed

Step 4: Configure Route Tables

Private Route Table

# Create route table
aliyun vpc CreateRouteTable \
  --VpcId vpc-xxxxx \
  --RouteTableName "private-routes"

# Associate with VSwitch
aliyun vpc AssociateRouteTable \
  --RouteTableId vtb-xxxxx \
  --VSwitchId vsw-xxxxx

Remove Internet Routes

# Ensure no routes to internet gateway
# Only local VPC routes should exist
aliyun vpc DescribeRouteTables \
  --VpcId vpc-xxxxx

Step 5: Remove Internet Gateway

Verify No Internet Gateway

# Alibaba Cloud VPCs have no separate internet-gateway object: internet reachability
# comes from NAT gateways, EIPs and ECS public IPs, so those are what to look for
aliyun vpc DescribeNatGateways \
  --VpcId vpc-xxxxx

# Delete any NAT gateways if found
aliyun vpc DeleteNatGateway \
  --NatGatewayId ngw-xxxxx

Remove EIP Associations

# Ensure no EIPs are associated (the EIP APIs belong to the vpc product, not ecs)
aliyun vpc DescribeEipAddresses \
  --RegionId cn-hangzhou

# Release EIPs if not needed
aliyun vpc ReleaseEipAddress \
  --AllocationId eip-xxxxx

Step 6: Configure Instance Security

Launch Instances Without Public IP

# Launch ECS instance without public IP (RunInstances takes the VSwitch, which
# already determines the VPC; InternetMaxBandwidthOut 0 means no public IP is assigned)
aliyun ecs RunInstances \
  --InstanceType ecs.t5-lc1m1.small \
  --ImageId m-xxxxx \
  --VSwitchId vsw-xxxxx \
  --SecurityGroupId sg-xxxxx \
  --InternetChargeType PayByTraffic \
  --InternetMaxBandwidthOut 0

Use Private IPs Only

  • No Public IPs: Don’t assign public IPs
  • Private IPs Only: Use only private IP addresses
  • Internal Communication: Use private IPs for communication

Step 7: Implement Access Controls

RAM Policies

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ecs:AllocatePublicIpAddress",
        "vpc:AssociateEipAddress"
      ],
      "Resource": "*"
    }
  ]
}

Restrict VPC Modifications

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "vpc:CreateNatGateway",
        "vpc:CreateInternetGateway"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:VpcId": "vpc-xxxxx"
        }
      }
    }
  ]
}

Step 8: Enable Monitoring and Logging

VPC Flow Logs

# Enable VPC Flow Logs (CreateFlowLog also needs the Log Service project that
# owns the logstore; sls-project-xxxxx is a placeholder)
aliyun vpc CreateFlowLog \
  --ResourceId vpc-xxxxx \
  --ResourceType VPC \
  --TrafficType All \
  --ProjectName sls-project-xxxxx \
  --LogStoreName vpc-flow-logs

ActionTrail

  • Enable ActionTrail: Enable audit logging
  • VPC Events: Log all VPC-related events
  • Access Logs: Log all access attempts
  • Compliance: Meet compliance requirements

CloudMonitor

  • Network Monitoring: Monitor network traffic
  • Security Events: Monitor security events
  • Alerts: Set up security alerts
  • Dashboards: Create security dashboards

Step 9: Additional Security Measures

Bastion Host (If Needed)

If management access is needed:

  • Dedicated Instance: Use dedicated bastion host
  • Restricted Access: Restrict access to bastion only
  • MFA: Require multi-factor authentication
  • Audit Logging: Comprehensive audit logging

VPN Access (If Needed)

For secure access:

  • VPN Gateway: Set up VPN gateway
  • IPsec VPN: Use IPsec VPN
  • Client VPN: Configure client VPN
  • Access Control: Strict access controls

Express Connect (If Needed)

For hybrid connectivity:

  • Dedicated Connection: Use Express Connect
  • Private Connection: Private, dedicated connection
  • Access Control: Control access via routing
  • Monitoring: Monitor connection usage

Step 10: Verification and Testing

Verify No Internet Access

# Test from instance (bound both checks: ping without -c never returns)
ping -c 3 -W 2 8.8.8.8  # Should fail
curl -m 5 https://www.google.com  # Should fail

Verify Internal Communication

# Test internal communication
ping -c 3 -W 2 <other-instance-private-ip>  # Should succeed

Security Audit

  1. Review Security Groups: Review all security group rules
  2. Check Route Tables: Verify route table configuration
  3. Audit Logs: Review audit logs
  4. Penetration Testing: Conduct security testing

Best Practices

Network Design

  1. Private Subnets: Use private subnets only
  2. Network Segmentation: Segment by function
  3. No Internet Gateway: Don’t create internet gateway
  4. Restrictive Routes: Use restrictive routing

Security

  1. Default Deny: Deny all by default
  2. Least Privilege: Grant minimum access
  3. Regular Audits: Regular security audits
  4. Monitoring: Comprehensive monitoring

Access Management

  1. RAM Policies: Use RAM for access control
  2. MFA: Require multi-factor authentication
  3. Regular Reviews: Review access regularly
  4. Documentation: Maintain security documentation

Troubleshooting

Common Issues

  • Cannot Access Instances: Check security groups and routes
  • Internal Communication Fails: Verify security group rules
  • Unexpected Internet Access: Check for NAT gateways or EIPs
  • Access Denied: Review RAM policies

Diagnostic Commands

# Check VPC configuration
aliyun vpc DescribeVpcs --VpcId vpc-xxxxx

# Check security groups
aliyun ecs DescribeSecurityGroups --SecurityGroupId sg-xxxxx

# Check route tables
aliyun vpc DescribeRouteTables --VpcId vpc-xxxxx

# Check NAT gateways
aliyun vpc DescribeNatGateways --VpcId vpc-xxxxx
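The diagnostic commands above print JSON that still has to be read by eye. The script below is an added example (not from the original post, not Alibaba Cloud tooling) that turns the three outputs most relevant to "unexpected internet access" into findings: any route entry that is not local and leads outside the VPC CIDR (including a 0.0.0.0/0 default route), any NAT gateway attached to the VPC, and any EIP in the InUse state. The three JSON documents are constructed samples approximating the shape of DescribeRouteTables, DescribeNatGateways and DescribeEipAddresses output; the function names and the vpc-xxxxx/ngw-xxxxx identifiers are the page's placeholders, not real resources.

```python
import ipaddress
import json

# Constructed samples approximating `aliyun vpc DescribeRouteTables`,
# `aliyun vpc DescribeNatGateways` and `aliyun vpc DescribeEipAddresses` output.
ROUTE_TABLES = json.loads("""
{"RouteTables": {"RouteTable": [
  {"RouteTableId": "vtb-xxxxx", "VpcId": "vpc-xxxxx",
   "RouteEntrys": {"RouteEntry": [
     {"DestinationCidrBlock": "172.16.0.0/16", "NextHopType": "local", "Type": "System"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NextHopType": "NatGateway",
      "InstanceId": "ngw-xxxxx", "Type": "Custom"}
   ]}}
]}}
""")

NAT_GATEWAYS = json.loads("""
{"NatGateways": {"NatGateway": [
  {"NatGatewayId": "ngw-xxxxx", "VpcId": "vpc-xxxxx", "Status": "Available"}
]}}
""")

EIPS = json.loads("""
{"EipAddresses": {"EipAddress": [
  {"AllocationId": "eip-xxxxx", "IpAddress": "203.0.113.10", "Status": "InUse",
   "InstanceType": "EcsInstance", "InstanceId": "i-xxxxx"},
  {"AllocationId": "eip-yyyyy", "IpAddress": "203.0.113.11", "Status": "Available",
   "InstanceType": "", "InstanceId": ""}
]}}
""")


def audit_routes(route_tables, vpc_cidr):
    """Flag route entries that can carry traffic out of the VPC: a default route,
    or any non-local next hop for a destination outside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for table in route_tables["RouteTables"]["RouteTable"]:
        for entry in table["RouteEntrys"]["RouteEntry"]:
            dest = ipaddress.ip_network(entry["DestinationCidrBlock"], strict=False)
            hop = entry.get("NextHopType", "")
            if hop.lower() == "local":
                continue  # intra-VPC system route, expected
            if dest.prefixlen == 0 or not dest.subnet_of(vpc):
                target = f"{hop} {entry.get('InstanceId', '')}".rstrip()
                findings.append(f"{table['RouteTableId']}: {dest} -> {target}")
    return findings


def audit_nat_gateways(nat_gateways, vpc_id):
    """Any NAT gateway in the VPC is an egress path, whatever the route table says today."""
    return [f"NAT gateway {g['NatGatewayId']} present in {vpc_id}"
            for g in nat_gateways["NatGateways"]["NatGateway"]
            if g.get("VpcId") == vpc_id]


def audit_eips(eips):
    """A bound (InUse) EIP is a public entry point; an unbound one is only cost."""
    return [f"EIP {e['IpAddress']} bound to {e['InstanceType']} {e['InstanceId']}"
            for e in eips["EipAddresses"]["EipAddress"]
            if e.get("Status") == "InUse"]


def audit_exposure(route_tables, nat_gateways, eips, vpc_id, vpc_cidr):
    """Combined report; an empty list means nothing in these three outputs reaches the internet."""
    return (audit_routes(route_tables, vpc_cidr)
            + audit_nat_gateways(nat_gateways, vpc_id)
            + audit_eips(eips))


if __name__ == "__main__":
    for finding in audit_exposure(ROUTE_TABLES, NAT_GATEWAYS, EIPS,
                                  "vpc-xxxxx", "172.16.0.0/16"):
        print("FINDING:", finding)
```

Routes towards a VPN gateway or Express Connect router interface will also be reported, since they do lead outside the VPC CIDR; if those are intentional (Step 9), add an allow-list of expected next hops rather than silencing the check.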

Conclusion

Locking down a private VPC in Alibaba Cloud requires careful configuration of security groups, network ACLs, route tables, and access controls. By following this guide and implementing defense-in-depth security measures, you can create a highly secure private VPC that isolates your resources from the public internet while maintaining necessary internal connectivity.

Regular security audits, monitoring, and adherence to security best practices ensure your private VPC remains secure and compliant with your organization’s security requirements.
