Alibaba Cloud Apsara Stack Solution: Version 2018/4/9
Index
1 Executive Summary
2 Solution Overview
2.1 Solution Benefit
2.2 Solution Architecture
3 Apsara Stack Solution Description
3.1 Apsara Stack Core Capabilities
3.1.1 Apsara Operating System
3.1.2 Network Architecture
3.1.3 Security Architecture
3.1.4 Deployment and Control System (Tianji)
3.1.5 Unified O&M Management System
3.2 Compliance Security Solution
3.2.1 Cloud-based Classified Protection and Compliance
3.2.2 Classified Protection Implementation Process
3.3 ECS Service
3.3.1 Service Description
3.3.2 Key Features of ECS
3.3.3 Security
3.4 VPC
3.4.1 Service Description
3.4.2 Key Features of VPC
3.4.3 Security
3.5 OSS
3.5.1 Service Description
3.5.2 Key Features of OSS
3.5.3 Security
3.6 SLB
3.6.1 Service Description
3.6.2 Key Features of SLB
3.6.3 Security
3.7 RDS
3.7.1 Service Description
3.7.2 Key Features of RDS
3.7.3 Security
3.8 Alibaba Cloud Security
3.8.1 Service Description
3.8.2 Key Features of Alibaba Cloud Security
4 Business Continuity and Disaster Recovery Solution
4.1 Apsara Stack Intra-city Disaster Recovery Solution
4.2 SLA
4.3 Apsara Stack Service DR Architecture
1 Executive Summary
2 Solution Overview
The Alibaba Cloud proposed solution includes the following product:
Apsara Stack Enterprise Edition
Alibaba Cloud’s Apsara Stack Enterprise Edition solution is a comprehensive private
cloud platform based on Alibaba Cloud’s distributed architecture that enables enterprise
customers to deploy and operate Alibaba Cloud services in their on-premises data center.
management, resource management, large-scale distributed file systems, job scheduling,
and coordination services.
Cloud Service Layer
Service Layer provides multiple cloud services to meet customer requirements including
SLB (load balancing service), ECS (computing service), OSS (storage service), VPC
(tenant network), RDS for MySQL (relational database service).
Security Framework
Apsara Stack Security provides security solutions for cloud platform and cloud product
at the design level. For tenant security, Alibaba Cloud Security provides Basic Edition
and Advanced Edition. The Basic Edition is composed of three main function modules:
network traffic monitoring system, host intrusion protection system (Server Guard), and
security auditing. The Advanced Edition includes all the functions of the Basic Edition,
in addition to DDoS Cleaning, Cloud Firewall, WAF, Situation Awareness, and other
functions.
Distributed deployment/Unified management and O&M
The unified O&M management system includes the cloud service consoles and O&M
monitoring console. The consoles enable you to perform the operations such as account
management, distribution of cloud services resources, alerts handling, system upgrading,
and audit management.
Backup and disaster recovery solution
Apsara Stack offers utilities and resources to build scalable, durable and secure backup
and restore solutions that meet RTO, RPO, data retention and compliance requirements and,
depending on network conditions, can achieve RTO and RPO in a matter of minutes or hours.
In addition, Apsara Stack provides a cloud-based intra-city disaster recovery solution to
ensure business continuity. The Business Continuity Management Center (BCMC) is a
management utility that switches a failed data center over to the disaster recovery data
center with low RPO in Apsara Stack.
Figure 2-1 Apsara Stack Overview Architecture
ECS is integrated with most Apsara Stack services (such as OSS, RDS, and VPC) to provide a
complete, secure solution for computing, query processing, and cloud storage across a wide range of
applications.
Reliability
Large-scale redundancy architectures guarantee the availability of running instances and the
reliability of data stored in cloud disks: instance availability is up to 99.95% and cloud disk data
reliability is no less than 99.9999999%. Automatic downtime migration and automatic snapshot
backup (manual configuration of snapshot policies is required) make data recovery simple.
Security
Server security through Alibaba Cloud Server Guard provides features such as interception of
brute-force password attacks, Trojan scans, remote logon reminders, and repair of high-risk
vulnerabilities.
Monitoring
CloudMonitor guarantees service security through a range of real time alert and notification services.
Supports multiple instance generations and dozens of instance types (ranging from 1-core 1 GiB to
32-core 128 GB).
Multiple regions
Allows instance creation in all regions.
Abundant image resources
Provides various image resources, including public images, custom images, and shared images,
allowing quick deployment of operating systems and applications without installation. Supports
multiple Windows and Linux operating systems.
Multiple storage methods
Provides three types of data storage disks (Basic Cloud Disks, Ultra Cloud Disks, and SSD Cloud
Disks) and I/O-optimized instances.
Convenient management
Provides multiple management methods, including the console, VNC, and APIs, ensuring complete
control.
Multi-level resource monitoring
Site Monitoring: Provides statistics collection, monitoring, and alert notifications for the availability
and response time of services including HTTP, ping, DNS, TCP, UDP, SMTP, POP and FTP.
Cloud Service Monitoring: Provides cloud service monitoring and alert notifications, as well as a
custom monitoring service that lets users define the monitoring they need.
Alert and Contact Management: Provides unified batch management of alert policies and alert
notifications through a range of channels including text message, email, and interface callback.
3.3.3 Security
Image security
• Regular fixing of high-risk vulnerabilities
• Built-in host intrusion prevention software
Hot upgrades
• Hot upgrades for Linux kernel hosts
• Hot upgrades for the Hypervisor
Tenant isolation
• The Hypervisor isolates the CPUs, memory, and storage of different virtual machines from each other.
• Tenant networks are isolated through VPCs and security groups.
• All stored data are cleared after memory and storage are released.
Reliability
• A distributed redundant storage system ensures data reliability.
• Quick backup and rollback are provided based on disk snapshots.
• Point-in-time recovery is provided based on failover deployment.
• Smart resource scheduling is provided based on online migration.
3.4 VPC
3.4.1 Service Description
Virtual Private Cloud (VPC) is a private network service established in Apsara Stack. VPCs are
logically isolated from other virtual networks and allow you to launch and use Apsara Stack
resources within them. You have full control over your VPC: for example, you can select its IP
address range, further segment the VPC into subnets, and configure route tables and network
gateways. Additionally, you can connect a VPC with an on-premises network over a physical
connection or VPN to form an on-demand, customizable network environment, which allows you to
migrate applications to the cloud smoothly and with little effort. The VPC has benefits in the
following aspects:
Network Elasticity
In Apsara Stack VPC, all network configurations and offline IDC configurations can be the same,
and more possibilities are allowed. Interconnection and security domain isolation between data
centers can be realized, and all network configurations and planning in the VPC are flexible.
Software Defined Network (SDN)
SDN provides customized network configurations to extend and manage complex network
infrastructure easily as well as provides complete traffic isolation between cloud tenants.
Interconnection methods
Apsara Stack provides a more secure method to set up interconnection between different DCs.
Internet Access
The VPC gateway provides a secure method for ECS instances in a VPC to access the Internet,
either through an associated EIP or through a NAT gateway.
Figure 3-10 VPC architecture
VPC CIDR Block | Number of available private IPs (excluding system-reserved IPs)
192.168.0.0/16 | 65,532
172.16.0.0/12 | 1,048,572
10.0.0.0/8 | 16,777,212
VSwitch
A VSwitch is a basic network device in a VPC, used to connect different cloud product
instances. After creating a VPC, you can create one or more subnets in the VPC by creating
VSwitches. Different VSwitches in a VPC can communicate with each other over the intranet. A
VPC contains at least 1 VSwitch and can have up to 24 VSwitches.
CIDR Block
When creating a VSwitch, the private IP address range of the VSwitch must be specified in the form
of Classless Inter-Domain Routing (CIDR) block.
Note the following when specifying the VSwitch CIDR block:
• The CIDR block of the VSwitch can be the same as that of the VPC to which it belongs, or a
subset of the VPC CIDR block.
• The size of the subnet mask for the VSwitch can be /16 to /29, so the VSwitch CIDR block can
provide 8 to 65536 IP addresses.
• The first and last three IP addresses are reserved by the system.
• Consider the number of cloud instances to be created in the VSwitch. Up to 15000 instances can
be created in a VPC.
• If the VSwitch has to communicate with a VSwitch in another VPC or a local network, make
sure the CIDR block of the VSwitch does not conflict with that of the resource to connect.
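The VSwitch planning rules above are easy to get wrong by hand, so here is a small checker, added as an illustration and not part of Apsara Stack or its tooling. It encodes the rules the text states (block inside the VPC block, mask /16 to /29, four system-reserved addresses, no overlap with existing VSwitches or with networks the VSwitch must reach, 15000 instances per VPC) and reproduces the VPC capacity table. The function names and the sample CIDR blocks are this example's own.

```python
import ipaddress

# Limits restated from the text: VSwitch masks /16 to /29, the first and last
# three addresses of a block are reserved (4 in total), at most 15000 instances per VPC.
RESERVED_ADDRESSES = 4
MIN_PREFIX, MAX_PREFIX = 16, 29
MAX_INSTANCES_PER_VPC = 15000

# The three VPC CIDR blocks listed in the text.
VPC_BLOCKS = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


def usable_addresses(cidr):
    """Private IPs left in a block once the system-reserved addresses are taken out."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_ADDRESSES


def vpc_capacity_table():
    """Recomputes the VPC CIDR capacity table from the text."""
    return {cidr: usable_addresses(cidr) for cidr in VPC_BLOCKS}


def check_vswitch_cidr(vpc_cidr, vswitch_cidr, existing=(), peers=(), planned_instances=0):
    """Return the list of rule violations for a proposed VSwitch block.

    existing: CIDR blocks of VSwitches already in this VPC (must not overlap)
    peers:    CIDR blocks of other VPCs or on-premises networks this VSwitch
              must talk to (must not overlap either)
    planned_instances: number of instances that will live in the VSwitch
    An empty list means every rule checked here is satisfied.
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        sw = ipaddress.ip_network(vswitch_cidr, strict=True)
    except ValueError as err:
        # strict=True rejects blocks with host bits set, e.g. 192.168.1.1/24
        return [f"invalid CIDR: {err}"]
    if not sw.subnet_of(vpc):
        problems.append(f"{sw} is not inside the VPC block {vpc}")
    if not MIN_PREFIX <= sw.prefixlen <= MAX_PREFIX:
        problems.append(f"mask /{sw.prefixlen} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX} range")
    for other in existing:
        if sw.overlaps(ipaddress.ip_network(other, strict=True)):
            problems.append(f"{sw} overlaps existing VSwitch {other}")
    for peer in peers:
        if sw.overlaps(ipaddress.ip_network(peer, strict=True)):
            problems.append(f"{sw} conflicts with connected network {peer}")
    usable = usable_addresses(vswitch_cidr)
    if planned_instances > usable:
        problems.append(f"{planned_instances} instances exceed the {usable} usable addresses")
    if planned_instances > MAX_INSTANCES_PER_VPC:
        problems.append(f"{planned_instances} instances exceed the per-VPC limit of {MAX_INSTANCES_PER_VPC}")
    return problems


if __name__ == "__main__":
    for cidr, count in vpc_capacity_table().items():
        print(f"{cidr:>15}  {count:>10,} usable addresses")
    # Constructed plan: a /24 that collides with a /23 already in the VPC.
    print(check_vswitch_cidr("192.168.0.0/16", "192.168.1.0/24", existing=["192.168.0.0/23"]))
```

The overlap checks are the ones that matter for a later VPC peering or VPN connection: a block that is valid on its own but collides with a connected network forces renumbering once the link is built.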
VRouter
A VRouter is a hub in the VPC that connects all VSwitches in the VPC and serves as a gateway
device that connects the VPC to other networks. VRouter routes the network traffic according to the
configurations of route entries.
Route Entry
Each entry in a route table is a route entry. A route entry specifies the next hop address for the
network traffic destined to a CIDR block. There are two types of route entries:
• A system route entry is a route entry, with its destination CIDR block, that the system adds when
you create a VPC. This allows communication between cloud product instances in the VPC.
Additionally, the system adds a route entry for each VSwitch when you create it; the destination
CIDR block of this system route entry is the CIDR block of the VSwitch.
• A custom route entry is a route entry that you add to route specific traffic to a specified destination.
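To make the interplay of system and custom route entries concrete, the following model of a VRouter route table is added here; it is an illustration and not Apsara Stack's implementation. It assumes, as routers generally do, that when several entries match a destination the most specific one (longest prefix) wins; the text itself does not state the tie-breaking rule. The next-hop names are placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteEntry:
    destination: ipaddress.IPv4Network   # CIDR block the entry applies to
    next_hop: str                        # "local" for intra-VPC delivery, otherwise a gateway/instance id
    kind: str                            # "system" or "custom"


class RouteTable:
    """Route table of one VRouter (hypothetical model)."""

    def __init__(self, vpc_cidr):
        self.vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        # System entry created together with the VPC: keeps intra-VPC traffic local.
        self.entries = [RouteEntry(self.vpc, "local", "system")]

    def add_vswitch(self, cidr):
        """Creating a VSwitch adds a system entry whose destination is the VSwitch block."""
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(self.vpc):
            raise ValueError(f"{net} is not inside VPC block {self.vpc}")
        self.entries.append(RouteEntry(net, "local", "system"))

    def add_custom(self, cidr, next_hop):
        """Custom entry steering a destination block to a chosen next hop."""
        net = ipaddress.ip_network(cidr, strict=True)
        self.entries.append(RouteEntry(net, next_hop, "custom"))

    def lookup(self, dst_ip):
        """Entry used for a packet to dst_ip, or None when nothing matches."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [e for e in self.entries if addr in e.destination]
        if not matches:
            return None
        # Assumed longest-prefix-match: the most specific entry wins.
        return max(matches, key=lambda e: e.destination.prefixlen)


def build_sample_table():
    """Constructed VPC with two VSwitches, a default route and a VPN route."""
    rt = RouteTable("10.0.0.0/8")
    rt.add_vswitch("10.1.0.0/16")
    rt.add_vswitch("10.2.0.0/16")
    rt.add_custom("0.0.0.0/0", "nat-gateway")          # Internet egress via NAT gateway
    rt.add_custom("192.168.0.0/16", "vpn-gateway")     # on-premises network over VPN
    rt.add_custom("10.3.0.0/24", "ecs-inspection")     # divert one block through an inspection instance
    return rt


if __name__ == "__main__":
    rt = build_sample_table()
    for ip in ("10.1.2.3", "8.8.8.8", "192.168.5.5", "10.3.0.9"):
        entry = rt.lookup(ip)
        print(f"{ip:>12} -> {entry.next_hop} ({entry.kind}, {entry.destination})")
```

Note that the custom 10.3.0.0/24 entry is more specific than the system 10.0.0.0/8 entry and therefore takes precedence for that block only; the rest of the VPC keeps local delivery.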
3.4.3 Security
Security isolation
Different VPCs are isolated by tunnel IDs. Using VSwitches and VRouters, VPC can be segmented
into subnets similar to that in the traditional network environment. Different cloud servers in the
same subnet communicate with each other by using VSwitch, and cloud servers in different subnets
within a VPC communicate with each other by using VRouters. Layer 2 networks between different
VPCs are isolated. ECS instances within a VPC use a security group firewall to control the network
access.
Currently, the Virtual Private Cloud (VPC) in Alibaba Cloud does not come with a dedicated
resource access management policy. Resource access management in the VPC relies on the access
control capabilities of each cloud product. For example, resource access management for ECS is
implemented using security groups, and that for SLB and RDS is implemented using whitelists.
Access control
• ECS Security Group
A security group is a virtual firewall that provides stateful packet inspection. Security
groups are used to set network access control for one or more ECS instances. As an important means of
security isolation, security groups are used to divide security domains on the cloud.
• SLB Whitelist
To configure the whitelist, add the user's IP addresses, or the IP addresses of the cloud services
inside the VPC that are to be accessed over SLB, to the access management whitelist of SLB.
• RDS Whitelist
Using the whitelist feature of ApsaraDB for RDS, the user can specify the IP addresses that are
allowed to access the RDS instance. All access from unlisted IP addresses is denied. When using
RDS products in a VPC, add the IP address of the ECS instance to the whitelist of the required RDS
instance so that the ECS instance can reach it.
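The two access-control mechanisms described in this section, a stateful security group for ECS and a whitelist for SLB/RDS, behave differently in ways that matter when tracing why a connection is or is not admitted. The following model is added here to show those semantics; it is not Apsara Stack code. It assumes priority-ordered rules with a default of deny for inbound and allow for outbound traffic, and models the stateful part as a connection table that admits reply traffic of a connection the instance itself opened. Rule fields, defaults and sample addresses are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    direction: str     # "ingress" (towards the instance) or "egress" (from it)
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # destination port range (use 0-0 for icmp)
    port_to: int
    cidr: str          # peer address range the rule applies to
    policy: str        # "accept" or "drop"
    priority: int = 1  # lower value is evaluated first (assumed ordering)

    def matches(self, direction, protocol, dst_port, peer_ip):
        return (self.direction == direction
                and self.protocol in ("all", protocol)
                and self.port_from <= dst_port <= self.port_to
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr, strict=False))


class SecurityGroup:
    """Hypothetical model of a stateful security group attached to one ECS instance."""

    def __init__(self, rules, default_ingress="drop", default_egress="accept"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.defaults = {"ingress": default_ingress, "egress": default_egress}
        self.flows = set()   # established connections: (protocol, peer_ip, peer_port, local_port)

    def evaluate(self, direction, protocol, peer_ip, peer_port, local_port):
        """Decide on one packet; returns "accept" or "drop"."""
        key = (protocol, peer_ip, peer_port, local_port)
        if key in self.flows:
            return "accept"   # reply traffic of an established connection: stateful inspection
        # Rules are written against the destination port: the local port for
        # inbound packets, the peer's port for outbound ones.
        dst_port = local_port if direction == "ingress" else peer_port
        decision = self.defaults[direction]
        for rule in self.rules:            # first matching rule in priority order wins
            if rule.matches(direction, protocol, dst_port, peer_ip):
                decision = rule.policy
                break
        if decision == "accept":
            self.flows.add(key)            # remember the connection so replies get through
        return decision


class Whitelist:
    """SLB/RDS-style whitelist: only listed addresses or blocks may connect; an empty list denies everyone."""

    def __init__(self, entries=()):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def allows(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def sample_web_server_group():
    """Constructed policy: HTTPS from anywhere, SSH only from the intranet except one blocked subnet."""
    return SecurityGroup([
        Rule("ingress", "tcp", 22, 22, "10.5.0.0/16", "drop", priority=1),
        Rule("ingress", "tcp", 22, 22, "10.0.0.0/8", "accept", priority=2),
        Rule("ingress", "tcp", 443, 443, "0.0.0.0/0", "accept", priority=10),
    ])


if __name__ == "__main__":
    sg = sample_web_server_group()
    print("https from internet:", sg.evaluate("ingress", "tcp", "203.0.113.9", 51000, 443))
    print("ssh from blocked subnet:", sg.evaluate("ingress", "tcp", "10.5.2.3", 40000, 22))
    print("outbound to rds:", sg.evaluate("egress", "tcp", "198.51.100.7", 3306, 55000))
    print("rds reply:", sg.evaluate("ingress", "tcp", "198.51.100.7", 3306, 55000))
    print("rds whitelist:", Whitelist(["10.1.2.3"]).allows("10.1.2.3"))
```

The reply to the outbound database connection is admitted without any inbound rule for port 55000, which is exactly what stateful inspection buys; an unrelated inbound packet from the same peer on a different port is still dropped. The whitelist, by contrast, has no state and no default-allow direction: anything not listed is refused.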
3.5 OSS
3.5.1 Service Description
Alibaba Cloud Object Storage Service (OSS) is an easy-to-use storage pool service that enables you
to store, back up and archive large amounts of data in the cloud. OSS acts as an encrypted central
repository from which files can be securely accessed in the cloud. OSS is a massive, secure,
cost-effective and highly reliable cloud storage service. Compared with traditional user-built
server storage, OSS has many outstanding advantages in reliability, security, cost, and data
processing capabilities. OSS enables you to store and retrieve unstructured data including text files,
images, audio, and video. The benefits of OSS are as follows:
Reliability
• Three copies of every object are stored in OSS.
• 99.95% designed service availability and 99.999999999% designed data persistence.
• Automatic scaling without affecting external services, and automatic redundant data backup.
Flexibility
• Multiple ways, such as standard RESTful APIs, SDKs, client tools and a dedicated console, to
manage massive volumes of data from a website or application.
• Multiple streams for writing and reading data.
• Deletion of expired or old data objects in batches, or transfer to a low-cost archiving service.
• Faster development and lower development costs through C language SDKs for direct
connection to OSS.
Scalable
Offers scalable and unlimited object-based storage capacity and supports high concurrency.
Data Processing Capabilities
• Provides high-throughput read and write access.
• Supports multiple file formats such as jpg, png, bmp, gif, web page, tiff, etc.
• Content delivery acceleration with OSS as the origin site, with stable delivery that is not limited
by origin-retrieval bandwidth restrictions.
Image Processing
Supports thumbnails, cropping, watermarking, compression, format conversion and other image
processing functions for stored images.
• The user can create multiple buckets, and each bucket can contain an unlimited number
of objects.
• The user can configure the attributes of a bucket for region, object access control and object
lifecycle management.
3.5.3 Security
Tenant isolation
• Tenant data are separated with tags.
• The service access layer uses symmetric encryption key authentication technology to
identify users.
Reliability
• Distributed redundant storage ensures data reliability.
• Availability reaches 99.9%.
Access Control
• Access control is implemented through the access control list (ACL).
• Access is controlled based on Resource Access Management (RAM) authorization policies.
Encrypted transmission
• Supports SSL transmission encryption.
• Supports encrypted storage on the server side.
3.6 SLB
3.6.1 Service Description
Alibaba Cloud Server Load Balancer is a traffic distribution control service. It distributes the
incoming application traffic among multiple ECS (Elastic Compute Service) instances according to a
scheduling algorithm and listening rules. By setting a virtual IP address, Server Load Balancer
service virtualizes the ECS instances located in the same region into a high-performing and highly
available application service pool. Client requests are distributed to the cloud server pool according
to the defined listening rules. This increases the fault tolerance of your applications. Server Load
Balancer checks the health status of the ECS instances in the cloud server pool and automatically
isolates any ECS instances with an abnormal status. This resolves the single point of failure (SPOF)
problem and improves the overall service capability. The benefits of SLB are as follows:
High Availability
Server Load Balancing automatically distributes traffic across multiple targets – Apsara Stack ECS
instances, containers and IP addresses – in a single data center or multiple data centers.
Secure
SLB works with VPC to provide robust security features, including integrated certificate management
and SSL decryption. Together, they give the flexibility to centrally manage SSL settings and offload CPU
intensive workloads from applications.
Elastic
Elastic Load Balancing is capable of handling rapid changes in network traffic patterns. Additionally,
deep integration with Auto-scaling service ensures sufficient application capacity to meet varying
levels of application load without requiring manual intervention.
Flexible
SLB allows users to use IP addresses to route requests to application targets. This offers flexibility in
how to virtualize the application targets, allowing users to host more applications on the same
instance.
Robust monitoring
SLB allows user to monitor applications and their performance in real time with CloudMonitor
metrics, logging, and request tracing. This improves visibility into the behavior of the applications,
uncovering issues and identifying performance bottlenecks in the application stack at the granularity
of an individual request.
Access control
Set a whitelist to control which IP addresses can access Server Load Balancer.
Certificate management
Server Load Balancer service provides Certificate Management for the HTTPS protocol listening.
With Certificate Management, you do not need to upload certificates to backend ECS instances.
Deciphering is performed on Server Load Balancer to reduce the CPU overheads of backend ECS
instances.
Instance type
You can choose to create an Internet or Intranet Server Load Balancer service. The system will
assign a public IP address or private IP address accordingly.
Management methods
Server Load Balancer instances can be managed via various methods, such as the Server Load
Balancer console, Open API, and SDK.
3.6.3 Security
DDoS Attack Protection
Combined with Alibaba Cloud Security, Server Load Balancer can defend against DDoS attacks of up
to 5 Gbps, such as HTTP flood and SYN flood attacks.
SLB Whitelist
A whitelist controls which IP addresses can access the load balancing service.
Server certificates
Server Load Balancer supports load balancing of HTTPS applications and provides a certificate
management function. Use a server certificate from the Alibaba Cloud Security Certificate Service, or
from another service provider, and upload the certificate to the Server Load Balancer certificate
management system. This option is only available for HTTPS listeners.
3.7 RDS
3.7.1 Service Description
ApsaraDB for RDS (Relational Database Service) is a stable and reliable online database service that
also supports elastic scaling. Based on the Apsara distributed system and high-performance
ephemeral SSD storage, it offers a complete set of solutions for backup, recovery, monitoring,
migration, disaster recovery, and troubleshooting of database operation and maintenance. ApsaraDB
for MySQL proves to have excellent performance and throughput, and also offers a range of
advanced functions including optimized read/write splitting, data compression, and intelligent
optimization. The benefits of ApsaraDB for RDS are as follows:
Single Deployment
RDS specifications can be customized through the APIs. RDS generates the specified instance
immediately.
Ease of management
Alibaba Cloud is responsible for ensuring the normal operation of RDS through routine maintenance
and management, such as hardware/software fault processing and database update patches. The
customer can independently perform database addition, deletion, restart, backup, recovery, and other
management operations in the Alibaba Cloud console.
Effortless migration
RDS is used similarly to the native database engine, meaning that it is easy to transfer the
pre-existing knowledge and skills to RDS management. Data can be migrated to RDS using the
commercial off-the-shelf data import and export tools with minimal labor cost required.
On-demand upgrades
Along with changes in the database load and data storage capacity, it is flexible to adjust the
instance types, and RDS will not interrupt the data link service during the upgrade period.
Transparent and compatible
The use method of RDS is the same as that of the native database engine. In addition, RDS is
compatible with other programs and tools. Data can be migrated to RDS using a data import and
export tool with minimal labor required.
3.7.3 Security
Alibaba Cloud RDS offers a variety of security reinforcement features to secure user data, including
but not limited to:
IP address whitelist
RDS provides the IP address whitelist feature to implement access control for network security.
Virtual Private Cloud (VPC)
A VPC is a private network environment in the public cloud that strictly isolates users' network
packets at the underlying network protocol level and implements access control at Layer 2. Over a
VPN or leased line, a custom RDS IP address segment in the VPC can be used to avoid IP address
conflicts, and RDS instances can then be accessed from both on-premises servers and Alibaba Cloud
ECS instances.
Secure Sockets Layer (SSL)
RDS provides Secure Sockets Layer (SSL) for MySQL. Use the server root certificate provided by
RDS to verify that the database service at the target IP address and port is provided by RDS, which
effectively prevents man-in-the-middle attacks. To guarantee security and validity, RDS enables and
updates the SSL certificates for its servers.
Security auditing
The security auditing module is an integrated solution based on the cloud computing platform. This
module meets the basic requirements for information system security classified protection. It
operates on the physical server level, the network equipment level, and the cloud computing platform
application level to provide behavior log collection, storage, analysis, and alarm functions. The
security auditing module provides the following functions:
Table 3-6 Security Auditing
Cloud product auditing: audits logins on ECS instances, operations on ApsaraDB for RDS databases,
and operations on MaxCompute instances.
DDoS Cleaning
Alibaba Cloud relies on its self-developed, large-scale, distributed operating system and more than a
decade of defense experience to provide a wide range of cloud platform users with its Alibaba Cloud
Security DDoS attack protection product, designed and developed based on its cloud computing
architecture. The DDoS cleaning module provides the following functions:
Table 3-7 DDoS Cleaning
that allow users to customize their own protection policies for their websites. These policies
allow users to filter specified malicious web request traffic.
The WAF module also supports rule sorting in protection scenarios and allows users to adjust the
relationships between precise protection and other security protection policies. Precise protection
allows users to add custom protection policies, which are always given the highest priority during
request matching.
Table 3-8 Web Application Firewall
Cloud Firewall
The cloud firewall module is Alibaba Cloud's proprietary cloud access control system, developed to
meet the needs of east-west traffic micro-isolation in a cloud computing environment. The cloud
firewall module provides the following functions:
Table 3-9 Cloud Firewall
4.2 SLA
An SLA is essentially a promise to the customer about how long a system may remain unavailable
during an emergency. The SLAs of the Apsara Stack Disaster Recovery solution are made up of the
round trip time latency, Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):
The round trip time latency is less than 0.6 ms.
RTO is the measure of how long the systems can be offline during a disaster, that is, the time it
takes to bring the standby systems online in the DR solution. The RTO metric begins with the
switchover and ends when all services are online; the Apsara Stack solution promises 10 minutes.
RPO is a measure of the amount of data that can be lost in a disaster: the cloud services will have
all data recovered up to that point. The per-service details are listed below:
Table 11-1 RPO for Apsara Stack Services
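A DR drill is only useful if the achieved RTO and RPO are measured against these definitions. The following evaluator is added as an example and is not part of Apsara Stack or BCMC: it takes a constructed drill record, computes the RTO as the text defines it (from switchover start until the last service is online) and the RPO per service as the gap between the last replicated commit and the failure, and compares them with targets. The 10-minute RTO is the figure stated above; the per-service RPO targets are placeholders, since the table's values are not reproduced here, and all timestamps are constructed.

```python
from datetime import datetime, timedelta

# RTO promised by the Apsara Stack solution, as stated in the text.
RTO_TARGET = timedelta(minutes=10)

# Placeholder per-service RPO targets (the solution's own RPO table is not reproduced here).
RPO_TARGETS = {"rds": timedelta(seconds=5), "oss": timedelta(minutes=1)}

# Constructed drill record, not real data: when the primary site failed, when the
# switchover was started, the last commit each service had replicated to the DR
# site, and when each service came back online there.
DRILL = {
    "failure": "2024-01-01T10:00:00",
    "switchover_start": "2024-01-01T10:01:30",
    "last_replicated_commit": {"rds": "2024-01-01T09:59:58", "oss": "2024-01-01T09:55:00"},
    "online": {"slb": "2024-01-01T10:02:00", "ecs": "2024-01-01T10:06:10", "rds": "2024-01-01T10:08:45"},
}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def measure_rto(switchover_start, online):
    """RTO as defined above: clock starts at switchover, stops when every service is online."""
    return max(_t(ts) for ts in online.values()) - _t(switchover_start)


def measure_rpo(failure, last_replicated_commit):
    """Data-loss window: whatever was committed after the last replicated point is gone."""
    return _t(failure) - _t(last_replicated_commit)


def evaluate_drill(drill, rpo_targets, rto_target=RTO_TARGET):
    """Compare a drill's achieved RTO and per-service RPO with the targets."""
    rto = measure_rto(drill["switchover_start"], drill["online"])
    online = drill["online"]
    report = {
        "rto": {
            "achieved": rto,
            "target": rto_target,
            "met": rto <= rto_target,
            # the service that finished last bounds the whole RTO
            "slowest_service": max(online, key=lambda svc: _t(online[svc])),
        },
        "rpo": {},
    }
    for svc, stamp in drill["last_replicated_commit"].items():
        rpo = measure_rpo(drill["failure"], stamp)
        target = rpo_targets[svc]
        report["rpo"][svc] = {"achieved": rpo, "target": target, "met": rpo <= target}
    return report


if __name__ == "__main__":
    result = evaluate_drill(DRILL, RPO_TARGETS)
    r = result["rto"]
    print(f"RTO {r['achieved']} (target {r['target']}) met={r['met']} slowest={r['slowest_service']}")
    for svc, p in result["rpo"].items():
        print(f"RPO {svc}: {p['achieved']} (target {p['target']}) met={p['met']}")
```

In the constructed record the switchover completes in 7 minutes 15 seconds, inside the 10-minute RTO, while OSS's five-minute replication gap misses its placeholder RPO target; the report pinpoints both the slowest service and the service whose replication lag needs attention.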
Failover of SLB is designed in active/active mode for disaster recovery. Master & API is the
controller that manages the SLB service, and it switches the SLB service over automatically
within seconds when the primary data center fails.
Figure 4-2 SLB Intra-City Disaster Recovery Architecture
Mode 1:
The RDS for MySQL cluster is configured in master/slave mode. The master node is deployed in
the primary site and the slave node in the secondary site. Data is replicated from the primary to the
secondary data center using MySQL binlog semi-synchronous replication. This is the classic disaster
recovery configuration for MySQL and guarantees an RPO at the second level.
Figure 4-5 Mode-1 Architecture
Mode 2:
The RDS for MySQL cluster is configured in 4-replica mode. One master and one slave node are
deployed in the primary site, and two further slave nodes in the secondary site. Data is replicated to
all nodes using MySQL binlog semi-synchronous replication, and must be replicated to all slave
nodes before a transaction is committed. This replication mechanism guarantees strong consistency
of data and transactions, and the service RPO is 0.
Figure 4-6 Mode-2 Architecture
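Why Mode 1 yields an RPO "at the second level" while Mode 2 yields an RPO of 0 comes down to what the master does when a slave's acknowledgement is late. The following toy simulation is added to show that difference; it is not RDS code and does not model MySQL's real protocol. It assumes, mirroring MySQL's semi-synchronous replication timeout behaviour, that the Mode 1 master falls back to asynchronous replication when the slave does not acknowledge in time and commits anyway, whereas Mode 2, as described above, does not commit until every slave has the transaction. Replica names, lags and transaction ids are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Replica:
    name: str
    site: str                 # "primary" or "secondary" data center
    lag_ms: int               # constructed: time until this replica acknowledges a binlog event
    applied: list = field(default_factory=list)   # transactions durably on this replica


class SemiSyncMaster:
    """Toy model of the two RDS for MySQL DR modes (hypothetical, not the RDS implementation).

    mode 1: master waits for the slave's ack; if it is late, the master (assumed
            MySQL semi-sync timeout behaviour) falls back to async and commits anyway.
    mode 2: a transaction is committed only once every slave has acknowledged it.
    """

    def __init__(self, replicas, mode, timeout_ms=1000):
        self.replicas, self.mode, self.timeout_ms = replicas, mode, timeout_ms
        self.committed = []      # transactions acknowledged to clients
        self.degraded = False    # set once mode 1 has fallen back to async

    def set_lag(self, name, lag_ms):
        next(r for r in self.replicas if r.name == name).lag_ms = lag_ms

    def commit(self, txn):
        # Replicas whose ack arrives before the timeout.
        acked = {r.name for r in self.replicas if r.lag_ms <= self.timeout_ms}
        if len(acked) == len(self.replicas):
            for r in self.replicas:
                r.applied.append(txn)
            self.committed.append(txn)
            return "committed"
        if self.mode == 2:
            # Strong consistency: no ack to the client, nothing applied anywhere.
            return "rejected"
        # Mode 1 fallback: the client gets a commit, but the slow slave's copy is still
        # in flight and is lost together with the primary site if it fails now.
        self.degraded = True
        for r in self.replicas:
            if r.name in acked:
                r.applied.append(txn)
        self.committed.append(txn)
        return "committed-async"

    def failover(self):
        """Primary site lost: promote the most advanced secondary-site replica."""
        survivors = [r for r in self.replicas if r.site == "secondary"]
        best = max(survivors, key=lambda r: len(r.applied))
        lost = [t for t in self.committed if t not in best.applied]
        return best.name, lost


def mode1_scenario():
    """Mode 1: one slave in the secondary site; the cross-site link degrades mid-run."""
    m = SemiSyncMaster([Replica("slave-dr", "secondary", 50)], mode=1)
    m.commit("t1")
    m.set_lag("slave-dr", 5000)        # ack now arrives after the timeout
    m.commit("t2")
    return m.failover()


def mode2_scenario():
    """Mode 2: one local slave plus two in the secondary site; one DR slave stalls."""
    m = SemiSyncMaster([Replica("slave-local", "primary", 5),
                        Replica("slave-dr1", "secondary", 50),
                        Replica("slave-dr2", "secondary", 60)], mode=2)
    m.commit("t1")
    m.set_lag("slave-dr2", 5000)
    status = m.commit("t2")
    return status, m.failover()


if __name__ == "__main__":
    print("mode 1 (promoted, lost transactions):", mode1_scenario())
    print("mode 2 (t2 status, (promoted, lost)):", mode2_scenario())
```

In Mode 1 the transaction committed during the degraded window is acknowledged to the client yet absent from the promoted replica, which is the data-loss window behind a "second level" RPO; in Mode 2 the same stall makes the commit fail instead, so nothing acknowledged is ever missing after failover. The monitoring consequence is that a Mode 1 deployment should alert on the fallback to asynchronous replication, because during that window the stated RPO no longer holds.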