Requirements
Last week, I was designing a cloud solution on the Alibaba Cloud platform for a customer. Nothing special, just creating a simple networking layer with a VPC, virtual switches, and route tables. There was just one requirement: the environment cannot be accessed from the Internet and must have no access to the Internet. In other words, a VPC with no Internet connection at all, also known as a private VPC.
Implementing and testing
My first thought was: OK, no problem, this should be straightforward. I started creating the VPC and configuring all the subnets and routing connections. I would definitely not create a NAT gateway, since I did not want to have an Internet connection.
My second step was testing the solution. For that, I started an ECS instance in the private VPC I had created in the previous step, connected to it using SSH and tried to reach the Internet with the command ‘ping www.alibabacloud.com’. Surprisingly, I was able to connect to the Internet. How is that possible if the VPC has no Internet connection?
After checking the whole configuration, it couldn’t have been more obvious. During the initial creation process of the ECS instance, I had allocated an instance-bound public IP. I had basically assigned a public IP to my ECS instance. This way, logically, I was able to connect to and from the Internet directly on the ECS instance.
I then tested again, this time disabling the allocation of the instance-bound public IP during the creation process of the instance. Now, after connecting to the ECS instance, I didn’t have an Internet connection at all. Good, but from a customer perspective this will never be approved, since any user can decide whether or not to allocate a public IP to an ECS instance. This is definitely a no-go, and I had to find a way to disable this at the account level and not at the user level.
Another thing I tested was creating an EIP (elastic IP) and associating it with an ECS instance. Again, I was able to connect to the Internet. How is that possible if the VPC has no Internet connection? And again, I needed to find a way to disable this at the account level and not at the user level.
Solution to the identified security risks
I did two tests and I identified two security risks that need to be solved:
1) Denying allocation of an instance-bound public IP during the initial creation process of an ECS instance
Unfortunately, there is no easy and fast way to do this. The only way I found is building a workaround that automatically stops or deletes ECS instances with an instance-bound public IP, by monitoring ActionTrail and triggering a Function Compute function on the corresponding events.
In the following figure you can see what the architecture looks like:
2) Denying the association of an EIP after an ECS instance has been created without an instance-bound Public IP
The easiest and fastest solution to prevent the association of EIPs with ECS instances is creating a Resource Access Management (RAM) custom policy that denies the API call “AssociateEipAddress”.
In the following figure you can see what the architecture looks like:
This is the API call that the custom policy has to deny:
http(s)://vpc.aliyuncs.com/?Action=AssociateEipAddress
&AllocationId=eip-2zeerraiwb7ujsxdc****
&InstanceId=i-2zebb08phyczzawe****
&<CommonParameters>
This way, we can prevent the association of EIPs with ECS instances, SLB instances, NAT gateways, and ENIs. See https://www.alibabacloud.com/help/doc-detail/36017.html for details about this API.
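As an added illustration of both solutions (this is example code, not code from the original post or from Alibaba Cloud), the block below shows the decision logic such a Function Compute handler could run over ActionTrail events for solution 1, plus the RAM deny policy document for AssociateEipAddress from solution 2. The ActionTrail field names (eventName, requestParameters, responseElements) and the sample events are constructed; the example assumes an instance-bound public IP is requested via InternetMaxBandwidthOut > 0 on RunInstances/CreateInstance or via AllocatePublicIpAddress, and it only returns the planned StopInstance actions rather than calling the ECS SDK.

```python
import json

# Constructed ActionTrail-style events (assumption: the field names
# eventName / eventSource / requestParameters / responseElements).
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "eventSource": "ecs.aliyuncs.com",
     "requestParameters": {"InternetMaxBandwidthOut": 5},
     "responseElements": {"InstanceIdSets": {"InstanceIdSet": ["i-constructed1"]}}},
    {"eventName": "RunInstances", "eventSource": "ecs.aliyuncs.com",
     "requestParameters": {"InternetMaxBandwidthOut": 0},
     "responseElements": {"InstanceIdSets": {"InstanceIdSet": ["i-constructed2"]}}},
    {"eventName": "AllocatePublicIpAddress", "eventSource": "ecs.aliyuncs.com",
     "requestParameters": {"InstanceId": "i-constructed2"}},
    {"eventName": "DescribeInstances", "eventSource": "ecs.aliyuncs.com",
     "requestParameters": {}},
]

def affected_instances(event):
    """Return the instance IDs that the recorded API call gave a public IP, if any."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name in ("RunInstances", "CreateInstance"):
        # Assumption: ECS allocates an instance-bound public IP only when the
        # outbound Internet bandwidth requested at creation time is > 0.
        if int(params.get("InternetMaxBandwidthOut", 0)) <= 0:
            return []
        resp = event.get("responseElements") or {}
        ids = resp.get("InstanceIdSets", {}).get("InstanceIdSet", [])
        # CreateInstance returns a single InstanceId instead of a set.
        return list(ids) or [resp.get("InstanceId")]
    if name == "AllocatePublicIpAddress":
        return [params["InstanceId"]]
    return []

def remediation_plan(events):
    """Map each offending instance to the action the handler should take (here: stop)."""
    plan = {}
    for ev in events:
        for inst in affected_instances(ev):
            if inst:
                plan[inst] = "StopInstance"
    return plan

def deny_associate_eip_policy():
    """RAM custom policy document that denies EIP association (solution 2)."""
    return {"Version": "1", "Statement": [
        {"Effect": "Deny", "Action": "vpc:AssociateEipAddress", "Resource": "*"}]}

if __name__ == "__main__":
    print(remediation_plan(SAMPLE_EVENTS))
    print(json.dumps(deny_associate_eip_policy(), indent=2))
```

The deny policy is attached to the RAM users or groups that may create resources, while the handler would be wired to ActionTrail event delivery and call StopInstance or DeleteInstance for each instance in the plan.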
Conclusion:
Never deliver anything that is not tested. There is always a solution for every problem.