Requirement
The backend service ports (80, 443, 3389 and so on) must not be reachable by users directly; they may only be reached through Alibaba Cloud's SLB load balancer. Because the ECS instances sit behind SLB for public-network forwarding and load balancing, users have no need to reach the ECS public address at all, so security group rules are configured to block direct access to the ECS address.
Solution:
In the security group, allow inbound traffic from the load balancer's IP address block, 100.64.0.0/10, and from the IP address block of Anti-Pro. 100.64.0.0/10 is a reserved address block on Alibaba Cloud that cannot be assigned to other tenants, so allowing it does not introduce a security risk.
An IP address beginning with 100.64 therefore belongs to the block 100.64.0.0/10, whose range is 100.64.0.0~100.127.255.255, a total of 4,194,304 addresses. This reserved block is also used for an intranet, but not an ordinary private intranet: it is the address space for carrier-grade NAT (CGN). RFC 6598 (IANA-Reserved IPv4 Prefix for Shared Address Space), published in April 2012, sets aside 100.64.0.0/10 as "Shared Address Space" for carrier ISPs:
NetRange: 100.64.0.0 - 100.127.255.255
CIDR: 100.64.0.0/10
OriginAS:
NetName: SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED
NetHandle: NET-100-64-0-0-1
Parent: NET-100-0-0-0-0
NetType: IANA Special Use
Note: You must first allow the SLB address block to reach the ECS instance (priority 1), and only then create the generic rule (priority 2) that denies all other connections. If the deny rule had the higher priority, it would also drop the SLB traffic.
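To make the two points above concrete, the following added example (not code from the original post, and not an Alibaba Cloud API call) computes the bounds of 100.64.0.0/10 with Python's standard `ipaddress` module and then models the security group as a priority-ordered rule list. The rule set, the sample source addresses and the assumption that the lower priority number wins are all constructed for illustration; the misordered variant shows why the note insists on the allow rule having priority 1.

```python
import ipaddress

# Address block reserved for the load balancer (RFC 6598 shared address space).
SLB_BLOCK = ipaddress.ip_network("100.64.0.0/10")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed model of the inbound security group described in the text.
# Assumption: a lower priority number is evaluated first, as the note states.
# Each rule is (priority, action, source network, (low port, high port)).
RULES = [
    (1, "allow", SLB_BLOCK, (1, 65535)),  # SLB may reach every backend port
    (2, "deny", ANY, (1, 65535)),         # everything else is blocked
]

# The mistake the note warns about: the generic deny evaluated first.
MISORDERED_RULES = [
    (1, "deny", ANY, (1, 65535)),
    (2, "allow", SLB_BLOCK, (1, 65535)),
]


def block_facts(cidr="100.64.0.0/10"):
    """Return first address, last address and size of a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": net.num_addresses,
    }


def is_slb_source(ip):
    """True if the source address lies inside the reserved SLB block."""
    return ipaddress.ip_address(ip) in SLB_BLOCK


def evaluate(src_ip, dst_port, rules=RULES):
    """Walk the rules in priority order; first match decides the verdict."""
    addr = ipaddress.ip_address(src_ip)
    for _priority, action, net, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if addr in net and lo <= dst_port <= hi:
            return action
    return "deny"  # no rule matched: treat as blocked


# Constructed sample connections (not real traffic).
SAMPLES = [
    ("100.64.10.3", 80),        # forwarded by SLB, inside the /10
    ("100.127.255.255", 3389),  # last address of the /10
    ("100.128.0.1", 80),        # just outside the /10
    ("203.0.113.5", 443),       # a user hitting the ECS public address directly
]


def main():
    print(block_facts())
    for ip, port in SAMPLES:
        print(f"{ip}:{port} -> {evaluate(ip, port)}")
    print("misordered:", evaluate("100.64.10.3", 80, MISORDERED_RULES))


if __name__ == "__main__":
    main()
```

With the correct ordering, only sources inside 100.64.0.0/10 receive "allow"; with the deny rule at priority 1 even legitimate SLB traffic is dropped, which is the outage the note is guarding against.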