Using Alibaba cloud’s VPC + ECS + load balancing to build a secure web service


With the advent of the era of cloud computing, all public cloud platforms have provided a variety of products for consumers to use, and the products have reached the “dazzling” level. Alibaba cloud, for example, provides more than 10 categories and 50 or 60 specific service products. So, when small and medium-sized enterprises build web services, which products of the public cloud can be used to build high security, high availability and scalable services quickly, conveniently and cheaply? Based on my own experience, I give the following practice process for reference to the industry with similar needs.

Open alicloud’s home page, and put the mouse on the “products” menu. The first submenu that comes out by default is “elastic computing”. Since “elastic computing” is placed in the default position, we can guess that the products provided under this classification should be frequently used by the majority of consumers, and also the most basic. In fact, the practical experience I will introduce next is realized by using the three products of ECs, VPC and load balancing under this category.

Project background

Introduce the function and structure of web service that we will implement next. This is a service that provides more than 1000 employees in the enterprise to search professional articles by keyword. It consists of two search engines and two service receivers. The service receiver receives requests from users, obtains data by calling the search engine and packages it into the format required by users and returns it to users. Considering that Alibaba itself serves many small and medium-sized enterprises, it is natural to choose to deploy the service to Alibaba cloud as the production environment.


It is strongly recommended that small and medium-sized enterprises use VPC and try not to use classic networks. Please stamp here for more differences between classic networks and VPC.

With the development of business, small and medium-sized enterprises will rent more cloud services. If the classic network is used, the network bandwidth needs to be purchased according to each ECs, and it is in a non isolated network. When using VPC, all ECS in VPC can be set to share public network traffic, which is not open to the public by default, and the security is greatly improved. Don’t worry about how to use VPC to set up switches. You can easily do this by referring to the tutorials provided by Alibaba cloud. The effort is much less than setting up ECS firewalls under classic networks.

Virtual private cloud, based on Alibaba cloud, builds an isolated network environment. You can customize IP address range, network segment, routing table, gateway, etc. In addition, you can also connect VPC with traditional data center through dedicated line / VPN / GRE and other connection methods to build hybrid cloud service.

load balancing

The load balancing service provided by alicloud is very easy to use. It not only has an easy-to-use configuration management interface, but also provides four layers of DDoS attack protection below 5Gbps free of charge, and supports the deletion and addition of back-end cloud servers to achieve seamless scaling. The billing mode is also flexible, supporting billing by traffic or bandwidth. Although the number of users of the project I mentioned is large, the amount of information transmitted is small, so we choose to charge by traffic. (there is also a secret that load balancing between intranets is free.)

Project production environment structure

Purchase 4 ECSS, the network environment is VPC, then purchase 1 public network load balancer charged by traffic, and purchase 1 free internal network load balancer, which constitutes the following topology. Deploy the application to provide services.

Project production environment structure

Using Alibaba cloud's VPC + ECS + load balancing to build a secure web service

How to access ECS in VPC remotely?

You must have known that you can point a port to the remote access port of one ECS (the default port of windows remote desktop is 3389, and the default port of SSH is 22) through public network load balancing, and then log in to this ECS remotely, and then log in to other ECS remotely.

ECS in VPC needs to actively access other services on the Internet. What should I do?

There are two ways: 1. Bind EIP to ECs, that is, elastic public IP. 2. Then purchase Alibaba cloud’s “NAT gateway service” to enable ECS access to the Internet through the port mapping of NAT network management.

In comparison, using NAT gateway service is more secure, because elastic IP will lead to “cracks” in the VPC you are easy to deploy – anyone outside can attack the ECS in your VPC through the elastic IP scan you bind.


Even in small enterprises, the security of application services can not be ignored, otherwise it will bring more or less trouble, affect the work efficiency and affect the mood of operators. If there is a convenient and cheap way to achieve high security service deployment, why not?