Prevent the Use of Legacy Networks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (Should be achieved)

To improve security and gain control over network access, ensure that your ECS virtual machine (VM) instances are deployed within Virtual Private Clouds (VPCs) instead of legacy networks.

Security

In Alibaba Cloud, legacy networks are confined to a single IPv4 prefix range and rely on a sole gateway IP address for the entire network. They lack the flexibility to create subnetworks or transition to auto or custom subnet networks. Consequently, they may pose limitations for high-traffic ECS instances and are susceptible to single points of failure. Virtual Private Clouds (VPCs) provide enhanced security compared to legacy networks. VPC networks offer isolated environments, fine-grained access control, support for advanced features such as Elastic IP Addresses (EIPs), and seamless integration with other Alibaba Cloud services, ensuring better management and protection of resources.

Audit

To determine if your ECS instances are not configured to use legacy networks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Instances & Images, choose Instances.

04 Select the cloud region where your VM instances reside from the top navigation bar.

05 Click on the ID (link) of the VM instance that you want to examine and select the Instance Details tab to view the configuration information available for the selected instance.

06 In the Network Information section, check the Network Type attribute value. If the Network Type value is not VPC, the selected ECS virtual machine (VM) instance is configured to use a legacy network instead of a Virtual Private Cloud (VPC) for network access.

07 Repeat steps no. 5 and 6 for each virtual machine (VM) instance deployed in the selected cloud region.

08 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeInstances command (OSX/Linux/UNIX) to describe the information available for each ECS virtual machine (VM) instance provisioned in the specified Alibaba Cloud region:

aliyun ecs DescribeInstances --RegionId 'eu-west-1'

02 The command output should return the requested information (including the type of the network used by the instance, i.e. "InstanceNetworkType" value):

{
	"Instances": {
		"Instance": [
			{
				"InstanceId": "i-abcd1234abcd1234abcd",
				"HostName": "abcd1234abcd1234abcd1234",
				"InstanceTypeFamily": "ecs.t5",
				"InternetChargeType": "PayByTraffic",

				...

				"InstanceNetworkType": "classic",
				"OSName": "Alibaba Cloud Linux 2.1903 LTS 64",
				"OSNameEn": "Alibaba Cloud Linux 2.1903 LTS 64-bit",
				"OSType": "linux"
			},
			{
				"InstanceId": "i-1234abcd1234abcd1234",
				"HostName": "1234abcd1234abcd1234abcd",
				"InstanceTypeFamily": "ecs.t5",
				"InternetChargeType": "PayByTraffic",

				...

				"InstanceNetworkType": "classic",
				"OSName": "Alibaba Cloud Linux 2.1903 LTS 64",
				"OSNameEn": "Alibaba Cloud Linux 2.1903 LTS 64-bit",
				"OSType": "linux"
			}
		]
	},
	"NextToken": "",
	"PageNumber": 1,
	"PageSize": 20,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"TotalCount": 2
}

Check the "InstanceNetworkType" attribute value for each ECS instance listed within the "Instance" array, returned by the DescribeInstances command output. If the "InstanceNetworkType" attribute value is set to classic, the ECS virtual machine (VM) instance is configured to use a legacy network instead of a Virtual Private Cloud (VPC) for network access.

03 Repeat steps no. 1 and 2 for each virtual machine (VM) instance deployed in the selected cloud region.

04 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.
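The CLI audit above can be scripted so that every result page (the output carries a NextToken) and every region is covered. The following Python script is an added example, not part of this rule page or of the aliyun CLI; it assumes the aliyun CLI is installed and configured, that DescribeInstances accepts --MaxResults and --NextToken for pagination, and it embeds constructed sample pages so the check can be run offline.

```python
import json
import subprocess

# Constructed sample pages in the shape of the DescribeInstances output
# shown above (trimmed to the fields the check needs); the second page
# is reached through NextToken, so the pagination path is exercised.
SAMPLE_PAGES = {
    "": {"Instances": {"Instance": [
            {"InstanceId": "i-abcd1234abcd1234abcd", "InstanceNetworkType": "classic"},
            {"InstanceId": "i-1234abcd1234abcd1234", "InstanceNetworkType": "vpc"}]},
          "NextToken": "page2"},
    "page2": {"Instances": {"Instance": [
            {"InstanceId": "i-0000111122223333aaaa", "InstanceNetworkType": "classic"}]},
          "NextToken": ""},
}

def classic_instance_ids(page):
    """IDs of instances in one result page whose InstanceNetworkType is 'classic'."""
    return [inst["InstanceId"]
            for inst in page.get("Instances", {}).get("Instance", [])
            if str(inst.get("InstanceNetworkType", "")).lower() == "classic"]

def describe_instances_cli(region, next_token=""):
    """Fetch one page via the aliyun CLI (assumed installed and configured)."""
    cmd = ["aliyun", "ecs", "DescribeInstances", "--RegionId", region,
           "--MaxResults", "100"]  # assumption: MaxResults/NextToken paging
    if next_token:
        cmd += ["--NextToken", next_token]
    return json.loads(subprocess.check_output(cmd))

def sample_fetch(region, next_token=""):
    """Offline stand-in for describe_instances_cli that serves SAMPLE_PAGES."""
    return SAMPLE_PAGES[next_token]

def audit_region(region, fetch=describe_instances_cli):
    """Walk every page for the region and return IDs of classic-network instances."""
    findings, token = [], ""
    while True:
        page = fetch(region, token)
        findings.extend(classic_instance_ids(page))
        token = page.get("NextToken") or ""
        if not token:
            return findings

def audit_regions(regions, fetch=describe_instances_cli):
    """Run the check for each RegionId (step 04 above); empty list means compliant."""
    return {region: audit_region(region, fetch) for region in regions}

if __name__ == "__main__":
    for region, ids in audit_regions(["eu-west-1"], fetch=sample_fetch).items():
        print(region, "legacy-network instances:", ids)
```

Replace fetch=sample_fetch with the default to run against a real account; any instance ID returned is one that must be redeployed into a VPC per the Remediation section.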

Remediation / Resolution

To ensure that your ECS instances are deployed within Virtual Private Clouds (VPCs) instead of legacy networks, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Instances & Images, choose Instances.

04 Select the cloud region where your VM instances reside from the top navigation bar.

05 Not all cloud regions and instance configurations support the migration of ECS instances from classic networks to VPCs. Therefore, to enable VPC support, you have to re-create the instance with the necessary network configuration. Click on the ID (link) of the virtual machine (VM) instance that you want to redeploy in order to enable VPC support.

06 Choose All Operations and select Create Custom Image under Disks and Images.

07 Provide a unique name for the custom image in the Image Name box, ensure that the correct Resource Group is selected, and choose OK to create your custom image.

08 In the left navigation panel, under Instances & Images, choose Images.

09 Once the image is available, choose Create Instance and follow the setup wizard to create a new VM instance from the selected image:

  1. For Billing Method choose the appropriate billing method.
  2. For Region select the same cloud region as the source instance.
  3. For Network and Zone, choose an existing Virtual Private Cloud (VPC) from the first dropdown list and select the necessary availability zone from the second dropdown list. To create a new VPC, choose Create VPC, provide the required details, configure the vSwitch component, and choose OK to create the VPC resource. A vSwitch is a basic network component of a Virtual Private Cloud (VPC) that acts like a virtual subnet.
  4. For Instances & Images, select the same instance type as the source VM instance and ensure that your image is selected in the Image section.
  5. For Storage, ensure that both system and data disks are encrypted. (Optional) If required, configure automatic snapshot policies for instance disks and set the NAS file systems.
  6. For Bandwidths & Security Groups, choose whether to assign a public IPv4 address, choose whether to use an existing security group or to create a new one, and configure the Elastic Network Interface (ENI) settings (optional).
  7. For Management, set the necessary logon credentials and apply tags (key-value pairs) for better resource management.
  8. Choose Advanced Settings (Optional), provide a unique name for your new instance in the Instance Name box, then configure any required advanced settings such as Resource Group, Instance RAM Role, and Release Protection.
  9. On the summary panel, review the instance configuration settings, select the ECS Terms of Service checkbox, and choose Create Order to deploy your new virtual machine (VM) instance to the selected VPC network.
  10. In the confirmation box, choose Console to return to the ECS console.

10 Repeat steps no. 5 - 9 for each ECS instance that you want to redeploy, available in the selected cloud region.

11 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 Not all cloud regions and instance configurations support the migration of ECS instances from classic networks to VPCs. Therefore, to enable VPC support, you have to re-create the instance with the necessary network configuration. To get started, create a custom image from the source VM instance. Run CreateImage command (OSX/Linux/UNIX) to create a new ECS custom image:

aliyun ecs CreateImage \
  --RegionId 'eu-west-1' \
  --ImageName 'tm-legacy-instance-image' \
  --InstanceId 'i-12341234123412341234'

02 The command output should return the ID of the new custom image:

{
	"ImageId": "m-abcabcabcabcabcabcab",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run CreateInstance command (OSX/Linux/UNIX) to create a new ECS instance from the image registered at the previous step and deploy it to a Virtual Private Cloud (VPC). Use the --VSwitchId parameter to specify the ID of the vSwitch component within your chosen VPC. The security group specified by the --SecurityGroupId parameter and the vSwitch specified by --VSwitchId must belong to the same VPC network:

aliyun ecs CreateInstance \
  --InstanceName 'tm-encrypted-instance' \
  --InstanceChargeType 'PostPaid' \
  --RegionId 'eu-west-1' \
  --ImageId 'm-abcabcabcabcabcabcab' \
  --InstanceType 'ecs.t6-c4m1.large' \
  --VSwitchId 'vsw-1234abcd1234abcd1234a' \
  --SecurityGroupId 'sg-abcdabcdabcdabcdabcd'

04 The command output should return the ID of the new ECS instance:

{
	"InstanceId": "i-abcdabcdabcdabcdabcd",
	"OrderId": "1234567890",
	"TradePrice": 0.016,
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

05 Repeat steps no. 1 - 4 for each ECS instance that you want to redeploy, available within the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.

Publication date Apr 30, 2024