Best Practices for Building Secure Global Networks (Internal and External)
Global Connection and Comprehensive Protection
One of the major challenges to cybersecurity comes from access between networks in different regions. When connecting Alibaba Cloud network products in different regions, Cloud Enterprise Network (CEN) serves as a secure, global private network that provides high performance and low latency within Alibaba Cloud. By using CEN, you can establish private network connections between Virtual Private Cloud (VPC) networks in different regions, or between VPC networks and on-premises data centers. CEN supports automatic route distribution and learning, which speeds up network convergence, improves the quality and security of cross-network communications, and interconnects all network resources. With these benefits, CEN can help you build an extended enterprise-level network with cross-network communication capabilities. As the basic component for enterprise connectivity, CEN provides outstanding security. By using typical access control policies combined with cloud services such as Cloud Firewall and PrivateZone, CEN provides enterprises with comprehensive security protection.
Private Network Isolation
As a cloud network, CEN first builds channels for private network intercommunication. Cloud enterprise networks built through CEN are fully private networks that do not need to expose public network entries. This significantly reduces their vulnerability to attacks from public networks, greatly decreasing security risks. You can define strict access control policies and customize rules to permit or deny specific traffic flows. Then, you can apply these access control policies to instances to achieve trusted communication. By implementing routing policies, you can filter route information and modify route attributes. This allows you to define cloud network intercommunication capabilities and configure a wide range of route control capabilities.
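The two mechanisms described above, an ordered access control policy applied to traffic flows and a routing policy that filters learned routes and rewrites their attributes, can be modelled in a few dozen lines. The block below is an added example, not Alibaba Cloud or CEN code: the rule fields (action, src, dst, proto, dst_port), the route map entry format, the "lower priority value is preferred" convention and the sample CIDRs are all constructed assumptions. It shows first-match semantics with default-deny for flows, and first-match permit/deny with attribute rewriting for routes, where unmatched routes are dropped.

```python
"""Toy model of CEN-style access control and route policies.

Added illustration, not Alibaba Cloud code: rule and route-map field
names and the sample addresses are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


def evaluate_acl(rules: List[AclRule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action
    return "deny"   # default-deny: only explicitly permitted flows pass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    priority: int = 100   # assumption: lower value is preferred


@dataclass(frozen=True)
class RouteMapEntry:
    match_prefix: str                 # matches routes whose prefix lies inside this CIDR
    result: str                       # "permit" or "deny"
    set_priority: Optional[int] = None  # attribute rewrite applied on permit


def apply_route_map(entries: List[RouteMapEntry], routes: List[Route]) -> List[Route]:
    """Filter learned routes and rewrite attributes.

    First matching entry decides; routes that match no entry are dropped,
    so a route map is also default-deny.
    """
    accepted = []
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        for entry in entries:
            if net.subnet_of(ipaddress.ip_network(entry.match_prefix)):
                if entry.result == "permit":
                    prio = entry.set_priority if entry.set_priority is not None else route.priority
                    accepted.append(Route(route.prefix, route.next_hop, prio))
                break
    return accepted


# Constructed sample policy: only HTTPS from VPC-A to VPC-B, only MySQL back.
ACL_RULES = [
    AclRule("permit", "10.1.0.0/16", "10.2.0.0/16", "tcp", 443),
    AclRule("deny", "10.1.0.0/16", "10.2.0.0/16"),
    AclRule("permit", "10.2.0.0/16", "10.1.0.0/16", "tcp", 3306),
]

# Constructed sample route map: drop a quarantined prefix, prefer the rest of 10/8.
ROUTE_MAP = [
    RouteMapEntry("10.99.0.0/16", "deny"),
    RouteMapEntry("10.0.0.0/8", "permit", set_priority=50),
]

LEARNED_ROUTES = [
    Route("10.99.1.0/24", "vpc-quarantine"),
    Route("10.3.0.0/16", "vpc-b"),
    Route("172.16.0.0/12", "dc-1"),
]

if __name__ == "__main__":
    print(evaluate_acl(ACL_RULES, Flow("10.1.5.5", "10.2.1.1", "tcp", 443)))
    print(apply_route_map(ROUTE_MAP, LEARNED_ROUTES))
```

Both evaluators fail closed: a flow or route that no entry mentions is dropped rather than passed, which is the property you want before attaching a policy to a CEN instance.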
CEN access links support encrypted transmission to minimize the risks posed by intermediate links. The cloud network uses Smart Access Gateway (SAG) to establish private encrypted channels between Alibaba Cloud access points. By rigorously preventing replay attacks and periodically rotating keys, SAG ensures that user traffic is neither tampered with nor eavesdropped on along public network transmission paths. Cloud Firewall allows you to implement access control, traffic analysis, and post-event auditing in scenarios that require intercommunication over public networks and cross-VPC access.
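The replay protection mentioned above is usually implemented as a sliding window over per-packet sequence numbers, the approach standardised for IPsec ESP in RFC 4303: a packet is accepted only if its sequence number is new and not so old that it has fallen behind the window, and the check runs only after the packet's authentication tag has verified so that forged packets cannot move the window. The block below is an added example, not SAG code; the window size, the HMAC-SHA256 packet tag, the key value and the packet sequence are constructed assumptions. Re-keying resets the window because a fresh key starts a fresh sequence-number space.

```python
"""Sliding-window anti-replay check with authenticate-then-update ordering.

Added example, not Smart Access Gateway code. Window size, tag construction
and the sample packets below are assumptions made for illustration.
"""
import hashlib
import hmac
import struct


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq <= 0:
            return False                      # counters start at 1; 0 is never valid
        if seq > self.highest:
            shift = seq - self.highest        # slide the window forward
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen is now out of range
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset
        return True

    def rekey(self) -> None:
        """A new key brings a new sequence space, so the window starts over."""
        self.highest = 0
        self.bitmap = 0


def tag_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authentication tag covering the sequence number and the payload."""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


def accept_packet(key: bytes, window: ReplayWindow, seq: int, payload: bytes, tag: bytes) -> str:
    """Verify the tag first, then consult the window; returns "ok", "bad_mac" or "replay"."""
    if not hmac.compare_digest(tag_packet(key, seq, payload), tag):
        return "bad_mac"                      # window untouched: forgeries cannot advance it
    return "ok" if window.check_and_update(seq) else "replay"


def run_demo() -> list:
    """Feed a constructed packet sequence through an 8-entry window."""
    key = b"\x11" * 32                        # constructed demo key
    window = ReplayWindow(size=8)
    results = []
    for seq in (1, 1, 5, 3, 3, 20, 12, 13):   # 1 replayed, 3 replayed, 12 too old
        payload = b"data-%d" % seq
        results.append(accept_packet(key, window, seq, payload, tag_packet(key, seq, payload)))
    # A forged packet with a good sequence number but a bad tag must not advance the window.
    results.append(accept_packet(key, window, 30, b"forged", b"\x00" * 32))
    results.append(window.highest)            # still 20
    window.rekey()
    results.append(accept_packet(key, window, 1, b"fresh", tag_packet(key, 1, b"fresh")))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The ordering in accept_packet matters: if the window were updated before the tag check, an attacker on the path could inject packets with high sequence numbers and push legitimate in-flight traffic out of the window, a denial of service that the authenticate-first rule prevents.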
Prevention of DNS Hijacking and Domain Name Pollution
PrivateZone is a private DNS resolution and management service based on Alibaba Cloud VPC environments. By accessing PrivateZone through CEN, you can prevent your business DNS from being exposed to a public network. This helps prevent DNS hijacking and domain name pollution.
Powerful Acceleration and Ultimate Security
Customers in any region around the world can access the same services over the Internet, but the access quality and experience vary greatly from one customer to another. Access links on the Internet are uncontrollable. Access requests hop between multiple nodes to reach the destination server, the intermediate nodes are not under your control, and the request and response paths may differ. Each node a request passes through can degrade performance by introducing delay or jitter. These nodes can also degrade service quality through congestion and packet loss.
To solve these problems, Alibaba Cloud’s Apsara Cloud Network Management launched Global Accelerator (GA), which is a global network acceleration service. Based on Alibaba’s high-quality BGP bandwidth and global network, this service can direct user traffic to nearby acceleration nodes and deploy applications across regions. This can reduce the negative impact of network issues such as latency, jitter, and packet loss on service quality, providing global users with a high-availability and high-performance network acceleration service.
GA integrates scheduling and acceleration capabilities to provide high-quality, high-performance, high-availability, secure, reliable, and easy-to-deploy network acceleration services. The integration of Anti-DDoS Pro and Web Application Firewall (WAF) provides tiered security protection for enterprise applications.
Work with Anti-DDoS Pro
GA provides free protection against DDoS attacks at rates of up to 2 to 5 Gbit/s. Linked with Anti-DDoS Pro, GA can defend against attacks of hundreds of Gbit/s. Requests from terminals are scrubbed of DDoS traffic before entering the acceleration network, ensuring the continuous availability of Internet application services. This provides a highly secure cross-region acceleration solution for global mobile Internet service providers.
Work with WAF Protection
For web applications, GA integrates WAF. Linked with WAF, GA provides a highly secure cross-region acceleration solution for global web application providers based on cloud security and big data capabilities.
Finding ways to empower government and enterprise users with intelligent network capabilities will be a key strategy and breakthrough point for future network development. After cloud migration, users must adopt completely new network construction services and operation methods. This means many existing network service tools and systems need to be completely reconstructed. This also represents many new opportunities for the networking industry. Improving efficiency by using intelligent network services will be a major future trend. Given the ongoing development of its digital economy, China is gradually establishing its position as the center of the global digital economy. Whether Chinese enterprises go overseas or multinational enterprises run business in China, networks will become the basic infrastructure that connects branches inside and outside the country. This will make networks the factor that most directly affects productivity. For the Alibaba Cloud Network team, our ultimate mission is to simplify the networks.