
Network Security

The Firewall app provides only a basic level of protection for VM instances.

In a production environment, the entire account infrastructure can face complex security threats, such as DDoS attacks, brute-force attacks, and exploitation of zero-day vulnerabilities in applications exposed to the Internet. The account administrator may therefore need more advanced tools and techniques to mitigate those threats.

DDoS protection

Each location provides only limited Internet bandwidth for an account. A volumetric DDoS attack may consume all available bandwidth with unexpected traffic from botnets, causing denial of service for the normal traffic of legitimate users.

At the moment, we recommend using third-party DDoS protection service providers which have a large network capacity across multiple datacenters to handle and filter all unexpected traffic.

Recommended provider

We recommend Cloudflare, a well-known and trusted DDoS protection provider. It has a free plan, and DDoS protection is on by default.

The best option usually is to configure a full DNS Setup, where the DNS domain is moved to the nameservers of the DDoS protection provider.
These nameservers resolve requested domain names to different IP addresses across the globe to distribute and filter traffic on the provider's servers before traffic reaches the IP address of the real server where the application is running.

To protect websites that use the Application LoadBalancer (ALB), create a CNAME record in the DDoS protection provider's interface that points to the ALB hostname:

ACC.alb.LOC.icdc.io

This DDoS protection method is effective only while the IP address of the real application server is kept secret. Many security services track the history of DNS record changes and can reveal the IP address of the application server, allowing an attacker to flood that IP address and bypass the DDoS protection.
Therefore, consider changing the primary IP address of the account after configuring DDoS protection to secure the real server's location.
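
The origin address also stays secret only if no current record in the zone publishes it. The following added example (not part of the platform's documentation or tooling) audits a zone export for such records; the record layout, the `proxied` flag, the domain names and the 203.0.113.10 origin address are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data: names, addresses and the record layout are assumptions.
ORIGIN_IPS = ["203.0.113.10"]            # real server address (documentation range)
ALB_HOST = "acc.alb.loc.icdc.io"         # stands in for ACC.alb.LOC.icdc.io
ZONE = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "content": "acc.alb.loc.icdc.io", "proxied": True},
    {"name": "direct.example.com", "type": "CNAME", "content": "ACC.alb.LOC.icdc.io.", "proxied": False},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "proxied": False},
    {"name": "example.com", "type": "TXT", "content": "v=spf1 ip4:203.0.113.0/28 -all", "proxied": False},
    {"name": "status.example.com", "type": "CNAME", "content": "status.vendor.example", "proxied": False},
]


def _norm(host):
    return host.rstrip(".").lower()


def find_origin_leaks(zone, origin_ips, alb_host):
    """Return (name, type, reason) for every record that publishes the origin."""
    origins = [ipaddress.ip_address(ip) for ip in origin_ips]
    leaks, exposed = [], set()
    for r in zone:
        if r["proxied"]:
            continue  # answered with the provider's addresses, origin stays hidden
        if r["type"] in ("A", "AAAA") and ipaddress.ip_address(r["content"]) in origins:
            leaks.append((r["name"], r["type"], "unproxied address record"))
            exposed.add(_norm(r["name"]))
        elif r["type"] == "CNAME" and _norm(r["content"]) == _norm(alb_host):
            leaks.append((r["name"], "CNAME", "unproxied CNAME to ALB"))
            exposed.add(_norm(r["name"]))
    for r in zone:
        if r["type"] == "MX" and _norm(r["content"]) in exposed:
            leaks.append((r["name"], "MX", "mail host resolves to origin"))
        elif r["type"] == "TXT":
            # SPF ip4:/ip6: mechanisms may name the origin directly or by CIDR.
            for tok in re.findall(r"\bip[46]:([0-9A-Fa-f:./]+)", r["content"]):
                net = ipaddress.ip_network(tok, strict=False)
                if any(o in net for o in origins):
                    leaks.append((r["name"], "TXT", "SPF covers origin address"))
    return leaks


if __name__ == "__main__":
    for name, rtype, reason in find_origin_leaks(ZONE, ORIGIN_IPS, ALB_HOST):
        print(f"{rtype:5} {name:22} {reason}")
```

Each reported record should be proxied, removed, or pointed at a host that does not share the application server's address before the primary IP address is changed.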

Web Application Firewall

Another threat is hacking attempts through brute-force attacks or exploitation of application vulnerabilities. Such attacks usually follow recognizable patterns, such as SQL injection (e.g. ' or '1'='1) or XSS (e.g. JavaScript code injected as '><script>...). Additionally, your organization may have specific requirements to block users from specific countries or IP subnets.

Such attacks can be detected and prevented by a web application firewall (WAF), which recognizes those patterns and blocks malicious access to applications in your account.

Currently, the platform does not provide an embedded web-application firewall. Therefore, we recommend configuring your own WAF solution on a virtual machine or using third-party service providers.

Recommended provider

We recommend using the WAF functionality of Cloudflare. It has a free plan that allows up to 5 firewall rules.

An example of a custom firewall rule banning users by country configured on the Cloudflare WAF service: