Network Layer Security Description
Overview
Help users build a multi-layered, in-depth defense system on the cloud, reducing potential operational risks through traffic analysis, visualization, fault diagnosis, and network architecture optimization.
Requirement scenarios
Requirement scenario 1: Network access control
The threshold for launching network attacks is increasingly low, and server breaches are frequent. Once a company faces a network attack, the losses can be significant. Implementing network control measures is essential to prevent such attacks.
- Virtual Private Cloud (VPC)
A VPC is a customizable virtual network that allows flexible configuration of network address spaces to achieve isolation between different services.
The most common operational and maintenance challenges engineers face include IP address overlaps, exhaustion, and public IP misuse, which hinder rapid and efficient scaling. To prevent address conflicts during VPC scaling or when establishing VPNs or dedicated channels with IDC and other public cloud platforms later, early-stage network planning is essential to allocate address space appropriately.
Currently, Baidu AI Cloud's available address spaces include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. It is generally recommended to reserve a relatively large address space and avoid allocating small VPCs to ensure flexibility. Group similar services within the same subnet for unified server management. Baidu AI Cloud supports integrating BCC, DCC sub-instances, BBC, and other products into the VPC.
For more details: Virtual Private Cloud VPC
- Route table
The route table acts as the traffic controller in the VPC, enabling global and subnet-level traffic management through a single global route table. By default, subnets within the same VPC can communicate with one another. Users can also customize routing rules to control network traffic destinations. Currently, Baidu AI Cloud supports Peering Connections, NAT gateways, VPN gateways, dedicated gateways, and custom forwarding instances to provide routing solutions for various scenarios.
For more details: Route Table
- NAT Gateway
The NAT gateway provides Internet access services for cloud servers and supports SNAT and DNAT. It allows multiple cloud server instances to share public IP resources for Internet access and lets cloud server instances offer Internet services.
The network address translation gateway facilitates internal access to the external network while concealing internal servers from external exposure, thereby enhancing network privacy and security.
For more details: NAT Gateway
- VPN gateway and dedicated access ET
When cross-border connections exist, Internet data is highly vulnerable to hacker attacks. Utilizing VPN and dedicated line services to establish end-to-end encrypted tunnels or dedicated transmission channels can significantly mitigate attack risks.
Baidu AI Cloud’s VPN gateway allows quick and flexible establishment of VPN tunnels with multiple user data centers. Built on a highly reliable active-standby architecture, the VPN gateway supports features like automatic health detection and fault recovery.
For users seeking both ultra-low network latency and high stability, Baidu AI Cloud's dedicated line service is the ideal solution. It provides a fast and dependable connection between IDCs and Baidu AI Cloud, comprising two components: physical dedicated lines and dedicated gateways. Users can subdivide physical lines into virtual link resources, and maintain dedicated gateways in their VPCs, binding channels and configuring routes to achieve seamless traffic interconnectivity.
For more details: VPN gateway, Dedicated line access ET
- Security groups and ACLs
Hackers can utilize socket programming to establish TCP connections with specific ports on a target host, validate transport protocols, detect active service ports (from the range 0 to 65535), identify the server’s services, and assess vulnerabilities.
High-risk ports are frequently exploited by hackers to penetrate servers and deploy malware, posing significant security threats. Securing server ports is crucial, with commonly targeted ones including TCP 135, 139, 445, 1433, 3306, 5900, among others.
Exposing all ports without restrictions increases the risk of severe losses if the server is compromised. Servers are designed to provide services only to legitimate clients while blocking unauthorized access. How can we effectively minimize such access?
Security groups are instance-level static firewalls for Baidu Cloud Compute that define ingress and egress policies using IP and port parameters. The default settings allow all inbound and outbound traffic; for enhanced security, users should restrict ingress to the ports the instance actually serves and limit outbound traffic to what the workload needs, so that each rule grants the minimum external access required.
ACLs are subnet-level firewall components that allow flexible traffic configuration for one or more subnets, meeting users’ diverse security needs during network deployments.
For more details: Security Group, ACL, Security Group Best Practices (Beginner), Security Group Best Practices (Advanced)
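To make the least-privilege guidance concrete, here is an added example (not Baidu AI Cloud code, and the rule shape is an assumption rather than any vendor's schema) that evaluates a security group's ingress rules and reports which of the high-risk ports named above a default allow-all group exposes to the Internet, compared with a restricted group. The 10.20.0.0/16 and 192.168.1.0/24 source ranges are assumed corporate VPN and application subnets.

```python
import ipaddress
from dataclasses import dataclass

# Ports the text lists as frequently targeted; extend the set for your environment.
HIGH_RISK_TCP_PORTS = {135, 139, 445, 1433, 3306, 5900}


@dataclass(frozen=True)
class IngressRule:
    protocol: str     # "tcp", "udp" or "all" (assumed rule shape, not a vendor schema)
    port_from: int    # inclusive start of the port range, 0-65535
    port_to: int      # inclusive end of the port range
    source_cidr: str  # addresses allowed to connect


def rule_matches(rule, protocol, port, source_ip):
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    network = ipaddress.ip_network(rule.source_cidr, strict=False)
    return ipaddress.ip_address(source_ip) in network


def is_allowed(rules, protocol, port, source_ip):
    """A security group is an allow-list: any matching rule permits the flow."""
    return any(rule_matches(r, protocol, port, source_ip) for r in rules)


def internet_exposed_high_risk_ports(rules):
    """High-risk TCP ports reachable from anywhere, i.e. via a rule whose source is 0.0.0.0/0."""
    world_open = [r for r in rules
                  if ipaddress.ip_network(r.source_cidr, strict=False).prefixlen == 0]
    return sorted(p for p in HIGH_RISK_TCP_PORTS
                  if any(rule_matches(r, "tcp", p, "0.0.0.0") for r in world_open))


# The default setting the text warns about: every port open to every address.
DEFAULT_ALLOW_ALL = [IngressRule("all", 0, 65535, "0.0.0.0/0")]

# Least-privilege version: the served port from the Internet, SSH only from an
# assumed corporate VPN range, MySQL only from an assumed application subnet.
LEAST_PRIVILEGE = [
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "10.20.0.0/16"),
    IngressRule("tcp", 3306, 3306, "192.168.1.0/24"),
]

if __name__ == "__main__":
    print("default group exposes:", internet_exposed_high_risk_ports(DEFAULT_ALLOW_ALL))
    print("least-privilege group exposes:", internet_exposed_high_risk_ports(LEAST_PRIVILEGE))
```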
Requirement scenario 2: Diagnostic logs and monitoring systems
Network issues require prompt attention; during jitter or unexpected traffic spikes, manual log collection may be infeasible, making failure analysis difficult once the issue resolves, let alone preemptively addressing future problems.
- Flow log
Flow logs capture network traffic data sent and received by cloud server instances within a VPC, enabling users to analyze traffic, visualize data, diagnose faults, and optimize network architecture.
Flow logs retain contextual fault data to facilitate quick network issue diagnosis and resolution, such as determining whether a Baidu Cloud Compute instance’s inaccessibility stems from misconfigured security groups or ACLs.
Flow logs track NIC traffic to enhance data-driven operations and enable network optimizations, like analyzing past data to benchmark networks, identifying bottlenecks for capacity adjustments, mapping user regions to expand coverage, and refining security policies by studying traffic flows.
Installing traditional traffic checkpoints can degrade cloud host performance. Conversely, flow logs detect network threats without performance impacts, strengthening security by identifying wide IP range connections, interactions with threat-related IPs, or unusual protocol communications.
For more details: Flow Logs
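The three uses of flow logs described above (explaining an unreachable instance, spotting wide IP range connections, and matching flows against threat-related IPs) as an added example, not Baidu AI Cloud's flow-log tooling. The record layout, the sample records and the threat list are all constructed; map your provider's field names onto the parser.

```python
from collections import defaultdict

# Constructed sample records: "timestamp src_ip dst_ip src_port dst_port proto action"
SAMPLE_FLOW_LOG = """\
1700000000 203.0.113.5 10.0.1.10 51000 443 6 ACCEPT
1700000001 203.0.113.5 10.0.1.10 51001 22 6 REJECT
1700000002 203.0.113.5 10.0.1.10 51002 22 6 REJECT
1700000003 10.0.1.20 198.51.100.1 40000 445 6 ACCEPT
1700000004 10.0.1.20 198.51.100.2 40001 445 6 ACCEPT
1700000005 10.0.1.20 198.51.100.3 40002 445 6 ACCEPT
1700000006 10.0.1.20 198.51.100.4 40003 445 6 ACCEPT
1700000007 10.0.1.30 192.0.2.99 40004 8080 6 ACCEPT
"""

# Constructed threat list (placeholder address, not a real indicator)
THREAT_IPS = {"192.0.2.99"}


def parse_flow_log(text):
    records = []
    for line in text.splitlines():
        ts, src, dst, sport, dport, proto, action = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "sport": int(sport),
                        "dport": int(dport), "proto": int(proto), "action": action})
    return records


def rejected_ports(records, instance_ip):
    """Ports on which traffic to the instance was dropped. If clients report the
    instance unreachable and their port shows up here, check the security group
    and ACL before suspecting the instance itself."""
    return sorted({r["dport"] for r in records
                   if r["dst"] == instance_ip and r["action"] == "REJECT"})


def wide_fan_out(records, min_distinct_dsts=4):
    """Sources that contacted at least min_distinct_dsts distinct destination IPs,
    the 'wide IP range connection' pattern worth a closer look."""
    dsts = defaultdict(set)
    for r in records:
        dsts[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


def threat_contacts(records, threat_ips):
    """Flows where either endpoint is on the threat list."""
    return [r for r in records if r["src"] in threat_ips or r["dst"] in threat_ips]
```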
- Baidu Cloud Monitor (BCM)
BCM lets users monitor the health of various Baidu AI Cloud products, including Baidu Cloud Compute, cloud databases, object storage, and content delivery networks. Through features like site, application, and custom monitoring, BCM enhances operational tracking and preserves stable performance.
Alarm strategies enable users to receive instant notifications via SMS and email when cloud services encounter anomalies or resource shortfalls. Historical monitoring data helps diagnose issues and facilitate their resolution.
BCM is automatically activated upon registering a Baidu AI Cloud account, without requiring extra purchases or activation. Once users buy Baidu AI Cloud products, they can view operational statuses and set alarms using the management console.
For more details: BCM
Requirement scenario 3: Cloud-based network attack protection
- What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack involves multiple attackers in varied locations jointly targeting one or more victims, or a single attacker controlling multiple devices to launch simultaneous attacks.
DDoS attacks typically fall into two categories: traffic-based attacks that overload network bandwidth with malicious packets, blocking legitimate traffic, and resource exhaustion attacks that drain server memory or CPU via excessive malicious packets, disabling network services. Key symptoms during DDoS attacks include:
(1) Hosts under attack will experience an excessive number of pending TCP connections.
(2) Networks become inundated with spoofed-address packets, rendering them largely non-functional.
(3) High-volume useless data is generated to create network congestion, disrupting the victim host's ability to communicate normally.
(4) Vulnerabilities in the victim host's services or transport protocols are exploited, with specific service requests sent repeatedly at high speed, preventing the host from processing regular requests efficiently.
(5) In extreme cases, this can lead to system crashes.
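Symptom (1), a pile-up of pending TCP connections, is one a defender can check for directly. The following is an added example, not part of the original page: it reads a constructed socket-table dump (the three-column "state local peer" layout is an assumption modelled on a `ss -tan` listing) and flags ports whose half-open backlog exceeds a threshold, along with how much of that backlog comes from peers seen only once, which is typical of spoofed-source floods though it does not prove spoofing.

```python
from collections import Counter

# Constructed sample: state, local address:port, peer address:port
SAMPLE_SOCKET_TABLE = """\
ESTAB    10.0.1.10:443 203.0.113.5:51000
SYN-RECV 10.0.1.10:443 198.51.100.11:1025
SYN-RECV 10.0.1.10:443 198.51.100.12:1025
SYN-RECV 10.0.1.10:443 198.51.100.13:1025
SYN-RECV 10.0.1.10:443 198.51.100.14:1025
SYN-RECV 10.0.1.10:443 198.51.100.15:1025
SYN-RECV 10.0.1.10:22  10.20.3.4:50321
ESTAB    10.0.1.10:22  10.20.3.4:50320
"""


def parse_socket_table(text):
    """Return (state, local_port, peer_ip) tuples."""
    rows = []
    for line in text.splitlines():
        state, local, peer = line.split()
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def half_open_by_port(rows):
    """Number of pending (SYN-RECV) connections per local port."""
    return Counter(port for state, port, _ in rows if state == "SYN-RECV")


def syn_flood_indicators(rows, max_half_open=4):
    """Ports whose half-open backlog exceeds max_half_open, with the share of
    backlog entries whose peer address appears only once in that backlog."""
    findings = {}
    for port, count in half_open_by_port(rows).items():
        if count <= max_half_open:
            continue
        peers = Counter(ip for state, p, ip in rows if state == "SYN-RECV" and p == port)
        single_use = sum(1 for n in peers.values() if n == 1)
        findings[port] = {"half_open": count,
                          "single_use_peer_share": single_use / len(peers)}
    return findings


if __name__ == "__main__":
    print(syn_flood_indicators(parse_socket_table(SAMPLE_SOCKET_TABLE)))
```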
- DDoS protection
Baidu AI Cloud offers free basic DDoS protection to support daily security operations and ensure stable performance of cloud resources for users. Baidu AI Cloud users receive up to 5Gbps of free DDoS protection (basic protection in Hong Kong is capped at 1Gbps).
Basic protection covers the following attacks:
Network-layer attacks:
(1) SYN flood attacks;
(2) ACK flood attacks;
(3) FIN/RST flood attacks;
(4) UDP flood attacks;
(5) ICMP flood attacks;
(6) TCP connection exhaustion attacks, etc.;
Application-layer attacks:
(1) HTTP GET/POST flood attacks;
(2) CC attacks;
(3) HTTP slow header/post attacks, among others.
Related products
Virtual Private Cloud, Baidu Cloud Monitor, DDoS Protection Service
