SEC04-02 Controlling Network Traffic Access
Controlling network traffic ensures that traffic between network partitions is predictable and explicitly allowed. Following the zero-trust principle, all inbound and outbound traffic must be verified at the network level, regardless of whether it originates inside or outside the cloud. Also ensure that the capacity of network devices and the bandwidth of each network zone meet service requirements during peak hours.
- Risk level
High
- Key strategies
- When designing the network topology, check the connection requirements of each component. For example, you can check whether Internet accessibility (inbound and outbound), VPC connection, edge services, and external data centers are required. Do not place resources in a public subnet of a VPC unless the resources have to receive traffic from the Internet.
- Apply defense in depth to inbound and outbound traffic. For example, pass all inbound traffic through intrusion detection and prevention to block malicious attacks, and route outbound traffic from private subnets through a NAT gateway so that instances can initiate connections to the Internet without accepting unsolicited inbound connections from it.
- Filter traffic. Firewalls and ACLs can be used to control the access traffic between internal and external networks, and to control the incoming and outgoing traffic of sensitive areas on internal networks. All network traffic must be checked to block traffic that does not comply with security standards in use. This safeguards system components against unauthorized access attempts originating from untrusted networks.
- When using application (layer-7) load balancers, terminate TLS on the load balancer with certificates issued by a trusted CA, so that client traffic is encrypted in transit and clients can verify the endpoint.
- Enable VPC flow logs. VPC flow logs record information about traffic going to and coming from VPCs. You can use flow logs to monitor network traffic, analyze network attacks, and determine whether security groups and firewall rules need to be changed.
For more details about security logs, see SEC09-01 Implementing Standardized Log Management.
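The last three strategies above (filter traffic with security groups and ACLs, and use flow logs to decide whether those rules need changing) can be worked through as one small audit. The following is an added example written for this page, not code from the cloud provider or its SDK: it parses a few constructed flow-log records in an assumed space-separated layout (version, project ID, interface ID, source and destination address and port, protocol, packets, bytes, start, end, action, log status), and checks them against a constructed security group rule set. The record layout, the subnet 10.0.1.0/24, the trusted range 10.0.0.0/8 and all addresses and identifiers are assumptions for illustration only.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in an ASSUMED flow-log layout:
#   version project_id interface_id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log_status
# Layout, identifiers and addresses are assumptions for this example only.
SAMPLE_FLOW_LOG = """\
1 00000000000000000000000000000000 eni-0a1b 203.0.113.5 10.0.1.20 51822 3389 6 8 640 1700000000 1700000060 REJECT OK
1 00000000000000000000000000000000 eni-0a1b 203.0.113.5 10.0.1.20 51823 3389 6 8 640 1700000000 1700000060 REJECT OK
1 00000000000000000000000000000000 eni-0a1b 203.0.113.5 10.0.1.20 51824 3389 6 8 640 1700000000 1700000060 REJECT OK
1 00000000000000000000000000000000 eni-0a1b 198.51.100.9 10.0.1.20 40001 443 6 30 21000 1700000000 1700000060 ACCEPT OK
1 00000000000000000000000000000000 eni-0a1b 198.51.100.9 10.0.1.20 40002 22 6 5 400 1700000000 1700000060 ACCEPT OK
1 00000000000000000000000000000000 eni-0a1b 10.0.2.7 10.0.1.20 33000 22 6 20 1800 1700000000 1700000060 ACCEPT OK
1 00000000000000000000000000000000 eni-0a1b 10.0.1.20 10.0.2.7 22 33000 6 18 1700 1700000000 1700000060 ACCEPT OK
1 00000000000000000000000000000000 eni-0a1b - - - - - - - 1700000060 1700000120 - NODATA
"""

LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")          # assumed: the protected subnet
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]           # assumed: internal ranges incl. bastion subnet
ADMIN_PORTS = (22, 3389)                                  # SSH and RDP


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    protocol: int
    action: str


@dataclass(frozen=True)
class Rule:
    direction: str                 # "ingress" or "egress"
    protocol: str                  # "tcp", "udp", "icmp" or "any"
    port_from: int
    port_to: int
    remote: ipaddress.IPv4Network  # remote CIDR the rule matches


# Constructed security group; the second ingress rule is the deliberately weak one.
RULES = [
    Rule("ingress", "tcp", 443, 443, ipaddress.ip_network("0.0.0.0/0")),
    Rule("ingress", "tcp", 22, 22, ipaddress.ip_network("0.0.0.0/0")),    # SSH open to the world
    Rule("ingress", "tcp", 22, 22, ipaddress.ip_network("10.0.2.0/24")),  # SSH from bastion subnet
    Rule("egress", "any", 1, 65535, ipaddress.ip_network("0.0.0.0/0")),
]


def parse_flow_log(text):
    """Parse records with status OK; NODATA/SKIPDATA records carry no addresses and are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        flows.append(Flow(ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]),
                          int(f[6]), int(f[7]), f[12]))
    return flows


def is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def inbound(flows, local_net):
    """Flows entering the local subnet from outside it (egress replies are excluded)."""
    return [f for f in flows if f.dst in local_net and f.src not in local_net]


def untrusted_rejects(flows, local_net, trusted, threshold=2):
    """Untrusted sources rejected repeatedly: candidates for an explicit ACL deny."""
    counts = Counter(str(f.src) for f in inbound(flows, local_net)
                     if f.action == "REJECT" and not is_trusted(f.src, trusted))
    return {src: n for src, n in counts.items() if n >= threshold}


def accepted_admin_from_untrusted(flows, local_net, trusted, admin_ports=ADMIN_PORTS):
    """Accepted admin-port flows from outside trusted ranges: the security group allows too much."""
    return sorted({(str(f.src), f.dst_port) for f in inbound(flows, local_net)
                   if f.action == "ACCEPT" and f.dst_port in admin_ports
                   and not is_trusted(f.src, trusted)})


def open_admin_rules(rules, admin_ports=ADMIN_PORTS):
    """Ingress rules that expose an admin port to 0.0.0.0/0."""
    return [r for r in rules
            if r.direction == "ingress" and r.remote.prefixlen == 0
            and r.protocol in ("any", "tcp")
            and any(r.port_from <= p <= r.port_to for p in admin_ports)]


def audit():
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    return {
        "block_candidates": untrusted_rejects(flows, LOCAL_NET, TRUSTED),
        "tighten_sg": accepted_admin_from_untrusted(flows, LOCAL_NET, TRUSTED),
        "open_admin_rules": open_admin_rules(RULES),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The three findings map to three different controls: the repeatedly rejected scanner belongs in a network ACL deny (cheap, stateless, evaluated before the instance), the accepted SSH session from an untrusted address is the symptom of the ingress rule that exposes port 22 to 0.0.0.0/0, and the rule check itself should run in CI against the security group definitions so the flow log never has to reveal the gap in the first place.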
- Related cloud services and tools
- Virtual Private Cloud (VPC) and VPC Endpoint (VPCEP)
- Enterprise Router (ER)
- Cloud Connect
- Cloud Firewall (CFW) protects Internet and Virtual Private Cloud (VPC) borders on the cloud with real-time intrusion detection and prevention, unified access control, full traffic analysis and visualization, log audit, and tracing. CFW uses AI-assisted detection and can be elastically scaled to meet changing business needs. It is the basic service for enforcing network-level access control on the cloud.
- Web Application Firewall (WAF) protects web applications, such as websites, from common web attacks, helping keep customer workloads stable, secure, and compliant with applicable laws and regulations.
- Anti-DDoS Service (AAD) mitigates DDoS attacks in milliseconds to ensure continuity of your global services, based on machine learning, protection policy tuning, and precise identification of DDoS attacks. It protects EIPs against layer 4 to layer 7 DDoS attacks and raises alarms in real time, helping improve bandwidth utilization and keep customer workloads stable.
- NAT Gateway (NAT): A NAT gateway sits between the Internet and your VPC. It translates private addresses so that the IP addresses of internal hosts are not exposed, and lets instances in private subnets initiate outbound connections without accepting unsolicited inbound ones, reducing the attack surface of the virtual environment.
- Elastic Load Balance (ELB) distributes traffic across multiple backend nodes.