How QingCloud’s Security Resource Pool Leverages SDN for Scalable Cloud Protection
This article explains how QingCloud’s security resource pool, built on a trusted cloud platform and SDN orchestration, provides self‑service, high‑performance, and open‑architecture security services for tenants, addressing control‑plane and data‑flow challenges while enabling flexible north‑south and east‑west traffic protection.
Cloud Security Landscape
Cloud computing is becoming essential infrastructure, but security challenges are growing; regulations such as the Cybersecurity Law and the Multi‑Level Protection Scheme require cloud providers to offer security mechanisms across IaaS, PaaS, and SaaS.
QingCloud Security Resource Pool
QingCloud provides a security resource pool built on a trusted cloud platform that offers self‑service security components—including host protection, bastion host, audit, WAF, and security posture—isolated per tenant.
Key Features
Self‑service: Tenants can customize specifications, quantity, and performance of security components.
Performance guarantee: Elastic scaling, load balancing, and EIP integration ensure high‑throughput protection.
Open architecture: SDN orchestration allows integration of third‑party security pools and devices.
Implementation Challenges
Control plane: Integrating numerous security product APIs and consoles for tenant‑level configuration and monitoring is complex.
Data‑flow plane: Orchestrating east‑west and north‑south traffic through multiple security components while maintaining low latency and avoiding single points of failure is difficult.
Architecture
The solution consists of three core parts: an SDN unified control platform, an MCN (multi‑cloud network) component, and various security resource pools.
Unified control platform: Registers and manages security product APIs, exposing them to tenants for policy delivery, alarm, and log collection.
MCN: A software‑defined network that interconnects clouds and routes traffic through selected security devices.
The VG component provides internet egress, EIP binding, and load balancing.
SDN Security Service Orchestration Value
SDN orchestration enables flexible deployment scenarios such as operational access via bastion host, business protection with IDS/IPS, and multi‑layer defense by combining different security technologies.
Use Cases
North‑south: Traffic from a VM passes through a virtual next‑generation firewall, then a hardware IPS, before reaching the internet.
East‑west: Inter‑VPC traffic is forced through a bastion host for authentication and audit before reaching the target VM.
Hybrid: Internet‑to‑VM traffic traverses a virtual firewall and a physical IPS using EIP, achieving mixed‑mode protection.
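The three use cases above can be expressed as ordered service chains and checked against observed flow paths to find traffic that bypassed its security components. This is an added example, not QingCloud code; the VPC CIDRs, device role labels (vngfw, hw-ips, bastion, vg), flow-record format, and the inbound ordering for the hybrid case are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed tenant layout (assumption): two VPCs; any other address is "internet".
VPCS = {"vpc-a": ip_network("10.1.0.0/16"), "vpc-b": ip_network("10.2.0.0/16")}

# Ordered chains per traffic class, from the use cases. Role labels are hypothetical.
REQUIRED = {
    "north-south-out": ["vngfw", "hw-ips"],  # VM -> vNGFW -> hardware IPS -> internet
    "north-south-in": ["vngfw", "hw-ips"],   # hybrid case; this ordering is an assumption
    "east-west": ["bastion"],                # inter-VPC traffic forced through bastion host
}

def zone(addr):
    ip = ip_address(addr)
    return next((name for name, net in VPCS.items() if ip in net), "internet")

def classify(src, dst):
    s, d = zone(src), zone(dst)
    if s == d:
        return None  # intra-VPC (or external-to-external): no chain in the use cases
    if d == "internet":
        return "north-south-out"
    if s == "internet":
        return "north-south-in"
    return "east-west"

def in_order(required, hops):
    it = iter(hops)  # each membership test consumes the iterator, enforcing order
    return all(r in it for r in required)

def audit(flows):
    """Return (flow id, traffic class, reason) for every flow that skipped its chain."""
    findings = []
    for f in flows:
        cls = classify(f["src"], f["dst"])
        if cls is None or in_order(REQUIRED[cls], f["hops"]):
            continue
        missing = [r for r in REQUIRED[cls] if r not in f["hops"]]
        findings.append((f["id"], cls, "missing:" + ",".join(missing) if missing else "order"))
    return findings

# Constructed flow records: hops are the devices each flow was observed to traverse.
FLOWS = [
    {"id": "f1", "src": "10.1.0.5", "dst": "203.0.113.9", "hops": ["vngfw", "hw-ips", "vg"]},
    {"id": "f2", "src": "10.1.0.5", "dst": "10.2.0.7", "hops": []},
    {"id": "f3", "src": "198.51.100.4", "dst": "10.2.0.7", "hops": ["vg", "hw-ips", "vngfw"]},
    {"id": "f4", "src": "10.1.0.5", "dst": "10.1.0.6", "hops": []},
    {"id": "f5", "src": "10.2.0.7", "dst": "203.0.113.9", "hops": ["vngfw", "vg"]},
]
```

Calling audit(FLOWS) flags f2 (inter-VPC flow with no bastion hop), f3 (inbound flow that hit the IPS before the firewall), and f5 (outbound flow that never reached the IPS).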
Advantages
Open architecture for third‑party integration.
Security resource pool with trusted environment, elastic resources, and one‑click delivery.
Consistent operation experience across QingCloud resources.
Intelligent orchestration that bridges traditional networks, security devices, and heterogeneous resources.
Qingyun Technology Community