Workload-Level Reference Architecture

For some small and medium-sized enterprises, a single Huawei Cloud account is sufficient for their IT system management. In such cases, customers deploy all their workloads within that one account.

Huawei Cloud provides a workload-level security reference architecture for a single account.

The security design of this architecture is as follows:

• Network security
  • Anti-DDoS Service is used to defend against DDoS attacks.
  • Web Application Firewall (WAF) is used to defend against web attacks.
  • SSL certificates are used for communication encryption.
  • Cloud Firewall (CFW) is implemented between Internet borders and VPCs.
• Operating environment security
  • Host Security Service (HSS) protects host and container security.
  • Network ACLs and security groups are used for access control in a VPC.
  • Vulnerability Scan Service (VSS) is used to periodically scan vulnerabilities of cloud resources.
• Data security
  • Data Security Center (DSC) ensures data security throughout the data lifecycle.
  • Data encryption is enabled by default.
  • Database Security Service (DBSS) is deployed for key databases.
  • Cloud Backup and Recovery (CBR) is used to prevent loss of key data.
• Security operations
  • SecMaster monitors the overall security of the cloud.
  • Services such as Cloud Log Service (LTS), Cloud Trace Service (CTS), Config, and Cloud Eye are used to manage cloud resources.
  • Threat Detection Service (TDS) is used to detect malicious activities and unauthorized behaviors in logs of various cloud services.
  • Cloud Bastion Host (CBH) is used for O&M.